Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of Remove anyuid SCC requirement for OpenShift into release/1.3.x #3848

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #3813 to be assessed for backporting due to the inclusion of the label backport/1.3.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@curtbushko
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


  • OpenShift does not want you to use a hardcoded user id and group when running containers.
  • We currently hardcode 5995 and 5996 for the init and inject containers.
  • OpenShift tells you what ids you can use by adding an annotation to the namespace you are deploying to.
  • We now read that annotation from the namespace and change the ids at run time.
  • This removes the requirement of having to run oc adm policy add-scc-to-group anyuid system:serviceaccounts:$TARGET_NAMESPACE when deploying to OpenShift

Changes proposed in this PR

  • Added some helper code to connect-inject/common that reads from the namespace and gets the UID and Group to be used. This code has some fallbacks based from previous versions of OpenShift
  • NOTE: The word 'range' is used in the OpenShift annotation but it is not really a range (anymore).
  • If on OpenShift, use the IDs for init and connect inject.
  • For CNI, we add an annotation to the pod with the redirect config. It includes the UID in the json blob. CNI uses this annotation/blob during Pod Network setup.
  • Acceptance tests were creating the anyuid policy when running on OpenShift and that is not longer needed. (Files dropped/kustomize changes).

How I've tested this PR

  • Unit tests
  • Created a local CRC OpenShift cluster, deployed consul and static server to manually check the IDs.
  • Had @wilkermichael run the connect acceptance tests against a real OpenShift cluster using my control plane image.

How I expect reviewers to test this PR

👀

Checklist


Overview of commits

@hashicorp-cla
Copy link

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@curtbushko
Copy link
Contributor

Closed in favour of manual backport: #3850

@curtbushko curtbushko closed this Apr 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants