BUG 1806438: Remove explicit securityContext and add granular securitycontextconstraints "use" permissions in machine-api-controllers clusterRole

[enxebre]

Without the runlabel #496, we’ll run as a high user by default, no need to say run me as non root.

Otherwise when removing the runlevel completely for the openshift-machine-api namespace openshift/cluster-autoscaler-operator#133 the kube controller manager complains with Error creating: pods "machine-api-operator-75c887884f-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000340000, 1000349999] spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000340000, 1000349999]] https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_cluster-autoscaler-operator/133/pull-ci-openshift-cluster-autoscaler-operator-master-e2e-aws/496/artifacts/e2e-aws/pods/openshift-kube-controller-manager_kube-controller-manager-ip-10-0-133-251.us-east-2.compute.internal_kube-controller-manager.log"

Only after this PR makes it to payload then https://github.com/openshift/cluster-autoscaler-operator/pull/133/files should go green as no pods within the openshift-machine-api namespace will set an invalid user.

[openshift-ci-robot]

@enxebre: This pull request references Bugzilla bug 1806438, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.0) matches configured target release for branch (4.5.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

BUG 1806438: Remove explicit securityContext

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@enxebre: This pull request references Bugzilla bug 1806438, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.0) matches configured target release for branch (4.5.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

BUG 1806438: Remove explicit securityContext

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@enxebre: This pull request references Bugzilla bug 1806438, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.0) matches configured target release for branch (4.5.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

BUG 1806438: Remove explicit securityContext

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@enxebre: This pull request references Bugzilla bug 1806438, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.0) matches configured target release for branch (4.5.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

BUG 1806438: Remove explicit securityContext

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[enxebre]

/retest

[enxebre]

/cherrypick release-4.4
/cherrypick release-4.3

[openshift-cherrypick-robot]

@enxebre: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you.

In response to this:

/cherrypick release-4.4
/cherrypick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@enxebre: This pull request references Bugzilla bug 1806438, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.0) matches configured target release for branch (4.5.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

BUG 1806438: Remove explicit securityContext

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@enxebre: This pull request references Bugzilla bug 1806438, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.0) matches configured target release for branch (4.5.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

BUG 1806438: Remove explicit securityContext

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[JoelSpeed]

/lgtm

[markmc]

@enxebre As per comment in openshift/cluster-autoscaler-operator#133 the baremetal pod deployment uses hostNetwork, hostPort, and privileged

/cc @sadasu @stbenjam @hardys

[enxebre]

@enxebre As per comment in openshift/cluster-autoscaler-operator#133 the baremetal pod deployment uses hostNetwork, hostPort, and privileged

@markmc good catch, I believe adding the specifics SCC to the clusterRole used by the machine-api-controllers should be enough as per openshift/cluster-ingress-operator@1409f54
i.e

- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
  resourceNames:
  - hostnetwork
  - privileged

cc @Miciah @smarterclayton can you confirm?

/hold

[smarterclayton]

Yes, although ONLY the component that needs those should have a reference to the SCC via a unique service account.

[enxebre]

Yes, although ONLY the component that needs those should have a reference to the SCC via a unique service account.

Agreed, currently our granularity let us give this to the pod which run the multiple machine controllers. In near future we might consider breaking this pod down into multiple components.

/hold cancel
/retest

[markmc]

/lgtm

Would be good to get feedback from @sadasu's testing too

[sadasu]

/approve
I was able to patch in the latest fix for this PR with the fix for openshift/cluster-autoscaler-operator#133 by e2e baremetal (virtual) deployment. Happy to report that the metal3 pod came up fine and so did all the workers.

[enxebre]

/retest

[enxebre]

/retest

[enxebre]

/test e2e-gcp

[JoelSpeed]

/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed, sadasu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[JoelSpeed]

/retest

[stlaz]

why does the operator require privileged SCC to run?

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[stlaz]

/hold

[spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000340000, 1000349999] spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000340000, 1000349999]]

if this was the only problem then just the removal of runAsUser should do

[enxebre]

/retest

[enxebre]

/hold cancel

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-cherrypick-robot]

@enxebre: new pull request created: #511

In response to this:

/cherrypick release-4.4
/cherrypick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.