From 40c3a9b27eec261a37fee69b74083626926708f5 Mon Sep 17 00:00:00 2001
From: Ilias Rinis
Date: Tue, 20 Feb 2024 17:17:47 +0100
Subject: [PATCH] assets: set required-scc for openshift workloads
---
assets/base/node.yaml | 2 ++
assets/overlays/aws-ebs/generated/hypershift/controller.yaml | 1 +
assets/overlays/aws-ebs/generated/hypershift/node.yaml | 1 +
assets/overlays/aws-ebs/generated/standalone/controller.yaml | 1 +
assets/overlays/aws-ebs/generated/standalone/node.yaml | 1 +
assets/overlays/aws-ebs/patches/controller_add_driver.yaml | 1 +
assets/overlays/azure-disk/generated/hypershift/node.yaml | 1 +
assets/overlays/azure-disk/generated/standalone/node.yaml | 1 +
assets/overlays/azure-file/generated/hypershift/node.yaml | 1 +
assets/overlays/azure-file/generated/standalone/node.yaml | 1 +
.../operator/test_manifests/aws_ebs_controller_hypershift.yaml | 1 +
11 files changed, 12 insertions(+)
diff --git a/assets/base/node.yaml b/assets/base/node.yaml
index eb26204d1..960128630 100644
--- a/assets/base/node.yaml
+++ b/assets/base/node.yaml
@@ -23,6 +23,8 @@ spec:
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 # This annotation prevents eviction from the cluster-autoscaler
 cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+ # This annotation prevents potential custom SCCs of taking over
+ openshift.io/required-scc: privileged
 labels:
 app: ${ASSET_PREFIX}-node
 spec:
diff --git a/assets/overlays/aws-ebs/generated/hypershift/controller.yaml b/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
index b0f1fd804..ac7e70247 100644
--- a/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
+++ b/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
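Review bot: The comment above the new `openshift.io/required-scc: privileged` line in assets/base/node.yaml is ungrammatical (`of taking over`) and does not say what the annotation does; suggest `# Pin SCC admission to the privileged SCC so that a custom SCC with a higher priority is not selected for these pods instead`. As the comment implies, the annotation makes admission consider only the named SCC, so the DaemonSet's service account must already be allowed to use `privileged`; otherwise the pods are rejected rather than falling back to another SCC. That is presumably the case since the node pods ran privileged before this change, but the RBAC assets are not in this diff, so it is worth confirming. On clusters whose SCC admission does not understand the annotation it is simply ignored, which is safe but means the pinning cannot be assumed everywhere.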
@@ -48,6 +48,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
+ openshift.io/required-scc: restricted-v2
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: aws-ebs-csi-driver-controller
diff --git a/assets/overlays/aws-ebs/generated/hypershift/node.yaml b/assets/overlays/aws-ebs/generated/hypershift/node.yaml
index 04ef16780..039292f84 100644
--- a/assets/overlays/aws-ebs/generated/hypershift/node.yaml
+++ b/assets/overlays/aws-ebs/generated/hypershift/node.yaml
@@ -26,6 +26,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+ openshift.io/required-scc: privileged
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: aws-ebs-csi-driver-node
diff --git a/assets/overlays/aws-ebs/generated/standalone/controller.yaml b/assets/overlays/aws-ebs/generated/standalone/controller.yaml
index b935047a7..5b9476b28 100644
--- a/assets/overlays/aws-ebs/generated/standalone/controller.yaml
+++ b/assets/overlays/aws-ebs/generated/standalone/controller.yaml
@@ -43,6 +43,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
+ openshift.io/required-scc: restricted-v2
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: aws-ebs-csi-driver-controller
diff --git a/assets/overlays/aws-ebs/generated/standalone/node.yaml b/assets/overlays/aws-ebs/generated/standalone/node.yaml
index 04ef16780..039292f84 100644
--- a/assets/overlays/aws-ebs/generated/standalone/node.yaml
+++ b/assets/overlays/aws-ebs/generated/standalone/node.yaml
@@ -26,6 +26,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+ openshift.io/required-scc: privileged
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: aws-ebs-csi-driver-node
diff --git a/assets/overlays/aws-ebs/patches/controller_add_driver.yaml b/assets/overlays/aws-ebs/patches/controller_add_driver.yaml
index 7dc37742e..97ca0634e 100644
--- a/assets/overlays/aws-ebs/patches/controller_add_driver.yaml
+++ b/assets/overlays/aws-ebs/patches/controller_add_driver.yaml
@@ -9,6 +9,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
+ openshift.io/required-scc: restricted-v2
 spec:
 containers:
 - name: csi-driver
diff --git a/assets/overlays/azure-disk/generated/hypershift/node.yaml b/assets/overlays/azure-disk/generated/hypershift/node.yaml
index 081f1b57e..7ffe11e0f 100644
--- a/assets/overlays/azure-disk/generated/hypershift/node.yaml
+++ b/assets/overlays/azure-disk/generated/hypershift/node.yaml
@@ -26,6 +26,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+ openshift.io/required-scc: privileged
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: azure-disk-csi-driver-node
diff --git a/assets/overlays/azure-disk/generated/standalone/node.yaml b/assets/overlays/azure-disk/generated/standalone/node.yaml
index 081f1b57e..7ffe11e0f 100644
--- a/assets/overlays/azure-disk/generated/standalone/node.yaml
+++ b/assets/overlays/azure-disk/generated/standalone/node.yaml
@@ -26,6 +26,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+ openshift.io/required-scc: privileged
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: azure-disk-csi-driver-node
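Review bot: The hand-written patch assets/overlays/aws-ebs/patches/controller_add_driver.yaml adds `openshift.io/required-scc: restricted-v2` with no comment, while the node base in this same patch explains why its annotation is there; the controller side is the one a reader is more likely to question, since it deliberately pins to a less permissive SCC than the node DaemonSet. Suggest adding above the new line `# Pin the controller to restricted-v2 so that a custom SCC is not selected for it instead`. The generated overlays are expected to carry the annotation without the comment, so only the source patch needs it.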
diff --git a/assets/overlays/azure-file/generated/hypershift/node.yaml b/assets/overlays/azure-file/generated/hypershift/node.yaml
index ec408c4a5..be2a53b84 100644
--- a/assets/overlays/azure-file/generated/hypershift/node.yaml
+++ b/assets/overlays/azure-file/generated/hypershift/node.yaml
@@ -26,6 +26,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+ openshift.io/required-scc: privileged
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: azure-file-csi-driver-node
diff --git a/assets/overlays/azure-file/generated/standalone/node.yaml b/assets/overlays/azure-file/generated/standalone/node.yaml
index ec408c4a5..be2a53b84 100644
--- a/assets/overlays/azure-file/generated/standalone/node.yaml
+++ b/assets/overlays/azure-file/generated/standalone/node.yaml
@@ -26,6 +26,7 @@ spec:
 metadata:
 annotations:
 cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
+ openshift.io/required-scc: privileged
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
 labels:
 app: azure-file-csi-driver-node
diff --git a/pkg/driver/common/operator/test_manifests/aws_ebs_controller_hypershift.yaml b/pkg/driver/common/operator/test_manifests/aws_ebs_controller_hypershift.yaml
index 0ad42e7a9..7bf6d22d4 100644
--- a/pkg/driver/common/operator/test_manifests/aws_ebs_controller_hypershift.yaml
+++ b/pkg/driver/common/operator/test_manifests/aws_ebs_controller_hypershift.yaml
@@ -22,6 +22,7 @@ spec:
 annotations:
 cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: bound-sa-token,socket-dir
 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+ openshift.io/required-scc: restricted-v2
 labels:
 app: aws-ebs-csi-driver-controller
 hypershift.openshift.io/hosted-control-plane: clusters-test
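Review bot: In the test manifest pkg/driver/common/operator/test_manifests/aws_ebs_controller_hypershift.yaml the new `openshift.io/required-scc: restricted-v2` line is appended after `target.workload.openshift.io/management`, whereas every generated controller manifest in this patch has it sorted before that key. If the test that reads this file compares rendered text rather than parsed objects (the diff does not show which), the ordering difference alone will make the expected output diverge from what the operator produces, so moving the new line above the `target.workload…` line keeps the fixture aligned with the generated files either way. Also worth a glance: the aws-ebs standalone controller expectation, if one exists, is not updated here, though it may simply not be part of this test set.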