From 225885f76eef52ac1b7d14353833d0b318359d9c Mon Sep 17 00:00:00 2001
From: Todd Malsbary
Date: Thu, 3 Jun 2021 17:05:16 -0700
Subject: The sink app needs the CAP_NET_RAW capability
The CAP_NET_RAW capability is not available with the default PodSecurityPolicy. Create a service account and role binding to the privileged policy and specify the sink to use it.
Issue-ID: MULTICLOUD-1310
Signed-off-by: Todd Malsbary
Change-Id: Ib00ee1e8797d497d024a167fc9a0336d4c2a7ae1
---
.../composite-firewall/sink/templates/rolebinding.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 kud/demo/composite-firewall/sink/templates/rolebinding.yaml
(limited to 'kud/demo/composite-firewall/sink/templates/rolebinding.yaml')
diff --git a/kud/demo/composite-firewall/sink/templates/rolebinding.yaml b/kud/demo/composite-firewall/sink/templates/rolebinding.yaml
new file mode 100644
index 00000000..14c5b758
--- /dev/null
+++ b/kud/demo/composite-firewall/sink/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "sink.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+subjects:
+- kind: ServiceAccount
+ name: {{ include "sink.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
--
cgit 1.2.3-korg
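Review bot: The `roleRef` binds the sink's service account to `psp:privileged`, which is broader than the single capability the commit message says is needed (CAP_NET_RAW). The policy itself is not visible here, but a privileged PSP usually also admits privileged containers, host namespaces and host paths, so any pod running under this service account in the release namespace could be admitted with those settings. Prefer a dedicated policy whose spec sets `allowedCapabilities: [NET_RAW]`, plus a role granting `use` on only that policy, and point `roleRef.name` at that role. If the privileged binding stays for the demo, record the intent above `roleRef` with a comment such as `# psp:privileged is bound only to obtain CAP_NET_RAW; narrow to a NET_RAW-only policy outside the demo`. The binding is also rendered only when `.Values.rbac.create` is set, so with it disabled the sink presumably fails admission unless the capability is allowed some other way; that dependency is worth documenting next to the value.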