SCC runAsUser missing for Openshift in helm chart

[abudavis]

Wave chart 4.4.1
Openshift 4.14

We are trying to install wave (in a namespace "wave") on Openshift but it seems the SCC is missing in the helm chart.
There is a workaround to get this to work which is to pass this in the helm command:
--set securityContext.runAsUser=1000769991

But this has implications for us as all installs are done by ArgoCD/GitOps and as such it will not be able to lookup the "openshift.io/sa.scc.uid-range: 1000940000/10000" from the "wave" namespace and pass it on to the helm ArgoCD app. Please offer a proper fix for this, so that we are able to install this using ArgoCD.

Helm:

NAME	NAMESPACE	REVISION	UPDATED                               	STATUS  	CHART     	APP VERSION
wave	wave     	1       	2024-12-09 14:35:49.96603192 +0100 CET	deployed	wave-4.4.1	v0.10.0  

Error in Deployment:

message: 'pods "wave-wave-5f66949dd9-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "pipelines-scc": Forbidden: not usable by user or serviceaccount, provider "splunk-otel-agent-splunk-otel-collector": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1000940000, 1000949999], provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1000940000, 1000949999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "wiz-integration-wiz-sensor-scc": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]'

[abudavis]

This is the solution, please add it to your helm chart or documentation :)

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:anyuid
  namespace: wave
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
  name: wave-wave
  namespace: wave

[toelke]

Hey! Thanks for the report.

Would ...:anyuid be the best practice here? Or would we need some value like openStack.UseUID that sets both RunAsUser and that RoleBinding for a specific UID?

[abudavis]

@toelke I do not know any other way to fix this, the basic principle is to prevent pods from running as root user.

[toelke]

I understand. What you said in your original message is a solution, I was asking if there was a better one.

I'd be happy to add the RoleBinding into the helm chart for the next release. If you wish, you could open a PR.

[abudavis]

I am told the anyuid SCC is a quick fix which is less secure bypassing the range defined on the namespace. I’ll come back after having tested a few alternatives. A different question - our security team wants us to run wave against a security audit tool to discover possible vulnerabilities (not saying there is any) before we are allowed to put this in production, do you happen to have any such reports or suggest a tool we could use? On 12 Dec 2024, at 12:48 PM, Philipp Riederer ***@***.***> wrote: I understand. What you said in your original message is a solution, I was asking if there was a better one. I'd be happy to add the RoleBinding into the helm chart for the next release. If you wish, you could open a PR. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you modified the open/close state.Message ID: ***@***.***>