-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When the disableContainerBuildCapabilities parameter is set to true, RoleBindings for Service Accounts are not created #22945
Comments
Hello. |
Hi @tolusha, thank you sincerely for your response; your insights are immensely valuable to me. Regarding the
Could you please shed more light on this? Don't you think there's room for improvement here? |
Hello @dmitryrode If you need to use the custom SCC, then:
With regards to the
|
To be honest I don't like this snippet, for me it looks inconsistent [1] |
Hello @tolusha, thank you for sharing the details. I attempted to adjust the parameters, but integrating them with OpenShift appears somewhat convoluted. But I can confirm custom SCC works fine :) But only when Let me elaborate further details:
Does it genuinely make sense to proceed in this manner in case of using custom Security Contexts? I believe you are right and the snippet from the comment above looks inconsistent :) Otherwise it turns out that we are losing the ability to manage SCC and Container Security in such configurations. |
@tolusha, I mean the following: the former pathway appears functional: Custom OpenShiftSecurityContextConstraint → Workspace Creation → Automatic SA Generation → Automatic RBAC Establishment (RoleBinding with permissions to utilize your SCC) → Workspace Execution. However, the pathway involving container security context encounters issues: Custom OpenShiftSecurityContextConstraint → Custom ContainerSecurityContext → Workspace Creation → Automatic SA Generation → Absence of RBAC Setup → Workspace Failure due to SA inability to utilize the custom OpenShift SCC. |
Hello @dmitryrode I see. [1] https://github.com/eclipse-che/che-operator/blob/a4e19ead9d324dce09f5ca400a5cb7eff3abd253/pkg/deploy/dev-workspace-config/dev_workspace_config.go#L125 The workaround is to update the default container security context. config:
env:
- name: CHE_DEFAULT_SPEC_DEVENVIRONMENTS_CONTAINERSECURITYCONTEXT
value: '<JSON_STRING_REPRESENTING_CONTAINER_SECURITY_CONTEXT>' For instance: config:
env:
- name: CHE_DEFAULT_SPEC_DEVENVIRONMENTS_CONTAINERSECURITYCONTEXT
value: '{"allowPrivilegeEscalation": true,"capabilities": {"add": ["SETGID", "SETUID"]}}' |
@dmitryrode @tolusha IIRC, we don't allow modifying the containerSecurityContext when container builds are enabled, as a way to ensure the correct container-build SCC is selected to permit building containers in a workspace. If a workspace service account has multiple SCCs available, a suitable SCC that has the least amount of privileges is picked. See the original issue description. In other words, we intended to always have the container security context set to the following to ensure the provided container builds SCC would work:
I do think this restriction could be removed, however. If a user is confident in configuring their own SCC as well as the pod & container security contexts, we should assume that they are aware that they might risk breaking workspaces that rely on the container build SCC. While working on allowing users to configure their workspace pod and container security contexts, I actually vaguely remember trying to do a strategic merge in the case the admin modifies the |
Issues go stale after Mark the issue as fresh with If this issue is safe to close now please do so. Moderators: Add |
Summary
Hello everyone,
I've been exploring running workspaces with custom container SecurityContexts and OpenShift SCCs. Here's what I've observed: when the
disableContainerBuildCapabilities
parameter is set to false, I noticed that in the user namespace, the operator creates RoleBindings to enable the use of the provided SCC by ServiceAccount.However, when
disableContainerBuildCapabilities
is set to true, presumably due to the use of container SecurityContexts (which is why I need both SCC and SecurityContexts), I encountered a situation where the RoleBindings were not created.I attempted to delve into the code for any clues but didn't find anything useful.
Could someone please help me understand if this is the expected behavior, or if there are additional configurations I need to provide? Any insights would be greatly appreciated.
Relevant information
Eclipse Che Version: 7.84.0
Cluster version: 4.15.0-0.okd-2024-03-10-010116
Below is the YAML configuration for Eclipse Che:
When disableContainerBuildCapabilities is set to false, the RoleBindings are created correctly:
When disableContainerBuildCapabilities is set to true, the RoleBindings are not created:
The text was updated successfully, but these errors were encountered: