fix: change user of operator to 1001 #1155
base: incubation
- this is the one we used for our image - the previous only set to a non-root user, which can conflict with a customized SCC

Signed-off-by: Wen Zhou <[email protected]>
I recall facing a similar problem as described in linked JIRA when looking at bringing Workbenches to Service Mesh - #616 It turned out
Changing default SA to
but I am not sure this is relevant in this context. Though might be a thing to work on as well. |
If the We did similar work in the context of Istio and Openshift istio/istio#45394 |
Signed-off-by: Wen Zhou <[email protected]>
Can we just make /opt/manifests group writeable? (in theory volatile content should be copied to /var, but it's too much for us) |
interesting topic of these permissions :D I think we have 2 parts here:
after some reading from https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth As for the change in istio I did a test:
BUT I guess/think/assume the whole combination:
|
the use case for our Operator with write permission:
This is likely the biggest difference between our operator and other products' operators. We could make all manifests live under /var/manifests instead of /opt/manifests |
What is the problem with making it group writable?
If on startup it copies RO /opt/manifest to /var/manifests under its UID with typical umask, it gets writable directory.
What are the security concerns about that UIDs in the container? There is no sensitive content, the UIDs are virtual from the host point of view. |
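The two options discussed in this thread (copy the read-only /opt/manifests tree to /var/manifests at startup, or make the tree group-writable in the image so the OpenShift-assigned arbitrary UID, which runs with GID 0, can write to it) are shown below as an added example. It is not code from the opendatahub-operator repository; the function names and the sample paths are illustrative, and the source and destination directories are passed in as parameters.

```shell
#!/bin/sh
# Added example, not code from the opendatahub-operator project. Demonstrates the
# two approaches from the PR discussion and a check that verifies the result.
# Function names are hypothetical; paths are parameters (e.g. /opt/manifests and
# /var/manifests in the PR).

# Option 1: copy a read-only tree (baked into the image) to a writable location
# owned by whatever UID the container happens to run as.
# Caveat: cp without -p gives the copy the SOURCE mode masked by umask, and umask
# can only clear bits, so a 0444 source file is still 0444 after the copy. The
# explicit chmod is what actually grants owner and group write.
stage_manifests() {
    src="$1"
    dst="$2"
    [ -d "$src" ] || return 1
    mkdir -p "$dst" || return 1
    cp -R "$src"/. "$dst"/ || return 1
    # +X: search bit on directories (and files that are already executable) only.
    chmod -R ug+rwX "$dst"
}

# Option 2 (image build time): keep the files in place and let the root group
# write to them. OpenShift runs arbitrary UIDs with GID 0, so group-write is what
# makes the directory usable regardless of which UID the SCC assigns.
# chgrp to group 0 needs root, so it is skipped when not running as root.
make_group_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chgrp -R 0 "$dir" || return 1
    fi
    # Give the group exactly the owner's permissions (the chmod g=u idiom).
    chmod -R g=u "$dir"
}

# Succeeds only if every entry under dir carries the group-write bit (0020).
check_group_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if find "$dir" ! -perm -020 -print | grep -q .; then
        return 1
    fi
    return 0
}

# Typical startup use (not executed here):
#   stage_manifests /opt/manifests /var/manifests && check_group_writable /var/manifests
```

The check is the part worth keeping in a startup probe: it fails loudly when a manifest ends up read-only for the group, which is exactly the symptom that a random UID under a customized SCC would otherwise surface only at runtime.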
we will need to revisit this UID later. |
Description
https://issues.redhat.com/browse/RHOAIENG-10272
How Has This Been Tested?
local build: quay.io/wenzhou/opendatahub-operator-catalog:v2.13.10272-3
test: