diff --git a/class/defaults.yml b/class/defaults.yml
index ed29587..0eb52fd 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -2,3 +2,8 @@ parameters:
 openshift4_config:
 =_metadata: {}
 globalPullSecret: null
+
+ # Fixes cluster upgrades on OCP4.10 clusters with custom `privileged` SCCs.
+ clusterUpgradeSCCPermissionFix:
+ enabled: true
+ priority: 3
diff --git a/component/main.jsonnet b/component/main.jsonnet
index aa3980b..6360aff 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -18,4 +18,5 @@ local dockercfg = kube.Secret('pull-secret') {
 // Define outputs below
 {
 [if params.globalPullSecret != null then '01_dockercfg']: dockercfg,
+ [if params.clusterUpgradeSCCPermissionFix.enabled then '02_clusterUpgradeSCCPermissionFix']: (import 'privileged-scc.libsonnet'),
 }
diff --git a/component/privileged-scc.libsonnet b/component/privileged-scc.libsonnet
new file mode 100644
index 0000000..eef6dd3
--- /dev/null
+++ b/component/privileged-scc.libsonnet
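Review bot: `enabled: true` turns the fix on for every cluster this component is applied to, while the comment directly above it scopes the problem to OCP 4.10; nothing in this hunk, nor in main.jsonnet's output key (which tests only `enabled`), gates the rendered SCC on the cluster version. A privileged-equivalent SCC with a raised priority is therefore created on clusters that may not be affected, so the default should say so, e.g. `# Enabled by default: the SCC is rendered on every cluster, not only OCP 4.10; set enabled: false where the fix is not needed.`. The same caveat belongs in the `clusterUpgradeSCCPermissionFix` section of parameters.adoc, which currently describes only the 4.10 case.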
@@ -0,0 +1,66 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.openshift4_config;
+
+kube._Object('security.openshift.io/v1', 'SecurityContextConstraints', 'privileged-higher-prio') {
+ metadata+: {
+ labels+: {
+ 'app.kubernetes.io/managed-by': 'commodore',
+ 'app.kubernetes.io/component': 'openshift4-config',
+ },
+ annotations+: {
+ 'kubernetes.io/description': |||
+ Copy of `privileged` with increased priority to be choosen over other custom SCCs.
+
+ privileged allows access to all privileged and host features and the ability to run as any user, any group, any fsGroup, and with any SELinux context.
+ WARNING: this is the most relaxed SCC and should be used only for cluster administration. Grant with caution.
+ |||,
+ },
+ },
+ allowHostDirVolumePlugin: true,
+ allowHostIPC: true,
+ allowHostNetwork: true,
+ allowHostPID: true,
+ allowHostPorts: true,
+ allowPrivilegeEscalation: true,
+ allowPrivilegedContainer: true,
+ allowedCapabilities: [
+ '*',
+ ],
+ allowedUnsafeSysctls: [
+ '*',
+ ],
+ defaultAddCapabilities: null,
+ fsGroup: {
+ type: 'RunAsAny',
+ },
+ groups: [
+ 'system:cluster-admins',
+ 'system:nodes',
+ 'system:masters',
+ ],
+ priority: params.clusterUpgradeSCCPermissionFix.priority,
+ readOnlyRootFilesystem: false,
+ requiredDropCapabilities: null,
+ runAsUser: {
+ type: 'RunAsAny',
+ },
+ seLinuxContext: {
+ type: 'RunAsAny',
+ },
+ seccompProfiles: [
+ '*',
+ ],
+ supplementalGroups: {
+ type: 'RunAsAny',
+ },
+ users: [
+ 'system:admin',
+ 'system:serviceaccount:openshift-infra:build-controller',
+ ],
+ volumes: [
+ '*',
+ ],
+}
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index 04c99d6..f0e948b 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
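Review bot: The `kubernetes.io/description` annotation misspells "chosen" as `choosen`; the string is emitted into the cluster object and is already baked into the golden file 02_clusterUpgradeSCCPermissionFix.yaml, which will need regenerating with the fix. The description also says nothing about which component or parameter owns the object, which matters for an SCC that allows every host feature and capability: an administrator auditing SCCs should be able to trace `privileged-higher-prio` back to its source without decoding the labels. Suggest a third paragraph in the `|||` block such as `Managed by the openshift4-config Commodore component (parameter clusterUpgradeSCCPermissionFix); do not edit by hand.`. Separately, `users` and `groups` are hard-coded rather than derived from the cluster's current `privileged` SCC, so subjects added to that SCC out of band are not carried over; if that is intended, a one-line comment above `groups:` saying so would prevent a later "fix" that widens this object.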
@@ -20,3 +20,27 @@ See the OpenShift documentation for more details on https://docs.openshift.com/c
 You need to make sure that the existing pull secrets present on a cluster (deployed by the OpenShift installer) are included in the configuration deployed by this component.
 Otherwise, OpenShift cluster services may stop working because their respective container images can't be downloaded anymore.
 ====
+
+== `clusterUpgradeSCCPermissionFix`
+
+[horizontal]
+type:: dictionary
+
+If enabled fixes cluster upgrades on 4.10 clusters with custom SCCs that set `privileged: true`.
+A copy of the default `privileged` SCC is created with increased priority to be chosen over custom SCCs.
+
+=== `clusterUpgradeSCCPermissionFix.enabled`
+
+[horizontal]
+type:: boolean
+default:: `true`
+
+Whether to enable the SCC priority fix.
+
+=== `clusterUpgradeSCCPermissionFix.priority`
+
+[horizontal]
+type:: number
+default:: `3`
+
+The priority the resulting SCC will have.
diff --git a/tests/golden/defaults/openshift4-config/openshift4-config/02_clusterUpgradeSCCPermissionFix.yaml b/tests/golden/defaults/openshift4-config/openshift4-config/02_clusterUpgradeSCCPermissionFix.yaml
new file mode 100644
index 0000000..907aecb
--- /dev/null
+++ b/tests/golden/defaults/openshift4-config/openshift4-config/02_clusterUpgradeSCCPermissionFix.yaml
@@ -0,0 +1,54 @@
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+ - '*'
+allowedUnsafeSysctls:
+ - '*'
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+ type: RunAsAny
+groups:
+ - system:cluster-admins
+ - system:nodes
+ - system:masters
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: 'Copy of `privileged` with increased priority to be
+ choosen over other custom SCCs.
+
+
+ privileged allows access to all privileged and host features and the ability
+ to run as any user, any group, any fsGroup, and with any SELinux context.
+
+ WARNING: this is the most relaxed SCC and should be used only for cluster administration.
+ Grant with caution.
+
+ '
+ labels:
+ app.kubernetes.io/component: openshift4-config
+ app.kubernetes.io/managed-by: commodore
+ name: privileged-higher-prio
+ name: privileged-higher-prio
+priority: 3
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+seccompProfiles:
+ - '*'
+supplementalGroups:
+ type: RunAsAny
+users:
+ - system:admin
+ - system:serviceaccount:openshift-infra:build-controller
+volumes:
+ - '*'