Update OpenShift security context constraints to support the operator service account #1325

Merged
merged 3 commits into from
Jun 27, 2024

jvoravong
Contributor

Description:

  • Bug Fix: Addressed an issue where the Operator was not always deployable to OpenShift environments due to the lack of a validating Security Context Constraint.
  • Updates:
    • Enhanced Security Context Constraints (SCC) for OpenShift to fix formatting issues and include support for the operator service account.
    • Changed the SCC fsGroup type from MustRunAs to RunAsAny to avoid issues with dynamic default fsGroup constraint value ranges, which could prevent the operator from deploying in OpenShift environments. Users can still override SCC settings using the securityContextConstraintsOverwrite value.
    • Refer to the OpenShift documentation for details: OpenShift SCC Strategies
      • FSGroup - MustRunAs - Requires at least one range to be specified if not using pre-allocated values. Uses the minimum value of the first range as the default. Validates against the first ID in the first range.

Testing:

  • Reproduced the bug and tested the fix with OpenShift 4.12.11 (Kubernetes v1.25.7) to ensure successful deployment of the Operator. Testing other OpenShift versions as well.
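
An added example, not part of this PR or the chart's own templates: a constructed SCC showing the fsGroup strategy change described above, next to a stricter MustRunAs variant that supplies an explicit range. Names in angle brackets and the range values are placeholders, and the strategies other than fsGroup are illustrative assumptions.

```yaml
# Constructed example. Names in <...> are placeholders, not values from the chart.
# Variant A: fsGroup RunAsAny, the strategy this PR switches to.
# The SCC also lists the operator service account so it can validate against it.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: <scc-name>
allowPrivilegedContainer: false      # illustrative, not taken from the chart
allowPrivilegeEscalation: false      # illustrative, not taken from the chart
runAsUser:
  type: MustRunAsNonRoot             # illustrative, not taken from the chart
seLinuxContext:
  type: MustRunAs                    # illustrative, not taken from the chart
supplementalGroups:
  type: RunAsAny                     # illustrative, not taken from the chart
fsGroup:
  type: RunAsAny                     # no default injected, no fsGroup validation
users:
  - system:serviceaccount:<namespace>:<agent-service-account>
  - system:serviceaccount:<namespace>:<operator-service-account>
---
# Variant B: stricter alternative that keeps fsGroup validation.
# MustRunAs needs at least one range when pre-allocated values are not used;
# the minimum of the first range becomes the default fsGroup.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: <scc-name>
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
fsGroup:
  type: MustRunAs
  ranges:
    - min: 1000                      # constructed value; default fsGroup is 1000
      max: 1000
users:
  - system:serviceaccount:<namespace>:<agent-service-account>
  - system:serviceaccount:<namespace>:<operator-service-account>
```

With RunAsAny the SCC no longer constrains fsGroup, so whatever the pod spec sets is admitted. Variant B keeps that check, but its range has to match the fsGroup the pods actually request.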

@jvoravong jvoravong requested review from a team as code owners June 18, 2024 21:42
@jvoravong jvoravong marked this pull request as draft June 18, 2024 22:38
@jvoravong
Contributor Author

The functional tests are failing with the current main branch, looking into fixing them.

@jvoravong jvoravong marked this pull request as ready for review June 25, 2024 21:15
@jinja2 jinja2 merged commit d750237 into main Jun 27, 2024
35 checks passed
@jinja2 jinja2 deleted the OTL-2841 branch June 27, 2024 17:54
@github-actions github-actions bot locked and limited conversation to collaborators Jun 27, 2024