robbmanes · February 27, 2024 16:15
diff --git a/podman-api-host.yaml b/podman-api-host.yaml
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: podman-api-host
  labels:
    app: podman-api-host
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: podman-api-host
  labels:
    app: podman-api-host
  namespace: podman-api-host
 ---
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
  name: podman-api-host
  labels:
    app: podman-api-host
  namespace: podman-api-host
 allowHostDirVolumePlugin: true
 users:
  - system:serviceaccount:podman-api-host:podman-api-host
 runAsUser:
  type: MustRunAsNonRoot
 seLinuxContext:
  type: RunAsAny
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
 allowedCapabilities:
 - '*'
 allowedUnsafeSysctls:
 - '*'
 fsGroup:
  type: RunAsAny
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 metadata:
  name: 99-podman-api-socket
  labels:
    machineconfiguration.openshift.io/role: worker
 spec:
  machineConfigPoolSelector:
  matchLabels:
    podman-api-host: true
  config:
    ignition:
      version: 3.2.0
    systemd:
      units:
      - name: podman.service
        enabled: true
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: podman-api-host-test
  labels:
    app: podman-api-host
  namespace: podman-api-host
 spec:
  template:
    spec:
      selector:
        matchLabels:
          podman-api-host: true
      containers:
      - name: podman
        image: registry.access.redhat.com/ubi9/podman
        command: ['sh', '-c', 'podman --log-level=debug --remote --url unix:/var/run/docker.sock ps -a']
        securityContext:
          runAsUser: 1000
        volumeMounts:
        - mountPath: /var/run/docker.sock
          name: docker-socket
      restartPolicy: Never
      volumes:
      - name: docker-socket
        hostPath:
          path: /run/podman/podman.sock
          type: Socket
      securityContext:
        seLinuxOptions:
          type: spc_t
      serviceAccount: podman-api-host
      serviceAccountName: podman-api-host
	---
	apiVersion: v1
	kind: Namespace
	metadata:
	name: podman-api-host
	labels:
	app: podman-api-host
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: podman-api-host
	labels:
	app: podman-api-host
	namespace: podman-api-host
	---
	apiVersion: security.openshift.io/v1
	kind: SecurityContextConstraints
	metadata:
	name: podman-api-host
	labels:
	app: podman-api-host
	namespace: podman-api-host
	allowHostDirVolumePlugin: true
	users:
	- system:serviceaccount:podman-api-host:podman-api-host
	runAsUser:
	type: MustRunAsNonRoot
	seLinuxContext:
	type: RunAsAny
	allowPrivilegeEscalation: true
	allowPrivilegedContainer: true
	allowedCapabilities:
	- '*'
	allowedUnsafeSysctls:
	- '*'
	fsGroup:
	type: RunAsAny
	---
	apiVersion: machineconfiguration.openshift.io/v1
	kind: MachineConfig
	metadata:
	name: 99-podman-api-socket
	labels:
	machineconfiguration.openshift.io/role: worker
	spec:
	machineConfigPoolSelector:
	matchLabels:
	podman-api-host: true
	config:
	ignition:
	version: 3.2.0
	systemd:
	units:
	- name: podman.service
	enabled: true
	---
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: podman-api-host-test
	labels:
	app: podman-api-host
	namespace: podman-api-host
	spec:
	template:
	spec:
	selector:
	matchLabels:
	podman-api-host: true
	containers:
	- name: podman
	image: registry.access.redhat.com/ubi9/podman
	command: ['sh', '-c', 'podman --log-level=debug --remote --url unix:/var/run/docker.sock ps -a']
	securityContext:
	runAsUser: 1000
	volumeMounts:
	- mountPath: /var/run/docker.sock
	name: docker-socket
	restartPolicy: Never
	volumes:
	- name: docker-socket
	hostPath:
	path: /run/podman/podman.sock
	type: Socket
	securityContext:
	seLinuxOptions:
	type: spc_t
	serviceAccount: podman-api-host
	serviceAccountName: podman-api-host