SCC fixes #1340
SCC fixes #1340
Conversation
tangledbytes
force-pushed
the
utkarsh/fix/sccs
branch
3 times, most recently
from
53c7ba2 to
22455fe
Compare
|
Tested on OpenShift. Test steps:
|
|
NOTE: This PR adds a new SCC (for the operator itself) but that SCC is not being deployed by default (at least in the PR). Do we need do that as well @nimrod-becker? |
deploy/role.yaml
Outdated
| @@ -132,3 +140,4 @@ rules: | |||
| - '*' | |||
| verbs: | |||
| - '*' | |||
|
|
|||
There was a problem hiding this comment.
remove this so it can be removed also in deploy.go
deploy/scc_db.yaml
Outdated
| @@ -10,6 +10,11 @@ allowHostPID: false | |||
| allowHostPorts: false | |||
| allowPrivilegedContainer: false | |||
| readOnlyRootFilesystem: false | |||
| allowedCapabilities: | |||
There was a problem hiding this comment.
Do we need this? As we don't ask for these capabilities in statefulset-postgres-db.yaml
There was a problem hiding this comment.
Yeah, maybe we don't. I just tested the entire thing on openshift without this in place and it worked just fine. Will remove this.
There was a problem hiding this comment.
Tested it on 4.16 cluster as well (previously only on minishift).
tangledbytes
force-pushed
the
utkarsh/fix/sccs
branch
from
22455fe to
69bd001
Compare
|
@tangledbytes I think we need to, otherwise we won't fix the security scanning right? |
|
It seems that OLM does not support SCC deployment for operators right now, so we cannot really do it here (I mean we can but then NooBaa operator will create an SCC for itself, which is weird). They have an open issue for it - operator-framework/operator-lifecycle-manager#1547. The above issue was opened by a Rook member (my guess) and they handle this right now by provisioning SCCs in the OCS operator here - https://github.com/red-hat-storage/ocs-operator/blob/main/controllers/ocsinitialization/sccs.go. Given the above, I think we can merge this PR and I will open a PR in the OCS operator to make sure that just like for Rook, we have a SCC for noobaa operator as well there. Any comments @jackyalbo? |
Signed-off-by: Utkarsh Srivastava <[email protected]> include pod agent change Signed-off-by: Utkarsh Srivastava <[email protected]> make gen-api Signed-off-by: Utkarsh Srivastava <[email protected]> update deploy.go Signed-off-by: Utkarsh Srivastava <[email protected]> address PR comments Signed-off-by: Utkarsh Srivastava <[email protected]>
tangledbytes
force-pushed
the
utkarsh/fix/sccs
branch
from
69bd001 to
76d4722
Compare
|
Merging this for now. Will create the required PR in OCS as next steps. |
Explain the changes
This Pr introduces some "security" fixes which were done on the request of one of the NooBaa customer.
These changes were submitted to QE for preliminary testing. The initial testing failed as noobaa-endpoint had issue due to read-only root filesystem. IIRC, this was later on removed and the preliminary tests completed successfully. Hence this PR, has 3 changes which were not submitted to QE back then:
Removes read-only root filesystem for noobaa-endpoint (as QE found issue with this)
Adds a change for noobaa agent which was not possible to test earlier because we provision pods and pods can't be patched once created (other than container image).
Danny had some changes in the PG DB sts, this PR accommodates those changes (which were not there as the initial work was done on top of 5.14).
Doc added/updated
Tests added