Cherrypick PWX-27673 and PWX-32294 to 23.7.0 (#988) (#1132) (#1140) (#…

…1140) * Add portworx-restricted scc (#988) * Add portworx-restricted scc * Add portworx restricted scc to cluster role * cherry PWX-32294 * remove RequiredDropCapabilities from testspec * fix failing TestSCC test --------- Co-authored-by: siyingjin <122411280+siyingjin@users.noreply.github.com>
libopenstorage · Jul 14, 2023 · b62723c · b62723c
1 parent ab04e96
commit b62723c
Show file tree

Hide file tree

Showing 12 changed files with 111 additions and 16 deletions.
diff --git a/drivers/storage/portworx/component/csi.go b/drivers/storage/portworx/component/csi.go
@@ -320,7 +320,7 @@ func (c *csi) createClusterRole(
 			{
 				APIGroups:     []string{"security.openshift.io"},
 				Resources:     []string{"securitycontextconstraints"},
-				ResourceNames: []string{PxSCCName},
+				ResourceNames: []string{PxRestrictedSCCName},
 				Verbs:         []string{"use"},
 			},
 			{

diff --git a/drivers/storage/portworx/component/lighthouse.go b/drivers/storage/portworx/component/lighthouse.go
@@ -204,7 +204,7 @@ func (c *lighthouse) createClusterRole() error {
 				{
 					APIGroups:     []string{"security.openshift.io"},
 					Resources:     []string{"securitycontextconstraints"},
-					ResourceNames: []string{PxSCCName, "anyuid"},
+					ResourceNames: []string{PxRestrictedSCCName, "anyuid"},
 					Verbs:         []string{"use"},
 				},
 				{

diff --git a/drivers/storage/portworx/component/pvccontroller.go b/drivers/storage/portworx/component/pvccontroller.go
@@ -238,7 +238,7 @@ func (c *pvcController) createClusterRole() error {
 				{
 					APIGroups:     []string{"security.openshift.io"},
 					Resources:     []string{"securitycontextconstraints"},
-					ResourceNames: []string{PxSCCName},
+					ResourceNames: []string{PxRestrictedSCCName},
 					Verbs:         []string{"use"},
 				},
 				{

