Results 1 - 10 of 11 for privileges (0.16 sec)
manifests/charts/istio-cni/templates/clusterrole.yaml
verbs: ["watch", "get", "list"] {{- if .Values.cni.repair.repairPods }} {{- /* No privileges needed*/}} {{- else if .Values.cni.repair.deletePods }} - apiGroups: [""] resources: ["pods"] verbs: ["delete"] {{- else if .Values.cni.repair.labelPods }} - apiGroups: [""] {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} resources: ["pods/status"]
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Sat May 04 01:55:56 GMT 2024 - 2.2K bytes - Viewed (0) -
manifests/charts/istio-cni/templates/daemonset.yaml
port: 8000 securityContext: privileged: true # always requires privilege to be useful (install node plugin, etc) runAsGroup: 0 runAsUser: 0 runAsNonRoot: false # Both ambient and sidecar repair mode require elevated node privileges to function. # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri May 03 19:29:42 GMT 2024 - 9.4K bytes - Viewed (0) -
cni/README.md
## Privileges required
Plain Text - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri May 03 19:29:42 GMT 2024 - 12.3K bytes - Viewed (0) -
docs/en/docs/advanced/behind-a-proxy.md
``` This tells Traefik to listen on port 9999 and to use another file `routes.toml`. !!! tip We are using port 9999 instead of the standard HTTP port 80 so that you don't have to run it with admin (`sudo`) privileges. Now create that other file `routes.toml`: ```TOML hl_lines="5 12 20" [http] [http.middlewares] [http.middlewares.api-stripprefix.stripPrefix] prefixes = ["/api/v1"]
Plain Text - Registered: Sun May 05 07:19:11 GMT 2024 - Last Modified: Thu May 02 22:37:31 GMT 2024 - 11.6K bytes - Viewed (2) -
manifests/charts/istio-cni/values.yaml
# Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. repairPods: true initContainerName: "istio-validation" brokenPodLabelKey: "cni.istio.io/uninitialized" brokenPodLabelValue: "true"
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Tue Apr 30 22:24:38 GMT 2024 - 5.2K bytes - Viewed (1) -
cni/pkg/util/podutil.go
Patch( context.Background(), pod.Name, types.MergePatchType, annotationPatch, metav1.PatchOptions{}, // Both "pods" and "pods/status" can mutate the metadata. However, pods/status is lower privilege, so we use that instead. "status", ) return err } func AnnotateUnenrollPod(client kubernetes.Interface, pod *metav1.ObjectMeta) error {
Go - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri May 03 19:29:42 GMT 2024 - 3.9K bytes - Viewed (0) -
manifests/charts/ztunnel/templates/rbac.yaml
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} rules: - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] resourceNames: ["privileged"] verbs: ["use"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: ztunnel labels: app: ztunnel release: {{ .Release.Name }}
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Sat May 04 01:17:57 GMT 2024 - 1.3K bytes - Viewed (0) -
.devcontainer/devcontainer.json
{ "name": "istio build-tools", "image": "gcr.io/istio-testing/build-tools:master-b0f2fd3b4240c8178b14de4689d0e663e11868ff", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", "BUILD_WITH_CONTAINER": "0", "CARGO_HOME": "/home/.cargo", "RUSTUP_HOME": "/home/.rustup" }, "features": { "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}, "ghcr.io/mpriscella/features/kind:1": {} },
Json - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Thu May 02 16:31:40 GMT 2024 - 879 bytes - Viewed (1) -
manifests/charts/istio-control/istio-discovery/files/waypoint.yaml
port: 15021 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 15 successThreshold: 1 timeoutSeconds: 1 securityContext: privileged: false runAsGroup: 1337 runAsUser: 0 capabilities: drop: - ALL volumeMounts: - name: workload-socket
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri May 03 19:29:42 GMT 2024 - 10.1K bytes - Viewed (0) -
manifests/charts/ztunnel/templates/daemonset.yaml
{{ toYaml .Values.resources | trim | indent 10 }} {{- end }} {{- with .Values.imagePullPolicy }} imagePullPolicy: {{ . }} {{- end }} securityContext: allowPrivilegeEscalation: false privileged: false capabilities: drop: - ALL add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - NET_ADMIN # Required for TPROXY and setsockopt
Others - Registered: Wed May 08 22:53:08 GMT 2024 - Last Modified: Fri May 03 19:29:42 GMT 2024 - 5.2K bytes - Viewed (0)