WIP try to move our pods to nonroot-v2 profile

* Kolla needs sudo, sudo needs uid 0. * Manually mapping uid 0 via annotation does not seem to work.
gibizer · Nov 28, 2023 · 0de4565 · 0de4565
1 parent 3331ffe
commit 0de4565
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -389,7 +389,7 @@ rules:
 - apiGroups:
   - security.openshift.io
   resourceNames:
-  - anyuid
+  - nonroot-v2
   resources:
   - securitycontextconstraints
   verbs:

diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go
@@ -73,7 +73,7 @@ type NovaReconciler struct {
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
 // service account permissions that are needed to grant permission to the above
-// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
+// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=nonroot-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 
@@ -167,7 +167,7 @@ func (r *NovaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resul
 	rbacRules := []rbacv1.PolicyRule{
 		{
 			APIGroups:     []string{"security.openshift.io"},
-			ResourceNames: []string{"anyuid"},
+			ResourceNames: []string{"nonroot-v2"},
 			Resources:     []string{"securitycontextconstraints"},
 			Verbs:         []string{"use"},
 		},

diff --git a/pkg/novaconductor/dbsync.go b/pkg/novaconductor/dbsync.go
@@ -59,6 +59,12 @@ func CellDBSyncJob(
 		},
 		Spec: batchv1.JobSpec{
 			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"io.openshift.builder":            "true",
+						"io.kubernetes.cri-o.userns-mode": "auto:size=65536;map-to-root=false",
+					},
+				},
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
 					ServiceAccountName: instance.Spec.ServiceAccount,
@@ -75,7 +81,12 @@ func CellDBSyncJob(
 							Args:  args,
 							Image: instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: ptr.To(nova.NovaUserID),
+								RunAsUser:    ptr.To(nova.NovaUserID),
+								RunAsGroup:   ptr.To(nova.NovaUserID),
+								RunAsNonRoot: ptr.To(true),
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
 							},
 							Env: env,
 							VolumeMounts: []corev1.VolumeMount{