Merge pull request #180 from booxter/tigthen-ovsdb-to-restricted

Tighten ovn dbclusters to scc=restricted-v2
openstack-k8s-operators · Jan 10, 2024 · 69ebcbe · 69ebcbe
2 parents 3bd418c + 5ae497f
commit 69ebcbe
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 17 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -218,14 +218,6 @@ rules:
   - list
   - update
   - watch
-- apiGroups:
-  - security.openshift.io
-  resourceNames:
-  - anyuid
-  resources:
-  - securitycontextconstraints
-  verbs:
-  - use
 - apiGroups:
   - security.openshift.io
   resourceNames:

diff --git a/controllers/ovndbcluster_controller.go b/controllers/ovndbcluster_controller.go
@@ -91,7 +91,7 @@ func (r *OVNDBClusterReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
 // service account permissions that are needed to grant permission to the above
-// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
+// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=restricted-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
 
 // Reconcile - OVN DBCluster
@@ -254,7 +254,7 @@ func (r *OVNDBClusterReconciler) reconcileNormal(ctx context.Context, instance *
 	rbacRules := []rbacv1.PolicyRule{
 		{
 			APIGroups:     []string{"security.openshift.io"},
-			ResourceNames: []string{"anyuid"},
+			ResourceNames: []string{"restricted-v2"},
 			Resources:     []string{"securitycontextconstraints"},
 			Verbs:         []string{"use"},
 		},

diff --git a/pkg/ovndbcluster/statefulset.go b/pkg/ovndbcluster/statefulset.go
@@ -112,6 +112,11 @@ func StatefulSet(
 	envVars["CONFIG_HASH"] = env.SetValue(configHash)
 	// TODO: Make confs customizable
 	envVars["OVN_RUNDIR"] = env.SetValue("/tmp")
+	// we have to set LOGDIR even though we don't want to log to file. This is
+	// because ovsdb-server will still attempt to write a line into the file
+	// before seizing file logging, and the default log file location is not
+	// available for write
+	envVars["OVN_LOGDIR"] = env.SetValue("/tmp")
 
 	statefulset := &appsv1.StatefulSet{
 		ObjectMeta: metav1.ObjectMeta{

diff --git a/templates/ovndbcluster/bin/setup.sh b/templates/ovndbcluster/bin/setup.sh
@@ -28,7 +28,28 @@ if [[ "$(hostname)" != "{{ .SERVICE_NAME }}-0" ]]; then
     #ovsdb-tool join-cluster /etc/ovn/ovn${DB_TYPE}_db.db ${DB_NAME} tcp:$(hostname).{{ .SERVICE_NAME }}.${NAMESPACE}.svc.cluster.local:${RAFT_PORT} tcp:{{ .SERVICE_NAME }}-0.{{ .SERVICE_NAME }}.${NAMESPACE}.svc.cluster.local:${RAFT_PORT}
     OPTS="--db-${DB_TYPE}-cluster-remote-proto=tcp --db-${DB_TYPE}-cluster-remote-addr={{ .SERVICE_NAME }}-0.{{ .SERVICE_NAME }}.${NAMESPACE}.svc.cluster.local --db-${DB_TYPE}-cluster-remote-port=${RAFT_PORT}"
 fi
-/usr/local/bin/start-${DB_TYPE}-db-server --db-${DB_TYPE}-election-timer={{ .OVN_ELECTION_TIMER }} --db-${DB_TYPE}-cluster-local-proto=tcp \
---db-${DB_TYPE}-cluster-local-addr=$(hostname).{{ .SERVICE_NAME }}.${NAMESPACE}.svc.cluster.local --db-${DB_TYPE}-probe-interval-to-active={{ .OVN_PROBE_INTERVAL_TO_ACTIVE }} \
---db-${DB_TYPE}-cluster-local-port=${RAFT_PORT} --db-${DB_TYPE}-addr=0.0.0.0 --db-${DB_TYPE}-port=${DB_PORT} \
---ovn-${DB_TYPE}-log=-vfile:{{ .OVN_LOG_LEVEL }} ${OPTS}
+
+# call to ovn-ctl directly instead of start-${DB_TYPE}-db-server to pass
+# extra_args after --
+set /usr/share/ovn/scripts/ovn-ctl --no-monitor
+
+set "$@" --db-${DB_TYPE}-election-timer={{ .OVN_ELECTION_TIMER }}
+set "$@" --db-${DB_TYPE}-cluster-local-proto=tcp
+set "$@" --db-${DB_TYPE}-cluster-local-addr=$(hostname).{{ .SERVICE_NAME }}.${NAMESPACE}.svc.cluster.local
+set "$@" --db-${DB_TYPE}-cluster-local-port=${RAFT_PORT}
+set "$@" --db-${DB_TYPE}-probe-interval-to-active={{ .OVN_PROBE_INTERVAL_TO_ACTIVE }}
+set "$@" --db-${DB_TYPE}-addr=0.0.0.0
+set "$@" --db-${DB_TYPE}-port=${DB_PORT}
+
+# log to console
+set "$@" --ovn-${DB_TYPE}-log=-vconsole:{{ .OVN_LOG_LEVEL }}
+
+# if server attempts to log to file, ignore
+#
+# note: even with -vfile:off (see below), the server sometimes attempts to
+# create a log file -> this argument makes sure it doesn't polute OVN_LOGDIR
+# with a nearly empty log file
+set "$@" --ovn-${DB_TYPE}-logfile=/dev/null
+
+# don't log to file (we already log to console)
+$@ ${OPTS} run_${DB_TYPE}_ovsdb -- -vfile:off
diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -182,7 +182,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   annotations:
-    openshift.io/scc: anyuid
+    openshift.io/scc: restricted-v2
   labels:
     service: ovsdbserver-nb
   name: ovsdbserver-nb-0
@@ -191,7 +191,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   annotations:
-    openshift.io/scc: anyuid
+    openshift.io/scc: restricted-v2
   labels:
     service: ovsdbserver-sb
   name: ovsdbserver-sb-0

diff --git a/tests/kuttl/tests/ovn_scale/04-errors.yaml b/tests/kuttl/tests/ovn_scale/04-errors.yaml
@@ -2,6 +2,6 @@ apiVersion: v1
 kind: Pod
 metadata:
   annotations:
-    openshift.io/scc: anyuid
+    openshift.io/scc: restricted-v2
   labels:
     service: ovn