Dashboard should inject controller.devfile.io/scc: container-build based on the CR property #21756

Closed
ibuziuk opened this issue Oct 11, 2022 · 3 comments · Fixed by eclipse-che/che-dashboard#655
Labels: area/dashboard, kind/task, severity/P1, sprint/current

Comments

@ibuziuk
Member

ibuziuk commented Oct 11, 2022

Is your task related to a problem? Please describe

As part of this issue, the dashboard should inject the container build attribute:

attributes:
  controller.devfile.io/scc: container-build

based on the CR property implemented as part of #21752

Describe the solution you'd like

The attribute is injected in every workspace if the admin enabled the dedicated property

Describe alternatives you've considered

No response

Additional context

No response

@l0rd
Contributor

l0rd commented Oct 13, 2022

I have opened #21768 to make the container build SCC configurable.

As a consequence Che dashboard should pick the SCC name from spec.devEnvironments.containerBuildConfiguration.openShiftSecurityContextConstraint (instead of using the hard-coded container-build SCC).
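
The injection logic discussed in the two comments above, sketched as an added example that is not che-dashboard's own code. The flag name `disableContainerBuildCapabilities`, the fail-closed default, the name validation and the stripping of a devfile-supplied value are assumptions of this sketch; only the attribute key and the CR path come from the thread.

```typescript
const SCC_ATTR = 'controller.devfile.io/scc';

interface CheClusterSpec {
  devEnvironments?: {
    // Assumed name of the admin switch; the thread only says "the CR property".
    disableContainerBuildCapabilities?: boolean;
    containerBuildConfiguration?: { openShiftSecurityContextConstraint?: string };
  };
}

interface DevWorkspaceLike {
  spec: { template: { attributes?: Record<string, unknown> } };
}

// Kubernetes object names are RFC 1123 subdomains (max 253 characters).
const K8S_NAME = /^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$/;

// Returns the admin-configured SCC name, or undefined when container build
// is not explicitly enabled or the configured name is missing or malformed.
function resolveScc(spec: CheClusterSpec): string | undefined {
  const dev = spec.devEnvironments;
  // Fail closed: an absent flag is treated as "disabled" in this sketch.
  if (!dev || dev.disableContainerBuildCapabilities !== false) return undefined;
  const name = dev.containerBuildConfiguration?.openShiftSecurityContextConstraint;
  return name !== undefined && K8S_NAME.test(name) ? name : undefined;
}

// Returns a copy of the workspace whose SCC attribute reflects only the CR.
function applyContainerBuildScc(
  ws: DevWorkspaceLike,
  spec: CheClusterSpec,
): DevWorkspaceLike {
  const attributes: Record<string, unknown> = {
    ...(ws.spec.template.attributes ?? {}),
  };
  // The SCC is a privilege grant, so a value carried in by the devfile is
  // dropped; only the name chosen by the admin may be set.
  delete attributes[SCC_ATTR];
  const scc = resolveScc(spec);
  if (scc !== undefined) attributes[SCC_ATTR] = scc;
  return { ...ws, spec: { ...ws.spec, template: { ...ws.spec.template, attributes } } };
}
```
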

@l0rd
Contributor

l0rd commented Oct 25, 2022

I don't think this issue is necessary anymore. Setting containerOverrides should be enough. I am saying that because I have figured out that a Pod with the following spec (without the annotation openshift.io/scc: container-build but with the capabilities and allowPrivilegeEscalation: true) is automatically annotated by the scheduler:

apiVersion: v1
kind: Pod
metadata:
  name: rootless
spec:
  containers:
    - name: podman
      image: quay.io/mloriedo/podman:rootless
      imagePullPolicy: Always
      resources:
        limits:
          cpu: 100m
          memory: 1G
      securityContext:
        capabilities:
          add:
           - SETGID
           - SETUID
          drop:
           - KILL
           - MKNOD
        allowPrivilegeEscalation: true

@AObuchow

AObuchow commented Oct 26, 2022

This issue should be re-opened as it is still required, see #21770 (comment)

Edit: Never mind, I just saw that a PR was merged for this issue and that the issue has already been resolved.

@ibuziuk ibuziuk mentioned this issue Nov 2, 2022