From 44596c41d278a2748c8df7d3a173831a4de95447 Mon Sep 17 00:00:00 2001
From: Matthew B White
Date: Thu, 17 Mar 2022 16:44:55 +0000
Subject: [PATCH] Update to match the IBP official YAML files (#595)

Signed-off-by: Matthew B White
---
 roles/console/templates/k8s/cluster_role.yml.j2 | 6 ++++++
 .../templates/k8s/cluster_role_binding.yml.j2 | 6 ++++++
 .../security_context_constraints.yml.j2 | 16 +++++++---------
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/roles/console/templates/k8s/cluster_role.yml.j2 b/roles/console/templates/k8s/cluster_role.yml.j2
index c96c8717..a43eb2a5 100644
--- a/roles/console/templates/k8s/cluster_role.yml.j2
+++ b/roles/console/templates/k8s/cluster_role.yml.j2
@@ -6,6 +6,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: "{{ cluster_role }}"
+  labels:
+    release: "operator"
+    helm.sh/chart: "ibm-ibp"
+    app.kubernetes.io/name: "ibp"
+    app.kubernetes.io/instance: "ibp"
+    app.kubernetes.io/managed-by: "ibp-operator"
 rules:
 - apiGroups:
   - extensions
diff --git a/roles/console/templates/k8s/cluster_role_binding.yml.j2 b/roles/console/templates/k8s/cluster_role_binding.yml.j2
index 1b46c81c..00720c97 100644
--- a/roles/console/templates/k8s/cluster_role_binding.yml.j2
+++ b/roles/console/templates/k8s/cluster_role_binding.yml.j2
@@ -6,6 +6,12 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: "{{ cluster_role_binding }}"
+  labels:
+    release: "operator"
+    helm.sh/chart: "ibm-ibp"
+    app.kubernetes.io/name: "ibp"
+    app.kubernetes.io/instance: "ibp"
+    app.kubernetes.io/managed-by: "ibp-operator"
 subjects:
 - kind: ServiceAccount
   name: "{{ service_account }}"
diff --git a/roles/console/templates/openshift/security_context_constraints.yml.j2 b/roles/console/templates/openshift/security_context_constraints.yml.j2
index 7456ce01..a14b596b 100644
--- a/roles/console/templates/openshift/security_context_constraints.yml.j2
+++ b/roles/console/templates/openshift/security_context_constraints.yml.j2
@@ -6,11 +6,11 @@ apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
   name: "{{ security_context_constraints }}"
-allowHostDirVolumePlugin: true
-allowHostIPC: true
-allowHostNetwork: true
-allowHostPID: true
-allowHostPorts: true
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
 allowedCapabilities:
@@ -20,15 +20,13 @@ allowedCapabilities:
 - SETGID
 - SETUID
 - FOWNER
-defaultAddCapabilities: null
+defaultAddCapabilities: []
 fsGroup:
   type: RunAsAny
 groups:
-- system:cluster-admins
-- system:authenticated
 - system:serviceaccounts:{{ project }}
 readOnlyRootFilesystem: false
-requiredDropCapabilities: null
+requiredDropCapabilities: []
 runAsUser:
   type: RunAsAny
 seLinuxContext:
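Review bot: The new `app.kubernetes.io/managed-by: "ibp-operator"` label in the added `labels:` block asserts that this ClusterRole is owned by the operator, although the object is rendered and applied by this Ansible role's template, and the identical block is added to cluster_role_binding.yml.j2 in the next hunk. If the operator or any other controller selects, adopts or prunes resources by that label, the console's RBAC objects could be reconciled or deleted out from under the role; that behaviour is not visible here, so it is worth confirming before relying on the label. If the intent is only to mirror the IBP chart's labels, a comment above each block would make that explicit, e.g. `# labels copied from the IBP official YAML (#595); these objects are applied by this role, not by the operator`.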
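Review bot: `allowPrivilegedContainer: true` and `allowPrivilegeEscalation: true` remain on the context lines directly below the five `allowHost*` flags this hunk flips to false, which undoes most of the tightening: a privileged container can still reach host devices and namespaces regardless of the host-access flags. If the console pod does not actually require a privileged security context, set `allowPrivilegedContainer: false` here and consider `allowPrivilegeEscalation: false` as well; if it does, a comment recording why would save the next reviewer the same question. Whether the remaining privileged settings were reviewed is not stated in the commit message.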
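Review bot: After dropping `system:cluster-admins` and `system:authenticated`, the SCC is still granted to `system:serviceaccounts:{{ project }}`, i.e. every service account in the project rather than only the console's, so any other workload in that namespace inherits the privileged settings and the SETUID/SETGID/FOWNER capabilities this file allows. Since the binding template already names the console's service account (`{{ service_account }}`), scoping the grant to it — `users:` / `- system:serviceaccount:{{ project }}:{{ service_account }}` in place of the `groups:` entry — would limit the blast radius, though whether other pods in the project depend on this SCC is not visible here. The `null` → `[]` changes for `defaultAddCapabilities` and `requiredDropCapabilities` are semantically no-ops; `requiredDropCapabilities: []` reads as a deliberate decision to drop nothing and deserves a comment if that is intended.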