Add SCC to the Service Account in OCP #51

Open
LCaparelli opened this issue May 7, 2020 · 2 comments · Fixed by #81 · May be fixed by #179
Labels: enhancement 👑 New feature or request

@LCaparelli
Member

Having the operator's Service Account use a restrictive SCC would improve the operator's security.

I have an initial implementation of this that is failing to build due to some dependency issues. The libraries we're using seem to be somewhat incompatible as they are now, let's keep a close watch to continue this as soon as possible.

At the moment the cluster admin must add an SCC to the Service Account in order to be able to start pods correctly in OCP 3.x (#41); if this were implemented, that would no longer be necessary.

@LCaparelli LCaparelli self-assigned this May 7, 2020
@LCaparelli LCaparelli added the enhancement 👑 New feature or request label May 7, 2020
@LCaparelli LCaparelli added this to the v0.3.0 milestone May 7, 2020
@ricardozanini ricardozanini added this to To do in Nexus Operator Development via automation May 7, 2020
@LCaparelli
Member Author

Upon further investigation it was discovered that the SCC couldn't be created due to being a cluster-scoped resource. As such, it couldn't have a namespaced resource as owner. Until a more suitable alternative is found the user will need to apply a valid SCC to the service account being used by the operator when using the community Nexus image.

When using the Red Hat certified image this is no longer necessary after #81 as it sets the container user/group to one in the range defined by the openshift.io/sa.scc.supplemental-groups and openshift.io/sa.scc.uid-range namespace annotations, satisfying the constraints imposed by the restricted SCC and successfully starting the pods.
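The comment above describes why the certified image passes the restricted SCC: the namespace carries openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups annotations, and the restricted SCC's MustRunAsRange strategy admits a container only if its UID/GIDs fall inside those ranges (assigning the first ID of the range when the pod sets none). The following Go program is an added example written for this page, not code from the Nexus Operator or from Red Hat; it assumes the annotation formats documented by OpenShift ("<start>/<length>" for both annotations, plus "<start>-<end>" and comma-separated lists for supplemental groups), and the UID 200 used for the "community image" case is a hypothetical fixed UID, not a value taken from any real image.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// IDRange is one contiguous, inclusive range of UIDs or GIDs that a
// namespace allows under the restricted SCC.
type IDRange struct{ Min, Max int64 }

// Contains reports whether id lies inside the range.
func (r IDRange) Contains(id int64) bool { return id >= r.Min && id <= r.Max }

// ParseRangeAnnotation parses the value of the openshift.io/sa.scc.uid-range
// or openshift.io/sa.scc.supplemental-groups namespace annotation. Both use
// "<start>/<length>"; supplemental-groups may also use "<start>-<end>" and a
// comma-separated list of ranges (formats assumed from OpenShift docs).
func ParseRangeAnnotation(v string) ([]IDRange, error) {
	var out []IDRange
	for _, part := range strings.Split(v, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		var r IDRange
		switch {
		case strings.Contains(part, "/"):
			f := strings.SplitN(part, "/", 2)
			start, err1 := strconv.ParseInt(f[0], 10, 64)
			length, err2 := strconv.ParseInt(f[1], 10, 64)
			if err1 != nil || err2 != nil || start < 0 || length < 1 {
				return nil, fmt.Errorf("bad <start>/<length> range %q", part)
			}
			r = IDRange{Min: start, Max: start + length - 1}
		case strings.Contains(part, "-"):
			f := strings.SplitN(part, "-", 2)
			lo, err1 := strconv.ParseInt(f[0], 10, 64)
			hi, err2 := strconv.ParseInt(f[1], 10, 64)
			if err1 != nil || err2 != nil || lo < 0 || hi < lo {
				return nil, fmt.Errorf("bad <start>-<end> range %q", part)
			}
			r = IDRange{Min: lo, Max: hi}
		default:
			return nil, fmt.Errorf("unrecognised range %q", part)
		}
		out = append(out, r)
	}
	if len(out) == 0 {
		return nil, errors.New("empty range annotation")
	}
	return out, nil
}

// ResolveID reproduces the MustRunAsRange decision of the restricted SCC for
// one ID: a container that requests no explicit ID is assigned the first ID
// of the first range; an explicit request is admitted only if it falls inside
// one of the ranges, otherwise the pod is rejected at admission.
func ResolveID(ranges []IDRange, requested *int64) (int64, error) {
	if len(ranges) == 0 {
		return 0, errors.New("no ranges to allocate from")
	}
	if requested == nil {
		return ranges[0].Min, nil
	}
	for _, r := range ranges {
		if r.Contains(*requested) {
			return *requested, nil
		}
	}
	return 0, fmt.Errorf("requested ID %d is outside the namespace ranges %v", *requested, ranges)
}

func main() {
	// Constructed annotation values of the kind a project receives at creation.
	uidRange, _ := ParseRangeAnnotation("1000620000/10000")
	groups, _ := ParseRangeAnnotation("1000620000/10000,5000-5100")

	// Hypothetical community image that bakes in a fixed, low UID: rejected.
	fixedUID := int64(200)
	if _, err := ResolveID(uidRange, &fixedUID); err != nil {
		fmt.Println("fixed UID:", err)
	}

	// Image that leaves runAsUser unset: gets the first UID of the range.
	uid, _ := ResolveID(uidRange, nil)
	fmt.Println("assigned runAsUser:", uid)

	// fsGroup request inside the second supplemental range: admitted.
	gid := int64(5042)
	g, err := ResolveID(groups, &gid)
	fmt.Println("fsGroup:", g, err)
}
```

To compare against a live cluster, the real annotation values can be read with oc get namespace <ns> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}' and fed to ParseRangeAnnotation; an image whose Dockerfile hard-codes a UID outside that range is exactly the case that needs a looser SCC granted to the service account.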

@LCaparelli
Member Author

Re-opening as we'll be able to create the SCC after #161

@LCaparelli LCaparelli reopened this Sep 28, 2020
@LCaparelli LCaparelli linked a pull request Oct 18, 2020 that will close this issue
@ricardozanini ricardozanini modified the milestones: v0.4.0, v0.5.0 Oct 27, 2020
@ricardozanini ricardozanini modified the milestones: v0.5.0, v0.6.0 Dec 9, 2020
@ricardozanini ricardozanini modified the milestones: v0.6.0, v0.7.0 Jun 2, 2021