diff --git a/drivers/storage/portworx/component/securitycontextconstraints.go b/drivers/storage/portworx/component/securitycontextconstraints.go
@@ -28,6 +28,8 @@ const (
 	SCCComponentName = "scc"
 	// PxSCCName name of portworx securityContextConstraints
 	PxSCCName = "portworx"
+	// PxRestrictedSCCName name of portworx-restricted securityContextConstraints
+	PxRestrictedSCCName = "portworx-restricted"
 	// PxNodeWiperServiceAccountName name of portworx node wiper service account
 	PxNodeWiperServiceAccountName = "px-node-wiper"
 )
@@ -189,11 +191,11 @@ func (s *scc) getSCCs(cluster *opcorev1.StorageCluster) []ocp_secv1.SecurityCont
 				Name: PxSCCName,
 			},
 			AllowHostDirVolumePlugin: true,
-			AllowHostIPC:             true,
+			AllowHostIPC:             false,
 			AllowHostNetwork:         true,
-			AllowHostPID:             true,
-			AllowHostPorts:           true,
-			AllowPrivilegeEscalation: boolPtr(true),
+			AllowHostPID:             false,
+			AllowHostPorts:           false,
+			AllowPrivilegeEscalation: boolPtr(false),
 			AllowPrivilegedContainer: true,
 			AllowedUnsafeSysctls:     []string{"*"},
 			AllowedCapabilities: []corev1.Capability{
@@ -222,11 +224,52 @@ func (s *scc) getSCCs(cluster *opcorev1.StorageCluster) []ocp_secv1.SecurityCont
 				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, LhServiceAccountName),
 				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, PVCServiceAccountName),
 				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, CollectorServiceAccountName),
+				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, ServiceAccountNameTelemetry),
 				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, "px-node-wiper"),
 				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, "px-prometheus"),
 				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, "stork-scheduler"),
 			},
 		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: PxRestrictedSCCName,
+			},
+			AllowHostDirVolumePlugin: true,
+			AllowHostIPC:             false,
+			AllowHostNetwork:         true,
+			AllowHostPID:             false,
+			AllowHostPorts:           false,
+			AllowPrivilegeEscalation: boolPtr(false),
+			AllowPrivilegedContainer: false,
+			FSGroup: ocp_secv1.FSGroupStrategyOptions{
+				Type: ocp_secv1.FSGroupStrategyMustRunAs,
+			},
+			ReadOnlyRootFilesystem: false,
+			RunAsUser: ocp_secv1.RunAsUserStrategyOptions{
+				Type: ocp_secv1.RunAsUserStrategyMustRunAsRange,
+			},
+			SELinuxContext: ocp_secv1.SELinuxContextStrategyOptions{
+				Type: ocp_secv1.SELinuxStrategyMustRunAs,
+			},
+			SupplementalGroups: ocp_secv1.SupplementalGroupsStrategyOptions{
+				Type: ocp_secv1.SupplementalGroupsStrategyRunAsAny,
+			},
+			Volumes: []ocp_secv1.FSType{
+				ocp_secv1.FSTypeConfigMap,
+				ocp_secv1.FSTypeDownwardAPI,
+				ocp_secv1.FSTypeEmptyDir,
+				ocp_secv1.FSTypeHostPath,
+				ocp_secv1.FSTypePersistentVolumeClaim,
+				ocp_secv1.FSProjected,
+				ocp_secv1.FSTypeSecret,
+			},
+			Groups: nil,
+			Users: []string{
+				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, CSIServiceAccountName),
+				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, LhServiceAccountName),
+				fmt.Sprintf("system:serviceaccount:%s:%s", cluster.Namespace, PVCServiceAccountName),
+			},
+		},
 	}
 }
 

diff --git a/drivers/storage/portworx/components_test.go b/drivers/storage/portworx/components_test.go
@@ -11866,6 +11866,11 @@ func TestSCC(t *testing.T) {
 	err = testutil.Get(k8sClient, scc, expectedSCC.Name, "")
 	require.NotNil(t, err)
 
+	expectedPxRestrictedSCC := testutil.GetExpectedSCC(t, "portworxRestrictedSCC.yaml")
+	pxRestrictedSCC := &ocp_secv1.SecurityContextConstraints{}
+	err = testutil.Get(k8sClient, pxRestrictedSCC, expectedPxRestrictedSCC.Name, "")
+	require.NotNil(t, err)
+
 	// Install with SCC enabled
 	crd := testutil.GetExpectedCRDV1(t, "sccCrd.yaml")
 	err = k8sClient.Create(context.TODO(), crd)
@@ -11877,15 +11882,27 @@ func TestSCC(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, expectedSCC, scc)
 
+	err = testutil.Get(k8sClient, pxRestrictedSCC, expectedPxRestrictedSCC.Name, "")
+	require.NoError(t, err)
+	require.Equal(t, expectedSCC, scc)
+
 	// Update SCC
 	scc.AllowHostNetwork = false
 	err = k8sClient.Update(context.TODO(), scc)
 	require.NoError(t, err)
+
+	pxRestrictedSCC.AllowHostNetwork = true
+	err = k8sClient.Update(context.TODO(), pxRestrictedSCC)
+	require.NoError(t, err)
+
 	err = driver.PreInstall(cluster)
 	require.NoError(t, err)
 	err = testutil.Get(k8sClient, scc, expectedSCC.Name, "")
 	require.NoError(t, err)
 
+	err = testutil.Get(k8sClient, pxRestrictedSCC, expectedPxRestrictedSCC.Name, "")
+	require.NoError(t, err)
+
 	// Update SCC priority
 	cluster.Annotations = make(map[string]string)
 	cluster.Annotations[pxutil.AnnotationSCCPriority] = "2"

diff --git a/drivers/storage/portworx/testspec/csiClusterRole_k8s_1.11.yaml b/drivers/storage/portworx/testspec/csiClusterRole_k8s_1.11.yaml
@@ -53,7 +53,7 @@ rules:
   verbs: ["*"]
 - apiGroups: ["security.openshift.io"]
   resources: ["securitycontextconstraints"]
-  resourceNames: ["portworx"]
+  resourceNames: ["portworx-restricted"]
   verbs: ["use"]
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]

diff --git a/drivers/storage/portworx/testspec/csiClusterRole_k8s_1.13.yaml b/drivers/storage/portworx/testspec/csiClusterRole_k8s_1.13.yaml
@@ -60,7 +60,7 @@ rules:
   verbs: ["*"]
 - apiGroups: ["security.openshift.io"]
   resources: ["securitycontextconstraints"]
-  resourceNames: ["portworx"]
+  resourceNames: ["portworx-restricted"]
   verbs: ["use"]
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]

diff --git a/drivers/storage/portworx/testspec/csiClusterRole_k8s_1.14.yaml b/drivers/storage/portworx/testspec/csiClusterRole_k8s_1.14.yaml
@@ -56,7 +56,7 @@ rules:
   verbs: ["*"]
 - apiGroups: ["security.openshift.io"]
   resources: ["securitycontextconstraints"]
-  resourceNames: ["portworx"]
+  resourceNames: ["portworx-restricted"]
   verbs: ["use"]
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]

diff --git a/drivers/storage/portworx/testspec/lighthouseClusterRole.yaml b/drivers/storage/portworx/testspec/lighthouseClusterRole.yaml
@@ -30,7 +30,7 @@ rules:
     verbs: ["*"]
   - apiGroups: ["security.openshift.io"]
     resources: ["securitycontextconstraints"]
-    resourceNames: ["portworx", "anyuid"]
+    resourceNames: ["portworx-restricted", "anyuid"]
     verbs: ["use"]
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]

diff --git a/drivers/storage/portworx/testspec/portworxRestrictedSCC.yaml b/drivers/storage/portworx/testspec/portworxRestrictedSCC.yaml
@@ -0,0 +1,34 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+  type: MustRunAs
+kind: SecurityContextConstraints
+metadata:
+  name: portworx-restricted
+  resourceVersion: "1"
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAsRange
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+  - system:serviceaccount:kube-test:px-csi
+  - system:serviceaccount:kube-test:px-lighthouse
+  - system:serviceaccount:kube-test:portworx-pvc-controller
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
diff --git a/drivers/storage/portworx/testspec/portworxSCC.yaml b/drivers/storage/portworx/testspec/portworxSCC.yaml
@@ -1,9 +1,9 @@
 allowHostDirVolumePlugin: true
-allowHostIPC: true
+allowHostIPC: false
 allowHostNetwork: true
-allowHostPID: true
-allowHostPorts: true
-allowPrivilegeEscalation: true
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
 allowPrivilegedContainer: true
 allowedCapabilities:
 - '*'
@@ -33,6 +33,7 @@ users:
 - system:serviceaccount:kube-test:px-lighthouse
 - system:serviceaccount:kube-test:portworx-pvc-controller
 - system:serviceaccount:kube-test:px-metrics-collector
+- system:serviceaccount:kube-test:px-telemetry
 - system:serviceaccount:kube-test:px-node-wiper
 - system:serviceaccount:kube-test:px-prometheus
 - system:serviceaccount:kube-test:stork-scheduler

diff --git a/drivers/storage/portworx/testspec/pvcControllerClusterRole.yaml b/drivers/storage/portworx/testspec/pvcControllerClusterRole.yaml
@@ -44,7 +44,7 @@ rules:
   verbs: ["get", "list", "watch", "create", "update"]
 - apiGroups: ["security.openshift.io"]
   resources: ["securitycontextconstraints"]
-  resourceNames: ["portworx"]
+  resourceNames: ["portworx-restricted"]
   verbs: ["use"]
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]