
[WIP] Update scc to add seccompProfiles to handle restricted securityContext for Triggers

Open savitaashture opened this issue 2 months ago • 10 comments

Context:

As part of addressing https://issues.redhat.com/browse/OCPSTRAT-487, there's a plan to enable restricted security context by default starting from OpenShift 4.16. Once this becomes the default setting, existing Triggers functionality may break. This is because we currently set security context to false, and the pipelines-scc security context constraint (SCC) doesn't have seccompProfiles: runtime/default, which is required when restricted security context is enabled by default.

Tested the scenarios below:

1. Set security context to restricted for a namespace (oc label ns test pod-security.kubernetes.io/enforce=restricted --overwrite=true)

  • add seccompProfiles: runtime/default to pipelines-scc

    • set el-security-context to true --------- El pod up & running
    • set el-security-context to false --------- el pod won't come to running state (pods "el-github-listener-7879cb46b6-rgnkg" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "event-listener" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "event-listener" must set securityContext.runAsNonRoot=true))
  • remove seccompProfiles: runtime/default from pipelines-scc

    • set el-security-context to true --------- el pod won't come to running state
    • set el-security-context to false --------- el pod won't come to running state

2. Remove the restricted security context from a namespace (oc label ns test pod-security.kubernetes.io/enforce-)

  • add seccompProfiles: runtime/default to pipelines-scc

    • set el-security-context to true --------- El pod up & running
    • set el-security-context to false --------- El pod up & running
  • remove seccompProfiles: runtime/default from pipelines-scc

    • set el-security-context to true --------- el pod won't come to running state
    • set el-security-context to false --------- El pod up & running

Fixes : https://issues.redhat.com/browse/SRVKP-4372

Signed-off-by: Savita Ashture [email protected]

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you review them:

  • [ ] Run make test lint before submitting a PR
  • [ ] Includes tests (if functionality changed/added)
  • [ ] Includes docs (if user facing)
  • [ ] Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

savitaashture, Apr 23 '24 12:04
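The eight outcomes in the test matrix above follow from two separate admission checks: the namespace's PodSecurity "restricted" level (which demands the capabilities.drop, runAsNonRoot, allowPrivilegeEscalation and seccompProfile settings quoted in the error) and the SCC's seccompProfiles allow-list. The following is an added example, not Triggers or OpenShift code, that models both checks against constructed EventListener pod specs; the SCC rule is a simplification (assumption: a pod may only request seccomp profiles the SCC lists, and a pod requesting none is accepted), and `el_pod` stands in for what el-security-context toggles.

```python
# Added example (not Triggers or OpenShift code): a small model of the two admission
# checks exercised by the PR's test matrix, run against constructed EventListener pods.

def _ctx(pod, c):
    """Effective securityContext: container-level fields override pod-level ones."""
    merged = dict(pod["spec"].get("securityContext", {}))
    merged.update(c.get("securityContext", {}))
    return merged

def restricted_violations(pod):
    """Violations of the 'restricted' Pod Security Standard, phrased like the admission errors above."""
    out = []
    for c in pod["spec"]["containers"]:
        name, sc = c["name"], _ctx(pod, c)
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f'unrestricted capabilities (container "{name}" must set securityContext.capabilities.drop=["ALL"])')
        if sc.get("runAsNonRoot") is not True:
            out.append(f'runAsNonRoot != true (pod or container "{name}" must set securityContext.runAsNonRoot=true)')
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f'allowPrivilegeEscalation != false (container "{name}" must set securityContext.allowPrivilegeEscalation=false)')
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f'seccompProfile (pod or container "{name}" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return out

def scc_allows_seccomp(scc_seccomp_profiles, pod):
    """Simplified SCC rule (assumption): a pod may only request seccomp profiles the SCC
    lists ('*' allows any); a pod that requests none is always accepted."""
    for c in pod["spec"]["containers"]:
        prof = _ctx(pod, c).get("seccompProfile")
        if not prof:
            continue
        wanted = {"RuntimeDefault": "runtime/default", "Unconfined": "unconfined",
                  "Localhost": "localhost/" + prof.get("localhostProfile", "")}[prof["type"]]
        if "*" not in scc_seccomp_profiles and wanted not in scc_seccomp_profiles:
            return False
    return True

def el_pod(security_context_enabled):
    """Constructed EventListener pod, with or without the hardened securityContext
    that el-security-context=true is assumed to add."""
    sc = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
          "capabilities": {"drop": ["ALL"]},
          "seccompProfile": {"type": "RuntimeDefault"}} if security_context_enabled else {}
    return {"spec": {"containers": [{"name": "event-listener", "securityContext": sc}]}}

def admitted(pod, namespace_restricted, scc_seccomp_profiles):
    """True only if both the namespace PodSecurity level and the SCC would admit the pod."""
    if namespace_restricted and restricted_violations(pod):
        return False
    return scc_allows_seccomp(scc_seccomp_profiles, pod)

if __name__ == "__main__":
    for ns in (True, False):
        for scc in (["runtime/default"], []):
            for el in (True, False):
                print(f"restricted_ns={ns} scc={scc} el-security-context={el}: admitted={admitted(el_pod(el), ns, scc)}")
```

Running it reproduces the matrix: only the three combinations the PR reports as "up & running" under a restricted namespace or a missing SCC entry come back admitted, and the el-security-context=false pod under "restricted" fails with the same four findings the quoted error lists.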