opensearch-project / opensearch-k8s-operator

OpenSearch Kubernetes Operator
Apache License 2.0

Openshift SCC / Route support #197

Open Djeezus opened 2 years ago

Djeezus commented 2 years ago

'lo all,

It's my understanding that this k8-operator is heavily based on the official Helm charts, and thus I assume that at least the securityContexts will eventually be part of the operator, but maybe not the openshift-routes.

For now, I have manually updated the code to include both of them, and things work fine on Openshift ... If no one is working on it, or planning to do so, I would like to volunteer/help for this part.

Grtz, gert

swoehrl-mw commented 2 years ago

Hi @Djeezus. Currently no one is working on these topics. If you have the time and energy to help and want to contribute this, PRs are always welcome. From my perspective it is just important that both aspects are optional so that a non-OpenShift standard kubernetes is still the default target.

Djeezus commented 2 years ago

Ok, I've started working on a local fork ...

I've adapted the Makefile to check for an OSE or K8 build:

ifeq ($(shell which oc),)
$(info "No OC found, assuming K8 build...")
else
$(info "OC found in path, assuming OSE build...")
$(shell ln -sf $$(which oc) $$(echo $${PATH} | awk -F: '{print $$1}')/kubectl)
# other OSE-specific vars/configs go here ...
endif

If you have other ideas/opinions, let me know.

swoehrl-mw commented 2 years ago

> I've adapted the Makefile to check for OSE or K8 build

Why would you need to do this? The build happens in the Github Actions pipeline which has no connection to any specific environment. Aside from that the build itself is and must stay generic. All detections regarding OpenShift and specific behaviour must happen at runtime.

From my perspective there can be two points where OpenShift-specific behaviour could be relevant:

Djeezus commented 2 years ago

Indeed, for the functional part everything is going to be at runtime ... With the Makefile adaptation, I was just thinking about people cloning it locally on their machine (like me). I'll leave that out eventually, then.

ghost commented 2 years ago

Hi, any progress on this? Support for OpenShift would be highly appreciated.

jave commented 2 years ago

What is needed for better openshift support?

We tried installing this operator on a single node openshift cluster, in the "default" namespace, and it seemed to work pretty well. We didn't get routes; also we used the example my-cluster, which expects multiple worker nodes, and we had only one node in this cluster. Still, opensearch started, and we could load it with data.

Then we tried installing on another larger cluster, in a separate namespace, not "default", and in this case nothing much worked at all; the operator rbac proxy didn't seem to boot even.

So, what is needed for improved openshift support?

jave commented 2 years ago

For the time being we are using a workaround, in a test cluster.

This makes the operator at least proceed. I would advise against this in a production openshift instance.

balpert89 commented 1 year ago

I agree with @jave you should not enable the default service account to run as anyuid. In addition I have observed that the security-update job does not pick up the service account configured with .spec.general.serviceAccount.

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch
  namespace: some-test
spec:
  general:
    httpPort: 9200
    pluginsList:
      - repository-s3
      - ' https://github.com/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/1.3.6.0/prometheus-exporter-1.3.6.0.zip'
    serviceName: opensearch
    serviceAccount: opensearch
    vendor: opensearch
    version: 1.3.6

$k logs -n some-test opensearch-securityconfig-update-67tkq

chmod: cannot access '/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh': Permission denied
OpenSearch Security not initialized./bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied
/bin/bash: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh: Permission denied

Copying the job manifest and adding .spec.serviceAccountName: opensearch & .spec.securityContext.runAsUser: 1000 (the opensearch user id from the image) enables the job to finish successfully.
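For readers who want to reproduce the workaround described in the comment above, here is an added example of what the copied job manifest looks like with the two fields in place. This is not the operator's generated manifest and is not code from the project: the job name, image tag and container command are assumptions, and only the serviceAccountName and the pod-level securityContext.runAsUser: 1000 come from the comment. In a batch/v1 Job both fields belong to the pod template (spec.template.spec), which is where they are shown here; the pod-level securityContext applies to every container in the pod, so the securityadmin.sh invocation runs as the image's opensearch user instead of the arbitrary uid assigned by the restricted SCC. Binding the dedicated service account this way avoids the anyuid-on-default approach the thread warns against.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: opensearch-securityconfig-update   # assumed name, mirrors the pod name in the log above
  namespace: some-test
spec:
  backoffLimit: 3
  template:
    spec:
      # The two additions from the comment: run under the cluster's service
      # account (.spec.general.serviceAccount) and as the image's opensearch uid.
      serviceAccountName: opensearch
      securityContext:
        runAsUser: 1000          # uid of the opensearch user in the image
      restartPolicy: Never
      containers:
        - name: securityconfig-update
          image: opensearchproject/opensearch:1.3.6   # assumed; use the image the operator deploys
          # The real command and arguments are whatever the operator puts in its
          # generated job; only the script path below is taken from the log output.
          command:
            - /bin/bash
            - -c
            - /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh # ...args omitted
```

After applying it, kubectl logs on the new pod should no longer show the "Permission denied" lines; the permanent fix is tracked in the separate issue referenced below, and a manual copy of the job is only a stop-gap until the operator passes the service account through itself.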

swoehrl-mw commented 1 year ago

> In addition I have observed that the security-update job does not pick up the service account configured with .spec.general.serviceAccount.

Good catch, this is a bug. I've created a separate issue (#392) to track this.

As a general statement regarding OpenShift: Supporting OpenShift specifics is currently not a priority for us so it is unlikely we will implement something in the near future. However, if someone wants to tackle OpenShift-specific issues and open PRs for them, we will be happy to accept them.