Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use the most restrictive service account possible #211

Merged
merged 4 commits into from
Oct 21, 2024
Merged

Use the most restrictive service account possible #211

merged 4 commits into from
Oct 21, 2024
+390 −209

Conversation

lpiwowar
Copy link
Collaborator

@lpiwowar lpiwowar commented Sep 27, 2024
edited
Loading

This PR ensures that the test-operator spawns test pods with the least amount of privileges that are required for successful execution of the tests inside the pods. Three changes had to be made:

  1. Triage rules assigned to serviceAccounts
  • This patch ensures that serviceAccounts have only such rights that are really needed for the tests execution.
  1. Do not add capabilities when privileged: false
  • Previously we were adding the NET_ADMIN and NET_RAW capabilities even when privileged: false. This required to run the test pod with privileged scc.
  1. Remove default value for SELinuxLevel
  • Setting the SELinuxLevel on a test pod requires it to run with elevated scc. This patch removes the default value for the SELinuxLevel (secure by default) and leaves the setting up to the user (when privileged: true is used).

Depends-On: openstack-k8s-operators/ci-framework#2448

@lpiwowar lpiwowar marked this pull request as draft September 27, 2024 13:28
@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/56b05f9b280a42b88626ffbc6c3a0935

✔️ openstack-k8s-operators-content-provider SUCCESS in 4h 28m 30s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 11m 14s

@lpiwowar
Copy link
Collaborator Author

/retest

@lpiwowar
Copy link
Collaborator Author

recheck

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/54961a06a5914faf961d899fa6ef49ba

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 39m 56s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 11m 25s

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/test-operator for 211,02337169a1415ae63f6a2cb3f4726f6629ce780a

@lpiwowar
Copy link
Collaborator Author

lpiwowar commented Oct 1, 2024

The commits need to be cleaned up otherwise this should be good for a review and to be merged.

@lpiwowar lpiwowar force-pushed the bugfix/privileges branch 2 times, most recently from 5b0db4d to 120e74f Compare October 2, 2024 16:07
@lpiwowar lpiwowar marked this pull request as ready for review October 2, 2024 16:07
lpiwowar
lpiwowar commented Oct 4, 2024
View reviewed changes
controllers/common.go Outdated
if privileged {
rbacPolicyRules = append(rbacPolicyRules, rbacv1.PolicyRule{
APIGroups: []string{"security.openshift.io"},
ResourceNames: []string{"anyuid", "privileged"},
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been just testing the change and we have to enable at least anyuid by default. Marking as draft to prevent from merging.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, so the correct thing would be to use nonroot and nonroot-v2 when privileged: false.

@lpiwowar lpiwowar marked this pull request as draft October 4, 2024 15:53
@lpiwowar lpiwowar force-pushed the bugfix/privileges branch 2 times, most recently from 8eb89ec to 21f71d5 Compare October 10, 2024 16:06
@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/075b08fe8a6f4ae2a4df674867e9f575

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 28m 09s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 10m 24s

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

This change depends on a change that failed to merge.

Change openstack-k8s-operators/ci-framework#2448 is needed.

@lpiwowar lpiwowar changed the title Triage privileges Use the most restrictive service account possible Oct 11, 2024
@lpiwowar
Copy link
Collaborator Author

recheck

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/a073abd0643f4fb5864c8fb8725da8bd

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 20m 21s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 10m 36s

@lpiwowar
Copy link
Collaborator Author

recheck

@lpiwowar lpiwowar closed this Oct 14, 2024
@lpiwowar lpiwowar reopened this Oct 14, 2024
@lpiwowar
Copy link
Collaborator Author

recheck

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/9411c73543604f498d0c9beaae0d30f7

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 34m 34s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 11m 18s

@lpiwowar
Copy link
Collaborator Author

/retest

@lpiwowar lpiwowar force-pushed the bugfix/privileges branch 2 times, most recently from aa9a1f1 to cd2908a Compare October 16, 2024 11:42
@lpiwowar
Copy link
Collaborator Author

/retest

@lpiwowar
Triage rules assigned to serviceAccounts
362e28c 
This patch triages the rights that are assigned to serviceAccounts
that are related to the test-operator:

- serviceAccount used by the test-operator controller
- serviceAccount that is associated with instances of test-operator
  related CRs.
@lpiwowar
Do not add capabilities when privileged: false
f10780a 
Previously, the test-operator was spawning pods with NET_ADMIN and
NET_RAW capabilities even when privileged: false. Setting these
two capabilities requires elevated securitycontextconstraint.

This commit addresses this issue by using extra capabilities only
when privileged: true.
@lpiwowar
Change default value of SELinuxLevel
f53f712 
This commit removes the default value of SELinuxLevel. This option
should be only used when privileged: true because scc privileged
is required when setting SELinuxLevel on a pod.

Setting SELinuxLevel is sometimes required in order to be able to
allow RWX for a mounted PVC. We're going to move the setting of the
SELinuxLevel to ci-framework and leave the default parameters for
the test-operator secure.

Depends-On: openstack-k8s-operators/ci-framework#2448
@lpiwowar
Update test-operator CSV
ca67497 
This patch updates the test-operator CSV so that it is up to date
with the recent changes.
@lpiwowar lpiwowar marked this pull request as ready for review October 21, 2024 13:04
@openshift-ci openshift-ci bot requested a review from dprince October 21, 2024 13:04
kopecmartin
kopecmartin approved these changes Oct 21, 2024
View reviewed changes
Copy link
Collaborator

@kopecmartin kopecmartin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems reasonable

@openshift-ci openshift-ci bot added the lgtm label Oct 21, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 21, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kopecmartin, lpiwowar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kopecmartin,lpiwowar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit eae3554 into openstack-k8s-operators:main Oct 21, 2024
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kopecmartin kopecmartin kopecmartin approved these changes

Assignees

@kopecmartin kopecmartin

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lpiwowar @kopecmartin @openshift-merge-robot