Create custom SCC with privilege escalation

The OpenShift pipelines 1.9 no longer allow running containers with
privilege escalation. Since a subset of pipeline tasks requires the
privilege escalation we need to use a custom SCC that is build on top of
pipeline SCC and add the escalation.

This commit adds the custom SCC, links it with the pipeline service
account and refactors ansible to be compatible with the new setup.

JIRA: ISV-3280

Author: Allda

README.md

@@ -72,6 +72,16 @@ tkn pipeline start operator-ci-pipeline \
   --showlog
 ```
 
+A subset of tasks in the pipeline requires privilege escalation which is no longer
+supported with OpenShift Pipelines 1.9. Thus a new `SCC` needs to be created and linked
+with `pipeline` service account. Creating [SCC](https://docs.openshift.com/container-platform/4.11/authentication/managing-security-context-constraints.html#security-context-constraints-creating_configuring-internal-oauth)
+requires user with cluster-admin privileges.
+```bash
+# Create a new SCC
+oc apply -f ansible/roles/operator-pipeline/templates/openshift/openshift-pipelines-custom-scc.yml
+# Add SCC to a pipeline service account
+oc adm policy add-scc-to-user pipelines-custom-scc -z pipeline
+```
 
 
 To enable opening the PR and uploading the pipeline logs (visible to the certification project

ansible/init.sh

@@ -25,19 +25,17 @@ get_environments() {
 
 # execute playbook for given environment
 execute_playbook() {
-    local secret=$(dirname "$0")/vaults/$env/secret-vars.yml
+    local secret=$(dirname "$0")/vaults/$env/ocp-token.yml
     if [ ! -f $secret ]; then
         touch $secret
         echo "File $secret was not found, empty one was created"
     fi
 
-    ansible-playbook -i inventory/operator-pipeline playbooks/deploy.yml \
+    ansible-playbook -i inventory/operator-pipeline-$1 playbooks/operator-pipeline-env-setup.yml \
         --vault-password-file=$2 \
         -e "env=$1" \
         -e "ocp_host=`oc whoami --show-server`" \
-        -e "ocp_token=`oc whoami -t`" \
-        --tags init \
-        -vvvv
+        -e "ocp_token=`oc whoami -t`"
 }
 
 # update token for given environment
@@ -49,7 +47,7 @@ update_token() {
         | awk '$2=="kubernetes.io/service-account-token" && $1~/^operator-pipeline-admin-token/ {print $3; exit}' \
         | base64 -d)
 
-    local secret=$(dirname "$0")/vaults/$env/secret-vars.yml
+    local secret=$(dirname "$0")/vaults/$env/ocp-token.yml
 
     echo "ocp_token: $token" > $secret
     ansible-vault encrypt $secret --vault-password-file $2 > /dev/null

ansible/inventory/group_vars/operator-pipeline.yml

@@ -3,6 +3,7 @@
 ansible_connection: local
 env: unset
 oc_namespace: "operator-pipeline-{{ env }}"
+service_account_name: operator-pipeline-admin
 branch: "{{ env }}"
 preflight_min_version: 0.0.0
 preflight_trigger_environment: preprod

ansible/playbooks/operator-pipeline-env-setup.yml

@@ -0,0 +1,9 @@
+---
+- name: Setup operator-pipeline namespace
+  hosts: "operator-pipeline-{{ env }}"
+
+  tasks:
+    - name: Configure namespace + service account
+      include_role:
+        name: operator-pipeline
+        tasks_from: operator-pipeline-service-account

ansible/roles/operator-pipeline/tasks/main.yml

@@ -15,77 +15,21 @@
 - name: Deploy namespace resources
   when: namespace_state == 'present'
   block:
-    - include_tasks: tasks/pipeline-secrets.yml
 
-    # We can't use the k8s module here because it always tries to GET the resource
-    # prior to creation or patching. The ImageStreamImport API only supports POST.
-    - name: Import certified-operator-index imagestream
-      tags:
-        - import-index-images
-      no_log: yes
-      uri:
-        url: "{{ ocp_host }}/apis/image.openshift.io/v1/namespaces/{{ oc_namespace }}/imagestreamimports"
-        method: POST
