fix(core): Permissions on operator and builder pods (S2I compatibility) #4487

Merged
merged 2 commits into from
Jul 3, 2023

Conversation

gansheer
Contributor

@gansheer gansheer commented Jun 14, 2023

Ref #4476

For compatibility with S2I publish strategy:

  • Change default Dockerfile user from 1001 to 1001:0 with 775 permissions to be able to write with group 0
  • Add builder pod security context compatible with OCP SecurityContextConstraint restricted-v2 (https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html)
  • Change Dockerfile S2I to user compatible with SecurityContextConstraint
  • Add permission to get a namespace to operator to ensure SecurityContextConstraint labels in namespace are accessible
  • Remove root FsGroup on operator as it is no longer needed

This has been tested on:

  • OCP (CRC) with default project on routine/pod strategy
  • OCP (CRC) with user created project on routine/pod strategy
  • spectrum on routine/pod strategy

Note: there is a different user on builder pod dockerfile (--chown) because the BuildConfig binary strategy replaces 775 permissions with 755, so we need to fall back to owner user.

Release Note

fix(core): Permissions on operator and builder pods (S2I compatibility)
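The two mechanisms the description leans on can be checked without a cluster. The block below is an added example written for this page, not code from the PR or the project: it models (1) why a directory owned by 1001:0 with mode 775 is writable by the arbitrary UID OpenShift assigns (because that UID still runs with GID 0), while the 755 left behind by the BuildConfig binary strategy is not, so only the owning user can write; and (2) a static check of a pod spec against the explicit values the restricted-v2 SCC rejects, driven by the per-namespace range annotations, which is what the operator needs the added "get namespaces" permission to read. The annotation names are the real OpenShift ones; the UID range, image names and pod specs are constructed for the example, and fields the SCC would simply default (omitted runAsUser, fsGroup, seccompProfile, capabilities.drop) are deliberately not flagged.

```python
"""Added example: permission model behind USER 1001:0 + 775, and a
restricted-v2 style admission check over a pod spec.

Namespace annotations and pod specs are constructed for this example."""
import stat
from typing import Dict, List, Tuple

# Constructed namespace annotations in the form OpenShift writes them
# ("start/size"). Reading these is why the operator needs "get" on namespaces.
NAMESPACE_ANNOTATIONS: Dict[str, str] = {
    "openshift.io/sa.scc.uid-range": "1000680000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000680000/10000",
}


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'start/size' (OpenShift form) or 'min-max' into an inclusive (lo, hi)."""
    if "/" in value:
        start, size = (int(x) for x in value.split("/", 1))
        return start, start + size - 1
    lo, hi = (int(x) for x in value.split("-", 1))
    return lo, hi


def can_write(mode: int, owner_uid: int, owner_gid: int, uid: int, gid: int) -> bool:
    """POSIX discretionary write check: owner class, then group, then other."""
    if uid == 0:
        return True
    if uid == owner_uid:  # owner class is decisive; group bits are not consulted
        return bool(mode & stat.S_IWUSR)
    if gid == owner_gid:  # an arbitrary UID in GID 0 lands here
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def restricted_v2_violations(pod_spec: dict, ns_annotations: Dict[str, str]) -> List[str]:
    """Return the explicit settings restricted-v2 would reject for this pod.

    Omitted fields are defaulted by SCC admission (runAsUser from the UID range,
    fsGroup from the supplemental-groups range, runtime/default seccomp, drop ALL),
    so only explicit bad values are reported.
    """
    uid_lo, uid_hi = parse_range(ns_annotations["openshift.io/sa.scc.uid-range"])
    gid_lo, gid_hi = parse_range(ns_annotations["openshift.io/sa.scc.supplemental-groups"])
    pod_sc = pod_spec.get("securityContext", {})
    problems: List[str] = []

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            problems.append(f"pod: {key}=true is not allowed")
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not gid_lo <= fs_group <= gid_hi:
        problems.append(f"pod: fsGroup {fs_group} outside {gid_lo}-{gid_hi}")
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")

    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{name}: privileged=true is not allowed")
        if sc.get("allowPrivilegeEscalation") is True:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added")
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user is not None and not uid_lo <= run_as_user <= uid_hi:
            problems.append(f"{name}: runAsUser {run_as_user} outside {uid_lo}-{uid_hi}")
        seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
        if seccomp not in (None, "RuntimeDefault"):
            problems.append(f"{name}: seccompProfile {seccomp} is not allowed")
    return problems


# Constructed builder pod in the shape the PR describes: non-root, no privilege
# escalation, all capabilities dropped, runtime-default seccomp, and no
# runAsUser so the SCC assigns one from the namespace range.
BUILDER_POD_OK: dict = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "builder",
        "image": "builder:latest",  # constructed image name
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

# Constructed counter-example: pinning fsGroup to root group 0 and running as
# UID 0 both fall outside the namespace ranges and are rejected by restricted-v2.
OPERATOR_POD_ROOT_FSGROUP: dict = {
    "securityContext": {"fsGroup": 0},
    "containers": [{"name": "operator", "image": "operator:latest",
                    "securityContext": {"runAsUser": 0}}],
}


if __name__ == "__main__":
    print(can_write(0o775, 1001, 0, 1000680000, 0))  # arbitrary UID, GID 0
    print(can_write(0o755, 1001, 0, 1000680000, 0))  # binary strategy's 755
    print(restricted_v2_violations(BUILDER_POD_OK, NAMESPACE_ANNOTATIONS))
    print(restricted_v2_violations(OPERATOR_POD_ROOT_FSGROUP, NAMESPACE_ANNOTATIONS))
```

Run it as a script to see both halves: the 775 directory is writable by the arbitrary UID and the 755 one is not, which is the reason for the `--chown` to the owning user in the builder Dockerfile; the constructed builder pod passes the checker with no findings while a pod pinning `fsGroup: 0` or `runAsUser: 0` is reported.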

@gansheer gansheer marked this pull request as draft June 19, 2023 08:58
* Change default Dockerfile user from 1001 to 1001:0
* Add builder pod security context compatible with OCP SecurityContextConstraint restricted-v2 (https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html)
* Change Dockerfile S2I to user compatible with SecurityContextConstraint
* Add permission to get a namespace to operator to ensure SecurityContextConstraint labels in namespace are accessible
* Remove root FsGroup on operator as it is no longer needed
@gansheer gansheer force-pushed the fix/4476_permissions_errors branch from 173a2eb to 02bfee4 Compare June 29, 2023 08:36
@gansheer gansheer marked this pull request as ready for review June 29, 2023 08:42
@gansheer
Contributor Author

@oscerd @christophd @claudio4j could one of you please launch the tests?

@gansheer gansheer requested review from squakez and oscerd June 29, 2023 08:45