WIP: Openshift 4.11 Pod security standards #260

Closed

Conversation

CathalOConnorRH (Contributor)

Created new SCC to match baseline pod security standards by setting allowPrivilegeEscalation: false and updating clusterrole to use new SCC. This is required from Openshift 4.11 onwards.

openshift-ci bot commented Sep 28, 2022

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: CathalOConnorRH
Once this PR has been reviewed and has the lgtm label, please assign fgiloux for approval by writing /assign @fgiloux in a comment. For more information see: The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bnallapeta (Contributor)

@CathalOConnorRH @Mo3m3n has already worked on implementing this in his PR #241 and there is a discussion going on there. Could you please check that and see if this PR is bringing other changes than what he submitted there?

@CathalOConnorRH (Contributor, Author)

> @CathalOConnorRH @Mo3m3n has already worked on implementing this in his PR #241 and there is a discussion going on there. Could you please check that and see if this PR is bringing other changes than what he submitted there?

I believe these are different: @Mo3m3n is implementing pod security on the ckcp deployment, this PR is implementing pod security on the pods created by the pipeline runs, which will be on the workload clusters.

@Mo3m3n (Contributor)

Mo3m3n commented Sep 28, 2022

@CathalOConnorRH Shouldn't this rather be handled by the Openshift pipelines operator?
There are multiple applications deployed in this project, some of them via operators (pipelines, gitops, etc.), others directly by our scripts (kcp pod, syncer pod, etc.).
My understanding is that it is the scope of the operator to make sure deployments run in the cluster.
One way to double check this is to try running the Openshift pipelines operator in 4.11 and see if we get any warnings about the restricted security policy.

@CathalOConnorRH (Contributor, Author)

@Mo3m3n There is an upstream story opened for this for v1.9 but no release date set yet. This will secure pipelines sooner and allow us to resolve any issues we may encounter.

@Roming22 Roming22 marked this pull request as draft September 29, 2022 12:52
@Roming22 Roming22 changed the title Openshift 4.11 Pod security standards WIP: Openshift 4.11 Pod security standards Sep 29, 2022
@Roming22 (Contributor)

Setting as draft, as my understanding is that this PR might not be merged.

@adambkaplan (Contributor) left a comment

@CathalOConnorRH the item that's missing here is the role binding.

Looking at what the Tekton operator does, it creates a RoleBinding in every namespace to go along with the pipelines service account. It seems that we would need to replicate this logic in the workspace controller.

Comment on lines +17 to +19
include.release.openshift.io/ibm-cloud-managed: 'true'
include.release.openshift.io/self-managed-high-availability: 'true'
include.release.openshift.io/single-node-developer: 'true'
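Review bot: the three include.release.openshift.io/* annotations on lines 17-19 are profile-inclusion markers read by the cluster-version operator when it decides which manifests from a release payload apply to a given cluster topology; on an SCC applied by this project's own tooling they are inert and only make the object look like a platform-owned manifest. Drop them; if the intent was to document which topologies the SCC is meant for, say so in the kubernetes.io/description annotation instead.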
Contributor

We don't need these - these are special annotations used by OLM for OpenShift (I believe)

include.release.openshift.io/single-node-developer: 'true'
kubernetes.io/description: >-
pipelines-scc-v2 is a close replica of pipelines-scc scc. pipelines-scc-v2 has allowPrivilegeEscalation=false.
release.openshift.io/create-only: 'true'
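Review bot: release.openshift.io/create-only: 'true' tells the cluster-version operator to create the object once and never reconcile later changes to it; under ArgoCD sync it does nothing, and a create-only semantic would be the wrong one for an SCC anyway, since future tightening of its fields has to reach the workload clusters. Remove it. The kubernetes.io/description also calls pipelines-scc-v2 a "close replica" of pipelines-scc while naming only the allowPrivilegeEscalation change; either list every field that differs or state that it is an exact copy apart from that field, so a reviewer can diff the two SCCs against the claim.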
Contributor

Likewise - I don't think we need this, since ArgoCD is going to be doing the syncing.

@@ -0,0 +1,14 @@
---
kind: ClusterRole
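Review bot: only the `kind: ClusterRole` line of this 14-line file is shown, so the rule itself cannot be checked here; for a service account to be admitted under the new SCC the role must grant `verbs: [use]` on `resources: [securitycontextconstraints]` in `apiGroups: [security.openshift.io]`, and it should pin `resourceNames: [pipelines-scc-v2]` so the same role cannot be used to reach any other SCC. A ClusterRole alone grants nothing to the pipeline service account; the per-namespace RoleBinding that the review comment above asks for is still required for the SCC to take effect.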
Contributor

I guess the key question is if this ClusterRole needs to be created on the workload cluster, or if it needs to be created in KCP.
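As an added example (not code from this PR or from the project), the three objects the review above describes, wired together: the SCC with allowPrivilegeEscalation=false, a ClusterRole granting `use` on exactly that SCC, and the per-namespace RoleBinding to the pipeline service account that the review says the Tekton operator creates and the workspace controller would have to replicate. Only the SCC name pipelines-scc-v2 and the allowPrivilegeEscalation=false setting come from the diff shown above; every other SCC field, and the names team-a, pipeline and pipelines-scc-v2-user, are assumptions. One caveat on the PR description: allowPrivilegeEscalation=false is a requirement of the restricted pod security standard, not of baseline, so an SCC built around it targets the restricted profile.

```yaml
# Added example, not code from the PR or the project. pipelines-scc-v2 and
# allowPrivilegeEscalation=false are taken from the diff's description annotation;
# all other field values, and the names team-a, pipeline and
# pipelines-scc-v2-user, are assumptions for illustration.
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: pipelines-scc-v2
  annotations:
    kubernetes.io/description: >-
      Copy of pipelines-scc with allowPrivilegeEscalation=false.
# The fields below are the ones the restricted pod security standard looks at;
# the values are assumed, not copied from any existing SCC.
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowedCapabilities: []
defaultAddCapabilities: []
requiredDropCapabilities:
- ALL
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAsRange        # UID is taken from the namespace's assigned range
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
- runtime/default
volumes:
- configMap
- emptyDir
- persistentVolumeClaim
- projected
- secret
priority: 10                  # assumed; see the note on SCC selection below
users: []
groups: []
---
# Grants the "use" verb on this one SCC only; resourceNames pins it so the role
# cannot be reused to reach a more permissive SCC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-scc-v2-user
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["pipelines-scc-v2"]
  verbs: ["use"]
---
# Per-namespace binding to the service account the PipelineRun pods run as.
# One of these is needed in every namespace where pipelines execute.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelines-scc-v2-user
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pipelines-scc-v2-user
subjects:
- kind: ServiceAccount
  name: pipeline
  namespace: team-a
```

SCC admission chooses among every SCC the service account is allowed to use, ordering them by priority (highest first) and then by restrictiveness (most restrictive first), and takes the first one that validates the pod. If the service account keeps a binding to the older pipelines-scc as well, pods can still be admitted under it, so the old binding has to be removed rather than just adding the new one. `oc adm policy who-can use securitycontextconstraints pipelines-scc-v2 -n team-a` lists which subjects can reach the new SCC, and the `openshift.io/scc` annotation on a running pipeline pod shows which SCC actually admitted it.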

@Roming22 (Contributor)

@CathalOConnorRH has this PR gone stale? If it is not needed anymore please close it. If it is still relevant please respond to the feedback and rebase the changes.

@openshift-merge-robot (Collaborator)

@CathalOConnorRH: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@bnallapeta (Contributor)

@CathalOConnorRH Could you check if this PR is relevant anymore with the changes to the repo? If not, please close it.

Roming22 pushed a commit that referenced this pull request Dec 19, 2022
Update PipelinesAsCode to 0.6.0
6 participants