operator
[WIP] Update scc to add seccompProfiles to handle restricted securityContext for Triggers
Context:
As part of addressing https://issues.redhat.com/browse/OCPSTRAT-487, there's a plan to enable the restricted security context by default starting from OpenShift 4.16. Once this becomes the default setting, existing Triggers functionality may break. This is because we currently set the security context to false, and the `pipelines-scc` security context constraint (SCC) doesn't have `seccompProfiles: runtime/default`, which is required when the restricted security context is enabled by default.
Tested the scenarios below:

1. Set the security context to restricted for a namespace (`oc label ns test pod-security.kubernetes.io/enforce=restricted --overwrite=true`)
   - add `seccompProfiles: runtime/default` to `pipelines-scc`
     - set `el-security-context` to true --------- EL pod up & running
     - set `el-security-context` to false --------- EL pod won't come to running state (`pods "el-github-listener-7879cb46b6-rgnkg" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "event-listener" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "event-listener" must set securityContext.runAsNonRoot=true)`)
   - remove `seccompProfiles: runtime/default` from `pipelines-scc`
     - set `el-security-context` to true --------- EL pod won't come to running state
     - set `el-security-context` to false --------- EL pod won't come to running state
2. Remove the restricted security context from the namespace (`oc label ns test pod-security.kubernetes.io/enforce-`)
   - add `seccompProfiles: runtime/default` to `pipelines-scc`
     - set `el-security-context` to true --------- EL pod up & running
     - set `el-security-context` to false --------- EL pod up & running
   - remove `seccompProfiles: runtime/default` from `pipelines-scc`
     - set `el-security-context` to true --------- EL pod won't come to running state
     - set `el-security-context` to false --------- EL pod up & running
Fixes : https://issues.redhat.com/browse/SRVKP-4372
Signed-off-by: Savita Ashture [email protected]
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you review them:
- [ ] Run `make test lint` before submitting a PR
- [ ] Includes tests (if functionality changed/added)
- [ ] Includes docs (if user facing)
- [ ] Commit messages follow commit message best practices
See the contribution guide for more details.
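The test matrix above can be reproduced offline with a small client-side model of the checks involved. The following is an added example for this page, not code from the operator, Tekton Triggers or Kubernetes: it approximates the container-level rules of the PodSecurity `restricted` profile that the quoted EventListener error names (`capabilities.drop=["ALL"]`, `runAsNonRoot=true`) together with the `allowPrivilegeEscalation` and seccomp rules of the same profile, and it models the SCC behaviour this PR relies on, namely that an SCC with `seccompProfiles` listing `runtime/default` supplies `RuntimeDefault` to a pod that sets no seccomp profile (an assumption about OpenShift's SCC defaulting, stated in the code). The EventListener pod specs and the SCC fragments are constructed, and the exact fields the operator sets when `el-security-context` is true are assumed. It does not model SCC admission rejecting a pod, so a failure that the real cluster reports from the SCC side shows up here only as a PodSecurity violation.

```python
"""Client-side approximation of PodSecurity "restricted" container checks plus
OpenShift SCC seccomp defaulting. Added example for this PR page; not operator,
Triggers or Kubernetes code. Pod specs and SCC fragments below are constructed."""

from __future__ import annotations

import copy
from typing import Any

# Seccomp profile types accepted by the restricted profile.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

# Constructed SCC fragments: only the field this PR is about is modelled.
PIPELINES_SCC_WITH_SECCOMP: dict[str, Any] = {"seccompProfiles": ["runtime/default"]}
PIPELINES_SCC_WITHOUT_SECCOMP: dict[str, Any] = {}


def apply_scc_seccomp_default(pod: dict[str, Any], scc: dict[str, Any]) -> dict[str, Any]:
    """Assumption about OpenShift SCC defaulting: when the pod sets no seccomp
    profile and the SCC lists seccompProfiles, the first entry is applied at pod
    level ('runtime/default' -> RuntimeDefault, 'localhost/<p>' -> Localhost)."""
    pod = copy.deepcopy(pod)
    pod_sc = pod.setdefault("spec", {}).setdefault("securityContext", {})
    profiles = scc.get("seccompProfiles") or []
    if "seccompProfile" not in pod_sc and profiles:
        first = profiles[0]
        if first == "runtime/default":
            pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
        elif first.startswith("localhost/"):
            pod_sc["seccompProfile"] = {"type": "Localhost",
                                        "localhostProfile": first.split("/", 1)[1]}
    return pod


def restricted_violations(pod: dict[str, Any]) -> list[str]:
    """Return messages in the style of the PodSecurity admission plugin for the
    rules modelled here; an empty list means no violation was found."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems: list[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        # allowPrivilegeEscalation must be explicitly false on every container.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'allowPrivilegeEscalation != false (container "{name}" '
                            'must set securityContext.allowPrivilegeEscalation=false)')
        # Every container must drop ALL capabilities.
        caps = sc.get("capabilities") or {}
        if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
            problems.append(f'unrestricted capabilities (container "{name}" '
                            'must set securityContext.capabilities.drop=["ALL"])')
        # runAsNonRoot may be set at pod level; a container value overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f'runAsNonRoot != true (pod or container "{name}" '
                            'must set securityContext.runAsNonRoot=true)')
        # Seccomp profile may be set at pod level; a container value overrides it.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            problems.append(f'seccompProfile (pod or container "{name}" must set '
                            'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return problems


def el_pod(restricted_context: bool) -> dict[str, Any]:
    """Constructed EventListener pod; the securityContext applied when
    el-security-context is true is an assumption about the operator's fields."""
    container: dict[str, Any] = {"name": "event-listener",
                                 "image": "example.invalid/eventlistener:latest"}
    pod: dict[str, Any] = {"spec": {"containers": [container]}}
    if restricted_context:
        pod["spec"]["securityContext"] = {"runAsNonRoot": True}
        container["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True,
        }
    return pod


def simulate(restricted_context: bool, scc: dict[str, Any]) -> list[str]:
    """Run one cell of the PR's scenario-1 matrix (namespace enforce=restricted)."""
    return restricted_violations(apply_scc_seccomp_default(el_pod(restricted_context), scc))


if __name__ == "__main__":
    for ctx in (True, False):
        for label, scc in (("with seccompProfiles", PIPELINES_SCC_WITH_SECCOMP),
                           ("without seccompProfiles", PIPELINES_SCC_WITHOUT_SECCOMP)):
            v = simulate(ctx, scc)
            print(f"el-security-context={str(ctx).lower():5} {label}: "
                  f"{'admitted' if not v else 'forbidden: ' + '; '.join(v)}")
```

Only the combination with `seccompProfiles: runtime/default` on the SCC and `el-security-context: true` comes out clean, which is the same outcome the scenario-1 matrix above reports; the `false` rows reproduce the capabilities and `runAsNonRoot` messages quoted in the PR.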