From b38f430c261598f9bd87e865c4576e2053e8396b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Wed, 24 Nov 2021 11:22:47 +0100
Subject: [PATCH] core: fix openshift security context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The MKNOD capability was missing and due to recent addition some pod now only require this cap as well as privileged. The cap must be explicitly exposed so it can be requested by a pod.
Closes: https://github.com/rook/rook/issues/9234
Signed-off-by: Sébastien Han
---
 cluster/examples/kubernetes/ceph/operator-openshift.yaml | 2 +-
 pkg/apis/ceph.rook.io/v1/scc.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
index bb67dac7d171..6ac93d0f81d2 100644
--- a/cluster/examples/kubernetes/ceph/operator-openshift.yaml
+++ b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -18,7 +18,7 @@ allowHostNetwork: false # set to true if running rook with the provider as host
 allowHostPorts: false
 priority:
-allowedCapabilities: []
+allowedCapabilities: ["MKNOD"]
 allowHostIPC: true
 readOnlyRootFilesystem: false
 requiredDropCapabilities: []
diff --git a/pkg/apis/ceph.rook.io/v1/scc.go b/pkg/apis/ceph.rook.io/v1/scc.go
index 954e36c80afc..e99f7e4f3a54 100644
--- a/pkg/apis/ceph.rook.io/v1/scc.go
+++ b/pkg/apis/ceph.rook.io/v1/scc.go
@@ -42,6 +42,7 @@ func NewSecurityContextConstraints(name, namespace string) *secv1.SecurityContex
 AllowHostIPC: true,
 AllowHostNetwork: false,
 AllowHostPorts: false,
+AllowedCapabilities: []corev1.Capability{"MKNOD"},
 RequiredDropCapabilities: []corev1.Capability{},
 DefaultAddCapabilities: []corev1.Capability{},
 RunAsUser: secv1.RunAsUserStrategyOptions{
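Review bot: The new `allowedCapabilities: ["MKNOD"]` line carries no explanation of why the capability is now needed, unlike the `allowHostNetwork` line shown in the hunk header; a trailing `# MKNOD must be listed so pods that need it can request it; see rook/rook#9234` keeps the reasoning from the commit message next to the setting. Placing it under allowedCapabilities rather than defaultAddCapabilities is the least-privilege choice, because only pods that explicitly request the capability receive it, and that distinction is worth stating in the comment so a later edit does not move it. The same missing rationale applies to the `AllowedCapabilities: []corev1.Capability{"MKNOD"}` line added in pkg/apis/ceph.rook.io/v1/scc.go, where the example manifest and the Go constructor are now two copies of the same list that have to be kept in step; NewSecurityContextConstraints starts and ends outside that hunk.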