
OpenShift SCC in declarative form

Open errordeveloper opened this issue 6 months ago • 2 comments

Currently OpenShift docs have this:

# grant the built-in "nonroot" SCC to each Flux controller service account
for i in ${!FLUX_CONTROLLERS[@]}; do
  oc adm policy add-scc-to-user nonroot system:serviceaccount:${FLUX_NAMESPACE}:${FLUX_CONTROLLERS[$i]}
done

This can be expressed as a role:

// CUE definition of the ClusterRole (metadata.name is left as an open string
// so the caller sets it); "use" on a named SCC is what lets a service account
// run pods under that SCC
apiVersion: "rbac.authorization.k8s.io/v1"
kind:       "ClusterRole"
metadata: name: string
rules: {
	apiGroups: [
		"security.openshift.io",
	]
	resources: [
		"securitycontextconstraints",
	]
	resourceNames: [
		"nonroot",
	]
	verbs: [
		"use",
	]
}

I based the above on something I wrote for Cilium here: https://github.com/cilium/cilium-olm/blob/d595d9b949ee9eab66968cd5e32636bb79f2fe9d/config/operator/rbac.cue#L50-L66

Happy to make a PR to the docs with an expanded YAML version once I have a bit of time.

errordeveloper, Feb 15 '24 21:02

Hey @errordeveloper, so with this cluster role, instead of running a command for each controller SA, people can just do a kubectl apply? If so then I think it's a great UX improvement.

stefanprodan, Feb 16 '24 10:02

@stefanprodan exactly :)

errordeveloper, Feb 16 '24 10:02

@errordeveloper can you please post on #4625 the exact YAML that would work for Flux?

stefanprodan, Feb 23 '24 08:02

Could this be something flux does on bootstrap?

jack-evans, Apr 16 '24 17:04

Adding that SCC YAML to the repo before bootstrap should be straightforward: https://fluxcd.io/flux/installation/configuration/boostrap-customization/

stefanprodan, Apr 16 '24 18:04
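The ClusterRole posted above grants nothing on its own; it has to be bound to the controller service accounts, which is what `oc adm policy add-scc-to-user` does behind the scenes. The manifest below is an added example (not from the issue, and not Flux's own manifests) of the complete YAML pair that can replace the loop: the ClusterRole plus a ClusterRoleBinding listing the Flux controllers. It assumes the default `flux-system` namespace and that all six standard controllers are deployed; the names `flux-scc-nonroot` are arbitrary choices, and subjects for controllers you do not run (for example the image-* controllers) should be dropped.

```yaml
# Added example, not part of the issue or the Flux project. Assumes the
# default flux-system namespace; remove subjects for controllers you
# do not install. The role/binding names are arbitrary.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flux-scc-nonroot
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["nonroot"]   # scoped to this one SCC, not all SCCs
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flux-scc-nonroot
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flux-scc-nonroot
subjects:
  - kind: ServiceAccount
    name: source-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: kustomize-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: helm-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: notification-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: image-reflector-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: image-automation-controller
    namespace: flux-system
```

For the bootstrap-customization route mentioned above, this file goes into the `flux-system` directory of the repo and is listed under `resources` in its `kustomization.yaml`, so it is applied together with the controller manifests. SCC admission is evaluated when a pod is created, so the binding must exist before the controller Deployments roll out. To check a subject after applying, run `kubectl auth can-i use securitycontextconstraints/nonroot --as=system:serviceaccount:flux-system:source-controller` and expect `yes`.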