feat: Use custom SCC for topolvm-node #35
```yaml
  - 'configMap'
  - 'emptyDir'
  - 'secret'
  - 'hostPath'
```
(trying to understand how SCC works) How is this SCC associated with the topolvm-node service account? There is a `users` field that contains the list of serviceAccounts. For example, rook.
- thanks for finding this, I saw the `users` field somewhere and forgot where that was during our meetings
- in the current scenario we are using ClusterRole & ClusterRoleBinding to use this SCC
- in the merged commit it was using `privileged` directly and this changes that to use the `topolvm-node` named SCC
@sp98: I have included the different settings, reading what they do.
As @leelavg commented, we are using a cluster role binding to associate the sa with the scc. Including the user in the scc seems to link the scc to a single namespace (because of the way you need to specify the user), which I think is very limited for our needs.
The operator only needs the permissions for the sa in the operator namespace as that is where it will create the containers. Can we try this with a Role?
@nbalacha : We cannot use Role instead of Cluster Role, because we need permissions for cluster-scoped resources (like nodes).
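The ClusterRole/ClusterRoleBinding approach leelavg and jmolmo describe, written out as an added example (these are not the project's own manifests). It assumes the service account is named `topolvm-node`, that the SCC is named `topolvm-node` as in this PR, and uses `<operator-namespace>` as a placeholder; the ClusterRole name `topolvm-node-scc` is chosen here for illustration.

```yaml
# Added example, not the project's manifests. Grants one service account the
# right to be admitted under one named SCC, and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: topolvm-node-scc            # name chosen for this example
rules:
  # SCCs are cluster-scoped objects in the security.openshift.io API group.
  # The "use" verb is what SCC admission checks; narrowing it with
  # resourceNames means this SA can use exactly this SCC, not every SCC
  # in the cluster (which is what an unrestricted rule would allow).
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    resourceNames:
      - topolvm-node
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: topolvm-node-scc            # name chosen for this example
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: topolvm-node-scc
subjects:
  - kind: ServiceAccount
    name: topolvm-node              # assumed SA name
    namespace: <operator-namespace> # placeholder, replace with the real one
```

Keeping the SCC grant in its own ClusterRole, separate from the rule that needs cluster scope (reading nodes), is what makes it reviewable on its own: the `use` check is evaluated for the service account of the pod's namespace, so once the grant is split out like this it could equally be carried by a namespaced Role and RoleBinding if the operator only ever runs the DaemonSet in its own namespace.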
config/rbac/topolvm_node_scc.yaml
```yaml
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
```
- not immediate but our final goal should be to use specific capabilities that the container needs and curtail everything else.
config/rbac/topolvm_node_scc.yaml
```yaml
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: true
```
@leseb generally the nodeplugin doesn't need it, however lvmd in the daemonset needs this.
It uses nsenter to get into the host pid namespace and run lvm ops.
I don't think you need HostPID for nsenter to run any commands on the host. As far as I can tell, Rook uses nsenter already to exec commands on the host and we don't use HostPID.
However, if you really feel like we do, then let's comment on why. Thanks
Extract from the OpenShift documentation:

| Field | Type | Description |
| --- | --- | --- |
| allowHostPID | boolean | AllowHostPID determines if the policy allows host pid in the containers. |

If you are asking why we need `hostPID: true` in the pod, this is because lvmd needs to see pid 1 on the host. (here you can follow the complete discussion that led to this point)
But this world of SCCs is new to me.. how do you suggest adding this requirement (seeing pid 1 on the host) in the SCC?
I don't mean to rehearse or argue on the past decision that led to enabling HostPID. I just want to make sure everybody knows and understands why it is needed. That's all :) So in the config/rbac/topolvm_node_scc.yaml I'm just suggesting adding more comments to explain why each option we enable is needed.
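The per-option comments leseb asks for, applied to an SCC assembled from the settings quoted in this review. This is an added example and not the project's `config/rbac/topolvm_node_scc.yaml`: the `runAsUser`, `seLinuxContext`, `fsGroup` and `supplementalGroups` strategies are mandatory SCC fields the thread never shows, so the `RunAsAny` values below are assumptions, as is leaving `users` and `groups` empty (the grant comes from RBAC, as discussed above).

```yaml
# Added example, not the project's own file. Every enabled option carries the
# reason given in this review; anything not justified stays off.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: topolvm-node
# No direct subjects: access is granted through a ClusterRole with the "use"
# verb bound to the topolvm-node service account (assumption: kept empty).
users: []
groups: []
# lvmd, which runs in the topolvm-node DaemonSet, uses nsenter to enter the
# host PID namespace and run LVM commands; for that it must see PID 1 on the
# host, so the pod sets hostPID: true and the SCC has to allow it.
allowHostPID: true
# Nothing in the DaemonSet needs the host IPC or network namespaces.
allowHostIPC: false
allowHostNetwork: false
# Must be true for the hostPath entry under "volumes" below to be admitted.
allowHostDirVolumePlugin: true
# Enabled for now; the stated follow-up is to replace this with the specific
# capabilities the container actually needs and deny everything else.
allowPrivilegedContainer: true
allowPrivilegeEscalation: true
# Only the volume types the DaemonSet mounts.
volumes:
  - 'configMap'
  - 'emptyDir'
  - 'secret'
  - 'hostPath'
# Required strategy fields. RunAsAny here is an assumption made for this
# example, not something the review discusses.
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
readOnlyRootFilesystem: false
```

After the DaemonSet is running, the SCC that actually admitted each pod is recorded in the `openshift.io/scc` annotation, which is the quickest way to confirm the pods landed on `topolvm-node` rather than on `privileged`: `oc get pods -n <operator-namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}'`.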
Replaced the <privileged> SCC with the custom topolvm-node SCC

Signed-off-by: Juan Miguel Olmo Martínez <jolmomar@redhat.com>
I have extracted the topolvm-node scc from the cluster role, and created a specific cluster role and binding for the scc. In this way the deployment can be more flexible. I guess that we will also need to add PSPs in the near future, :-)
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: jmolmo, leelavg, nbalacha, sp98.
Replaced the SCC with the custom topolvm-node SCC

Signed-off-by: Juan Miguel Olmo Martínez <jolmomar@redhat.com>