
PWX-32294 : Reconfigure SCC templates #1132

Merged
merged 4 commits into from
Jul 13, 2023

Conversation

nikita-bhatia
Contributor

Reconfigure both SCC templates to remove the following privileges:

  • allowHostIPC: false
  • allowHostPID: false
  • allowHostPorts: false
  • allowPrivilegeEscalation: false

Portworx-restricted SCC already has these privileges; changed the portworx SCC to have these privileges.
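As an added example, not code from this pull request or from the operator repository: a small Go check that reads one SCC object in the JSON form `oc get scc <name> -o json` returns and reports which of the four privileges removed here it still grants. The struct is a local stand-in whose JSON keys follow the OpenShift SecurityContextConstraints API; the three sample objects are constructed for the example, and `allowPrivilegeEscalation` is treated as a pointer because the API defaults it to true when unset.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sccHostPrivileges holds only the SecurityContextConstraints fields this PR
// touches. The JSON keys match the OpenShift security/v1 API; the struct itself
// is a local stand-in for the example, not the upstream type.
type sccHostPrivileges struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	AllowHostIPC             bool  `json:"allowHostIPC"`
	AllowHostPID             bool  `json:"allowHostPID"`
	AllowHostPorts           bool  `json:"allowHostPorts"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
}

// ExcessivePrivileges parses one SCC object and returns its name together with
// the host-level privileges it still grants. An empty list means the SCC
// matches the hardened settings from this PR.
func ExcessivePrivileges(sccJSON []byte) (string, []string, error) {
	var scc sccHostPrivileges
	if err := json.Unmarshal(sccJSON, &scc); err != nil {
		return "", nil, fmt.Errorf("parsing SCC: %w", err)
	}
	var found []string
	if scc.AllowHostIPC {
		found = append(found, "allowHostIPC")
	}
	if scc.AllowHostPID {
		found = append(found, "allowHostPID")
	}
	if scc.AllowHostPorts {
		found = append(found, "allowHostPorts")
	}
	// allowPrivilegeEscalation is a pointer in the API and defaults to true
	// when unset, so a missing field is reported as still allowed.
	if scc.AllowPrivilegeEscalation == nil || *scc.AllowPrivilegeEscalation {
		found = append(found, "allowPrivilegeEscalation")
	}
	return scc.Metadata.Name, found, nil
}

// Constructed sample objects for the example (not captured from a cluster).
const (
	// Shape of the portworx SCC before this PR: all four privileges granted.
	BeforeSCC = `{"metadata":{"name":"portworx"},"allowHostIPC":true,"allowHostPID":true,"allowHostPorts":true,"allowPrivilegeEscalation":true}`
	// Shape after this PR: all four explicitly false.
	AfterSCC = `{"metadata":{"name":"portworx"},"allowHostIPC":false,"allowHostPID":false,"allowHostPorts":false,"allowPrivilegeEscalation":false}`
	// allowPrivilegeEscalation left unset: still reported, because unset means allowed.
	UnsetEscalationSCC = `{"metadata":{"name":"portworx-restricted"},"allowHostIPC":false,"allowHostPID":false,"allowHostPorts":false}`
)

func main() {
	for _, doc := range []string{BeforeSCC, AfterSCC, UnsetEscalationSCC} {
		name, found, err := ExcessivePrivileges([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		if len(found) == 0 {
			fmt.Printf("%s: OK, no host-level privileges granted\n", name)
		} else {
			fmt.Printf("%s: still granted: %v\n", name, found)
		}
	}
}
```

Running the check against the live objects (`oc get scc portworx -o json | go run check.go`, with `main` adapted to read stdin) gives a quick way to confirm a cluster actually picked up the reconfigured templates rather than an older cached SCC.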

@codecov

codecov bot commented Jul 12, 2023

Codecov Report

Patch coverage: 100.00% and no project coverage change.

Comparison is base (594afb4) 75.55% compared to head (9ff871d) 75.55%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1132   +/-   ##
=======================================
  Coverage   75.55%   75.55%           
=======================================
  Files          64       64           
  Lines       17853    17853           
=======================================
  Hits        13488    13488           
  Misses       3408     3408           
  Partials      957      957           
Impacted Files Coverage Δ
...e/portworx/component/securitycontextconstraints.go 86.63% <100.00%> (ø)


Collaborator

@zoxpx zoxpx left a comment


Did you check if the PX actually deploys with these settings?

  • if you didn't, please do check before the commit

Note, there is one change that you missed (line 239 should also set AllowPrivilegeEscalation: false for the "restricted" conf).

  • please fix this before the commit

Other than this, the DIFF looks OK -- thanks Nikita!

@nikita-bhatia
Contributor Author

> Did you check if the PX actually deploys with these settings?
>
>   • if you didn't, please do check before the commit
>
> Note, there is one change that you missed (line 239 should also set AllowPrivilegeEscalation: false for the "restricted" conf).
>
>   • please fix this before the commit
>
> Other than this, the DIFF looks OK -- thanks Nikita!

Yes, with these changes, deployed px version 3.0.0 and all pods were up and running.

NAME READY STATUS RESTARTS AGE
autopilot-78f45c4698-7fxgm 1/1 Running 0 27m
portworx-api-2crxd 1/1 Running 0 27m
portworx-api-lj4wc 1/1 Running 0 27m
portworx-api-vhlth 1/1 Running 0 27m
portworx-api-xtq68 1/1 Running 0 27m
portworx-kvdb-55xm8 1/1 Running 0 16m
portworx-kvdb-5kzbb 1/1 Running 0 15m
portworx-kvdb-dhhdf 1/1 Running 0 15m
portworx-operator-6749c676bf-9n2vs 1/1 Running 0 42m
prometheus-px-prometheus-0 2/2 Running 0 27m
px-cluster-6jxpl 2/2 Running 1 (12m ago) 27m
px-cluster-g9jrp 2/2 Running 0 27m
px-cluster-szcfx 2/2 Running 0 27m
px-cluster-x9mhq 2/2 Running 0 27m
px-csi-ext-6d9d658d85-fkpxr 4/4 Running 0 27m
px-csi-ext-6d9d658d85-jhp8r 4/4 Running 0 27m
px-csi-ext-6d9d658d85-s4xzq 4/4 Running 1 (18m ago) 27m
px-plugin-744645f478-b47zs 1/1 Running 0 27m
px-plugin-744645f478-bhvmf 1/1 Running 0 27m
px-plugin-proxy-77b6bcb79f-splf2 1/1 Running 0 27m
px-prometheus-operator-84b575d-cglrn 1/1 Running 0 27m
px-telemetry-metrics-collector-bccf858bf-vm84m 2/2 Running 0 16m
px-telemetry-phonehome-942cm 2/2 Running 0 16m
px-telemetry-phonehome-ck5f6 2/2 Running 0 16m
px-telemetry-phonehome-pt2ns 2/2 Running 0 16m
px-telemetry-phonehome-v2km9 2/2 Running 0 16m
px-telemetry-registration-57bd9598f9-4ldtz 2/2 Running 0 16m
stork-7f6b75dbb5-5l7vk 1/1 Running 0 27m
stork-7f6b75dbb5-hgngt 1/1 Running 0 27m
stork-7f6b75dbb5-j9cn5 1/1 Running 1 (27m ago) 27m
stork-scheduler-d4c44fb86-6p4jn 1/1 Running 0 27m
stork-scheduler-d4c44fb86-stzcc 1/1 Running 0 27m
stork-scheduler-d4c44fb86-tzpdq 1/1 Running 0 27m

@nikita-bhatia nikita-bhatia merged commit faecc3e into master Jul 13, 2023
8 checks passed
nikita-bhatia added a commit that referenced this pull request Jul 14, 2023
…1140)

* Add portworx-restricted scc (#988)

* Add portworx-restricted scc

* Add portworx restricted scc to cluster role

* cherry PWX-32294

* remove RequiredDropCapabilities from testspec

* fix failing TestSCC test

---------

Co-authored-by: siyingjin <122411280+siyingjin@users.noreply.github.com>
@nikita-bhatia nikita-bhatia deleted the remove_priveleges branch July 24, 2023 04:53