
fix: Add Security context constraint for openshift #297

Merged

Conversation

odinnordico
Contributor

Pull request

What this PR does / why we need it

When adding the security context, the component fails to be installed in an OpenShift cluster because it does not match any SecurityContextConstraint.

Which issue(s) this PR fixes

Fixes N/A

Describe testing done for PR

  • Install TAP in an OpenShift cluster
  • Apply the following file
#@ load("@ytt:data", "data")
#@ load("@ytt:assert", "assert")

#! Fail the render early when kubernetes_distribution is set to an unsupported value.
#@ kubernetes_distribution = data.values.kubernetes_distribution
#@ validDistributions = [None, "", "openshift"]
#@ if kubernetes_distribution not in validDistributions:
#@   assert.fail("{} not in {}".format(kubernetes_distribution, validDistributions))
#@ end

#! On OpenShift only: render the SCC plus a Role/RoleBinding that lets every
#! service account in the service-bindings namespace "use" it.
#@ if kubernetes_distribution == "openshift":
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-binding-nonroot-scc
  namespace: service-bindings
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - service-binding-scc
  resources:
  - securitycontextconstraints
  verbs:
  - use
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-binding-nonroot-scc
  namespace: service-bindings
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-binding-nonroot-scc
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:service-bindings
---
#! Cluster-scoped SCC: non-root user, all capabilities dropped, no host access,
#! runtime/default seccomp, and an allowlist of non-host volume types.
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  name: service-binding-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
- runtime/default
users: []
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
#@ end
  • Check SB is up after deleting the deployment and kicking the SB app

Additional information or special notes for your reviewer

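As an added illustration (not code from this PR or the service-bindings project), the following Python models the subset of OpenShift SCC admission that the service-binding-scc above constrains and reports why a pod spec would fail to match it; the pod specs, container name and volume names are constructed sample values.

```python
# Added illustration (not project code): models the checks OpenShift SCC admission applies
# when matching a pod against the service-binding-scc in this PR. Unset fields are defaulted
# by admission (runAsNonRoot, dropped caps, seccomp); only explicit conflicting values reject.
SCC = {  # constraint values copied from the SCC manifest above
    "allowPrivilegedContainer": False, "runAsUser": "MustRunAsNonRoot",
    "allowHost": {"hostNetwork": False, "hostPID": False, "hostIPC": False},
    "allowedCapabilities": None,  # null: no capability may be added
    "seccompProfiles": ["runtime/default"],
    "volumes": ["configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                "persistentVolumeClaim", "projected", "secret"],
}
SECCOMP_NAMES = {"RuntimeDefault": "runtime/default", "Unconfined": "unconfined"}

def scc_violations(pod_spec, scc=SCC):
    """Return why pod_spec would be rejected under scc; an empty list means it matches."""
    problems, pod_sc = [], pod_spec.get("securityContext", {})
    for field, allowed in scc["allowHost"].items():
        if pod_spec.get(field) and not allowed:
            problems.append(f"{field} not allowed")
    for vol in pod_spec.get("volumes", []):
        vol_type = next((k for k in vol if k != "name"), "unknown")
        if vol_type not in scc["volumes"]:
            problems.append(f"volume type {vol_type} not allowed")
    seccomp = pod_sc.get("seccompProfile", {}).get("type")
    if seccomp and SECCOMP_NAMES.get(seccomp) not in scc["seccompProfiles"]:
        problems.append(f"seccomp profile {seccomp} not allowed")
    for c in pod_spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level settings win
        if sc.get("privileged") and not scc["allowPrivilegedContainer"]:
            problems.append(f"{c['name']}: privileged not allowed")
        if scc["runAsUser"] == "MustRunAsNonRoot" and (
                sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False):
            problems.append(f"{c['name']}: must run as non-root")
        if sc.get("capabilities", {}).get("add") and scc["allowedCapabilities"] is None:
            problems.append(f"{c['name']}: adding capabilities not allowed")
    return problems

# Constructed sample: an explicit non-root security context that matches the SCC.
COMPLIANT_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "manager", "securityContext": {"runAsUser": 1000,
                    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "certs", "secret": {"secretName": "webhook-certs"}}],
}
# Constructed sample that matches no SCC in this PR: root UID, added capability, hostPath volume.
REJECTED_POD = {
    "containers": [{"name": "manager", "securityContext": {"runAsUser": 0,
                    "capabilities": {"add": ["NET_ADMIN"]}}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],
}
```

The default restricted SCCs use a MustRunAsRange user strategy, under which an explicit runAsUser outside the namespace's assigned UID range is rejected, whereas the MustRunAsNonRoot strategy in this SCC accepts any non-zero UID.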
@vmwclabot vmwclabot added the cla-not-required CLA not required label Oct 3, 2023
@codecov-commenter

codecov-commenter commented Oct 3, 2023

Codecov Report

Merging #297 (ffe0b48) into main (787d0ca) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #297   +/-   ##
=======================================
  Coverage   93.02%   93.02%           
=======================================
  Files          16       16           
  Lines         774      774           
=======================================
  Hits          720      720           
  Misses         42       42           
  Partials       12       12           

@odinnordico odinnordico merged commit 37121c2 into vmware-tanzu:main Oct 11, 2023
odinnordico added a commit that referenced this pull request Oct 11, 2023
* fix: Add Security context constraint for openshift

Signed-off-by: Diego Alfonso <[email protected]>