Merge pull request #170 from liouk/required-scc

AUTH-482: set required-scc for openshift workloads
openshift · Apr 17, 2024 · d7e1d3c · d7e1d3c
2 parents 41f6ab2 + 40c3a9b
commit d7e1d3c
Show file tree

Hide file tree

Showing 11 changed files with 12 additions and 0 deletions.
diff --git a/assets/base/node.yaml b/assets/base/node.yaml
@@ -23,6 +23,8 @@ spec:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
         # This annotation prevents eviction from the cluster-autoscaler
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        # This annotation prevents potential custom SCCs of taking over
+        openshift.io/required-scc: privileged
       labels:
         app: ${ASSET_PREFIX}-node
     spec:

diff --git a/assets/overlays/aws-ebs/generated/hypershift/controller.yaml b/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
@@ -48,6 +48,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: aws-ebs-csi-driver-controller

diff --git a/assets/overlays/aws-ebs/generated/hypershift/node.yaml b/assets/overlays/aws-ebs/generated/hypershift/node.yaml
@@ -26,6 +26,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        openshift.io/required-scc: privileged
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: aws-ebs-csi-driver-node

diff --git a/assets/overlays/aws-ebs/generated/standalone/controller.yaml b/assets/overlays/aws-ebs/generated/standalone/controller.yaml
@@ -43,6 +43,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
+        openshift.io/required-scc: restricted-v2
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: aws-ebs-csi-driver-controller

diff --git a/assets/overlays/aws-ebs/generated/standalone/node.yaml b/assets/overlays/aws-ebs/generated/standalone/node.yaml
@@ -26,6 +26,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        openshift.io/required-scc: privileged
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: aws-ebs-csi-driver-node

diff --git a/assets/overlays/aws-ebs/patches/controller_add_driver.yaml b/assets/overlays/aws-ebs/patches/controller_add_driver.yaml
@@ -9,6 +9,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
+        openshift.io/required-scc: restricted-v2
     spec:
       containers:
         - name: csi-driver

diff --git a/assets/overlays/azure-disk/generated/hypershift/node.yaml b/assets/overlays/azure-disk/generated/hypershift/node.yaml
@@ -26,6 +26,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        openshift.io/required-scc: privileged
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: azure-disk-csi-driver-node

diff --git a/assets/overlays/azure-disk/generated/standalone/node.yaml b/assets/overlays/azure-disk/generated/standalone/node.yaml
@@ -26,6 +26,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        openshift.io/required-scc: privileged
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: azure-disk-csi-driver-node

diff --git a/assets/overlays/azure-file/generated/hypershift/node.yaml b/assets/overlays/azure-file/generated/hypershift/node.yaml
@@ -26,6 +26,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        openshift.io/required-scc: privileged
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: azure-file-csi-driver-node

diff --git a/assets/overlays/azure-file/generated/standalone/node.yaml b/assets/overlays/azure-file/generated/standalone/node.yaml
@@ -26,6 +26,7 @@ spec:
     metadata:
       annotations:
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+        openshift.io/required-scc: privileged
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
       labels:
         app: azure-file-csi-driver-node

diff --git a/pkg/driver/common/operator/test_manifests/aws_ebs_controller_hypershift.yaml b/pkg/driver/common/operator/test_manifests/aws_ebs_controller_hypershift.yaml
@@ -22,6 +22,7 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: restricted-v2
       labels:
         app: aws-ebs-csi-driver-controller
         hypershift.openshift.io/hosted-control-plane: clusters-test