
Commit fd5024c

authored
Revert "[dev+stage] Add SCC for nested containerization (#6127)" (#6308)
This reverts commit e39a666. We decided not to go down this route due to concerns about weakening cluster security by letting pods run under the container_runtime_t SELinux type. Signed-off-by: Adam Cmiel <[email protected]>
1 parent 061e7fc commit fd5024c


6 files changed

+0
-181
lines changed


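--- a/components/konflux-rbac/staging/base/kustomization.yaml
+++ b/components/konflux-rbac/staging/base/kustomization.yaml
@@ -8,8 +8,3 @@ resources:
 - konflux-viewer-user-actions.yaml
 - konflux-builder-bot-actions.yaml
 - konflux-releaser-bot-actions.yaml
-patches:
-- path: patch-appstudio-pipelines-runner.yaml
-  target:
-    kind: ClusterRole
-    name: appstudio-pipelines-runner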

components/konflux-rbac/staging/base/patch-appstudio-pipelines-runner.yaml

Lines changed: 0 additions & 8 deletions
This file was deleted.

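--- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml
+++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml
@@ -2332,45 +2332,3 @@ volumes:
 - persistentVolumeClaim
 - projected
 - secret
----
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities:
-- SETFCAP
-apiVersion: security.openshift.io/v1
-defaultAddCapabilities: null
-fsGroup:
-  type: MustRunAs
-groups:
-- system:cluster-admins
-kind: SecurityContextConstraints
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "0"
-  name: appstudio-pipelines-nested-containerization-scc
-priority: 10
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
-- MKNOD
-runAsUser:
-  type: RunAsAny
-seLinuxContext:
-  type: MustRunAs
-  seLinuxOptions:
-    type: container_runtime_t
-supplementalGroups:
-  type: RunAsAny
-users: []
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- persistentVolumeClaim
-- projected
-- secret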

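--- a/components/pipeline-service/staging/base/main-pipeline-service-configuration.yaml
+++ b/components/pipeline-service/staging/base/main-pipeline-service-configuration.yaml
@@ -2161,45 +2161,3 @@ volumes:
 - persistentVolumeClaim
 - projected
 - secret
----
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities:
-- SETFCAP
-apiVersion: security.openshift.io/v1
-defaultAddCapabilities: null
-fsGroup:
-  type: MustRunAs
-groups:
-- system:cluster-admins
-kind: SecurityContextConstraints
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "0"
-  name: appstudio-pipelines-nested-containerization-scc
-priority: 10
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
-- MKNOD
-runAsUser:
-  type: RunAsAny
-seLinuxContext:
-  type: MustRunAs
-  seLinuxOptions:
-    type: container_runtime_t
-supplementalGroups:
-  type: RunAsAny
-users: []
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- persistentVolumeClaim
-- projected
-- secret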

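--- a/components/pipeline-service/staging/stone-stage-p01/deploy.yaml
+++ b/components/pipeline-service/staging/stone-stage-p01/deploy.yaml
@@ -2715,48 +2715,6 @@ fsGroup:
 groups:
 - system:cluster-admins
 kind: SecurityContextConstraints
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "0"
-  name: appstudio-pipelines-nested-containerization-scc
-priority: 10
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
-- MKNOD
-runAsUser:
-  type: RunAsAny
-seLinuxContext:
-  seLinuxOptions:
-    type: container_runtime_t
-  type: MustRunAs
-supplementalGroups:
-  type: RunAsAny
-users: []
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- persistentVolumeClaim
-- projected
-- secret
----
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities:
-- SETFCAP
-apiVersion: security.openshift.io/v1
-defaultAddCapabilities: null
-fsGroup:
-  type: MustRunAs
-groups:
-- system:cluster-admins
-kind: SecurityContextConstraints
 metadata:
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true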

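--- a/components/pipeline-service/staging/stone-stg-rh01/deploy.yaml
+++ b/components/pipeline-service/staging/stone-stg-rh01/deploy.yaml
@@ -2727,48 +2727,6 @@ fsGroup:
 groups:
 - system:cluster-admins
 kind: SecurityContextConstraints
-metadata:
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "0"
-  name: appstudio-pipelines-nested-containerization-scc
-priority: 10
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
-- MKNOD
-runAsUser:
-  type: RunAsAny
-seLinuxContext:
-  seLinuxOptions:
-    type: container_runtime_t
-  type: MustRunAs
-supplementalGroups:
-  type: RunAsAny
-users: []
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- persistentVolumeClaim
-- projected
-- secret
----
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities:
-- SETFCAP
-apiVersion: security.openshift.io/v1
-defaultAddCapabilities: null
-fsGroup:
-  type: MustRunAs
-groups:
-- system:cluster-admins
-kind: SecurityContextConstraints
 metadata:
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true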
