From 2e7905af009a4b891185472514030e62b0cdd6a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Wed, 24 Nov 2021 11:22:47 +0100
Subject: [PATCH] core: fix openshift security context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The MKNOD capability was missing and due to recent addition some pod now only require this cap as well as privileged. The cap must be explicitly exposed so it can be requested by a pod.

Closes: https://github.com/rook/rook/issues/9234
Signed-off-by: Sébastien Han
(cherry picked from commit b38f430c261598f9bd87e865c4576e2053e8396b)

# Conflicts:
# cluster/examples/kubernetes/ceph/operator-openshift.yaml
# pkg/apis/ceph.rook.io/v1/scc.go
---
 .../kubernetes/ceph/operator-openshift.yaml | 4 +
 pkg/apis/ceph.rook.io/v1/scc.go | 76 +++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 pkg/apis/ceph.rook.io/v1/scc.go
diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
index 9704dbea08e32..0fcfdeef335bb 100644
--- a/cluster/examples/kubernetes/ceph/operator-openshift.yaml
+++ b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -14,9 +14,13 @@ allowPrivilegedContainer: true
 allowHostNetwork: true
 allowHostDirVolumePlugin: true
 priority:
+<<<<<<< HEAD
 allowedCapabilities: []
 allowHostPorts: true
 allowHostPID: true # remove this once we drop support for Nautilus
+=======
+allowedCapabilities: ["MKNOD"]
+>>>>>>> b38f430c2 (core: fix openshift security context)
 allowHostIPC: true
 readOnlyRootFilesystem: false
 requiredDropCapabilities: []
diff --git a/pkg/apis/ceph.rook.io/v1/scc.go b/pkg/apis/ceph.rook.io/v1/scc.go
new file mode 100644
index 0000000000000..e99f7e4f3a548
--- /dev/null
+++ b/pkg/apis/ceph.rook.io/v1/scc.go
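Review bot: The added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> b38f430c2 (core: fix openshift security context)` are unresolved cherry-pick conflict markers committed into operator-openshift.yaml, so the example SCC manifest is no longer valid YAML and `allowedCapabilities` appears twice. The conflict should be resolved to keep the HEAD-only keys and take the new capability list, so the block reads `allowedCapabilities: ["MKNOD"]`, `allowHostPorts: true`, `allowHostPID: true # remove this once we drop support for Nautilus` with no markers. Note also that scc.go in the same patch sets `AllowHostNetwork: false` and `AllowHostPorts: false` and has no host-PID field, while this example allows all three; if both are meant to describe the same SCC that divergence is worth reconciling, though the example may intentionally be wider on this branch.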
@@ -0,0 +1,76 @@
+/*
+Copyright 2021 The Rook Authors. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ "fmt"
+
+ secv1 "github.com/openshift/api/security/v1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// NewSecurityContextConstraints returns a new SecurityContextConstraints for Rook-Ceph to run on
+// OpenShift.
+func NewSecurityContextConstraints(name, namespace string) *secv1.SecurityContextConstraints {
+ return &secv1.SecurityContextConstraints{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "security.openshift.io/v1",
+ Kind: "SecurityContextConstraints",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: namespace,
+ },
+ AllowPrivilegedContainer: true,
+ AllowHostDirVolumePlugin: true,
+ ReadOnlyRootFilesystem: false,
+ AllowHostIPC: true,
+ AllowHostNetwork: false,
+ AllowHostPorts: false,
+ AllowedCapabilities: []corev1.Capability{"MKNOD"},
+ RequiredDropCapabilities: []corev1.Capability{},
+ DefaultAddCapabilities: []corev1.Capability{},
+ RunAsUser: secv1.RunAsUserStrategyOptions{
+ Type: secv1.RunAsUserStrategyRunAsAny,
+ },
+ SELinuxContext: secv1.SELinuxContextStrategyOptions{
+ Type: secv1.SELinuxStrategyMustRunAs,
+ },
+ FSGroup: secv1.FSGroupStrategyOptions{
+ Type: secv1.FSGroupStrategyMustRunAs,
+ },
+ SupplementalGroups: secv1.SupplementalGroupsStrategyOptions{
+ Type: secv1.SupplementalGroupsStrategyRunAsAny,
+ },
+ Volumes: []secv1.FSType{
+ secv1.FSTypeConfigMap,
+ secv1.FSTypeDownwardAPI,
+ secv1.FSTypeEmptyDir,
+ secv1.FSTypeHostPath,
+ secv1.FSTypePersistentVolumeClaim,
+ secv1.FSProjected,
+ secv1.FSTypeSecret,
+ },
+ Users: []string{
+ fmt.Sprintf("system:serviceaccount:%s:rook-ceph-system", namespace),
+ fmt.Sprintf("system:serviceaccount:%s:default", namespace),
+ fmt.Sprintf("system:serviceaccount:%s:rook-ceph-mgr", namespace),
+ fmt.Sprintf("system:serviceaccount:%s:rook-ceph-osd", namespace),
+ },
+ }
+}
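Review bot: The line `AllowedCapabilities: []corev1.Capability{"MKNOD"},` carries the security-relevant decision of this commit, but nothing in scc.go says why MKNOD is listed; the rationale lives only in the commit message. A why-comment above it along the lines of `// MKNOD is listed explicitly because some pods request only this capability instead of running privileged; a pod can add a capability only if the SCC names it here.` would keep that with the code. The doc comment on NewSecurityContextConstraints could also state that, with no Groups set, the SCC applies only to the four service accounts built in `Users` (rook-ceph-system, default, rook-ceph-mgr and rook-ceph-osd in the given namespace), since a pod under any other service account will not match it. SecurityContextConstraints is a cluster-scoped resource, so `Namespace: namespace` in ObjectMeta presumably has no effect beyond the Users entries — worth confirming or dropping.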