oracle / oracle-database-operator

The Oracle Database Operator for Kubernetes (a.k.a. OraOperator) helps developers, DBAs, DevOps and GitOps teams reduce the time and complexity of deploying and managing Oracle Databases. It eliminates the dependency on a human operator or administrator for the majority of database operations.
Universal Permissive License v1.0

SecurityContextConstraints in openshift_rbac.yaml completely wrongly formatted #105

Open rbaumgar opened 1 month ago

rbaumgar commented 1 month ago

The SCC in openshift_rbac.yaml is completely wrongly formatted and has the wrong API.

https://github.com/oracle/oracle-database-operator/blob/main/config/samples/sidb/openshift_rbac.yaml

This might be the right content:

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: sidb-scc
  namespace: default
allowPrivilegedContainer: false
users:
  - system:serviceaccount:default:sidb-sa
  - system:serviceaccount:default:oracle-database-operator
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 0
  uidRangeMax: 60000
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000

andbos commented 1 month ago

Hi,

Above works for me and if the instances are configured to be in namespace default then they will start. But how to make them run in another namespace?

Best regards, Andreas

rbaumgar commented 1 month ago

you have to apply the same SCC, role and role binding to every namespace you want to use for an Oracle database.

BUT this is a setting I would NEVER recommend in an OpenShift environment from a security perspective.

Oracle databases should run with an arbitrary UID like any other workload in OpenShift.

IshaanDesai45 commented 3 weeks ago

@rbaumgar @andbos we are working on this and will start a PR for the resolution

IshaanDesai45 commented 2 days ago

@rbaumgar @andbos fixed the openshift_rbac.yaml file in the above PR kindly check and confirm

rbaumgar commented 1 day ago

@IshaanDesai45 looks good. Tried with project oracle, except that the database is still not running as restricted.

I would update the documentation where the yaml has to be replaced; I would recommend the following docs.

In the file, e.g. rbac/default-ns-role-binding.yaml, there should be a placeholder like $NAMESPACE:

export NAMESPACE=my-namespace
# envsubst replaces $NAMESPACE in the file with the exported value before applying
envsubst < rbac/default-ns-role-binding.yaml | oc apply -f -

rbaumgar commented 1 day ago

@IshaanDesai45 sorry, the file is still incorrect: nearly all lines except the comments have a leading space. The SCCs are named sidb-oracle-user-scc and sidb-oracle-root-user-scc, but the role references SCC oracle-user-scc and oracle-root-scc.
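As an added example (not code from the thread or the project), a small regex-based Python check for the two defects the last comment reports, run against a constructed manifest that reproduces the SCC-name mismatch. It is a heuristic over the manifest text rather than a YAML parser, and it assumes resourceNames are written in flow-sequence `[...]` form.

```python
import re
from typing import List, Set
# Constructed sample (not the project's file) reproducing the mismatch reported
# above: the SCC is named sidb-oracle-user-scc, the Role references oracle-user-scc.
SAMPLE = """\
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: sidb-oracle-user-scc
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sidb-scc-role
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["oracle-user-scc", "oracle-root-scc"]
  verbs: ["use"]
"""

def docs(text: str) -> List[str]:
    """Split a multi-document manifest on the YAML '---' separator."""
    return [d for d in re.split(r"(?m)^---\s*$", text) if d.strip()]

def scc_names(text: str) -> Set[str]:
    """metadata.name of every SecurityContextConstraints document."""
    names = set()
    for d in docs(text):
        if re.search(r"(?m)^kind:\s*SecurityContextConstraints\s*$", d):
            m = re.search(r"(?m)^metadata:\s*\n\s+name:\s*(\S+)", d)
            if m:
                names.add(m.group(1).strip("\"'"))
    return names

def role_scc_refs(text: str) -> Set[str]:
    """Names listed in rules[].resourceNames of every Role/ClusterRole."""
    refs = set()
    for d in docs(text):
        if re.search(r"(?m)^kind:\s*(Cluster)?Role\s*$", d):
            for inner in re.findall(r"resourceNames:\s*\[(.*?)\]", d):
                refs.update(n.strip().strip("\"'") for n in inner.split(",") if n.strip())
    return refs

def dangling_scc_refs(text: str) -> List[str]:
    """SCCs the Role grants 'use' on but no document defines: pods match no SCC."""
    return sorted(role_scc_refs(text) - scc_names(text))

def one_space_indent_lines(text: str) -> List[int]:
    """1-based lines indented by exactly one space (the stray leading space above); comments skipped."""
    return [i for i, l in enumerate(text.splitlines(), 1) if re.match(r"^ [^ #]", l)]
```

Running dangling_scc_refs over the real openshift_rbac.yaml before applying it catches the name mismatch without needing a cluster.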