Merge pull request #7 from appuio/upgrade-permission-fix

Fix 4.10 cluster upgrades: Create higher prio `privileged` SCC
appuio · Jul 12, 2022 · f39e098 · f39e098
2 parents 8eaf3f0 + e910629
commit f39e098
Show file tree

Hide file tree

Showing 5 changed files with 150 additions and 0 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -2,3 +2,8 @@ parameters:
   openshift4_config:
     =_metadata: {}
     globalPullSecret: null
+
+    # Fixes cluster upgrades on OCP4.10 clusters with custom `privileged` SCCs.
+    clusterUpgradeSCCPermissionFix:
+      enabled: true
+      priority: 3
diff --git a/component/main.jsonnet b/component/main.jsonnet
@@ -18,4 +18,5 @@ local dockercfg = kube.Secret('pull-secret') {
 // Define outputs below
 {
   [if params.globalPullSecret != null then '01_dockercfg']: dockercfg,
+  [if params.clusterUpgradeSCCPermissionFix.enabled then '02_clusterUpgradeSCCPermissionFix']: (import 'privileged-scc.libsonnet'),
 }
diff --git a/component/privileged-scc.libsonnet b/component/privileged-scc.libsonnet
@@ -0,0 +1,66 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.openshift4_config;
+
+kube._Object('security.openshift.io/v1', 'SecurityContextConstraints', 'privileged-higher-prio') {
+  metadata+: {
+    labels+: {
+      'app.kubernetes.io/managed-by': 'commodore',
+      'app.kubernetes.io/component': 'openshift4-config',
+    },
+    annotations+: {
+      'kubernetes.io/description': |||
+        Copy of `privileged` with increased priority to be choosen over other custom SCCs.
+
+        privileged allows access to all privileged and host features and the ability to run as any user, any group, any fsGroup, and with any SELinux context.
+        WARNING: this is the most relaxed SCC and should be used only for cluster administration. Grant with caution.
+      |||,
+    },
+  },
+  allowHostDirVolumePlugin: true,
+  allowHostIPC: true,
+  allowHostNetwork: true,
+  allowHostPID: true,
+  allowHostPorts: true,
+  allowPrivilegeEscalation: true,
+  allowPrivilegedContainer: true,
+  allowedCapabilities: [
+    '*',
+  ],
+  allowedUnsafeSysctls: [
+    '*',
+  ],
+  defaultAddCapabilities: null,
+  fsGroup: {
+    type: 'RunAsAny',
+  },
+  groups: [
+    'system:cluster-admins',
+    'system:nodes',
+    'system:masters',
+  ],
+  priority: params.clusterUpgradeSCCPermissionFix.priority,
+  readOnlyRootFilesystem: false,
+  requiredDropCapabilities: null,
+  runAsUser: {
+    type: 'RunAsAny',
+  },
+  seLinuxContext: {
+    type: 'RunAsAny',
+  },
+  seccompProfiles: [
+    '*',
+  ],
+  supplementalGroups: {
+    type: 'RunAsAny',
+  },
+  users: [
+    'system:admin',
+    'system:serviceaccount:openshift-infra:build-controller',
+  ],
+  volumes: [
+    '*',
+  ],
+}
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -20,3 +20,27 @@ See the OpenShift documentation for more details on https://docs.openshift.com/c
 You need to make sure that the existing pull secrets present on a cluster (deployed by the OpenShift installer) are included in the configuration deployed by this component.
 Otherwise, OpenShift cluster services may stop working because their respective container images can't be downloaded anymore.
 ====
+
+== `clusterUpgradeSCCPermissionFix`
+
+[horizontal]
+type:: dictionary
+
+If enabled fixes cluster upgrades on 4.10 clusters with custom SCCs that set `privileged: true`.
+A copy of the default `privileged` SCC is created with increased priority to be chosen over custom SCCs.
+
+=== `clusterUpgradeSCCPermissionFix.enabled`
+
+[horizontal]
+type:: boolean
+default:: `true`
+
+Whether to enable the SCC priority fix.
+
+=== `clusterUpgradeSCCPermissionFix.priority`
+
+[horizontal]
+type:: number
+default:: `3`
+
+The priority the resulting SCC will have.
diff --git a/...olden/defaults/openshift4-config/openshift4-config/02_clusterUpgradeSCCPermissionFix.yaml b/...olden/defaults/openshift4-config/openshift4-config/02_clusterUpgradeSCCPermissionFix.yaml
@@ -0,0 +1,54 @@
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+  - '*'
+allowedUnsafeSysctls:
+  - '*'
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups:
+  - system:cluster-admins
+  - system:nodes
+  - system:masters
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: 'Copy of `privileged` with increased priority to be
+      choosen over other custom SCCs.
+
+
+      privileged allows access to all privileged and host features and the ability
+      to run as any user, any group, any fsGroup, and with any SELinux context.
+
+      WARNING: this is the most relaxed SCC and should be used only for cluster administration.
+      Grant with caution.
+
+      '
+  labels:
+    app.kubernetes.io/component: openshift4-config
+    app.kubernetes.io/managed-by: commodore
+    name: privileged-higher-prio
+  name: privileged-higher-prio
+priority: 3
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - '*'
+supplementalGroups:
+  type: RunAsAny
+users:
+  - system:admin
+  - system:serviceaccount:openshift-infra:build-controller
+volumes:
+  - '*'