OCPBUGS-46410: Set openshift.io/required-scc: privileged annotation in version pods
#1129
Conversation
… for `version` pods Utilize the `openshift.io/required-scc` annotation [1] to pin the required SCC to `version` pods. This will ensure that any existing custom SCCs in the cluster will not have an effect on the `version` pods. The `privileged` default SCC [2] was chosen as the pod accesses and modifies host `/etc/` files. To do that, a pod must run as root and must also pass SELinux permission checks. This is currently achieved by the pod running as a privileged root. For such permission, the `privileged` default SCC is required. Using the `hostmount-anyuid` default SCC is not sufficient for the existing code as the pod is not able to pass the SELinux permissions checks. Additional SELinux, host file system, and/or code changes would be needed. In the future, we may implement such changes or try to use a local persistent volume [3] as running the version pod as privileged root is undesirable for the pod's goal of copying files into another pod. Some of the other alternatives are modifications to the current architecture of two separate pods or using a different type of volume. [1] https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#security-context-constraints-requiring_configuring-internal-oauth [2] https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth [3] https://kubernetes.io/docs/concepts/storage/volumes/#local
|
/jira cherrypick OCPBUGS-31462 |
openshift-ci
bot
added
the
approved
|
@DavidHurta: Jira Issue OCPBUGS-31462 has been cloned as Jira Issue OCPBUGS-46410. Will retitle bug to link to clone. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
changed the title
openshift.io/required-scc: privileged annotation in version podsopenshift.io/required-scc: privileged annotation in version pods
openshift-ci-robot
added
jira/severity-important
|
@DavidHurta: This pull request references Jira Issue OCPBUGS-46410, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@DavidHurta: This pull request references Jira Issue OCPBUGS-46410, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest-required |
1 similar comment
|
/retest-required |
|
@DavidHurta: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: DavidHurta, petr-muller The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
A manual cherry-pick of the #1106 PR for the
release-4.18branch.