fix scc

charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml

@@ -0,0 +1,23 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-jobs"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+- "system:serviceaccount:cnvrg:cnvrg-job"

charts/cnvrg-non-privileged/templates/ocp-scc-pg.yml

@@ -0,0 +1,31 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-scc-control-plane"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 26
+  uidRangeMax: 1000
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+groups:
+- "system:serviceaccounts:cnvrg"

charts/cnvrg-non-privileged/templates/ocp-scc-prom.yml

@@ -0,0 +1,31 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-scc-control-plane"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 26
+  uidRangeMax: 1000
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+groups:
+- "system:serviceaccounts:cnvrg"

charts/cnvrg-non-privileged/values.yaml

@@ -102,6 +102,7 @@ controlPlane:
       CNVRG_ENABLE_MOUNT_FOLDERS: false
       CNVRG_MOUNT_HOST_FOLDERS: false
       CNVRG_PROMETHEUS_METRICS: true
+      OCP_ENABLED: true
     sentryUrl: ''
     runJobsOnSelfCluster: ''
     agentCustomTag: agnostic-logs
@@ -155,7 +156,7 @@ controlPlane:
       cpu: 1000m
       memory: 1Gi
   nomex:
-    enabled: true
+    enabled: false
     image: nomex:v1.0.0
 registry:
   name: cnvrg-app-registry
@@ -238,7 +239,7 @@ dbs:
       cpu: '4'
       memory: 8Gi
     javaOpts: ''
-    patchEsNodes: true
+    patchEsNodes: false
     nodeSelector:
     credsRef: es-creds
     pvcName: es-storage

cmd/operator/main.go

@@ -8,7 +8,6 @@ import (
 	"github.com/spf13/viper"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
-	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"os"
@@ -111,19 +110,17 @@ func setParams(params []param, command *cobra.Command) {
 
 func runOperator() {
 	ctrl.SetLogger(zapr.NewLogger(initZapLog()))
-	selector, err := labels.Parse("name=cnvrg")
-	if err != nil {
-		zap.S().Error(err)
-		return
-	}
-	cacheCfg := cache.Config{LabelSelector: selector}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Cache: cache.Options{
-			DefaultNamespaces: map[string]cache.Config{"cnvrg": cacheCfg},
+			DefaultNamespaces: map[string]cache.Config{
+				"cnvrg": {},
+			},
+		},
+		Metrics: metricsserver.Options{
+			BindAddress: viper.GetString("metrics-addr"),
 		},
-		Metrics:                metricsserver.Options{BindAddress: viper.GetString("metrics-addr")},
 		HealthProbeBindAddress: viper.GetString("health-probe-addr"),
 	})
 	if err != nil {

hack/run-as-kubeconfig.sh

@@ -0,0 +1,6 @@
+export SECRET_NAME_SA=cnvrg-operator
+export TOKEN_SA=`kubectl get secret cnvrg-operator-secret-debug -n cnvrg -ojsonpath='{.data.token}' | base64 -d`
+kubectl config view --raw --minify > kubeconfig.txt
+kubectl config unset users --kubeconfig=kubeconfig.txt
+kubectl config set-credentials ${SECRET_NAME_SA} --kubeconfig=kubeconfig.txt --token=${TOKEN_SA}
+kubectl config set-context --current --kubeconfig=kubeconfig.txt --user=${SECRET_NAME_SA}

pkg/app/controlplane/controlplane.go

@@ -24,12 +24,6 @@ type CpStateManager struct {
 	app *mlopsv1.CnvrgApp
 }
 
-func NewControlPlaneCrdsStateManager(c client.Client, s *runtime.Scheme, log logr.Logger) desired.StateManager {
-	l := log.WithValues("stateManager", "controlPlaneCrds")
-	asm := desired.NewAssetsStateManager(nil, c, s, l, fs, fsRoot+"/crds", nil)
-	return &CpCrdsStateManager{AssetsStateManager: asm}
-}
-
 func NewControlPlaneStateManager(app *mlopsv1.CnvrgApp, c client.Client, s *runtime.Scheme, log logr.Logger) desired.StateManager {
 	l := log.WithValues("stateManager", "controlPlane")
 	asm := desired.NewAssetsStateManager(app, c, s, l, fs, fsRoot, nil)
@@ -72,14 +66,14 @@ func (m *CpStateManager) Load() error {
 	}
 	m.AddToAssets(rbac)
 
-	if m.app.Spec.Networking.Ingress.Type == mlopsv1.OpenShiftIngress {
-		assetName := []string{"ocp-scc.tpl"}
-		ocpScc := desired.NewAssetsGroup(fs, fsRoot+"/conf/rbac", m.Log(), &desired.LoadFilter{AssetName: assetName})
-		if err := ocpScc.LoadAssets(); err != nil {
-			return err
-		}
-		m.AddToAssets(ocpScc)
-	}
+	//if m.app.Spec.Networking.Ingress.Type == mlopsv1.OpenShiftIngress {
+	//	assetName := []string{"ocp-scc.tpl"}
+	//	ocpScc := desired.NewAssetsGroup(fs, fsRoot+"/conf/rbac", m.Log(), &desired.LoadFilter{AssetName: assetName})
+	//	if err := ocpScc.LoadAssets(); err != nil {
+	//		return err
+	//	}
+	//	m.AddToAssets(ocpScc)
+	//}
 
 	if m.app.Spec.ControlPlane.CnvrgClusterProvisionerOperator.Enabled {
 		ccp := desired.NewAssetsGroup(fs, fsRoot+"/ccp", m.Log(), f)

pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-adopted.tpl

@@ -0,0 +1,31 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-scc-control-plane"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 26
+  uidRangeMax: 1000
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+groups:
+- "system:serviceaccounts:cnvrg"

pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-jobs.tpl

@@ -0,0 +1,23 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-jobs"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+- "system:serviceaccount:cnvrg:cnvrg-job"

pkg/app/controlplane/tmpl/conf/rbac/ocp-scc.tpl

@@ -12,7 +12,7 @@ allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
-allowPrivilegedContainer: true
+allowPrivilegedContainer: false
 allowedCapabilities: null
 readOnlyRootFilesystem: false
 runAsUser: