diff --git a/bindata/assets/config/defaultconfig.yaml b/bindata/assets/config/defaultconfig.yaml
index 49ece54fd7..8d944f814a 100644
--- a/bindata/assets/config/defaultconfig.yaml
+++ b/bindata/assets/config/defaultconfig.yaml
@@ -20,6 +20,15 @@ admission:
 audit-version: "latest"
 warn: "restricted"
 warn-version: "latest"
+ exemptions:
+ usernames:
+ # The build controller creates pods that are likely to be privileged
+ # based on BuildConfig objects. Access to these build pods is however
+ # still limited by the SCC exec admission and so we can safely add the
+ # build-controller SA here.
+ # This configuration should never be exposed to cluster users as no
+ # such guarantees are made for any other OpenShift SA/user.
+ - system:serviceaccount:openshift-infra:build-controller
 apiServerArguments:
 allow-privileged:
 - "true"
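Review bot: The new `exemptions.usernames` entry is matched on the username alone, so it applies in every namespace and, per the Kubernetes PodSecurity exemption semantics, also to requests made under an impersonated username; the added comment only argues the build-pod case. As written, any holder of the build-controller token or of `impersonate` rights on that service account would skip the enforce, audit and warn checks, while the SCC exec admission the comment relies on appears to limit access to build pods rather than what this identity may create. I would extend the comment with something like `# Exemption is cluster-wide and also matches impersonated requests; keep impersonate rights on this SA restricted and SCC exec admission enabled.` Exempted requests should still carry the `pod-security.kubernetes.io/exempt: user` audit annotation, which is worth noting there as the signal to monitor for unexpected use of this identity. The enclosing admission plugin configuration starts outside the hunk and the indentation is not preserved on this page, so the nesting of `exemptions` relative to the defaults block cannot be confirmed from here.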