ansible/helm: add ssc to not allow root previleges #4655

camilamacedo86 · 2021-03-13T15:21:24Z

Signed-off-by: Camila Macedo cmacedo@redhat.com

Description of the change:

(ansible/v1)(helm/v1) Add SecurityContext to now allow root privileges and align project languages with Golang.

Motivation for the change:

Reduce the complexities for we address Extract config/base plugin valid for any language/type from Golang kubernetes-sigs/kubebuilder#2015
Keep Ansible/Helm/Go aligned (Align Helm/Ansible plugins with the changes made for Golang ( go/v3 )) Align Helm/Ansible plugins with the changes made for Golang ( go/v3 ) #4542
Closes: Apply SCC for Ansible/Helm #4656

Checklist

If the pull request includes user-facing changes, extra documentation is required:

Add a new changelog fragment in changelog/fragments (see changelog/fragments/00-template.yaml)
Add or update relevant sections of the docs website in website/content/en/docs

estroz · 2021-03-15T20:33:50Z

changelog/fragments/ansible-helm-ssc.yaml

+# release notes and/or the migration guide
+entries:
+  - description: >
+      (ansible/v1)(helm/v1) Add SecurityContext to now allow root privileges.


Suggested change

(ansible/v1)(helm/v1) Add SecurityContext to now allow root privileges.

(ansible/v1, helm/v1) Added `securityContext`'s to the manager's Deployment to disallow running as root user.

estroz · 2021-03-15T20:34:34Z

changelog/fragments/ansible-helm-ssc.yaml

+    # Migration can be defined to automatically add a section to
+    # the migration guide. This is required for breaking changes.
+    migration:
+      header: (ansible/v1)(helm/v1) **(Optional)** Add SecurityContext to now allow root privileges.


All v1.y migrations are optional.

Suggested change

header: (ansible/v1)(helm/v1) **(Optional)** Add SecurityContext to now allow root privileges.

header: (ansible/v1, helm/v1) Add `securityContext`'s to your manager's Deployment.

estroz · 2021-03-15T20:35:00Z

changelog/fragments/ansible-helm-ssc.yaml

+    migration:
+      header: (ansible/v1)(helm/v1) **(Optional)** Add SecurityContext to now allow root privileges.
+      body: >
+        In the `config/manager` add the following security context:


Suggested change

In the `config/manager` add the following security context:

In `config/manager/manager.yaml`, add the following security contexts:

estroz · 2021-03-15T20:36:56Z

changelog/fragments/ansible-helm-ssc.yaml

+      body: >
+        In the `config/manager` add the following security context:
+        ```yaml
+        spec:


Can you indent these from the root field, ex

spec: ... template: ... spec: securityContext: runAsNonRoot: true containers: - name: manager securityContext: allowPrivilegeEscalation: false

Signed-off-by: Camila Macedo <cmacedo@redhat.com>

estroz

/lgtm

This is related to upgrade operator-sdk to v1.6.0: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.6.0/ operator-framework/operator-sdk#4655 Signed-off-by: Wayne Sun <gsun@redhat.com>

openshift-ci-robot requested review from jmccormick2001 and marc-obrien March 13, 2021 15:21

camilamacedo86 temporarily deployed to deploy March 13, 2021 15:21 Inactive

camilamacedo86 force-pushed the add-ssc-ansible-helm branch from 03faf5a to 16b0302 Compare March 13, 2021 17:46

camilamacedo86 temporarily deployed to deploy March 13, 2021 17:47 Inactive

camilamacedo86 mentioned this pull request Mar 13, 2021

Align Helm/Ansible plugins with the changes made for Golang ( go/v3 ) #4542

Closed

camilamacedo86 changed the title ~~ansible/helm: add ssc to not allow root previleges~~ WIP: ansible/helm: add ssc to not allow root previleges Mar 13, 2021

openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 13, 2021

camilamacedo86 force-pushed the add-ssc-ansible-helm branch from 16b0302 to 7daef58 Compare March 15, 2021 11:35

camilamacedo86 temporarily deployed to deploy March 15, 2021 11:35 Inactive

camilamacedo86 force-pushed the add-ssc-ansible-helm branch from 7daef58 to 59bf269 Compare March 15, 2021 11:37

camilamacedo86 temporarily deployed to deploy March 15, 2021 11:37 Inactive

camilamacedo86 temporarily deployed to deploy March 15, 2021 11:38 Inactive

camilamacedo86 force-pushed the add-ssc-ansible-helm branch from 59bf269 to 418d6f8 Compare March 15, 2021 15:11

camilamacedo86 temporarily deployed to deploy March 15, 2021 15:12 Inactive

camilamacedo86 changed the title ~~WIP: ansible/helm: add ssc to not allow root previleges~~ ansible/helm: add ssc to not allow root previleges Mar 15, 2021

openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 15, 2021

camilamacedo86 requested review from asmacdo, estroz and jmrodri March 15, 2021 19:59

estroz suggested changes Mar 15, 2021

View reviewed changes

ansible/helm: add ssc to not allow root previleges

5bec9e1

Signed-off-by: Camila Macedo <cmacedo@redhat.com>

camilamacedo86 force-pushed the add-ssc-ansible-helm branch from 418d6f8 to 5bec9e1 Compare March 15, 2021 22:59

camilamacedo86 temporarily deployed to deploy March 15, 2021 22:59 Inactive

estroz approved these changes Mar 15, 2021

View reviewed changes

openshift-ci-robot assigned estroz Mar 15, 2021

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 15, 2021

camilamacedo86 merged commit 4506415 into operator-framework:master Mar 16, 2021

camilamacedo86 deleted the add-ssc-ansible-helm branch March 16, 2021 01:21

camilamacedo86 mentioned this pull request Mar 22, 2021

Ansible operator-sdk v1.5.0 with updated kube-rbac-proxy:v0.8.0 fails to run with permission denied #4684

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ansible/helm: add ssc to not allow root previleges #4655

ansible/helm: add ssc to not allow root previleges #4655

camilamacedo86 commented Mar 13, 2021 •

edited

estroz Mar 15, 2021

estroz Mar 15, 2021

estroz Mar 15, 2021

estroz Mar 15, 2021

estroz left a comment

	(ansible/v1)(helm/v1) Add SecurityContext to now allow root privileges.
	(ansible/v1, helm/v1) Added `securityContext`'s to the manager's Deployment to disallow running as root user.

	header: (ansible/v1)(helm/v1) (Optional) Add SecurityContext to now allow root privileges.
	header: (ansible/v1, helm/v1) Add `securityContext`'s to your manager's Deployment.

	In the `config/manager` add the following security context:
	In `config/manager/manager.yaml`, add the following security contexts:

ansible/helm: add ssc to not allow root previleges #4655

ansible/helm: add ssc to not allow root previleges #4655

Conversation

camilamacedo86 commented Mar 13, 2021 • edited

estroz Mar 15, 2021

Choose a reason for hiding this comment

estroz Mar 15, 2021

Choose a reason for hiding this comment

estroz Mar 15, 2021

Choose a reason for hiding this comment

estroz Mar 15, 2021

Choose a reason for hiding this comment

estroz left a comment

Choose a reason for hiding this comment

camilamacedo86 commented Mar 13, 2021 •

edited