Commit 8405947

DavidHurta authored and openshift-cherrypick-robot committed
pkg/cvo/updatepayload.go: Set openshift.io/required-scc: privileged for version pods
Utilize the `openshift.io/required-scc` annotation [1] to pin the required SCC to `version` pods. This will ensure that any existing custom SCCs in the cluster will not have an effect on the `version` pods.

The `privileged` default SCC [2] was chosen as the pod accesses and modifies host `/etc/` files. To do that, a pod must run as root and must also pass SELinux permission checks. This is currently achieved by the pod running as a privileged root. For such permission, the `privileged` default SCC is required. Using the `hostmount-anyuid` default SCC is not sufficient for the existing code as the pod is not able to pass the SELinux permissions checks. Additional SELinux, host file system, and/or code changes would be needed.

In the future, we may implement such changes or try to use a local persistent volume [3] as running the version pod as privileged root is undesirable for the pod's goal of copying files into another pod. Some of the other alternatives are modifications to the current architecture of two separate pods or using a different type of volume.

[1] https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#security-context-constraints-requiring_configuring-internal-oauth
[2] https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth
[3] https://kubernetes.io/docs/concepts/storage/volumes/#local
1 parent bc60dbd commit 8405947

1 file changed

+5
-0
lines changed


pkg/cvo/updatepayload.go

Lines changed: 5 additions & 0 deletions
@@ -225,6 +225,11 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
225225
Spec: batchv1.JobSpec{
226226
ActiveDeadlineSeconds: deadline,
227227
Template: corev1.PodTemplateSpec{
228+
ObjectMeta: metav1.ObjectMeta{
229+
Annotations: map[string]string{
230+
"openshift.io/required-scc": "privileged",
231+
},
232+
},
228233
Spec: corev1.PodSpec{
229234
InitContainers: []corev1.Container{
230235
setContainerDefaults(corev1.Container{
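Review bot: the `openshift.io/required-scc: privileged` annotation is added without any in-code explanation, and the rationale in the commit message (the pod writes host `/etc/` files and must pass SELinux checks, which `hostmount-anyuid` does not satisfy) will be lost to future readers of `fetchUpdatePayloadToDir`. Please carry that reasoning into a comment directly above the `Annotations` map, e.g. `// Pin the pod to the privileged SCC: it modifies host /etc/ files, which requires root plus SELinux access that hostmount-anyuid cannot grant; see commit 8405947 for alternatives considered.`, so the pinning is not "relaxed" later by someone who assumes a narrower SCC would do. Since pinning by name makes admission depend on the pod being allowed to use that exact SCC, it is also worth confirming in review that the job's service account is permitted to use `privileged`, which this hunk does not show.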
