You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Having the operator's Service Account using a restrictive SCC would improve the operator's security.
I have an initial implementation of this that is failing to build due to some dependency issues. The libraries we're using seem to be somewhat incompatible as they are now, let's keep a close watch to continue this as soon as possible.
At the moment the cluster admin must add an SCC to the Service Account in order to be able to start pods correctly in OCP 3.x. (#41) and if this was implemented it wouldn't be necessary.
The text was updated successfully, but these errors were encountered:
Upon further investigation it was discovered that the SCC couldn't be created due to being a cluster-scoped resource. As such, it couldn't have a namespaced resource as owner. Until a more suitable alternative is found the user will need to apply a valid SCC to the service account being used by the operator when using the community Nexus image.
When using the Red Hat certified image this is no longer necessary after #81 as it sets the container user/group to one in the range defined by the openshift.io/sa.scc.supplemental-groups and openshift.io/sa.scc.uid-range namespace annotations, satisfying the constraints imposed by the restricted SCC and successfully starting the pods.
Having the operator's Service Account using a restrictive SCC would improve the operator's security.
I have an initial implementation of this that is failing to build due to some dependency issues. The libraries we're using seem to be somewhat incompatible as they are now, let's keep a close watch to continue this as soon as possible.
At the moment the cluster admin must add an SCC to the Service Account in order to be able to start pods correctly in OCP 3.x. (#41) and if this was implemented it wouldn't be necessary.
The text was updated successfully, but these errors were encountered: