From 9f78c2a20e51eae568902251ba048c304fa89b36 Mon Sep 17 00:00:00 2001
From: David Hurta
Date: Fri, 13 Dec 2024 14:53:52 +0100
Subject: [PATCH] pkg/cvo/updatepayload.go: Set `openshift.io/required-scc`: privileged for `version` pods
Utilize the `openshift.io/required-scc` annotation [1] to pin the required SCC to `version` pods. This will ensure that any existing custom SCCs in the cluster will not have an effect on the `version` pods. The `privileged` default SCC [2] was chosen as the pod accesses and modifies host `/etc/` files. To do that, a pod must run as root and must also pass SELinux permission checks. This is currently achieved by the pod running as a privileged root. For such permission, the `privileged` default SCC is required. Using the `hostmount-anyuid` default SCC is not sufficient for the existing code as the pod is not able to pass the SELinux permissions checks. Additional SELinux, host file system, and/or code changes would be needed. In the future, we may implement such changes or try to use a local persistent volume [3] as running the version pod as privileged root is undesirable for the pod's goal of copying files into another pod. Some of the other alternatives are modifications to the current architecture of two separate pods or using a different type of volume. [1] https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#security-context-constraints-requiring_configuring-internal-oauth [2] https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth [3] https://kubernetes.io/docs/concepts/storage/volumes/#local
---
 pkg/cvo/updatepayload.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
index d08b56127..0110780df 100644
--- a/pkg/cvo/updatepayload.go
+++ b/pkg/cvo/updatepayload.go 
@@ -225,6 +225,11 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 Spec: batchv1.JobSpec{
 ActiveDeadlineSeconds: deadline,
 Template: corev1.PodTemplateSpec{
+ ObjectMeta: metav1.ObjectMeta{
+ Annotations: map[string]string{
+ "openshift.io/required-scc": "privileged",
+ },
+ },
 Spec: corev1.PodSpec{
 InitContainers: []corev1.Container{
 setContainerDefaults(corev1.Container{
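Review bot: The new `Annotations` map on the pod template carries no in-code explanation of why `privileged` is the required SCC, so the reasoning given in the commit message (writing host `/etc` files, SELinux checks, `hostmount-anyuid` being insufficient) will be invisible to the next reader of updatepayload.go; add a comment above the `ObjectMeta` field such as `// Pin the privileged SCC so that custom SCCs in the cluster cannot change this pod's security context; privileged is needed to modify host /etc files and pass SELinux checks (hostmount-anyuid is not sufficient).` Pinning an SCC with this annotation also changes the failure mode: if the job's service account is not permitted to use the `privileged` SCC, admission rejects the pod instead of selecting another SCC, so the job never starts — if that permission is not guaranteed elsewhere, it is worth stating in the same comment so an admission failure is recognised quickly. The enclosing function fetchUpdatePayloadToDir starts and ends outside the hunk.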