From 6d97eca92af2ae8244ebfa527182ea9046926279 Mon Sep 17 00:00:00 2001
From: Dmitry Kartsev
Date: Thu, 8 Feb 2024 12:04:33 +0200
Subject: [PATCH] fix scc
---
 .../templates/ocp-scc-jobs.yml | 23 ++++++++++++++
 .../templates/ocp-scc-pg.yml | 31 +++++++++++++++++++
 .../templates/ocp-scc-prom.yml | 31 +++++++++++++++++++
 charts/cnvrg-non-privileged/values.yaml | 5 +--
 cmd/operator/main.go | 15 ++++-----
 hack/run-as-kubeconfig.sh | 6 ++++
 pkg/app/controlplane/controlplane.go | 22 +++++--------
 .../tmpl/conf/rbac/ocp-scc-adopted.tpl | 31 +++++++++++++++++++
 .../tmpl/conf/rbac/ocp-scc-jobs.tpl | 23 ++++++++++++++
 .../controlplane/tmpl/conf/rbac/ocp-scc.tpl | 2 +-
 10 files changed, 163 insertions(+), 26 deletions(-)
 create mode 100644 charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml
 create mode 100644 charts/cnvrg-non-privileged/templates/ocp-scc-pg.yml
 create mode 100644 charts/cnvrg-non-privileged/templates/ocp-scc-prom.yml
 create mode 100644 hack/run-as-kubeconfig.sh
 create mode 100644 pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-adopted.tpl
 create mode 100644 pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-jobs.tpl
diff --git a/charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml b/charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml
new file mode 100644
index 00000000..d9ef4525
--- /dev/null
+++ b/charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml
@@ -0,0 +1,23 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-jobs"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+- "system:serviceaccount:cnvrg:cnvrg-job"
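Review bot: `runAsUser: RunAsAny` combined with `allowPrivilegeEscalation: true` and no `requiredDropCapabilities` lets any pod running as `cnvrg-job` execute as UID 0 with setuid binaries usable and the runtime's default capability set, which is far broader than the restricted SCC this "non-privileged" chart is named after. If jobs must run as root, say so in a comment above `runAsUser:`; otherwise use `runAsUser: {type: MustRunAsNonRoot}`, `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]`. `volumes:` is not set, so the permitted volume types are whatever the API defaults to — list the types jobs actually need explicitly. The service-account reference hard-codes the namespace; `system:serviceaccount:{{ .Release.Namespace }}:cnvrg-job` keeps the binding correct when the release is installed elsewhere, whereas today a mismatch silently leaves job pods on whatever SCC they would otherwise get.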
diff --git a/charts/cnvrg-non-privileged/templates/ocp-scc-pg.yml b/charts/cnvrg-non-privileged/templates/ocp-scc-pg.yml
new file mode 100644
index 00000000..550da3d9
--- /dev/null
+++ b/charts/cnvrg-non-privileged/templates/ocp-scc-pg.yml
@@ -0,0 +1,31 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-scc-control-plane"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 26
+  uidRangeMax: 1000
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+groups:
+- "system:serviceaccounts:cnvrg"
diff --git a/charts/cnvrg-non-privileged/templates/ocp-scc-prom.yml b/charts/cnvrg-non-privileged/templates/ocp-scc-prom.yml
new file mode 100644
index 00000000..550da3d9
--- /dev/null
+++ b/charts/cnvrg-non-privileged/templates/ocp-scc-prom.yml
@@ -0,0 +1,31 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-scc-control-plane"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 26
+  uidRangeMax: 1000
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 26
+    max: 1000
+groups:
+- "system:serviceaccounts:cnvrg"
diff --git a/charts/cnvrg-non-privileged/values.yaml b/charts/cnvrg-non-privileged/values.yaml
index 8e1f22d9..acdbd3c0 100644
--- a/charts/cnvrg-non-privileged/values.yaml
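Review bot: `groups: [system:serviceaccounts:cnvrg]` binds this SCC to every service account in the namespace, not just the database pods the filename suggests, so the operator, jobs and any future workload also inherit `allowPrivilegeEscalation: true` and the 26–1000 UID range. Bind it per service account as the jobs SCC does (`users: [system:serviceaccount:cnvrg:<pg-sa>]`), or grant the `use` verb on this SCC through a Role/RoleBinding. The 26–1000 range looks chosen for the postgres image's UID 26, but nothing in the file says so — a one-line comment above `runAsUser:` would save the next reader guessing. The namespace is hard-coded here too; `{{ .Release.Namespace }}` keeps the binding valid outside `cnvrg`.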
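Review bot: This file is byte-identical to ocp-scc-pg.yml (both carry blob `550da3d9`) and declares the same cluster-scoped `metadata.name: "cnvrg-scc-control-plane"`, so the chart renders two manifests for one object — Helm rejects duplicate resources at install time, and if it did not, the second would simply overwrite the first. Either drop this file or give the Prometheus SCC its own identity, e.g. `name: "cnvrg-scc-prometheus"` with a `users:` entry for the Prometheus service account. The copied `MustRunAsRange` 26–1000 should also be checked against the UID the Prometheus image actually runs as; a pod that sets `runAsUser` outside that range is rejected by admission.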
+++ b/charts/cnvrg-non-privileged/values.yaml @@ -102,6 +102,7 @@ controlPlane: CNVRG_ENABLE_MOUNT_FOLDERS: false CNVRG_MOUNT_HOST_FOLDERS: false CNVRG_PROMETHEUS_METRICS: true + OCP_ENABLED: true sentryUrl: '' runJobsOnSelfCluster: '' agentCustomTag: agnostic-logs @@ -155,7 +156,7 @@ controlPlane: cpu: 1000m memory: 1Gi nomex: - enabled: true + enabled: false image: nomex:v1.0.0 registry: name: cnvrg-app-registry @@ -238,7 +239,7 @@ dbs: cpu: '4' memory: 8Gi javaOpts: '' - patchEsNodes: true + patchEsNodes: false nodeSelector: credsRef: es-creds pvcName: es-storage diff --git a/cmd/operator/main.go b/cmd/operator/main.go index 5ea3efb3..ed0d980b 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go @@ -8,7 +8,6 @@ import ( "github.com/spf13/viper" "go.uber.org/zap" "go.uber.org/zap/zapcore" - "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" "os" @@ -111,19 +110,17 @@ func setParams(params []param, command *cobra.Command) { func runOperator() { ctrl.SetLogger(zapr.NewLogger(initZapLog())) - selector, err := labels.Parse("name=cnvrg") - if err != nil { - zap.S().Error(err) - return - } - cacheCfg := cache.Config{LabelSelector: selector} mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, Cache: cache.Options{ - DefaultNamespaces: map[string]cache.Config{"cnvrg": cacheCfg}, + DefaultNamespaces: map[string]cache.Config{ + "cnvrg": {}, + }, + }, + Metrics: metricsserver.Options{ + BindAddress: viper.GetString("metrics-addr"), }, - Metrics: metricsserver.Options{BindAddress: viper.GetString("metrics-addr")}, HealthProbeBindAddress: viper.GetString("health-probe-addr"), }) if err != nil { diff --git a/hack/run-as-kubeconfig.sh b/hack/run-as-kubeconfig.sh new file mode 100644 index 00000000..595aa874 --- /dev/null +++ b/hack/run-as-kubeconfig.sh 
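Review bot: `OCP_ENABLED: true` becomes the chart-wide default next to the other env flags, so a non-OpenShift install now gets OpenShift behaviour unless the user overrides it, while the operator change in this same commit comments out the only visible place that loaded `ocp-scc.tpl` — the flag and the operator are no longer in step. Default it to `false` and drive it from a single value (e.g. `ocp.enabled`) that also gates the new `ocp-scc-*.yml` templates with `{{- if .Values.ocp.enabled }}`, so `security.openshift.io/v1` objects are only rendered where that API exists. The flips of `nomex.enabled` and `patchEsNodes` to `false` are unrelated to the SCC fix and undocumented; a short comment next to each saying why would help whoever bumps them back.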
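Review bot: Dropping the `name=cnvrg` label selector widens the operator's informer cache from labelled objects to every object of each watched kind in the `cnvrg` namespace, so if Secrets or ConfigMaps are among the cached types the operator now holds all of them in memory, and any code path that assumed "only our objects" silently sees more. If the selector was removed because some managed objects lack the label, labelling them is safer than widening the watch; if the widening is intentional, leave a comment on `"cnvrg": {},` saying so, since the empty config reads like an oversight. `runOperator` continues past the end of the hunk.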
@@ -0,0 +1,6 @@ +export SECRET_NAME_SA=cnvrg-operator +export TOKEN_SA=`kubectl get secret cnvrg-operator-secret-debug -n cnvrg -ojsonpath='{.data.token}' | base64 -d` +kubectl config view --raw --minify > kubeconfig.txt +kubectl config unset users --kubeconfig=kubeconfig.txt +kubectl config set-credentials ${SECRET_NAME_SA} --kubeconfig=kubeconfig.txt --token=${TOKEN_SA} +kubectl config set-context --current --kubeconfig=kubeconfig.txt --user=${SECRET_NAME_SA} \ No newline at end of file diff --git a/pkg/app/controlplane/controlplane.go b/pkg/app/controlplane/controlplane.go index 579b8d8a..defb3ada 100644 --- a/pkg/app/controlplane/controlplane.go +++ b/pkg/app/controlplane/controlplane.go @@ -24,12 +24,6 @@ type CpStateManager struct { app *mlopsv1.CnvrgApp } -func NewControlPlaneCrdsStateManager(c client.Client, s *runtime.Scheme, log logr.Logger) desired.StateManager { - l := log.WithValues("stateManager", "controlPlaneCrds") - asm := desired.NewAssetsStateManager(nil, c, s, l, fs, fsRoot+"/crds", nil) - return &CpCrdsStateManager{AssetsStateManager: asm} -} - func NewControlPlaneStateManager(app *mlopsv1.CnvrgApp, c client.Client, s *runtime.Scheme, log logr.Logger) desired.StateManager { l := log.WithValues("stateManager", "controlPlane") asm := desired.NewAssetsStateManager(app, c, s, l, fs, fsRoot, nil) 
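Review bot: The script writes a long-lived service-account token into `kubeconfig.txt` in the current directory under the default umask, and `kubectl config view --raw --minify` first copies the caller's own (likely admin) credentials into that file before `config unset users` strips them, so privileged credentials transiently land on disk world-readable. Add a shebang, `set -euo pipefail` and `umask 077`, quote every expansion, and on clusters that support it mint a short-lived token with `kubectl create token` instead of reading the `cnvrg-operator-secret-debug` secret. `TOKEN_SA` is also `export`ed, which exposes it to every child process; a plain variable is enough. `SECRET_NAME_SA` is used as the kubeconfig user name, not a secret name, so the variable name misleads.

```shell
#!/usr/bin/env bash
set -euo pipefail
umask 077

SA_NAME=cnvrg-operator
NS=cnvrg
# Short-lived token (requires a cluster with `kubectl create token`); avoids persisting the
# long-lived secret token. Fall back to the debug secret only if this is unavailable.
TOKEN_SA="$(kubectl -n "${NS}" create token "${SA_NAME}" --duration=1h)"

kubectl config view --raw --minify > kubeconfig.txt
kubectl config unset users --kubeconfig=kubeconfig.txt
kubectl config set-credentials "${SA_NAME}" --kubeconfig=kubeconfig.txt --token="${TOKEN_SA}"
kubectl config set-context --current --kubeconfig=kubeconfig.txt --user="${SA_NAME}"
```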
@@ -72,14 +66,14 @@ func (m *CpStateManager) Load() error { } m.AddToAssets(rbac) - if m.app.Spec.Networking.Ingress.Type == mlopsv1.OpenShiftIngress { - assetName := []string{"ocp-scc.tpl"} - ocpScc := desired.NewAssetsGroup(fs, fsRoot+"/conf/rbac", m.Log(), &desired.LoadFilter{AssetName: assetName}) - if err := ocpScc.LoadAssets(); err != nil { - return err - } - m.AddToAssets(ocpScc) - } + //if m.app.Spec.Networking.Ingress.Type == mlopsv1.OpenShiftIngress { + // assetName := []string{"ocp-scc.tpl"} + // ocpScc := desired.NewAssetsGroup(fs, fsRoot+"/conf/rbac", m.Log(), &desired.LoadFilter{AssetName: assetName}) + // if err := ocpScc.LoadAssets(); err != nil { + // return err + // } + // m.AddToAssets(ocpScc) + //} if m.app.Spec.ControlPlane.CnvrgClusterProvisionerOperator.Enabled { ccp := desired.NewAssetsGroup(fs, fsRoot+"/ccp", m.Log(), f) diff --git a/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-adopted.tpl b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-adopted.tpl new file mode 100644 index 00000000..550da3d9 --- /dev/null +++ b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-adopted.tpl @@ -0,0 +1,31 @@ +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: "cnvrg-scc-control-plane" +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +readOnlyRootFilesystem: false +runAsUser: + type: MustRunAsRange + uidRangeMin: 26 + uidRangeMax: 1000 +seLinuxContext: + type: RunAsAny +fsGroup: + type: MustRunAs + ranges: + - min: 26 + max: 1000 +supplementalGroups: + type: MustRunAs + ranges: + - min: 26 + max: 1000 +groups: +- "system:serviceaccounts:cnvrg" diff --git a/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-jobs.tpl b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-jobs.tpl new file mode 100644 index 00000000..d9ef4525 --- /dev/null 
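Review bot: The OpenShift branch is commented out rather than removed or gated, so in the visible code nothing now loads `ocp-scc.tpl`, nor the two new `ocp-scc-adopted.tpl` / `ocp-scc-jobs.tpl` files — unless the `rbac` asset group added just above already loads the whole `conf/rbac` directory, in which case the SCCs are applied unconditionally, including on clusters without the `security.openshift.io/v1` API, where reconciliation would fail. Either delete the dead block or keep the condition and extend it, e.g. `assetName := []string{"ocp-scc.tpl", "ocp-scc-adopted.tpl", "ocp-scc-jobs.tpl"}`, gated on the ingress type or the new `OCP_ENABLED` flag. `Load` continues outside the hunk.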
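Review bot: This operator template claims the same cluster-scoped object, `cnvrg-scc-control-plane`, that the chart's `ocp-scc-pg.yml` and `ocp-scc-prom.yml` also render, so Helm and the operator will each overwrite the other's version, and `helm upgrade` can refuse to adopt an object it did not create. Pick one owner; if the operator owns it, remove the chart copies, or give this file a non-colliding name. The file contains no template actions, so `groups: - "system:serviceaccounts:cnvrg"` is pinned to that namespace rather than following the CnvrgApp's namespace the way the sibling `.tpl` files presumably do — confirm against the helpers used there. The `groups` binding also covers every service account in the namespace; a per-SA `users:` list is tighter.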
+++ b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc-jobs.tpl
@@ -0,0 +1,23 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "cnvrg-jobs"
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+- "system:serviceaccount:cnvrg:cnvrg-job"
diff --git a/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc.tpl b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc.tpl
index 64660244..0dbda9f5 100644
--- a/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc.tpl
+++ b/pkg/app/controlplane/tmpl/conf/rbac/ocp-scc.tpl
@@ -12,7 +12,7 @@ allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
-allowPrivilegedContainer: true
+allowPrivilegedContainer: false
 allowedCapabilities: null
 readOnlyRootFilesystem: false
 runAsUser:
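Review bot: The jobs SCC is duplicated verbatim from the chart (`charts/cnvrg-non-privileged/templates/ocp-scc-jobs.yml`, same blob `d9ef4525`), so `cnvrg-jobs` has two owners and a hardening change made in one copy will not reach the other. Keep a single source — the operator template, since the operator already loads assets from `conf/rbac` — and parameterize the namespace in `system:serviceaccount:cnvrg:cnvrg-job` the way the sibling templates do rather than leaving a static file in a `.tpl` directory. The policy itself (`RunAsAny` user, group and SELinux context with `allowPrivilegeEscalation: true` and no `requiredDropCapabilities`) permits root jobs; if that is intended, say so in a comment, otherwise add `requiredDropCapabilities: [ALL]` and set `allowPrivilegeEscalation: false`.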
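Review bot: Flipping `allowPrivilegedContainer` to `false` is right, but `allowPrivilegeEscalation: true` two lines above is left in place, and the `runAsUser:` block that decides whether UID 0 is reachable is cut off at the end of the hunk, so whether this SCC is now meaningfully non-privileged cannot be judged from here. Set `allowPrivilegeEscalation: false` alongside it unless a workload needs setuid, and add `requiredDropCapabilities: [ALL]` (or at least `[KILL, MKNOD, SETUID, SETGID]`) so dropping `privileged` is not undone by retained capabilities. Note that the same commit comments out the code that loaded `ocp-scc.tpl`, so this hardening may not reach any cluster until the template is loaded again.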