osd: add privileged support (back) to blkdevmapper securityContext (work-around)

The blockdevmapper securityContext was changed to request a minimal set of
required capabilities for its operation and drop running as privileged.
While the base change works and is valid in terms of the container's copy operation,
it turns out that OpenShift may require some additional configuration not
currently covered by the limited securityContext and the capabilities granted.

To not break those OpenShift deployments, make the blkdevmapper securityContext
listen to the ROOK_HOSTPATH_REQUIRES_PRIVILEGED flag again to set privileged mode.
This flag is true on OpenShift deployments and running as privileged
works around the (missing) configuration problem for now.
To properly drop privileged completely some additional investigation needs
to be done on OpenShift deployments without relying on privileged execution.

Signed-off-by: Omar Pakker <Omar007@users.noreply.github.com>
Omar007 committed Nov 17, 2021
1 parent 2d03a8e commit 8f90558
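The commit message turns on a work-around in which the blkdevmapper container runs privileged whenever ROOK_HOSTPATH_REQUIRES_PRIVILEGED is "true", instead of the capability-scoped context it was given before. The audit below is an added example written for this page, not Rook's own code: it reads a Pod manifest in the JSON shape `kubectl get pod -o json` produces (only the fields it needs are modelled, so no k8s.io/api module is required), reports every init or regular container that sets `privileged: true`, and points out where an explicit `capabilities.add` list is redundant because privileged already grants all capabilities. The pod name, the second init container and the manifest itself are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// podManifest models only the parts of a Pod object this audit looks at.
// Field names follow the Kubernetes JSON schema so real kubectl output parses.
type podManifest struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
	} `json:"spec"`
}

type container struct {
	Name            string `json:"name"`
	SecurityContext *struct {
		Privileged   *bool `json:"privileged"`
		Capabilities *struct {
			Add []string `json:"add"`
		} `json:"capabilities"`
	} `json:"securityContext"`
}

// Finding describes one container whose securityContext sets privileged: true.
type Finding struct {
	Pod       string
	Container string
	AddedCaps []string // capabilities added explicitly; redundant under privileged
}

// AuditPrivileged parses a Pod manifest and returns one Finding per
// privileged container, init containers included. Containers without a
// securityContext, or with privileged unset or false, are skipped.
func AuditPrivileged(manifest []byte) ([]Finding, error) {
	var pod podManifest
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, fmt.Errorf("parse pod manifest: %w", err)
	}
	all := append(append([]container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	var findings []Finding
	for _, c := range all {
		sc := c.SecurityContext
		if sc == nil || sc.Privileged == nil || !*sc.Privileged {
			continue
		}
		f := Finding{Pod: pod.Metadata.Name, Container: c.Name}
		if sc.Capabilities != nil {
			f.AddedCaps = sc.Capabilities.Add
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// Describe renders a finding as a one-line audit message.
func (f Finding) Describe() string {
	if len(f.AddedCaps) > 0 {
		return fmt.Sprintf("%s/%s runs privileged; capabilities.add %v is redundant because privileged grants all capabilities",
			f.Pod, f.Container, f.AddedCaps)
	}
	return fmt.Sprintf("%s/%s runs privileged", f.Pod, f.Container)
}

// SampleManifest is a constructed Pod (not captured from a real cluster).
// The blkdevmapper init container mirrors the work-around state from this
// commit: privileged plus an explicit MKNOD grant. The other entries show
// the two non-privileged shapes the audit must ignore.
const SampleManifest = `{
  "metadata": {"name": "example-osd-pod"},
  "spec": {
    "initContainers": [
      {"name": "blkdevmapper",
       "securityContext": {"privileged": true, "capabilities": {"add": ["MKNOD"]}}},
      {"name": "example-init",
       "securityContext": {"privileged": false, "capabilities": {"add": ["MKNOD"]}}}
    ],
    "containers": [
      {"name": "osd"}
    ]
  }
}`

func main() {
	findings, err := AuditPrivileged([]byte(SampleManifest))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f.Describe())
	}
}
```

Run against a live cluster by piping `kubectl get pod <name> -o json` into AuditPrivileged; on a non-OpenShift Rook deployment with the flag unset, the blkdevmapper container should produce no finding, which is the quick way to confirm the capability-scoped path is in effect.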
Showing 2 changed files with 8 additions and 4 deletions.
3 changes: 3 additions & 0 deletions pkg/operator/ceph/cluster/osd/spec.go
Expand Up @@ -777,12 +777,15 @@ func (c *Cluster) getActivateOSDInitContainer(configDir, namespace, osdID string
// To be able to perform this action, the CAP_MKNOD capability is required.
// Provide a securityContext which requests the MKNOD capability for the container to function properly.
func getBlockDevMapperContext() *v1.SecurityContext {
privileged := controller.HostPathRequiresPrivileged()

return &v1.SecurityContext{
Capabilities: &v1.Capabilities{
Add: []v1.Capability{
"MKNOD",
},
},
Privileged: &privileged,
}
}

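Review bot: the doc comment at the top of the hunk ("Provide a securityContext which requests the MKNOD capability") no longer describes the function fully, since getBlockDevMapperContext now also sets Privileged from controller.HostPathRequiresPrivileged(); when that returns true the container runs fully privileged and the `Add: []v1.Capability{"MKNOD"}` entry is redundant, because privileged already grants every capability. Suggest extending the comment to state that privileged is enabled when ROOK_HOSTPATH_REQUIRES_PRIVILEGED is "true" as an OpenShift work-around, and adding a TODO so the follow-up investigation the commit message promises (dropping privileged on OpenShift) is tracked next to the code.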
9 changes: 5 additions & 4 deletions pkg/operator/ceph/controller/spec.go
Expand Up @@ -604,12 +604,13 @@ func (c *daemonConfig) buildAdminSocketCommand() string {
return command
}

func HostPathRequiresPrivileged() bool {
return os.Getenv("ROOK_HOSTPATH_REQUIRES_PRIVILEGED") == "true"
}

// PodSecurityContext detects if the pod needs privileges to run
func PodSecurityContext() *v1.SecurityContext {
privileged := false
if os.Getenv("ROOK_HOSTPATH_REQUIRES_PRIVILEGED") == "true" {
privileged = true
}
privileged := HostPathRequiresPrivileged()

return &v1.SecurityContext{
Privileged: &privileged,
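Review bot: HostPathRequiresPrivileged is a new exported function with no doc comment; Go convention is a comment that starts with the name, e.g. `// HostPathRequiresPrivileged reports whether ROOK_HOSTPATH_REQUIRES_PRIVILEGED is set to "true".` It is worth saying in that comment that the match is the exact string "true" (unchanged from the check it replaces in PodSecurityContext), so "1" or "True" leave privileged off. The PodSecurityContext change itself is a behaviour-preserving simplification.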