Replace system:build-strategy-docker role from the hpo-operator-rolebinding.yml to a more restrictive one #75

Closed
khansaad opened this issue Jul 6, 2022 · 2 comments · Fixed by #86

khansaad commented Jul 6, 2022

We have added a ClusterRole in the hpo-operator-rolebinding.yml file under kind: ClusterRoleBinding, which has the role name system:build-strategy-docker. This is needed to install Python modules inside Kubernetes/OpenShift.

We need to find an alternate solution to make the role more restrictive, i.e. avoid giving more permissions to a role than actually required.

@khansaad khansaad added the bug Something isn't working label Jul 6, 2022
@khansaad khansaad self-assigned this Jul 6, 2022
@khansaad
Contributor Author

The deployment is failing in OpenShift with just the system:build-strategy-docker role. When we add a new role with scc:anyuid (see below), it works.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
 name: hpo-scc-crb
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
  name: hpo-sa
  namespace: "{{ HPO_NAMESPACE }}"

To remove this dependency, we're looking into adding a venv (virtual environment) in the Dockerfile to see if it works.

@khansaad khansaad added this to the 01-Aug-2022 milestone Jul 19, 2022
@khansaad
Contributor Author

Adding a venv is not helping. We're still facing the same issue.
The Docker image builds successfully and works on minikube, but it fails on OpenShift when it rebuilds there, due to the restriction it imposes.
Looking deeper into Python permissions when the modules are installed.
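
An added example, not part of the original thread or the project's manifests: the ClusterRoleBinding posted in the second comment, next to a namespaced RoleBinding that references the same ClusterRole so the grant applies only in the HPO namespace. The name `hpo-scc-rb` is hypothetical; everything else is taken from the posted binding.

```yaml
# Before (as posted in the thread): a ClusterRoleBinding. hpo-sa is
# authorized to "use" the anyuid SCC in every namespace of the cluster.
# Shown for comparison only; do not apply it together with the binding below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: hpo-scc-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
  name: hpo-sa
  namespace: "{{ HPO_NAMESPACE }}"
---
# After (added example): a RoleBinding may reference a ClusterRole.
# The rules of system:openshift:scc:anyuid then apply only inside the
# RoleBinding's own namespace, so the grant no longer holds cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hpo-scc-rb                      # hypothetical name
  namespace: "{{ HPO_NAMESPACE }}"      # scope of the grant
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
  name: hpo-sa
  namespace: "{{ HPO_NAMESPACE }}"
# Check after applying (expect "yes" in the HPO namespace, "no" elsewhere):
#   oc auth can-i use scc/anyuid \
#     --as=system:serviceaccount:<namespace>:hpo-sa -n <namespace>
```

This narrows where the grant applies, but pods running as hpo-sa can still run as any UID, so it does not remove the anyuid dependency the thread is trying to eliminate.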
