
Allow for configuring default container/pod SecurityContext in CheCluster CR #22307

Closed
AObuchow opened this issue Jun 20, 2023 · 0 comments · Fixed by eclipse-che/che-operator#1729
Assignees
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.

Comments

@AObuchow
AObuchow commented Jun 20, 2023

Is your enhancement related to a problem? Please describe

Currently, there is no way to set the default pod security context or container security context used by workspaces from the Che Cluster CR.

If Che users want to configure the default pod security context or container security context used by workspaces, they have to modify the Che-owned DWOC and set the corresponding fields there. However, Che-Operator will automatically configure the

Describe the solution you'd like

It'd be better to allow for configuring the default pod security context or container security context used by workspaces through the Che Cluster CR.

When the containerSecurityContext or podSecurityContext is configured in the Che Cluster CR, we have to make sure it doesn't have any problematic interactions with the container-build SCC if disableContainerBuildCapabilities is set to false (i.e. when container builds are enabled). For instance, it would be invalid to set allowPrivilegeEscalation: false through the containerSecurityContext when container builds are enabled.

IIRC:

Describe alternatives you've considered

The podSecurityContext field config.workspace.podSecurityContext can be set by user in the Che-owned DWOC to set a default pod security context to be used by workspaces. However, the Che-Operator will automatically configure the containerSecurityContext field config.workspace.containerSecurityContext, so there is no workaround for configuring the default workspace container security context.

Additional context

Downstream issue
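The compatibility check described in the solution section, written out as an added example (it is not code from this issue or from che-operator). The struct layout is a simplified stand-in that follows the CheCluster v2 field names as an assumption, and an unset `disableContainerBuildCapabilities` is assumed to mean container builds are off; the only conflict encoded is the one named above, an explicit `allowPrivilegeEscalation: false` while container builds are enabled, with nil kept distinct from false the way the Kubernetes SecurityContext type does.

```go
package main

import "fmt"

// Simplified stand-in for the CheCluster CR fields discussed in the issue.
// Not che-operator's real API types; the layout follows the CheCluster v2
// spec (spec.devEnvironments.disableContainerBuildCapabilities,
// spec.devEnvironments.security.containerSecurityContext) as an assumption.
type ContainerSecurityContext struct {
	// Pointer so that "unset" (nil) is distinct from an explicit false,
	// matching the Kubernetes SecurityContext type.
	AllowPrivilegeEscalation *bool
}

type WorkspaceSecurity struct {
	ContainerSecurityContext *ContainerSecurityContext
}

type DevEnvironments struct {
	// Assumed here to mean "disabled" when unset.
	DisableContainerBuildCapabilities *bool
	Security                          WorkspaceSecurity
}

type CheClusterSpec struct {
	DevEnvironments DevEnvironments
}

// ContainerBuildsEnabled reports whether container builds are on, i.e. the
// field is explicitly set to false.
func ContainerBuildsEnabled(spec CheClusterSpec) bool {
	d := spec.DevEnvironments.DisableContainerBuildCapabilities
	return d != nil && !*d
}

// ValidateContainerBuildSecurityContext returns one message per conflict
// between the default container security context and container builds.
// Only the conflict named in the issue is encoded: an explicit
// allowPrivilegeEscalation: false while container builds are enabled.
func ValidateContainerBuildSecurityContext(spec CheClusterSpec) []string {
	var problems []string
	if !ContainerBuildsEnabled(spec) {
		return problems // container-build SCC not in play, nothing to check
	}
	csc := spec.DevEnvironments.Security.ContainerSecurityContext
	if csc != nil && csc.AllowPrivilegeEscalation != nil && !*csc.AllowPrivilegeEscalation {
		problems = append(problems,
			"devEnvironments.security.containerSecurityContext.allowPrivilegeEscalation=false "+
				"is incompatible with container builds (disableContainerBuildCapabilities=false)")
	}
	return problems
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed sample: container builds enabled, privilege escalation disabled.
	conflicting := CheClusterSpec{DevEnvironments: DevEnvironments{
		DisableContainerBuildCapabilities: boolPtr(false),
		Security: WorkspaceSecurity{ContainerSecurityContext: &ContainerSecurityContext{
			AllowPrivilegeEscalation: boolPtr(false),
		}},
	}}
	for _, p := range ValidateContainerBuildSecurityContext(conflicting) {
		fmt.Println("conflict:", p)
	}
}
```

Running the check at reconciliation time, before the values are copied into the DWOC, lets the operator surface the conflict in the CheCluster status instead of producing workspaces whose builds fail at runtime.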

@AObuchow AObuchow added the kind/enhancement A feature request - must adhere to the feature request template. label Jun 20, 2023
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jun 20, 2023
@AObuchow AObuchow added severity/P1 Has a major impact to usage or development of the system. area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jun 20, 2023
@AObuchow AObuchow self-assigned this Jun 29, 2023
2 participants