Users should be able to configure their workspace pods securityContext capabilities #20459

Closed
l0rd opened this issue Sep 13, 2021 · 1 comment · Fixed by devfile/devworkspace-operator#679
Labels
engine/devworkspace Issues related to Che configured to use the devworkspace controller as workspace engine. kind/enhancement A feature request - must adhere to the feature request template. severity/P2 Has a minor but important impact to the usage or development of the system. sprint/current

Comments

Contributor

l0rd commented Sep 13, 2021

Is your enhancement related to a problem? Please describe

I would like to be able to build a Dockerfile using buildah from within a workspace as described here, on OpenShift and using the DevWorkspace operator.

Describe the solution you'd like

To be able to run buildah successfully, the pod should use a ServiceAccount that has the anyuid SCC (oc adm policy add-scc-to-user anyuid -z <my-service-account>), and it should be possible to set the containers' SecurityContext capabilities.

    spec:
      serviceAccount: buildah-sa
      containers:
        - name: buildah
          image: image-registry.openshift-image-registry.svc:5000/image-build/buildah
          securityContext:
            capabilities:
              drop:
                - KILL

Describe alternatives you've considered

No response

Additional context

That may be a user configuration specified in a ConfigMap: every workspace of the user would have the serviceAccount and securityContext specified in the ConfigMap.
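
One way the ConfigMap-driven defaults proposed above could be applied and checked, as an added example that is not part of the original issue and is not DevWorkspace operator code. The function names, the dict layout of the defaults and the `ALLOWED_ADD` allowlist are assumptions; the sketch copies the serviceAccount and capabilities onto every container and rejects any other securityContext field or non-allowlisted capability.

```python
import copy

# Constructed policy for this example: capabilities a user default may add.
ALLOWED_ADD = frozenset({"SETUID", "SETGID"})

def _caps(names):
    """Normalise capability names; Kubernetes spells them without CAP_."""
    names = (n.upper() for n in names)
    return {n[4:] if n.startswith("CAP_") else n for n in names}

def apply_user_defaults(pod_spec, defaults, allowed_add=ALLOWED_ADD):
    """Copy pod_spec and apply the user's serviceAccount and capabilities to
    every container. Only securityContext.capabilities is accepted."""
    sc = defaults.get("securityContext", {})
    extra = sorted(set(sc) - {"capabilities"})
    if extra:  # e.g. privileged or runAsUser: outside what the issue asks for
        raise ValueError(f"unsupported securityContext fields: {extra}")
    add = _caps(sc.get("capabilities", {}).get("add", []))
    drop = _caps(sc.get("capabilities", {}).get("drop", []))
    if add - allowed_add:
        raise ValueError(f"capabilities not allowed: {sorted(add - allowed_add)}")
    if add & drop:
        raise ValueError(f"both added and dropped: {sorted(add & drop)}")
    spec = copy.deepcopy(pod_spec)
    if "serviceAccount" in defaults:
        spec["serviceAccount"] = defaults["serviceAccount"]
    for container in spec.get("containers", []):
        own = container.setdefault("securityContext", {}).setdefault("capabilities", {})
        new_drop = _caps(own.get("drop", [])) | drop
        # Drops win: a user-level add never re-grants what a container dropped.
        new_add = (_caps(own.get("add", [])) | add) - new_drop
        own.clear()
        if new_add:
            own["add"] = sorted(new_add)
        if new_drop:
            own["drop"] = sorted(new_drop)
    return spec

# Constructed sample input modelled on the spec in the issue.
USER_DEFAULTS = {"serviceAccount": "buildah-sa",
                 "securityContext": {"capabilities": {"drop": ["KILL"]}}}
WORKSPACE_POD = {"containers": [
    {"name": "buildah", "image": "example.invalid/buildah"},
    {"name": "tools", "image": "example.invalid/tools",
     "securityContext": {"capabilities": {"add": ["CAP_KILL"], "drop": ["MKNOD"]}}},
]}

if __name__ == "__main__":
    print(apply_user_defaults(WORKSPACE_POD, USER_DEFAULTS))
```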

@l0rd l0rd added the kind/enhancement A feature request - must adhere to the feature request template. label Sep 13, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Sep 13, 2021
@Katka92 Katka92 added team/controller severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Sep 13, 2021
@l0rd l0rd changed the title Users should be able to configure their workspace pods serviceAccount and securityContext Users should be able to configure their workspace pods securityContext capabilities Sep 14, 2021
@sleshchenko sleshchenko added the engine/devworkspace Issues related to Che configured to use the devworkspace controller as workspace engine. label Sep 24, 2021
@l0rd l0rd added severity/P2 Has a minor but important impact to the usage or development of the system. and removed severity/P1 Has a major impact to usage or development of the system. labels Sep 27, 2021

max-cx commented Nov 15, 2021

Hi, a question to the assignee of this issue:

Will the outcome require any changes to the relevant content of the Installation Guide or Administration Guide or End-user Guide?

Yes/No?
