SCC-pinning for openshift workloads

k8snetworkplumbingwg / sriov-network-operator

Operator for provisioning and configuring SR-IOV CNI plugin and device plugin

Apache License 2.0

84 stars 114 forks source link

SCC-pinning for openshift workloads #754

Closed kramaranya closed 3 months ago

kramaranya commented 3 months ago

This PR explicitly sets the required SCC to be used to admit pods. The SCC chosen is the one that the pods are already getting admitted with, which means that this brings no change to the SCC used.

In some cases, custom SCCs can have higher priority than default SCCs, which means that they will be chosen over the default ones. This can lead to unexpected results; in order to protect openshift workloads from this, we must explicitly pin the required SCC to all our workloads in order to make sure that the expected one will be used.

github-actions[bot] commented 3 months ago

Thanks for your PR, To run vendors CIs, Maintainers can use one of:

/test-all: To run all tests for all vendors.
/test-e2e-all: To run all E2E tests for all vendors.
/test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs, Maintainers can use one of:
/skip-all: To skip all tests for all vendors.
/skip-e2e-all: To skip all E2E tests for all vendors.
/skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor. Best regards.

zeeke commented 3 months ago

These changes are about setting a SecurityContextContraint for the operator's workload, in order to avoid getting assigned one by a custom priority. See [1] and [2]. Also, having the openshift.io/required-scc annotation in a non-Openshift cluster should be harmless, hence no need to add { if .IsOpenshift } statements.

@kramaranya can you confirm my statement? Is there any other information that can be useful for reviewing this?

[1] https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html#scc-prioritization_configuring-internal-oauth [2] https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth

coveralls commented 3 months ago

Pull Request Test Coverage Report for Build 10317864792

Details

0 of 0 changed or added relevant lines in 0 files are covered.
No unchanged relevant lines lost coverage.
Overall coverage remained the same at 45.189%

Totals
Change from base Build 10305741803:	0.0%
Covered Lines:	6532
Relevant Lines:	14455

💛 - Coveralls

kramaranya commented 3 months ago

@zeeke you are absolutely right, thanks for gathering this information.

Here is a jira AUTH-482, which might be useful for reviewing this. I have also updated a description of pr.