SecurityContextConstraints in openshift_rbac.yaml completly wrong formated

oracle / oracle-database-operator

The Oracle Database Operator for Kubernetes (a.k.a. OraOperator) helps developers, DBAs, DevOps and GitOps teams reduce the time and complexity of deploying and managing Oracle Databases. It eliminates the dependency on a human operator or administrator for the majority of database operations.

Universal Permissive License v1.0

141 stars 45 forks source link

SecurityContextConstraints in openshift_rbac.yaml completly wrong formated #105

Closed rbaumgar closed 4 months ago

rbaumgar commented 5 months ago

the scc in the in openshift_rbac.yaml is completly wrong formated and has the wrong API.

https://github.com/oracle/oracle-database-operator/blob/main/config/samples/sidb/openshift_rbac.yaml

This might be the right content:

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: sidb-scc
  namespace: default
allowPrivilegedContainer: false
users:
  - system:serviceaccount:default:sidb-sa
  - system:serviceaccount:default:oracle-database-operator
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 0
  uidRangeMax: 60000
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000

andbos commented 5 months ago

Hi,

Above works for me and if the instances are configured to be in namespace default then they will start. But how to make them run in another namespace?

Best regards, Andreas

rbaumgar commented 5 months ago

you have to apply the same SCC, role and role binding to every namespace you want to use for an Oracle database.

BUT this is a setting I would NEVER recommend in an OpenShift environment from a security perspective.

Oracle databases should run with an arbitrary UID like any other workload in OpenShift.

IshaanDesai45 commented 5 months ago

@rbaumgar @andbos we are working on this and will start a PR for the resolution

IshaanDesai45 commented 4 months ago

@rbaumgar @andbos fixed the openshift_rbac.yaml file in the above PR kindly check and confirm

rbaumgar commented 4 months ago

@IshaanDesai45 looks good. tried with project oracle ecept that that the database is still not running as restricted.

I would update the documentation where the yaml has to be replaced I would recommend the following docu.

in the file, eg rbac/default-ns-role-binding.yaml should be a place holder like $NAMESPACE

export NAMESPACE=my-namespace
cat rbac/default-ns-role-binding.yaml | oc apply -f -

rbaumgar commented 4 months ago

@IshaanDesai45 sorry, the file is still incorrect, nearly all lines except the comments have a leading space. the SCCs are named sidb-oracle-user-scc and sidb-oracle-root-user-scc, but the role references SCC oracle-user-scc and oracle-root-scc.

IshaanDesai45 commented 4 months ago

@rbaumgar fixed the formatting for the openshift_rbac.yaml