
Don't add security context on <4.11 as OpenShift restricted SCCs do not tolerate it #3401

Merged (3 commits) Feb 19, 2024

Conversation

@bennerv (Collaborator) commented Feb 12, 2024

What this PR does / why we need it:

In <4.11, the SCCs don't align with the seccompProfile set on the pods, which results in the pods with the added seccompProfile failing to schedule / run.

Test plan for issue:

Unit tests + manual testing of 4.10 version

Testing instructions:

  1. Create a 4.10 cluster at this aro operator version + RP version
  2. Make sure MUO, aro-operator (worker and master), and geneva logging pods are working as intended.
  3. Check the presence of: aro-worker and aro-master operators (seccompProfile), geneva logging namespace (should not have labels), and MUO deployment (seccompProfile)
  4. Upgrade to 4.11
  5. AdminUpdate the cluster
  6. All the items in step 3 should have the appropriate things now

Changes

  • Namespace:
	"pod-security.kubernetes.io/enforce": "privileged",
	"pod-security.kubernetes.io/audit":   "privileged",
	"pod-security.kubernetes.io/warn":    "privileged",
  • Pods: under .spec.template.spec
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
  • Pods: under .spec.template.spec.containers[]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            runAsNonRoot: true

Is there any documentation that needs to be updated for this PR?

nope
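The version gate the PR describes (apply the namespace labels and the pod/container securityContext only on OpenShift 4.11 and later, leave older clusters untouched so the restricted SCC still admits the pods) as an added, self-contained example. This is not the ARO-RP operator's own code from pkg/operator/helpers.go: the threshold constant, the function names and the use of an unstructured map in place of the k8s.io PodSpec types are assumptions made for illustration, and the sample pod spec in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Assumed threshold taken from the PR description: the restricted security
// context is only tolerated by the restricted SCC from 4.11 onwards.
const minSupportedVersion = "4.11.0"

// parseVersion parses "4.10.67", "v4.11" or "4.11.0-rc.1" into [major, minor, patch].
// Missing components default to 0; pre-release and build suffixes are ignored.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	if s == "" {
		return v, errors.New("empty version string")
	}
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("unexpected version format %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// SupportsRestrictedContext reports whether clusterVersion is >= 4.11.0.
// A version that cannot be parsed is an error, never a silent "supported".
func SupportsRestrictedContext(clusterVersion string) (bool, error) {
	have, err := parseVersion(clusterVersion)
	if err != nil {
		return false, err
	}
	want, _ := parseVersion(minSupportedVersion)
	for i := range have {
		if have[i] != want[i] {
			return have[i] > want[i], nil
		}
	}
	return true, nil
}

// NamespaceLabels returns the pod-security admission labels from the PR for
// the operator namespace, or nil when the cluster is too old to get them.
func NamespaceLabels(clusterVersion string) (map[string]string, error) {
	ok, err := SupportsRestrictedContext(clusterVersion)
	if err != nil || !ok {
		return nil, err
	}
	return map[string]string{
		"pod-security.kubernetes.io/enforce": "privileged",
		"pod-security.kubernetes.io/audit":   "privileged",
		"pod-security.kubernetes.io/warn":    "privileged",
	}, nil
}

// ApplySecurityContext mutates an unstructured pod spec (the shape of
// .spec.template.spec) in place. On >= 4.11 it sets the pod-level and
// container-level securityContext listed in the PR; on older clusters it
// leaves the spec untouched. It reports whether anything was applied.
func ApplySecurityContext(podSpec map[string]interface{}, clusterVersion string) (bool, error) {
	ok, err := SupportsRestrictedContext(clusterVersion)
	if err != nil || !ok {
		return false, err
	}
	podSpec["securityContext"] = map[string]interface{}{
		"runAsNonRoot":   true,
		"seccompProfile": map[string]interface{}{"type": "RuntimeDefault"},
	}
	containers, _ := podSpec["containers"].([]interface{})
	for _, c := range containers {
		cm, isObj := c.(map[string]interface{})
		if !isObj {
			return false, errors.New("container entry is not an object")
		}
		cm["securityContext"] = map[string]interface{}{
			"allowPrivilegeEscalation": false,
			"capabilities":             map[string]interface{}{"drop": []interface{}{"ALL"}},
			"runAsNonRoot":             true,
		}
	}
	return true, nil
}

func main() {
	// Constructed sample: one container, run against a 4.10, a 4.11 and a pre-release 4.14 version.
	for _, v := range []string{"4.10.67", "4.11.0", "v4.14.2-rc.0"} {
		spec := map[string]interface{}{"containers": []interface{}{map[string]interface{}{"name": "aro-operator"}}}
		applied, err := ApplySecurityContext(spec, v)
		fmt.Printf("%-13s applied=%v err=%v spec=%v\n", v, applied, err, spec)
	}
}
```

The parse error path matters: a reconciler that treats an unparseable version as "new enough" would push the seccompProfile onto a 4.10 cluster and reproduce the admission failure the PR fixes, so the gate fails closed instead.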

@bennerv (Collaborator, Author) commented Feb 12, 2024

/hold on testing - cc @SrinivasAtmakuri

@AldoFusterTurpin left a comment

One concern about a possible panic and a couple of optional minor suggestions.
Thank you!

3 review comments on pkg/operator/helpers.go (outdated, resolved)

@bennerv force-pushed the fix-securityadmission-for-lt-4.10 branch 2 times, most recently from 6fc7815 to 141babd, February 14, 2024 20:57
@bennerv force-pushed the fix-securityadmission-for-lt-4.10 branch from 141babd to 0e6c742, February 14, 2024 21:00
@bennerv removed the hold label Feb 15, 2024
@jaitaiwan (Contributor) left a comment

LGTM

@AldoFusterTurpin left a comment

LGTM! Thanks for the minor tweaks.

@cadenmarchese cadenmarchese merged commit 5ac65fd into Azure:master Feb 19, 2024
18 checks passed
Labels: next-release (To be included in the next RP release rollout)

5 participants