[cluster] Fix the 'preload_image' role (#596)

kpouget · web-flow · commit e876c71edc6b · 2024-11-22T13:50:17.000+01:00
diff --git a/projects/cluster/toolbox/cluster_preload_image/tasks/main.yml b/projects/cluster/toolbox/cluster_preload_image/tasks/main.yml
@@ -5,6 +5,17 @@
     state: directory
     mode: '0755'
 
+- name: Lookup the namespace user ID range
+  shell:
+    set -o pipefail;
+
+    oc get ns {{ cluster_preload_image_namespace }} -ojsonpath={.metadata.annotations} | jq  -r '.["openshift.io/sa.scc.uid-range"]' | cut -d/ -f1
+  register: namespace_uid_range_cmd
+
+- name: Save the namespace uid as run_as_user
+  set_fact:
+    run_as_user: "{{ namespace_uid_range_cmd.stdout }}"
+
 - name: Apply the DaemonSet template
   template:
     src: "{{ cluster_preload_image_ds_template }}"
@@ -89,26 +100,30 @@
       oc describe pods -l name={{ cluster_preload_image_name }}
          -n {{ cluster_preload_image_namespace }}
          > "{{ artifact_extra_logs_dir }}/pods.descr"
+    failed_when: false
 
   - name: Get the status of the preload Pods
     shell:
       oc get pods -l name={{ cluster_preload_image_name }}
          -owide
          -n {{ cluster_preload_image_namespace }}
          > "{{ artifact_extra_logs_dir }}/pods.status"
+    failed_when: false
 
   - name: Get the yaml of the daemonset
     shell:
       oc get ds/{{ cluster_preload_image_name }}
          -oyaml
          -n {{ cluster_preload_image_namespace }}
          > "{{ artifact_extra_logs_dir }}/daemonset.yaml"
+    failed_when: false
 
   - name: Get the status of the daemonset
     shell:
       oc get ds/{{ cluster_preload_image_name }}
          -n {{ cluster_preload_image_namespace }}
          > "{{ artifact_extra_logs_dir }}/daemonset.status"
+    failed_when: false
 
   - name: Delete the DaemonSet, it it exists
     command:
diff --git a/projects/cluster/toolbox/cluster_preload_image/templates/daemonset.yaml.j2 b/projects/cluster/toolbox/cluster_preload_image/templates/daemonset.yaml.j2
@@ -29,7 +29,8 @@ spec:
         - sleep
         - 1d
         securityContext:
-          runAsUser: 999
+          # prevent the image from requesting to run as root
+          runAsUser: {{ run_as_user }}
           allowPrivilegeEscalation: false
           capabilities:
             drop: ["ALL"]
