The sink app needs the CAP_NET_RAW capability

The CAP_NET_RAW capability is not available with the default PodSecurityPolicy. Create a service account and role binding to the privileged policy and specify the sink to use it. Issue-ID: MULTICLOUD-1310 Signed-off-by: Todd Malsbary <todd.malsbary@intel.com> Change-Id: Ib00ee1e8797d497d024a167fc9a0336d4c2a7ae1
author: Todd Malsbary <todd.malsbary@intel.com> 2021-06-03 17:05:16 -0700
committer: Todd Malsbary <todd.malsbary@intel.com> 2021-06-04 14:25:36 -0700
commit: 225885f76eef52ac1b7d14353833d0b318359d9c (patch)
tree: 4fdc2b8cfb088cc23bbc5776edb136e2a7c711e4 /kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
parent: 99f2be307f194e1f6a60e4098e82f6775c8dad5b (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml b/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
new file mode 100644
index 00000000..2dcd900c
--- /dev/null
+++ b/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "sink.serviceAccountName" . }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
author	Todd Malsbary <todd.malsbary@intel.com>	2021-06-03 17:05:16 -0700
committer	Todd Malsbary <todd.malsbary@intel.com>	2021-06-04 14:25:36 -0700
commit	225885f76eef52ac1b7d14353833d0b318359d9c (patch)
tree	4fdc2b8cfb088cc23bbc5776edb136e2a7c711e4 /kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
parent	99f2be307f194e1f6a60e4098e82f6775c8dad5b (diff)