diff --git a/data/kubemacpool/kubemacpool.yaml b/data/kubemacpool/kubemacpool.yaml
index f380ca519..9d7e3e5dc 100644
--- a/data/kubemacpool/kubemacpool.yaml
+++ b/data/kubemacpool/kubemacpool.yaml
@@ -201,8 +201,8 @@ spec:
 priorityClassName: system-cluster-critical
 restartPolicy: Always
 securityContext:
- runAsNonRoot: true
- runAsUser: 107
+ runAsNonRoot: {{ .RunAsNonRoot }}
+ runAsUser: {{ .RunAsUser }}
 seccompProfile:
 type: RuntimeDefault
 terminationGracePeriodSeconds: 5
@@ -320,8 +320,8 @@ spec:
 priorityClassName: system-cluster-critical
 restartPolicy: Always
 securityContext:
- runAsNonRoot: true
- runAsUser: 107
+ runAsNonRoot: {{ .RunAsNonRoot }}
+ runAsUser: {{ .RunAsUser }}
 seccompProfile:
 type: RuntimeDefault
 terminationGracePeriodSeconds: 5
diff --git a/hack/components/bump-kubemacpool.sh b/hack/components/bump-kubemacpool.sh
index 1fa36ed65..0c7fe864e 100755
--- a/hack/components/bump-kubemacpool.sh
+++ b/hack/components/bump-kubemacpool.sh
@@ -82,6 +82,9 @@ spec:
 - image: "{{ .KubeRbacProxyImage }}"
 imagePullPolicy: "{{ .ImagePullPolicy }}"
 name: kube-rbac-proxy
+ securityContext:
+ runAsNonRoot: "{{ .RunAsNonRoot }}"
+ runAsUser: "{{ .RunAsUser }}"
 EOF
 cat < config/cnao/cnao_cert-manager_patch.yaml
@@ -106,6 +109,9 @@ spec:
 value: "{{ .CertRotateInterval | default \"4380h0m0s\" }}"
 - name: CERT_OVERLAP_INTERVAL
 value: "{{ .CertOverlapInterval | default \"24h0m0s\" }}"
+ securityContext:
+ runAsNonRoot: "{{ .RunAsNonRoot }}"
+ runAsUser: "{{ .RunAsUser }}"
 EOF
 cat < config/cnao/cnao_placement_patch.yaml
@@ -153,7 +159,7 @@ mv kustomize $KUBEMACPOOL_PATH
 rm kustomize.tar.gz
 (
 cd $KUBEMACPOOL_PATH
- ./kustomize build config/cnao | sed "s/'{{ toYaml \(.*\)}}'/{{ toYaml \1}}/"
+ ./kustomize build config/cnao | sed "s/'{{ toYaml \(.*\)}}'/{{ toYaml \1}}/;s/'{{ .RunAsNonRoot }}'/{{ .RunAsNonRoot }}/g;s/'{{ .RunAsUser }}'/{{ .RunAsUser }}/g"
 ) > data/kubemacpool/kubemacpool.yaml
 echo 'Get kubemacpool image name and update it under CNAO'
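Review bot: The two sed substitutions added to the `./kustomize build config/cnao` pipeline are load-bearing, not cosmetic: the patches written by the earlier hunks of this file emit `"{{ .RunAsNonRoot }}"` and `"{{ .RunAsUser }}"` as quoted strings, and on SCC-capable clusters the Go side fills them with `null`, which only becomes a YAML null (field unset, UID left to the SCC) once these quotes are stripped. If kustomize ever quotes the placeholder differently the rendered manifest would carry `runAsUser: 'null'`, which as far as I can tell does not decode into the integer `runAsUser` field and would break the apply. The unescaped `.` in the patterns also matches any character; consider `s/'{{ \.RunAsNonRoot }}'/{{ .RunAsNonRoot }}/g;s/'{{ \.RunAsUser }}'/{{ .RunAsUser }}/g` together with a one-line comment above the pipeline explaining that the unquoting is what turns the templated `null` into a real null.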
diff --git a/pkg/network/kubemacpool.go b/pkg/network/kubemacpool.go
index 05f1c625c..dbb6d10cc 100644
--- a/pkg/network/kubemacpool.go
+++ b/pkg/network/kubemacpool.go
@@ -96,7 +96,7 @@ func changeSafeKubeMacPool(prev, next *cnao.NetworkAddonsConfigSpec) []error {
 }
 // renderLinuxBridge generates the manifests of Linux Bridge
-func renderKubeMacPool(conf *cnao.NetworkAddonsConfigSpec, manifestDir string) ([]*unstructured.Unstructured, error) {
+func renderKubeMacPool(conf *cnao.NetworkAddonsConfigSpec, manifestDir string, clusterInfo *ClusterInfo) ([]*unstructured.Unstructured, error) {
 if conf.KubeMacPool == nil {
 return nil, nil
 }
@@ -115,6 +115,14 @@ func renderKubeMacPool(conf *cnao.NetworkAddonsConfigSpec, manifestDir string) (
 data.Data["CertRotateInterval"] = conf.SelfSignConfiguration.CertRotateInterval
 data.Data["CertOverlapInterval"] = conf.SelfSignConfiguration.CertOverlapInterval
+ if clusterInfo.SCCAvailable {
+ data.Data["RunAsNonRoot"] = "null"
+ data.Data["RunAsUser"] = "null"
+ } else {
+ data.Data["RunAsNonRoot"] = "true"
+ data.Data["RunAsUser"] = "107"
+ }
+
 ciphers, tlsMinVersion := SelectCipherSuitesAndMinTLSVersion(conf.TLSSecurityProfile)
 data.Data["TLSSecurityProfileCiphers"] = strings.Join(ciphers, ",")
 data.Data["TLSMinVersion"] = TLSVersionToHumanReadable(tlsMinVersion)
diff --git a/pkg/network/network.go b/pkg/network/network.go
index 3360524f0..3ec6bab69 100644
--- a/pkg/network/network.go
+++ b/pkg/network/network.go
@@ -134,7 +134,7 @@ func Render(conf *cnao.NetworkAddonsConfigSpec, manifestDir string, openshiftNet
 objs = append(objs, o...)
 // render kubeMacPool
- o, err = renderKubeMacPool(conf, manifestDir)
+ o, err = renderKubeMacPool(conf, manifestDir, clusterInfo)
 if err != nil {
 return nil, err
 }
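Review bot: The doc comment directly above the changed signature still reads `// renderLinuxBridge generates the manifests of Linux Bridge`, which names a different function and says nothing about the new parameter; since the signature line is being rewritten anyway, replace it with `// renderKubeMacPool generates the KubeMacPool manifests; clusterInfo decides whether the pod securityContext pins runAsNonRoot/runAsUser or leaves them unset for the cluster's SCC to assign.` The body of renderKubeMacPool continues outside this hunk.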
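Review bot: `clusterInfo.SCCAvailable` is dereferenced without a nil check, so any caller that passes a nil `*ClusterInfo` (the argument is new, and both Render and RenderObjsToRemove in network.go now forward one) panics inside rendering instead of returning an error; `if clusterInfo != nil && clusterInfo.SCCAvailable {` keeps the explicit non-root defaults as the fallback. Separately, on SCC-capable clusters both keys become `null`, which drops `runAsNonRoot: true` together with the fixed UID, whereas as far as I can tell only `runAsUser` needs to be left unset for the SCC to assign a UID from the namespace range; keeping `data.Data["RunAsNonRoot"] = "true"` in both branches would preserve the non-root guarantee even if the pod is later admitted under a more permissive SCC. A short comment on why the values are rendered as the strings `"null"`, `"true"` and `"107"` (they are substituted verbatim into YAML by the template) would also help the next reader.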
@@ -206,7 +206,7 @@ func RenderObjsToRemove(prev, conf *cnao.NetworkAddonsConfigSpec, manifestDir st
 }
 if conf.KubeMacPool == nil {
- o, err := renderKubeMacPool(prev, manifestDir)
+ o, err := renderKubeMacPool(prev, manifestDir, clusterInfo)
 if err != nil {
 return nil, err
 }