-        # The 'or' condition is needed to support Ansible versions < 2.13
-        validate_certs: "{{ lookup('env', 'K8S_AUTH_VERIFY_SSL', default='yes') or 'yes' }}"
-        status_code: 201
-        body_format: json
-        headers:
-          Authorization: "Bearer {{ ocp_token }}"
-        body:
-          apiVersion: image.openshift.io/v1
-          kind: ImageStreamImport
-          metadata:
-            name: certified-operator-index
-            labels:
-              app: operator-pipeline
-              suffix: "{{ suffix }}"
-              env: "{{ env }}"
-          spec:
-            import: true
-            repository:
-              from:
-                kind: DockerImage
-                name: "{{ certified_operator_index }}"
-              importPolicy:
-                insecure: "{{ insecure_index_import | default(false) }}"
-                scheduled: true
-              referencePolicy:
-                type: Local
+    - include_tasks: tasks/pipeline-secrets.yml
+    - include_tasks: tasks/operator-pipeline-import-index-images.yml
 
-    - name: Import redhat-marketplace-index imagestream
+    - name: Add custom pipeline SCC and link it with pipeline SA
       tags:
-        - import-index-images
-      no_log: true
-      ansible.builtin.uri:
-        url: "{{ ocp_host }}/apis/image.openshift.io/v1/namespaces/{{ oc_namespace }}/imagestreamimports"
-        method: POST
-        # The 'or' condition is needed to support Ansible versions < 2.13
-        validate_certs: "{{ lookup('env', 'K8S_AUTH_VERIFY_SSL', default='yes') or 'yes' }}"
-        status_code: 201
-        body_format: json
-        headers:
-          Authorization: "Bearer {{ ocp_token }}"
-        body:
-          apiVersion: image.openshift.io/v1
-          kind: ImageStreamImport
-          metadata:
-            name: redhat-marketplace-index
-            labels:
-              app: operator-pipeline
-              suffix: "{{ suffix }}"
-              env: "{{ env }}"
-          spec:
-            import: true
-            repository:
-              from:
-                kind: DockerImage
-                name: "{{ redhat_marketplace_index }}"
-              importPolicy:
-                insecure: "{{ insecure_index_import | default(false) }}"
-                scheduled: true
-              referencePolicy:
-                type: Local
+        - pipeline-scc
+      k8s:
+        state: present
+        apply: true
+        definition: "{{ lookup('template', '{{ item }}') }}"
+      with_items:
+        - ../templates/openshift/openshift-pipelines-custom-scc.yml
+        - ../templates/openshift/openshift-pipeline-sa-scc-role.yml
+        - ../templates/openshift/openshift-pipeline-sa-scc-role-bindings.yml
 
     - name: Deploy pipeline tasks
       tags:

ansible/roles/operator-pipeline/tasks/operator-pipeline-import-index-images.yml

@@ -0,0 +1,70 @@
+---
+# We can't use the k8s module here because it always tries to GET the resource
+# prior to creation or patching. The ImageStreamImport API only supports POST.
+- name: Import certified-operator-index imagestream
+  tags:
+    - import-index-images
+  no_log: yes
+  uri:
+    url: "{{ ocp_host }}/apis/image.openshift.io/v1/namespaces/{{ oc_namespace }}/imagestreamimports"
+    method: POST
+    # The 'or' condition is needed to support Ansible versions < 2.13
+    validate_certs: "{{ lookup('env', 'K8S_AUTH_VERIFY_SSL', default='yes') or 'yes' }}"
+    status_code: 201
+    body_format: json
+    headers:
+      Authorization: "Bearer {{ ocp_token }}"
+    body:
+      apiVersion: image.openshift.io/v1
+      kind: ImageStreamImport
+      metadata:
+        name: certified-operator-index
+        labels:
+          app: operator-pipeline
+          suffix: "{{ suffix }}"
+          env: "{{ env }}"
+      spec:
