Check and improve k0smotron HCPs on OpenShift #1041

@makhov

Description

As a follow-up to #1026, we need to review the following and improve k0smotron accordingly.

For reference, please find below all the tweaks I had to do to finally make things work in an OpenShift context. It may help you to address the OpenShift integration in the future.

- ~~Missing RBAC for finalizers~~ (fixed in https://github.com/k0sproject/k0smotron/pull/1035)
- On etcd statefulset
  - Add a dedicated service account
  - custom SCC resource that allows `fsGroup: 1001`
  - manually patch the statefulset to use the service account instead of `default`.
- On controller statefulset
  - Add a dedicated service account
  - custom SCC resource that allows the following
    - `DAC_READ_SEARCH`, `NET_ADMIN`, `NET_RAW` and `SYS_MODULE` capabilities
    - `allowPrivilegeEscalation` to true
  - manually patch the statefulset to use the service account instead of `default`.

Some configuration like the service account and `securityContext` could be exposed through the `K0smotronControlPlane.spec` field to set these settings for etcd and the controller. The `default` service account in an OpenShift context is assigned the `restricted-v2` SCC, which prevents etcd from starting (using `default` is also not recommended in general). The k0s controller needs to run as root because of its entrypoint (due to commands like `iptables-save`), and control plane components need specific capabilities which are dropped by default in OpenShift.
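
The workaround described above, written out as an added example (this is not k0smotron's code and not the reporter's manifests): a small POSIX shell script that emits the two dedicated ServiceAccounts, the two custom SCCs (etcd: `restricted-v2`-like but allowing `fsGroup: 1001`; controller: `allowPrivilegeEscalation: true` plus the four listed capabilities), binds each SCC to its ServiceAccount through the SCC `users` list, and patches the StatefulSets off the `default` ServiceAccount. The SCC and ServiceAccount names (`k0smotron-etcd`, `k0smotron-controller`), the `runAsUser`, `seLinuxContext` and `volumes` settings, and the namespace and StatefulSet names passed as arguments are all assumptions; the post only states the fsGroup, the capabilities and the privilege-escalation requirement. A manual patch may be reverted whenever the operator reconciles the StatefulSet, which is why exposing these settings via `K0smotronControlPlane.spec` is the durable fix.

```shell
#!/bin/sh
# Added example (not k0smotron's code): create dedicated ServiceAccounts and
# custom SCCs for an HCP on OpenShift, then patch the StatefulSets to use them.
# Usage: sh openshift-hcp.sh <namespace> <etcd-statefulset> <controller-statefulset>
set -eu

# ServiceAccount manifest: $1 = namespace, $2 = name.
sa_yaml() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
EOF
}

# etcd SCC: keeps restricted-v2's posture (no host access, no privilege
# escalation, all capabilities dropped) but permits fsGroup 1001 and is granted
# to the etcd ServiceAccount via `users`. runAsUser/volumes are assumptions.
etcd_scc_yaml() {
  cat <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: k0smotron-etcd
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
requiredDropCapabilities: [ALL]
runAsUser: {type: RunAsAny}          # assumption: the etcd image picks its own UID
seLinuxContext: {type: MustRunAs}
supplementalGroups: {type: RunAsAny}
fsGroup:
  type: MustRunAs
  ranges: [{min: 1001, max: 1001}]   # only the fsGroup the post needed, nothing wider
volumes: [configMap, emptyDir, persistentVolumeClaim, projected, secret]
users:
- system:serviceaccount:$1:$2
EOF
}

# Controller SCC: the k0s controller entrypoint runs as root and needs the four
# capabilities named in the post plus allowPrivilegeEscalation. Nothing else is
# opened up (no privileged containers, no host namespaces).
controller_scc_yaml() {
  cat <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: k0smotron-controller
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowedCapabilities: [DAC_READ_SEARCH, NET_ADMIN, NET_RAW, SYS_MODULE]
runAsUser: {type: RunAsAny}          # root is required by the entrypoint (iptables-save)
seLinuxContext: {type: MustRunAs}
supplementalGroups: {type: RunAsAny}
fsGroup: {type: RunAsAny}
volumes: [configMap, emptyDir, persistentVolumeClaim, projected, secret]
users:
- system:serviceaccount:$1:$2
EOF
}

# Strategic-merge patch that moves a StatefulSet's pod template off `default`.
sts_patch_json() {
  printf '{"spec":{"template":{"spec":{"serviceAccountName":"%s"}}}}' "$1"
}

main() {
  ns=$1; etcd_sts=$2; ctrl_sts=$3
  { sa_yaml "$ns" k0smotron-etcd;       echo ---
    sa_yaml "$ns" k0smotron-controller; echo ---
    etcd_scc_yaml "$ns" k0smotron-etcd; echo ---
    controller_scc_yaml "$ns" k0smotron-controller; } | oc apply -f -
  oc -n "$ns" patch statefulset "$etcd_sts" -p "$(sts_patch_json k0smotron-etcd)"
  oc -n "$ns" patch statefulset "$ctrl_sts" -p "$(sts_patch_json k0smotron-controller)"
  # Check which SCC admission actually assigned to the restarted pods.
  oc -n "$ns" get pods -o 'custom-columns=NAME:.metadata.name,SCC:.metadata.annotations.openshift\.io/scc'
}

if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

The final `oc get pods` line is the check worth keeping: the `openshift.io/scc` annotation shows which SCC admission chose, so a pod still showing `restricted-v2` means the ServiceAccount patch did not take (for example because the operator reconciled the StatefulSet back to `default`).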

Labels: keep (exempts issues and pull requests from the stale workflow)