Drop privileged SCC from RBAC grants#601
Conversation
fmount
left a comment
There was a problem hiding this comment.
/lgtm thanks a lot for this one!
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fmount, gouthampacha The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Build failed (check pipeline). Post ✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 07m 44s |
|
@gouthampacha the CI issue seems a real problem w/ manila-db-sync job that is not running. I think this is related to the fact we build the job with [1] and we should probably remove: SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},that is incompatible w/ [1] https://github.com/openstack-k8s-operators/manila-operator/blob/main/internal/manila/funcs.go#L43 |
|
@gouthampacha retriggering CI with the updated |
manila-share no longer runs with a privileged security context, so remove the privileged SCC from kubebuilder RBAC markers, the runtime policy rules, and the generated ClusterRole/Role manifests. Only the anyuid SCC is needed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
As we removed scc from the rbac roles assigned to manila sa, we need to fix the SeccompProfile assigned to the manila jobs (both dbsync and cronjobs). In addition, this patch removes the hostPath /etc/machine-id mount that prevent the final removal of privileged rbac. Signed-off-by: Francesco Pantano <fpantano@redhat.com>
11499d7 to
cd90138
Compare
Summary
privilegedSCC from kubebuilder RBAC markers, runtime policy rules, and generated ClusterRole/Role manifestsprivilegedSCC is eliminatedanyuidSCC remains, which is sufficient for all manila servicesFollow-up to #597 which removed the privileged security context from the manila-share StatefulSet.
Jira: OSPRH-32347
Test plan
make manifestsregeneratesconfig/rbac/role.yamlwithoutprivilegedmake generatesucceedsgrep -r 'privileged' internal/ config/rbac/returns no SCC-related hits🤖 Generated with Claude Code