feat: Set "openshift.io/required-scc" annotation on deployments #1282
Conversation
The annotation pins required SCC. Signed-off-by: Andrej Krejcir <[email protected]>
kubevirt-bot
added
release-note-none
|
|
Can you add a little context like it was done in kubevirt/hyperconverged-cluster-operator#3284? |
I've updated PR description. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 0xFelix The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
|
/cherry-pick release-v0.22 |
|
@akrejcir: new pull request created: #1283 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What this PR does / why we need it:
The annotation pins required SCC.
The OpenShift API dictates that a workload can require an SCC by using the annotation:
https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#security-context-constraints-requiring_configuring-internal-oauth
required-sccprevents different SCCs from being auto-selected by pods. The auto selection can fail in multiple ways: not enough permissions, changes of UID. When combined with pod security admission (on in new clusters in 4.19), this can result in SCCs being selected based on RBAC permissions that violate PSA and results in pods not running.Which issue(s) this PR fixes:
Fixes: https://issues.redhat.com/browse/CNV-56031
Special notes for your reviewer:
Release note: