Merge pull request #176 from booxter/restrict-northd

Run northd as scc:restricted-v2
openstack-k8s-operators · Dec 12, 2023 · 461bbc8 · 461bbc8
2 parents 057e303 + 2679af6
commit 461bbc8
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 15 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -222,15 +222,15 @@ rules:
   - security.openshift.io
   resourceNames:
   - anyuid
+  - privileged
   resources:
   - securitycontextconstraints
   verbs:
   - use
 - apiGroups:
   - security.openshift.io
   resourceNames:
-  - anyuid
-  - privileged
+  - restricted-v2
   resources:
   - securitycontextconstraints
   verbs:

diff --git a/controllers/ovnnorthd_controller.go b/controllers/ovnnorthd_controller.go
@@ -83,7 +83,7 @@ func (r *OVNNorthdReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
 // service account permissions that are needed to grant permission to the above
-// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
+// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=restricted-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
 
 // Reconcile - OVN Northd
@@ -237,7 +237,7 @@ func (r *OVNNorthdReconciler) reconcileNormal(ctx context.Context, instance *ovn
 	rbacRules := []rbacv1.PolicyRule{
 		{
 			APIGroups:     []string{"security.openshift.io"},
-			ResourceNames: []string{"anyuid"},
+			ResourceNames: []string{"restricted-v2"},
 			Resources:     []string{"securitycontextconstraints"},
 			Verbs:         []string{"use"},
 		},

diff --git a/pkg/ovnnorthd/const.go b/pkg/ovnnorthd/const.go
@@ -3,8 +3,4 @@ package ovnnorthd
 const (
 	// ServiceName -
 	ServiceName = "ovn-northd"
-
-	// openvswitch:openvswitch
-	OVSUid int64 = 997
-	OVSGid int64 = 995
 )
diff --git a/pkg/ovnnorthd/scc.go b/pkg/ovnnorthd/scc.go
@@ -5,12 +5,8 @@ import corev1 "k8s.io/api/core/v1"
 func getOVNNorthdSecurityContext() *corev1.SecurityContext {
 	falseVal := false
 	trueVal := true
-	runAsUser := int64(OVSUid)
-	runAsGroup := int64(OVSGid)
 
 	return &corev1.SecurityContext{
-		RunAsUser:                &runAsUser,
-		RunAsGroup:               &runAsGroup,
 		RunAsNonRoot:             &trueVal,
 		AllowPrivilegeEscalation: &falseVal,
 		Capabilities: &corev1.Capabilities{

diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -142,9 +142,7 @@ spec:
           timeoutSeconds: 5
         securityContext:
           allowPrivilegeEscalation: false
-          runAsGroup: 995
           runAsNonRoot: true
-          runAsUser: 997
         name: ovn-northd
         readinessProbe:
           exec:
@@ -176,7 +174,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   annotations:
-    openshift.io/scc: anyuid
+    openshift.io/scc: restricted-v2
   labels:
     service: ovn-northd
 ---