[5.15] SCC Fix - Githubissues

noobaa / noobaa-operator

Operator for NooBaa - object data service for hybrid and multi cloud environments :cloud: :wrench:

https://www.noobaa.io

Apache License 2.0

102 stars 99 forks source link

[5.15] SCC Fix #1359

Closed tangledbytes closed 4 months ago

tangledbytes commented 4 months ago

Explain the changes

In the master branch and 5.16, because we do no longer have an init container, we no longer require a lot of privileges to operate. The same is not true for versions before and including 5.15.

I tried multiple combinations of:

AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT

capabilities but nothing really worked hence adding back the dropped default privileges. Will seek exception for this container (and I think we did do that initially for 5.14).

Issues: Fixed #xxx / Gap #xxx

Broke 4.15.3 RC build - fixing that

Testing Instructions:

Created a fresh openshift-cluster from cluster bot.
Used CLI built from this patch and ran nb install ....
Waited for the system to be stable.
Ran aws s3 ls against the deployment.
Created obc and then S3 ops against that bucket using admin credentials.

The above testing was done to ensure that system is indeed functional at least in 5.15.

[ ] Doc added/updated
[ ] Tests added

tangledbytes commented 4 months ago

Please note that we will need to request exception for the DB pod just like we did for noobaa-endpoint pod. The same isn't true for the recent versions of NooBaa though.