Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use OpenShift's required-scc annotation on components #1931

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

maiqueb
Copy link
Contributor

@maiqueb maiqueb commented Dec 4, 2024

What this PR does / why we need it:
This PR adds the required-scc annotation whenever the components are deploying in an OpenShift cluster.

Starting from 4.19 this is required.

Special notes for your reviewer:

Release note:

Adds the `openshift.io/required-scc` annotation to all CNAO components when executed in an OpenShift cluster.

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Dec 4, 2024
@kubevirt-bot kubevirt-bot requested a review from oshoval December 4, 2024 16:16
@kubevirt-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign oshoval for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@maiqueb
Copy link
Contributor Author

maiqueb commented Dec 4, 2024

@RamLavi I still need to patch up CNAO itself. Could you point me to the correct place ?

{{ if .IsOpenshift }}
annotations:
openshift.io/required-scc: "restricted-v2"
kubectl.kubernetes.io/default-container: manager
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: why include this in the .IsOpenshift conditional? I'd have expected:

      annotations:
        kubectl.kubernetes.io/default-container: manager
{{ if .IsOpenshift }}
        openshift.io/required-scc: "restricted-v2"
{{ end }}

Copy link
Collaborator

@oshoval oshoval Dec 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree,
also on the rest please

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it's possible, I'll try.

Comment on lines 146 to 147
annotations:
openshift.io/required-scc: "restricted-v2"
Copy link
Collaborator

@oshoval oshoval Dec 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aint it should be with
{{ if .IsOpenshift }} or {{ if .EnableSCC }} ?
same for L233

do we need to create this scc ? or it is one that is already created ?
(for example for bridge-marker we create the scc by CNAO upon needs)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The script that templates this doesn't know any of those variables.

And kubemacpool - for whatever reason - already always has OpenShift related data set:

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if needed we can add to the script, i can show you if you want where

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this an issue now, when it wasn't before ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

    - key: openshift.io/run-level
      operator: NotIn
      values:
      - "0"
      - "1"

for me this seems to have less effect then creating scc
wdty?
i am totally not into being more restrictive by this PR, but imho this might not be the same case here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not creating an SCC here, I'm saying that this pod can only use this SCC.

On a platform that doesn't use SCCs - e.g. vanilla kubernetes - this is just one more annotation. There's no handler for it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any OpenShift variant in a version that we should support (we support 3 versions back) will have restricted-v2 SCC already created for us ?

Copy link
Collaborator

@oshoval oshoval Dec 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

btw, if KMP annotation can always be in the manifest, and no scc need to be created for this specific name
(iiuc it is a system one), then it should be better to not annotate it via CNAO, but add it directly on KMP repo please, same for the rest where applicable.

Note: this also might answer who need to annotate CNAO itself, if no SCC need to be created, and the annotation can always be in the manifest, CNAO can just have it on its own manifests,
else HCO need to create the SCC / or maybe even annotate if no other option.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

before making me spend a lot of time on this, can I get agreement from the maintainers of those repos that they're OK with it ?

... like, if they're not, they'll have to do this themselves in 4.19 scope ...

@phoracek / @RamLavi / @oshoval
who maintains the linux-bridge thing ?

Copy link
Collaborator

@oshoval oshoval Dec 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

of course you do, thanks
linux-bridge is part of CNAO
all relevant in the hack/components/bump-linux-bridge.sh and its yaml 002-linux-bridge.yaml iirc

annotations:
openshift.io/required-scc: "passt-binding-cni"
Copy link
Collaborator

@oshoval oshoval Dec 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to create the scc?
same question for linux-bridge below (there might be more)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if so, the PR isnt final yet iiuc

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Collaborator

@oshoval oshoval Dec 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

meant that the required SCC might need to be added unless they exists already in the manifests
i see for example this one exists already, if all the other already exists / system created we are good
can you please spin it on CRC / kcli to see we are all set please?

kind: SecurityContextConstraints
metadata:
  name: passt-binding-cni

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@oshoval it's working:

oc version
Client Version: 4.17.7
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: 4.17.7
Kubernetes Version: v1.30.6

cat <<EOF | oc apply -f -              
apiVersion: networkaddonsoperator.network.kubevirt.io/v1
kind: NetworkAddonsConfig
metadata:
  name: cluster
spec:
  multus: {}
  linuxBridge: {}
  kubeMacPool: {}
  ovs: {}
  kubeSecondaryDNS: {}
  kubevirtIpamController: {}
  imagePullPolicy: Always
EOF
networkaddonsconfig.networkaddonsoperator.network.kubevirt.io/cluster configured

oc get pods -ncluster-network-addons -w
NAME                                                  READY   STATUS    RESTARTS   AGE
bridge-marker-44qm4                                   1/1     Running   0          65s
cluster-network-addons-operator-6c96bbb9d9-7dcvr      2/2     Running   0          10m
kube-cni-linux-bridge-plugin-zh6bf                    1/1     Running   0          66s
kubemacpool-cert-manager-65d6b697fb-dqjgv             1/1     Running   0          65s
kubemacpool-mac-controller-manager-5db75d6c4d-hcrvf   2/2     Running   0          65s
kubevirt-ipam-controller-manager-7f588c55df-w9jpk     1/1     Running   0          64s
ovs-cni-amd64-d4tsm                                   1/1     Running   0          65s
passt-binding-cni-wh29m                               1/1     Running   0          64s
secondary-dns-6c89d7864d-rvr94                        2/2     Running   0          64s

oc get pods -oyaml -ncluster-network-addons | grep required-scc
      openshift.io/required-scc: bridge-marker
      openshift.io/required-scc: linux-bridge
      openshift.io/required-scc: restricted-v2
      openshift.io/required-scc: restricted-v2
      openshift.io/required-scc: restricted-v2
      openshift.io/required-scc: passt-binding-cni

@maiqueb maiqueb changed the title Use required scc ipam components Use OpenShift's required-scc annotation on components Dec 5, 2024
@maiqueb maiqueb force-pushed the use-required-scc-ipam-components branch from d514395 to 006a7af Compare December 5, 2024 18:19
@kubevirt-bot kubevirt-bot added size/M and removed size/S labels Dec 5, 2024
@maiqueb maiqueb force-pushed the use-required-scc-ipam-components branch from 006a7af to c6019b7 Compare December 5, 2024 19:49
@maiqueb maiqueb force-pushed the use-required-scc-ipam-components branch from c6019b7 to 4ee876e Compare December 9, 2024 09:36
@kubevirt-bot kubevirt-bot added size/S and removed size/M labels Dec 9, 2024
Copy link

sonarqubecloud bot commented Dec 9, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants