Merge pull request #71 from projectsyn/ocp4/allow-scc-nonroot-v2

Allow vcluster containers to run with arbitrary non-root UIDs on OpenShift
projectsyn · Nov 22, 2023 · de4a726 · de4a726
2 parents b17d6cf + 12504d6
commit de4a726
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 0 deletions.
diff --git a/component/cluster.libsonnet b/component/cluster.libsonnet
@@ -136,6 +136,46 @@ local cluster = function(name, options)
     roleRef_: clusterRole,
   };
 
+  local sccRole = if isOpenshift then
+    kube.Role('use-nonroot-v2') {
+      metadata+: {
+        namespace: options.namespace,
+      },
+      rules: [
+        {
+          apiGroups: [
+            'security.openshift.io',
+          ],
+          resourceNames: [
+            'nonroot-v2',
+          ],
+          resources: [
+            'securitycontextconstraints',
+          ],
+          verbs: [
+            'use',
+          ],
+        },
+      ],
+    };
+  local sccRoleBinding = if isOpenshift then
+    kube.RoleBinding('default-use-nonroot-v2') {
+      metadata+: {
+        annotations+: {
+          'vcluster.syn.tools/description': 'Allow vcluster to sync pods with arbitrary nonroot users by allowing the default ServiceAccount to use the nonroot-v2 scc',
+        },
+        namespace: options.namespace,
+      },
+      roleRef_: sccRole,
+      subjects: [
+        {
+          kind: 'ServiceAccount',
+          name: 'default',
+          namespace: options.namespace,
+        },
+      ],
+    };
+
   local service = kube.Service(name) {
     metadata+: {
       namespace: options.namespace,
@@ -413,6 +453,8 @@ local cluster = function(name, options)
     roleBinding,
     clusterRole,
     clusterRoleBinding,
+    sccRole,
+    sccRoleBinding,
     service,
     headlessService,
     statefulSet,

diff --git a/tests/golden/openshift/openshift/openshift/10_cluster.yaml b/tests/golden/openshift/openshift/openshift/10_cluster.yaml
@@ -124,6 +124,43 @@ subjects:
     name: vc-openshift
     namespace: syn-openshift
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations: {}
+  labels:
+    name: use-nonroot-v2
+  name: use-nonroot-v2
+  namespace: syn-openshift
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - nonroot-v2
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    vcluster.syn.tools/description: Allow vcluster to sync pods with arbitrary nonroot
+      users by allowing the default ServiceAccount to use the nonroot-v2 scc
+  labels:
+    name: default-use-nonroot-v2
+  name: default-use-nonroot-v2
+  namespace: syn-openshift
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: use-nonroot-v2
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: syn-openshift
+---
 apiVersion: v1
 kind: Service
 metadata: