Skip to content

[enterprise-4.9] RHDEVDOCS-3243 Update privileged security context documentation to include information about pod timeouts #39311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 29, 2021
Merged

[enterprise-4.9] RHDEVDOCS-3243 Update privileged security context documentation to include information about pod timeouts #39311

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion cicd/pipelines/using-pods-in-a-privileged-security-context.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
[id='using-pods-in-a-privileged-security-context']
[id="using-pods-in-a-privileged-security-context"]
= Using pods in a privileged security context
include::modules/common-attributes.adoc[]
include::modules/pipelines-document-attributes.adoc[]
Expand All @@ -24,7 +24,9 @@ In addition, the `Buildah` cluster task, shipped as part of the OpenShift Pipeli

include::modules/op-running-pipeline-and-task-run-pods-with-privileged-security-context.adoc[leveloffset=+1]

include::modules/op-running-pipeline-run-and-task-run-with-custom-scc-and-service-account.adoc[leveloffset=+1]

[id="additional-references_using-pods-in-a-privileged-security-context"]
== Additional resources

* For information on managing SCCs, refer to xref:../../authentication/managing-security-context-constraints.adoc[Managing security context constraints].
121 changes: 121 additions & 0 deletions ...s/op-running-pipeline-run-and-task-run-with-custom-scc-and-service-account.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
[id="op-running-pipeline-run-and-task-run-with-custom-scc-and-service-account_{context}"]
= Running pipeline run and task run by using a custom SCC and a custom service account

When using the `pipelines-scc` security context constraint (SCC) associated with the default `pipelines` service account, the pipeline run and task run pods may face timeouts. This happens because in the default `pipelines-scc` SCC, the `fsGroup.type` parameter is set to `MustRunAs`.

[NOTE]
====
For more information about pod timeouts, see link:https://bugzilla.redhat.com/show_bug.cgi?id=1995779[BZ#1995779].
====

To avoid pod timeouts, you can create a custom SCC with the `fsGroup.type` parameter set to `RunAsAny`, and associate it with a custom service account.

[NOTE]
====
As a best practice, use a custom SCC and a custom service account for pipeline runs and task runs. This approach allows greater flexibility and does not break the runs when the defaults are modified during an upgrade.
====

.Procedure

. Define a custom SCC with the `fsGroup.type` parameter set to `RunAsAny`:
+
.Example: Custom SCC
[source,yaml]
----
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
annotations:
kubernetes.io/description: my-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - RunAsAny.
name: my-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
----

. Create the custom SCC:
+
.Example: Create the `my-scc` SCC
[source,terminal]
----
$ oc create -f my-scc.yaml
----

. Create a custom service account:
+
.Example: Create a `fsgroup-runasany` service account
[source,terminal]
----
$ oc create serviceaccount fsgroup-runasany
----

. Associate the custom SCC with the custom service account:
+
.Example: Associate the `my-scc` SCC with the `fsgroup-runasany` service account
[source,terminal]
----
$ oc adm policy add-scc-to-user my-scc -z fsgroup-runasany
----
+
If you want to use the custom service account for privileged tasks, you can associate the `privileged` SCC with the custom service account by running the following command:
+
.Example: Associate the `privileged` SCC with the `fsgroup-runasany` service account
[source,terminal]
----
$ oc adm policy add-scc-to-user privileged -z fsgroup-runasany
----

. Use the custom service account in the pipeline run and task run:
+
.Example: Pipeline run YAML with `fsgroup-runasany` custom service account
[source,yaml]
----
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: <pipeline-run-name>
spec:
pipelineRef:
name: <pipeline-cluster-task-name>
serviceAccountName: 'fsgroup-runasany'
----
+
.Example: Task run YAML with `fsgroup-runasany` custom service account
[source,yaml]
----
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: <task-run-name>
spec:
taskRef:
name: <cluster-task-name>
serviceAccountName: 'fsgroup-runasany'
----