Configure security context constraints on OpenShift using Dynatrace Operator

Dynatrace Operator provides the necessary binaries to pods through CSI volumes. On OpenShift, a pod can only mount a CSI volume if a security context constraint (SCC) that applies to that pod lists csi as an allowed volume type, so you must add such an SCC before pods can access the CSI volumes.

To add a security context constraint

  1. Create a file called restricted-csi.yaml with the following content.

Note: You can configure the file according to your needs; the one requirement is that csi appears in the volumes list. Be aware that the sample below is bound to every authenticated user via groups: system:authenticated and also permits privileged containers, privilege escalation and hostPath volumes. If that is broader than your cluster policy allows, drop those settings and scope the SCC to the service accounts that actually need CSI volumes via the users list (entries of the form system:serviceaccount:<namespace>:<name>).

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-csi
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: null
defaultAddCapabilities: null
priority: null
readOnlyRootFilesystem: false
groups:
- system:authenticated
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
- csi
  2. Save the file.
  3. Run the command below to create the security context constraint. Creating an SCC is a cluster-scoped operation, so run it as a user with cluster-admin (or equivalent) privileges.
oc apply -f restricted-csi.yaml
  4. Confirm that the SCC exists and lists csi under its volumes.
oc get scc restricted-csi -o yaml
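The following shell script is an added example and is not part of the Dynatrace documentation or the operator's own tooling. It renders a tightened variant of the SCC above (csi granted to named service accounts rather than to system:authenticated, privileged containers and hostPath not enabled), and checks a manifest for the one thing the note above requires, csi in the volumes list, before it is applied. The namespace dynatrace-demo and service account app-sa used in the usage note are hypothetical; whether your workloads need any of the broader settings from the page's sample is a decision for your cluster, not something this script decides.

```sh
#!/bin/sh
# Added example, not Dynatrace code. Field names are the security.openshift.io/v1
# SecurityContextConstraints fields used in the restricted-csi.yaml sample above.

# render_scc NAME NAMESPACE SA [SA...]
# Print an SCC that allows the csi volume type for the listed service accounts
# only. Compared with the page's sample it sets groups to [] and leaves
# privileged containers, privilege escalation and hostPath disabled.
render_scc() {
    scc_name=$1
    scc_ns=$2
    shift 2
    printf 'apiVersion: security.openshift.io/v1\n'
    printf 'kind: SecurityContextConstraints\n'
    printf 'metadata:\n  name: %s\n' "$scc_name"
    printf 'runAsUser:\n  type: MustRunAsRange\n'
    printf 'seLinuxContext:\n  type: MustRunAs\n'
    printf 'fsGroup:\n  type: MustRunAs\n'
    printf 'supplementalGroups:\n  type: RunAsAny\n'
    printf 'allowHostDirVolumePlugin: false\n'
    printf 'allowHostIPC: false\n'
    printf 'allowHostNetwork: false\n'
    printf 'allowHostPID: false\n'
    printf 'allowHostPorts: false\n'
    printf 'allowPrivilegeEscalation: false\n'
    printf 'allowPrivilegedContainer: false\n'
    printf 'readOnlyRootFilesystem: false\n'
    printf 'requiredDropCapabilities:\n- KILL\n- MKNOD\n- SETUID\n- SETGID\n'
    printf 'groups: []\n'
    printf 'users:\n'
    for sa in "$@"; do
        # OpenShift's identity string for a service account
        printf -- '- system:serviceaccount:%s:%s\n' "$scc_ns" "$sa"
    done
    printf 'volumes:\n- configMap\n- downwardAPI\n- emptyDir\n'
    printf -- '- persistentVolumeClaim\n- projected\n- secret\n- csi\n'
}

# check_scc FILE
# Exit 0 when FILE lists csi under volumes, 1 otherwise. Warns on stderr about
# two settings in the page's sample that hand out far more than CSI access.
check_scc() {
    scc_file=$1
    awk '
        /^volumes:/          { invol = 1; next }
        invol && /^- /       { if ($2 == "csi") found = 1; next }
        invol && !/^- /      { invol = 0 }
        END                  { exit found ? 0 : 1 }
    ' "$scc_file" || {
        echo "check_scc: $scc_file does not list csi under volumes" >&2
        return 1
    }
    grep -q '^allowPrivilegedContainer: true' "$scc_file" \
        && echo "check_scc: warning, $scc_file allows privileged containers" >&2
    grep -q '^- system:authenticated' "$scc_file" \
        && echo "check_scc: warning, $scc_file is granted to every authenticated user" >&2
    return 0
}

# apply_scc FILE
# Validate locally first, then create or update the SCC. Needs oc on PATH and a
# cluster-admin login; nothing here is run until you call it.
apply_scc() {
    check_scc "$1" && oc apply -f "$1"
}
```

Usage: render_scc restricted-csi dynatrace-demo app-sa > restricted-csi.yaml, then apply_scc restricted-csi.yaml. Running check_scc against the page's own restricted-csi.yaml passes (csi is present) but prints both warnings, which is the point: the sample works, and it is also wider than it needs to be.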