From f20278ed74eba62f6176e01d6e72433cf1173c71 Mon Sep 17 00:00:00 2001
From: Eoin Gallinagh
Date: Wed, 4 Oct 2023 16:04:13 +0100
Subject: [PATCH] add: SecurityContextConstraint kustomize
---
 ray-operator/config/default/kustomization.yaml | 1 +
 ray-operator/config/scc/kustomization.yaml | 6 ++++++
 ray-operator/config/scc/ray_operator_scc.yaml | 11 +++++++++++
 3 files changed, 18 insertions(+)
 create mode 100644 ray-operator/config/scc/kustomization.yaml
 create mode 100644 ray-operator/config/scc/ray_operator_scc.yaml
diff --git a/ray-operator/config/default/kustomization.yaml b/ray-operator/config/default/kustomization.yaml
index 7df72cd3e94..34c2558c540 100644
--- a/ray-operator/config/default/kustomization.yaml
+++ b/ray-operator/config/default/kustomization.yaml
@@ -16,6 +16,7 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
+- ../scc
 - namespace.yaml
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
diff --git a/ray-operator/config/scc/kustomization.yaml b/ray-operator/config/scc/kustomization.yaml
new file mode 100644
index 00000000000..e2a5455944d
--- /dev/null
+++ b/ray-operator/config/scc/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- ray_operator_scc.yaml
+
+commonLabels:
+ app.kubernetes.io/name: kuberay
+ app.kubernetes.io/component: kuberay-operator
diff --git a/ray-operator/config/scc/ray_operator_scc.yaml b/ray-operator/config/scc/ray_operator_scc.yaml
new file mode 100644
index 00000000000..1246a5d57e3
--- /dev/null
+++ b/ray-operator/config/scc/ray_operator_scc.yaml
@@ -0,0 +1,11 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: run-as-ray-user
+seLinuxContext:
+ type: MustRunAs
+runAsUser:
+ type: MustRunAs
+ uid: 1000
+users:
+ - 'system:serviceaccount:$(namespace):kuberay-operator'
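Review bot: Adding `../scc` to the default `bases` makes every default install apply a `security.openshift.io/v1` resource, and that API group exists only on OpenShift; on other Kubernetes clusters the apply would presumably fail with an unknown-kind error. It also installs a cluster-scoped security policy without the deployer opting in. I would follow the PROMETHEUS pattern already used in this file and ship the entry commented out: `# [OPENSHIFT] To install the SecurityContextConstraints, uncomment the line below.` followed by `#- ../scc`. The `bases` list starts above the hunk.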
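Review bot: The new SCC in `ray_operator_scc.yaml` sets only `seLinuxContext`, `runAsUser` and `users`, so every other constraint is left to API defaults and the policy's real permissiveness cannot be read from the manifest; `allowPrivilegeEscalation` in particular is, as far as I know, treated as allowed when unset. I would state the restrictive fields explicitly, as sketched below, and relax them only where the operator pod demonstrably needs more. Separately, the `users` entry relies on `$(namespace)` being substituted, but no `vars` entry or var-reference configuration covering an SCC `users` field is visible in this patch. If the placeholder survives rendering, the literal string matches no service account and the SCC binds to nobody, so the rendered `kustomize build` output should be checked before merging.

```yaml
# … unchanged: kind, apiVersion, metadata, seLinuxContext, runAsUser …
# Restrictive starting point; confirm each value against what the operator pod needs.
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowHostDirVolumePlugin: false
requiredDropCapabilities:
  - ALL
# … unchanged: users …
```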