Bug 1918351: Gather SAP configuration (SCC & ClusterRoleBinding) #291
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
openshift-ci-robot
added
the
approved
openshift-ci-robot
added
the
needs-rebase
natiiix
force-pushed
the
gather-sap-scc-crb
branch
from
5ff62a4
to
b08e7d8
Compare
openshift-ci-robot
removed
the
needs-rebase
natiiix
force-pushed
the
gather-sap-scc-crb
branch
from
b08e7d8
to
4c6bd5a
Compare
natiiix
force-pushed
the
gather-sap-scc-crb
branch
2 times, most recently
from
6a02a2e
to
6759c8c
Compare
natiiix
changed the title
natiiix
force-pushed
the
gather-sap-scc-crb
branch
from
6759c8c
to
e58d26b
Compare
natiiix
changed the title
openshift-ci-robot
added
bugzilla/severity-medium
|
@natiiix: This pull request references Bugzilla bug 1918351, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
@natiiix: This pull request references Bugzilla bug 1918351, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
|
@natiiix: This pull request references Bugzilla bug 1918351, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
natiiix
force-pushed
the
gather-sap-scc-crb
branch
from
e58d26b
to
71c7bc2
Compare
|
/retest |
|
|
||
| sapNamespaces := map[string]struct{}{} | ||
| for _, item := range datahubsList.Items { | ||
| sapNamespaces[item.GetNamespace()] = struct{}{} |
There was a problem hiding this comment.
That looks a little unnecessary. Can't we have just a list/array of sapNamespaces names?
There was a problem hiding this comment.
Oh yeah, the reason behind this is historical. Now we no longer really care about the particular namespace, in which the resource exists, so we don't really need to collected this information at all. Originally, there was a loop iterating over the namespaces a looking for SCCs/CRBs that match them. It would be a problem to use a list if there were multiple datahubs resources in the namespace (not sure if that's even possible at all). I'll change this one to just a boolean value for simplicity. We don't need the actual namespaces anywhere in the code or in the archive. Wdyt?
|
|
||
| func gatherSAPConfig(ctx context.Context, dynamicClient dynamic.Interface, coreClient corev1client.CoreV1Interface, securityClient securityv1client.SecurityV1Interface, authClient authclient.AuthorizationV1Interface) ([]record.Record, []error) { | ||
| sccFilter := map[string]struct{}{"anyuid": {}, "privileged": {}} | ||
| crbFilter := map[string]struct{}{"system:openshift:scc:anyuid": {}, "system:openshift:scc:privileged": {}} |
There was a problem hiding this comment.
Do we need maps for these? Wouldn't be array of string sufficient?
There was a problem hiding this comment.
You're right. It would work fine, but this syntax ensures that each resource is collected at most once. Originally, there was a name field check when iterating over a list of returned results instead of using Get, which checked if the name existed as a key in this map (which is actually the canonical Go syntax for a set) because it's faster and shorter than iterating over a list. I can change it if you want, but I think this should be fairly clear to anyone aware of this somewhat unusual syntax for sets).
| @@ -0,0 +1 @@ | |||
| {"metadata":{"name":"privileged","selfLink":"/apis/security.openshift.io/v1/securitycontextconstraints/privileged","uid":"8c98d901-ea31-4ad8-8616-f2d2185af2f7","resourceVersion":"40739187","generation":2,"creationTimestamp":"2020-10-29T14:27:37Z","annotations":{"include.release.openshift.io/self-managed-high-availability":"true","kubernetes.io/description":"privileged allows access to all privileged and host features and the ability to run as any user, any group, any fsGroup, and with any SELinux context. WARNING: this is the most relaxed SCC and should be used only for cluster administration. Grant with caution.","release.openshift.io/create-only":"true"},"managedFields":[{"manager":"cluster-version-operator","operation":"Update","apiVersion":"security.openshift.io/v1","time":"2020-10-29T14:27:37Z","fieldsType":"FieldsV1","fieldsV1":{"f:allowHostDirVolumePlugin":{},"f:allowHostIPC":{},"f:allowHostNetwork":{},"f:allowHostPID":{},"f:allowHostPorts":{},"f:allowPrivilegeEscalation":{},"f:allowPrivilegedContainer":{},"f:allowedCapabilities":{},"f:allowedUnsafeSysctls":{},"f:defaultAddCapabilities":{},"f:fsGroup":{".":{},"f:type":{}},"f:groups":{},"f:metadata":{"f:annotations":{".":{},"f:include.release.openshift.io/self-managed-high-availability":{},"f:kubernetes.io/description":{},"f:release.openshift.io/create-only":{}}},"f:priority":{},"f:readOnlyRootFilesystem":{},"f:requiredDropCapabilities":{},"f:runAsUser":{".":{},"f:type":{}},"f:seLinuxContext":{".":{},"f:type":{}},"f:seccompProfiles":{},"f:supplementalGroups":{".":{},"f:type":{}},"f:volumes":{}}},{"manager":"kubectl-edit","operation":"Update","apiVersion":"security.openshift.io/v1","time":"2020-11-26T12:53:56Z","fieldsType":"FieldsV1","fieldsV1":{"f:users":{}}}]},"priority":null,"allowPrivilegedContainer":true,"defaultAddCapabilities":null,"requiredDropCapabilities":null,"allowedCapabilities":["*"],"allowHostDirVolumePlugin":true,"volumes":["*"],"allowHostNetwork":true,"allowHostPorts":true,"allowHostPID":true,"allowHostIPC":true,"allowPrivilegeEscalation":true,"seLinuxContext":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"supplementalGroups":{"type":"RunAsAny"},"fsGroup":{"type":"RunAsAny"},"readOnlyRootFilesystem":false,"users":["system:admin","system:serviceaccount:openshift-infra:build-controller","system:serviceaccount:sdi:mlf-deployment-api"],"groups":["system:cluster-admins","system:nodes","system:masters"],"seccompProfiles":["*"],"allowedUnsafeSysctls":["*"]} | |||
There was a problem hiding this comment.
This is little bit weird. All these resources are gathered without their kind and apiVersion. It's probably not an issue, but it's not very consistent (given the format of all our resources)
There was a problem hiding this comment.
That's a very good catch, but we're not doing that anywhere intentionally. It just seems that this client doesn't return those fields when using the Get method for some strange reason.
natiiix
force-pushed
the
gather-sap-scc-crb
branch
from
71c7bc2
to
50ad647
Compare
openshift-ci-robot
added
the
needs-rebase
natiiix
force-pushed
the
gather-sap-scc-crb
branch
from
50ad647
to
9d08b27
Compare
openshift-ci-robot
removed
the
needs-rebase
|
@natiiix: This pull request references Bugzilla bug 1918351, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Unfortunately we don't have the option to verify this directly (because we don't have any cluster with SAP installed). I only checked that nothing is added when the SAP is not installed. We verified this approach in remote RH cluster with SAP installed (by sharing IO image including this change). |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: natiiix, tremes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@natiiix: All pull requests linked via external trackers have merged: Bugzilla bug 1918351 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This enhancements gathers
anyuidandprivilegedSCCs, and the corresponding ClusterRoleBindings from clusters running a SAP payload.Categories
Sample archive
config/sap_namespaces.jsonconfig/securitycontextconstraint/config/clusterrolebinding/Documentation
docs/gathered-data.md- "SAPConfig" sectionUnit Tests
pkg/gather/clusterconfig/sap_config_test.goPrivacy
Yes. There are no sensitive data in the newly collected information.
Changelog
No.
References
Jira Task: https://issues.redhat.com/browse/CCXDEV-3485