istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SCC policies are not specific to BookInfo (#5132) 

* SCC policies are not specific to BookInfo

* Update index.md
This commit is contained in:
Ram Vennam 2019-10-11 15:36:22 -04:00 committed by Istio Automation
parent 38c6a004e5
commit 25d8f5c983
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
content/en/docs/setup/platform-setup/openshift/index.md
View File

@ -53,7 +53,7 @@ After installation is complete, expose an OpenShift route for the ingress gatewa
$ oc expose svc/istio-ingressgateway --port=80
{{< /text >}}
## Automatic Injection
## Automatic sidecar injection
Webhook and certificate signing requests support must be enabled for [automatic injection](/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) to work. Modify the master configuration file on the master node for the cluster as follows.
@ -87,18 +87,18 @@ $ master-restart api
$ master-restart controllers
{{< /text >}}
## Bookinfo
## Privileged security context constraints for sidecars
The Istio sidecar injected into each pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace `-n bookinfo` with the appropriate namespace.
The Istio sidecar injected into each pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace `<target-namespace>` with the appropriate namespace.
{{< text bash >}}
$ oc adm policy add-scc-to-group privileged system:serviceaccounts -n bookinfo
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n bookinfo
$ oc adm policy add-scc-to-group privileged system:serviceaccounts -n <target-namespace>
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n <target-namespace>
{{< /text >}}
When removing the Bookinfo application, remove the permissions as follows.
When removing your application, remove the permissions as follows.
{{< text bash >}}
$ oc adm policy remove-scc-from-group privileged system:serviceaccounts -n bookinfo
$ oc adm policy remove-scc-from-group anyuid system:serviceaccounts -n bookinfo
$ oc adm policy remove-scc-from-group privileged system:serviceaccounts -n <target-namespace>
$ oc adm policy remove-scc-from-group anyuid system:serviceaccounts -n <target-namespace>
{{< /text >}}