fix(security): support restricted pod security standard #450
Conversation
Code seems to make sense and works as expected with a basic manual run. I'll let @tthvo sign off.
Looks great! From some readings, I did manual runs on OpenShift
I believe the security context set here for cryostat containers is the default and will be overwritten from the CR spec as in #446?
Did this work on 4.10.18? I expected the operator deployment would not be accepted because of the
I'm not sure if there's any parameters we could set for this in
That seems like a good idea. We should do that once operator-framework/operator-sdk#5939 is fixed.
Yes absolutely. The next scorecard test I want to write is one that creates the Cryostat CR and ensures that Cryostat starts properly.
That's right.
@tthvo I created 3 new issues for each point in #450 (comment)
Great! I am excited to work on those :D
Hmm right! I totally forgot that. Interestingly, Operator pod is actually admitted and launched in 4.10.18 with seccompProfile set.
Edited: The default namespace should not be used as SCC does not apply. Worked as expected on 4.10.18! Thanks for pointing me to this :D
Looks great to me! Worked as expected :D
The primary difficulty with this fix is that OpenShift < 4.11 does not permit you to set `seccompProfile` by default. Following the discussion in redhat-openshift-ecosystem/community-operators-prod#1417, I decided to take the following approach with this PR.

For the operator deployment:

- Set `runAsNonRoot` and `seccompProfile` in the pod security context. This is not backwards compatible with OpenShift < 4.11. In the downstream release, we will have to remove `seccompProfile` to support these versions. The `restricted-v2` Security Context Constraint (SCC) will set the `seccompProfile` for us when it is necessary. The alternative is not being compliant on standard Kubernetes, which does not have a SCC mechanism. The end result will be that upstream releases continue to work on Kubernetes 1.19 and OpenShift >= 4.11. Downstream releases will continue to work on OpenShift >= 4.6.

For the operand deployments:

- Set `runAsNonRoot` and, if not running on OpenShift, set `seccompProfile`. This preserves backwards compatibility, and relies on the `restricted-v2` SCC to set `seccompProfile` in OpenShift >= 4.11.

Fixes: #404
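The conditional pod security context described for the operand deployments, as an added Go example that is not the operator's own code: the struct types are minimal stand-ins for the `k8s.io/api/core/v1` fields involved (assumed shape), and OpenShift detection is passed in as a boolean rather than probed from the cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal stand-ins for corev1.SeccompProfile and corev1.PodSecurityContext,
// carrying only the fields this PR touches (assumed shape, not the real types).
type SeccompProfile struct {
	Type string `json:"type"`
}

type PodSecurityContext struct {
	RunAsNonRoot   *bool           `json:"runAsNonRoot,omitempty"`
	SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
}

// operandSecurityContext always sets runAsNonRoot and sets seccompProfile to
// RuntimeDefault only off OpenShift: on OpenShift >= 4.11 the restricted-v2
// SCC fills the profile in, and older OpenShift would reject an explicit one.
func operandSecurityContext(onOpenShift bool) *PodSecurityContext {
	nonRoot := true
	sc := &PodSecurityContext{RunAsNonRoot: &nonRoot}
	if !onOpenShift {
		sc.SeccompProfile = &SeccompProfile{Type: "RuntimeDefault"}
	}
	return sc
}

// seccompSatisfiesRestricted reports whether the context on its own meets the
// restricted Pod Security Standard's seccomp rule: an explicit profile of type
// RuntimeDefault or Localhost. An unset profile fails (it relies on an SCC).
func seccompSatisfiesRestricted(sc *PodSecurityContext) bool {
	if sc == nil || sc.SeccompProfile == nil {
		return false
	}
	t := sc.SeccompProfile.Type
	return t == "RuntimeDefault" || t == "Localhost"
}

func main() {
	for _, onOpenShift := range []bool{false, true} {
		out, _ := json.Marshal(operandSecurityContext(onOpenShift))
		fmt.Printf("onOpenShift=%v -> %s\n", onOpenShift, out)
	}
}
```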