
Commit 601336c

committed
Merge branch 'fix-openshift-dopv-initcontainer' into 'main'
Fix SCC violation of InitDomainOnPVRunAsRoot=true for openshift See merge request weblogic-cloud/weblogic-kubernetes-operator!5023
2 parents a63f4d4 + 63f3aaf commit 601336c


1 file changed

+10
-4
lines changed


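--- a/operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java
+++ b/operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java
@@ -108,6 +108,7 @@ public class JobStepContext extends BasePodStepContext {
 private V1Job jobModel;
 private Step conflict;
 private Packet packet;
+private static String OPENSHIFT = "OpenShift";
 
 JobStepContext(Packet packet) {
 super((DomainPresenceInfo) packet.get(ProcessingConstants.DOMAIN_PRESENCE_INFO));
@@ -533,7 +534,12 @@ private void addInitDomainOnPVInitContainer(List<V1Container> initContainers) {
 @Override
 V1SecurityContext getInitContainerSecurityContext() {
 if (isInitDomainOnPVRunAsRoot()) {
-return new V1SecurityContext().runAsGroup(0L).runAsUser(0L);
+if (OPENSHIFT.equalsIgnoreCase(super.getKubernetesPlatform())) {
+// Cannot set runAsUser(0L) because it will violate SCC.
+return new V1SecurityContext().runAsGroup(0L);
+} else {
+return new V1SecurityContext().runAsGroup(0L).runAsUser(0L);
+}
 }
 if (getServerSpec().getContainerSecurityContext() != null) {
 return getServerSpec().getContainerSecurityContext();
@@ -571,7 +577,7 @@ private String getDomainHomeOnPVHomeOwnership() {
 .map(V1PodSecurityContext::getRunAsGroup)
 .orElse(-1L);
 
-if ("OpenShift".equals(getKubernetesPlatform())) {
+if (OPENSHIFT.equals(getKubernetesPlatform())) {
 uid = (uid == -1L) ? 1000L : uid;
 gid = (gid == -1L) ? 0L : gid;
 } else {
@@ -682,14 +688,14 @@ protected V1PodSpec createPodSpec() {
 podSpec.securityContext(podSecurityContext.fsGroup(podSecurityContext.getRunAsGroup()));
 } else if (podSecurityContext.getFsGroup() == null) {
 Optional.ofNullable(TuningParameters.getInstance()).ifPresent(instance -> {
-if (!"OpenShift".equalsIgnoreCase(instance.getKubernetesPlatform()) && !isInitDomainOnPVRunAsRoot()) {
+if (!OPENSHIFT.equalsIgnoreCase(instance.getKubernetesPlatform()) && !isInitDomainOnPVRunAsRoot()) {
 podSpec.securityContext(podSecurityContext.fsGroup(0L));
 }
 });
 }
 if (podSpec.getSecurityContext().getFsGroupChangePolicy() == null) {
 Optional.ofNullable(TuningParameters.getInstance()).ifPresent(instance -> {
-if (!"OpenShift".equalsIgnoreCase(instance.getKubernetesPlatform()) && !isInitDomainOnPVRunAsRoot()) {
+if (!OPENSHIFT.equalsIgnoreCase(instance.getKubernetesPlatform()) && !isInitDomainOnPVRunAsRoot()) {
 podSpec.getSecurityContext().fsGroupChangePolicy("OnRootMismatch");
 }
 });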
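Review bot: The platform check in `getDomainHomeOnPVHomeOwnership` still uses the case-sensitive `OPENSHIFT.equals(getKubernetesPlatform())`, while the new branch in `getInitContainerSecurityContext` and both checks in `createPodSpec` use `equalsIgnoreCase`. If the configured platform value differs only in letter case, the init container would omit `runAsUser(0L)` for the SCC, but the ownership defaults would take the non-OpenShift branch, so the two security decisions can disagree; `if (OPENSHIFT.equalsIgnoreCase(getKubernetesPlatform())) {` would align them. The new constant should also be declared `private static final String OPENSHIFT = "OpenShift";` so that the value these security-context decisions compare against cannot be reassigned. All three methods start or end outside the visible hunks, so whether the platform value is normalised elsewhere cannot be confirmed from this page.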