+        import: true
+        repository:
+          from:
+            kind: DockerImage
+            name: "{{ certified_operator_index }}"
+          importPolicy:
+            insecure: "{{ insecure_index_import | default(false) }}"
+            scheduled: true
+          referencePolicy:
+            type: Local
+
+- name: Import redhat-marketplace-index imagestream
+  tags:
+    - import-index-images
+  no_log: true
+  ansible.builtin.uri:
+    url: "{{ ocp_host }}/apis/image.openshift.io/v1/namespaces/{{ oc_namespace }}/imagestreamimports"
+    method: POST
+    # The 'or' condition is needed to support Ansible versions < 2.13
+    validate_certs: "{{ lookup('env', 'K8S_AUTH_VERIFY_SSL', default='yes') or 'yes' }}"
+    status_code: 201
+    body_format: json
+    headers:
+      Authorization: "Bearer {{ ocp_token }}"
+    body:
+      apiVersion: image.openshift.io/v1
+      kind: ImageStreamImport
+      metadata:
+        name: redhat-marketplace-index
+        labels:
+          app: operator-pipeline
+          suffix: "{{ suffix }}"
+          env: "{{ env }}"
+      spec:
+        import: true
+        repository:
+          from:
+            kind: DockerImage
+            name: "{{ redhat_marketplace_index }}"
+          importPolicy:
+            insecure: "{{ insecure_index_import | default(false) }}"
+            scheduled: true
+          referencePolicy:
+            type: Local

ansible/roles/operator-pipeline/tasks/operator-pipeline-service-account.yml

@@ -0,0 +1,47 @@
+---
+- name: Configure Namespace
+  tags:
+    - namespace
+    - init
+  k8s:
+    state: "present"
+    definition:
+      kind: Namespace
+      apiVersion: v1
+      metadata:
+        name: "{{ oc_namespace }}"
+
+- name: Create service account
+  tags:
+    - service-account
+    - init
+  k8s:
+    state: present
+    namespace: "{{ oc_namespace }}"
+    definition:
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: "{{ service_account_name }}"
+
+- name: Grant SA "{{ service_account_name }}" role
+  tags:
+    - service-account
+    - init
+  k8s:
+    state: present
+    namespace: "{{ oc_namespace }}"
+    definition:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: "{{ service_account_name }}-{{ item }}"
+      roleRef:
+        kind: ClusterRole
+        name: "{{ item }}"
+      subjects:
+        - kind: ServiceAccount
+          name: "{{ service_account_name }}"
+          namespace: "{{ oc_namespace }}"
+  with_items:
+    - cluster-admin

ansible/roles/operator-pipeline/templates/openshift/openshift-pipeline-sa-scc-role-bindings.yml

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "system:openshift:scc:pipelines-custom-scc"
+subjects:
+  - kind: ServiceAccount
+    name: pipeline
+    namespace: "{{ oc_namespace }}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "system:openshift:scc:pipelines-custom-scc"

ansible/roles/operator-pipeline/templates/openshift/openshift-pipeline-sa-scc-role.yml

@@ -0,0 +1,13 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: 'system:openshift:scc:pipelines-custom-scc'
+rules:
+  - verbs:
+      - use
+    apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - pipelines-custom-scc

ansible/roles/operator-pipeline/templates/openshift/openshift-pipelines-custom-scc.yml

@@ -0,0 +1,42 @@
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    kubernetes.io/description: pipelines-custom-scc is a close replica of pipeline scc with privilege escalation.
+    release.openshift.io/create-only: "true"
+  name: pipelines-custom-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+  - SETFCAP
+defaultAddCapabilities: null
+fsGroup:
+  type: MustRunAs
+groups:
+  - system:cluster-admins
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - MKNOD
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret