@jwendell
Created November 10, 2017 13:47
```yaml
#
# Allow users to read the istio config map
#
# Namespaced Role + RoleBinding: every authenticated user gets read-only
# access to the single ConfigMap named "istio" in istio-system.
# rbac.authorization.k8s.io/v1beta1 was current when this was written;
# clusters running Kubernetes 1.22 or later only serve rbac v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: istio-configmap-viewer
  namespace: istio-system
rules:
- resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
  # resourceNames scopes "get" to this one object; a plain list or watch
  # request names no object and is therefore not matched by this rule.
  resourceNames: ["istio"]
  apiGroups: [""]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: istio-configmap-viewer-rb
  namespace: istio-system
roleRef:
  # roleRef takes only kind and name (plus apiGroup); a "namespace" key here
  # is an unknown field and is rejected by strict validation. The binding's
  # own metadata.namespace is what scopes it to istio-system.
  kind: Role
  name: istio-configmap-viewer
subjects:
# Group subjects are cluster-wide; the namespace comes from the RoleBinding.
- kind: Group
  name: system:authenticated
---
#
# Allow users to create ingress objects
#
# ClusterRole + ClusterRoleBinding: every authenticated user may create,
# update and delete Ingress objects in every namespace, not just istio-system.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: istio-ingress-for-everyone
rules:
- resources: ["ingresses"]
  verbs: ["*"]
  apiGroups: ["extensions"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-ingress-for-everyone-rb
roleRef:
  kind: ClusterRole
  name: istio-ingress-for-everyone
subjects:
- kind: Group
  name: system:authenticated
---
#
# Allow containers to run with UID 0, and run with privileges, in all namespaces
#
# This SCC is equivalent to OpenShift's built-in "privileged" SCC: privileged
# containers, all host namespaces, host paths, every capability, any UID and
# any volume type. Because it is granted to the group system:serviceaccounts,
# every service account in every namespace (including the default one each
# pod runs with) can use it. Only the SELinux context remains constrained.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: istio-scc
runAsUser:
  type: RunAsAny            # containers may run as root (UID 0)
seLinuxContext:
  type: MustRunAs           # the one strategy still enforced
supplementalGroups:
  type: RunAsAny
groups:
- system:serviceaccounts    # all service accounts, cluster-wide
allowHostDirVolumePlugin: true   # hostPath volumes (node filesystem)
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegedContainer: true
allowedCapabilities:
- '*'                       # any Linux capability may be added
allowedFlexVolumes: []
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
readOnlyRootFilesystem: false
requiredDropCapabilities: []
seccompProfiles:
- '*'
volumes:
- '*'
---
```
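The manifests above grant the most permissive settings an OpenShift cluster offers to its broadest built-in groups. The following audit, an added example that is not part of the gist, transcribes the SCC and the ingress ClusterRole/ClusterRoleBinding into plain Python dicts (constructed here from the gist, so no cluster or YAML parser is needed) and lists the settings that hand out host-level or cluster-wide power to a broad group. The field names are those of the real SecurityContextConstraints and RBAC objects; `HOST_ACCESS_FLAGS` and `BROAD_GROUPS` are this example's own selection of what to flag.

```python
# Added example, not part of the gist: audit the SCC and the cluster-scoped
# RBAC objects for settings that give broad groups host or cluster-wide power.
# The objects below are transcribed from the gist into dicts (constructed
# input) so the check runs offline.

# --- constructed input: the SCC from the gist ---
ISTIO_SCC = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "istio-scc"},
    "runAsUser": {"type": "RunAsAny"},
    "seLinuxContext": {"type": "MustRunAs"},
    "supplementalGroups": {"type": "RunAsAny"},
    "fsGroup": {"type": "RunAsAny"},
    "groups": ["system:serviceaccounts"],
    "allowHostDirVolumePlugin": True,
    "allowHostIPC": True,
    "allowHostNetwork": True,
    "allowHostPID": True,
    "allowHostPorts": True,
    "allowPrivilegedContainer": True,
    "allowedCapabilities": ["*"],
    "seccompProfiles": ["*"],
    "volumes": ["*"],
}

# --- constructed input: the ingress ClusterRole and its binding ---
INGRESS_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "istio-ingress-for-everyone"},
    "rules": [{"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["*"]}],
}
INGRESS_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "istio-ingress-for-everyone-rb"},
    "roleRef": {"kind": "ClusterRole", "name": "istio-ingress-for-everyone"},
    "subjects": [{"kind": "Group", "name": "system:authenticated"}],
}

# SCC switches that let a pod reach outside its own sandbox (this example's pick).
HOST_ACCESS_FLAGS = (
    "allowPrivilegedContainer",
    "allowHostPID",
    "allowHostNetwork",
    "allowHostIPC",
    "allowHostDirVolumePlugin",
    "allowHostPorts",
)

# Built-in groups that cover every service account or every user.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}


def audit_scc(scc):
    """Return a list of findings for one SecurityContextConstraints object."""
    findings = []
    for flag in HOST_ACCESS_FLAGS:
        if scc.get(flag, False):
            findings.append(f"{flag} is true")
    if "*" in scc.get("allowedCapabilities", []):
        findings.append("allowedCapabilities grants every capability ('*')")
    if scc.get("runAsUser", {}).get("type") == "RunAsAny":
        findings.append("runAsUser RunAsAny: containers may run as UID 0")
    for list_field in ("volumes", "seccompProfiles"):
        if "*" in scc.get(list_field, []):
            findings.append(f"{list_field} allows '*'")
    # A permissive SCC matters most when a broad group can request it.
    broad = sorted(BROAD_GROUPS & set(scc.get("groups", [])))
    if findings and broad:
        findings.append(f"granted to broad group(s): {', '.join(broad)}")
    return findings


def audit_cluster_binding(role, binding):
    """Flag wildcard verbs in a ClusterRole that is bound to a broad group."""
    findings = []
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        return findings  # binding refers to some other role; nothing to report
    subjects = {s["name"] for s in binding.get("subjects", []) if s.get("kind") == "Group"}
    broad = sorted(BROAD_GROUPS & subjects)
    if not broad:
        return findings
    for rule in role.get("rules", []):
        if "*" in rule.get("verbs", []):
            groups = "/".join(g or "core" for g in rule.get("apiGroups", [""]))
            resources = ",".join(rule.get("resources", []))
            findings.append(
                f"verbs '*' on {groups}:{resources} in every namespace for {', '.join(broad)}"
            )
    return findings


if __name__ == "__main__":
    for f in audit_scc(ISTIO_SCC):
        print("SCC istio-scc:", f)
    for f in audit_cluster_binding(INGRESS_ROLE, INGRESS_BINDING):
        print("ClusterRoleBinding istio-ingress-for-everyone-rb:", f)
```

Run against the gist's objects it reports all six host-access flags, the wildcard capabilities, root UID, wildcard volumes and seccomp profiles, and the fact that the SCC is granted to `system:serviceaccounts`; for the ingress binding it reports `verbs '*'` on `extensions:ingresses` for `system:authenticated`. Feeding it a restricted SCC with no wildcards yields no findings, which is the baseline a workload-specific SCC for Istio should aim for.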