Merge pull request #2335 from liouk/required-scc

AUTH-482: set required-scc for openshift workloads
openshift · May 3, 2024 · f7eb1eb · f7eb1eb
2 parents 77f948e + bb1c14f
commit f7eb1eb
Show file tree

Hide file tree

Showing 30 changed files with 64 additions and 0 deletions.
diff --git a/assets/admission-webhook/deployment.yaml b/assets/admission-webhook/deployment.yaml
@@ -21,6 +21,7 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: prometheus-operator-admission-webhook
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/managed-by: cluster-monitoring-operator

diff --git a/assets/alertmanager/alertmanager.yaml b/assets/alertmanager/alertmanager.yaml
@@ -121,6 +121,7 @@ spec:
     kubernetes.io/os: linux
   podMetadata:
     annotations:
+      openshift.io/required-scc: nonroot
       target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     labels:
       app.kubernetes.io/component: alert-router

diff --git a/assets/kube-state-metrics/deployment.yaml b/assets/kube-state-metrics/deployment.yaml
@@ -20,6 +20,7 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: kube-state-metrics
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: exporter

diff --git a/assets/monitoring-plugin/deployment.yaml b/assets/monitoring-plugin/deployment.yaml
@@ -23,6 +23,7 @@ spec:
   template:
     metadata:
       annotations:
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: monitoring-plugin

diff --git a/assets/node-exporter/daemonset.yaml b/assets/node-exporter/daemonset.yaml
@@ -19,6 +19,7 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: node-exporter
+        openshift.io/required-scc: node-exporter
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: exporter

diff --git a/assets/openshift-state-metrics/deployment.yaml b/assets/openshift-state-metrics/deployment.yaml
@@ -17,6 +17,7 @@ spec:
   template:
     metadata:
       annotations:
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: exporter

diff --git a/assets/prometheus-adapter/deployment.yaml b/assets/prometheus-adapter/deployment.yaml
@@ -23,6 +23,7 @@ spec:
     metadata:
       annotations:
         checksum.config/md5: c7fb4696aad1a53eaad3f90f16b9905b
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: metrics-adapter

diff --git a/assets/prometheus-k8s/prometheus.yaml b/assets/prometheus-k8s/prometheus.yaml
@@ -170,6 +170,7 @@ spec:
     kubernetes.io/os: linux
   podMetadata:
     annotations:
+      openshift.io/required-scc: nonroot
       target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     labels:
       app.kubernetes.io/component: prometheus

diff --git a/assets/prometheus-operator-user-workload/deployment.yaml b/assets/prometheus-operator-user-workload/deployment.yaml
@@ -20,6 +20,7 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: prometheus-operator
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: controller

diff --git a/assets/prometheus-operator/deployment.yaml b/assets/prometheus-operator/deployment.yaml
@@ -20,6 +20,7 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: prometheus-operator
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: controller

diff --git a/assets/prometheus-user-workload/prometheus.yaml b/assets/prometheus-user-workload/prometheus.yaml
@@ -180,6 +180,7 @@ spec:
   overrideHonorTimestamps: true
   podMetadata:
     annotations:
+      openshift.io/required-scc: nonroot-v2
       target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     labels:
       app.kubernetes.io/component: prometheus

diff --git a/assets/telemeter-client/deployment.yaml b/assets/telemeter-client/deployment.yaml
@@ -17,6 +17,7 @@ spec:
   template:
     metadata:
       annotations:
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: telemetry-metrics-collector

diff --git a/assets/thanos-querier/deployment.yaml b/assets/thanos-querier/deployment.yaml
@@ -24,6 +24,7 @@ spec:
   template:
     metadata:
       annotations:
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app.kubernetes.io/component: query-layer

diff --git a/assets/thanos-ruler/thanos-ruler.yaml b/assets/thanos-ruler/thanos-ruler.yaml
@@ -106,6 +106,7 @@ spec:
   listenLocal: true
   podMetadata:
     annotations:
+      openshift.io/required-scc: nonroot-v2
       target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
   priorityClassName: openshift-user-critical
   queryConfig:

diff --git a/jsonnet/components/admission-webhook.libsonnet b/jsonnet/components/admission-webhook.libsonnet
@@ -25,6 +25,9 @@ function(params)
             labels+: {
               'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
             },
+            annotations+: {
+              'openshift.io/required-scc': 'restricted-v2',
+            },
           },
           spec+: {
             // TODO(simonpasquier): configure client certificate authority to

diff --git a/jsonnet/components/alertmanager.libsonnet b/jsonnet/components/alertmanager.libsonnet
@@ -245,6 +245,11 @@ function(params)
         },
       },
       spec+: {
+        podMetadata+: {
+          annotations+: {
+            'openshift.io/required-scc': 'nonroot',
+          },
+        },
         securityContext: {
           fsGroup: 65534,
           runAsNonRoot: true,

diff --git a/jsonnet/components/kube-state-metrics.libsonnet b/jsonnet/components/kube-state-metrics.libsonnet
@@ -192,6 +192,9 @@ function(params)
             labels+: {
               'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
             },
+            annotations+: {
+              'openshift.io/required-scc': 'restricted-v2',
+            },
           },
           spec+: {
             containers:

diff --git a/jsonnet/components/monitoring-plugin.libsonnet b/jsonnet/components/monitoring-plugin.libsonnet
@@ -189,6 +189,7 @@ function(params)
           metadata: $.metadata(noName=true, noNamespace=true) + {
             annotations: {
               'target.workload.openshift.io/management': '{"effect": "PreferredDuringScheduling"}',
+              'openshift.io/required-scc': 'restricted-v2',
             },
           },
           spec: {

diff --git a/jsonnet/components/node-exporter.libsonnet b/jsonnet/components/node-exporter.libsonnet
@@ -169,6 +169,9 @@ function(params)
             labels+: {
               'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
             },
+            annotations+: {
+              'openshift.io/required-scc': 'node-exporter',
+            },
           },
           spec+: {
             initContainers+: [

diff --git a/jsonnet/components/openshift-state-metrics.libsonnet b/jsonnet/components/openshift-state-metrics.libsonnet
@@ -32,6 +32,9 @@ function(params) {
           labels+: {
             'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
           } + cfg.commonLabels,
+          annotations+: {
+            'openshift.io/required-scc': 'restricted-v2',
+          },
         },
         spec+: {
           containers:

diff --git a/jsonnet/components/prometheus-adapter.libsonnet b/jsonnet/components/prometheus-adapter.libsonnet
@@ -93,6 +93,9 @@ function(params)
               labels+: {
                 'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
               },
+              annotations+: {
+                'openshift.io/required-scc': 'restricted-v2',
+              },
             },
             spec+: {
               containers:

diff --git a/jsonnet/components/prometheus-operator-user-workload.libsonnet b/jsonnet/components/prometheus-operator-user-workload.libsonnet
@@ -61,6 +61,9 @@ function(params)
             labels+: {
               'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
             },
+            annotations+: {
+              'openshift.io/required-scc': 'restricted-v2',
+            },
           },
           spec+: {
             nodeSelector+: {

diff --git a/jsonnet/components/prometheus-operator.libsonnet b/jsonnet/components/prometheus-operator.libsonnet
@@ -46,6 +46,9 @@ function(params)
             labels+: {
               'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
             },
+            annotations+: {
+              'openshift.io/required-scc': 'restricted-v2',
+            },
           },
           spec+: {
             nodeSelector+: {

diff --git a/jsonnet/components/prometheus-user-workload.libsonnet b/jsonnet/components/prometheus-user-workload.libsonnet
@@ -332,6 +332,11 @@ function(params)
               super.alertmanagers,
             ),
         },
+        podMetadata+: {
+          annotations+: {
+            'openshift.io/required-scc': 'nonroot-v2',
+          },
+        },
         securityContext: {
           fsGroup: 65534,
           runAsNonRoot: true,

diff --git a/jsonnet/components/prometheus.libsonnet b/jsonnet/components/prometheus.libsonnet
@@ -362,6 +362,11 @@ function(params)
             },
           },
         },
+        podMetadata+: {
+          annotations+: {
+            'openshift.io/required-scc': 'nonroot',
+          },
+        },
         securityContext: {
           fsGroup: 65534,
           runAsNonRoot: true,

diff --git a/jsonnet/components/telemeter-client.libsonnet b/jsonnet/components/telemeter-client.libsonnet
@@ -58,6 +58,9 @@ function(params) {
           labels+: {
             'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
           } + cfg.commonLabels,
+          annotations+: {
+            'openshift.io/required-scc': 'restricted-v2',
+          },
         },
         spec+: {
           containers:

diff --git a/jsonnet/components/thanos-querier.libsonnet b/jsonnet/components/thanos-querier.libsonnet
@@ -277,6 +277,9 @@ function(params)
             labels+: {
               'app.kubernetes.io/managed-by': 'cluster-monitoring-operator',
             },
+            annotations+: {
+              'openshift.io/required-scc': 'restricted-v2',
+            },
           },
           spec+: {
             // TODO(slashpai): remove once new kube-thanos is released which has this change

diff --git a/jsonnet/components/thanos-ruler.libsonnet b/jsonnet/components/thanos-ruler.libsonnet
@@ -353,6 +353,11 @@ function(params)
             }],
           },
         },
+        podMetadata+: {
+          annotations+: {
+            'openshift.io/required-scc': 'nonroot-v2',
+          },
+        },
         securityContext: {
           fsGroup: 65534,
           runAsNonRoot: true,

diff --git a/manifests/0000_50_cluster-monitoring-operator_05-deployment-ibm-cloud-managed.yaml b/manifests/0000_50_cluster-monitoring-operator_05-deployment-ibm-cloud-managed.yaml
@@ -18,6 +18,7 @@ spec:
   template:
     metadata:
       annotations:
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: cluster-monitoring-operator

diff --git a/manifests/0000_50_cluster-monitoring-operator_05-deployment.yaml b/manifests/0000_50_cluster-monitoring-operator_05-deployment.yaml
@@ -21,6 +21,7 @@ spec:
         app.kubernetes.io/name: cluster-monitoring-operator
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
     spec:
       serviceAccountName: cluster-monitoring-operator
       nodeSelector: