
SecurityContextConstraints in openshift_rbac.yaml completely wrongly formatted #105


Closed
rbaumgar opened this issue May 27, 2024 · 7 comments
Labels: documentation (Improvements or additions to documentation), sidb (Single Instance Database)

Comments

@rbaumgar

The SCC in openshift_rbac.yaml is completely wrongly formatted and has the wrong API.

https://github.com/oracle/oracle-database-operator/blob/main/config/samples/sidb/openshift_rbac.yaml

This might be the right content:

```yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: sidb-scc
  namespace: default   # SCCs are cluster-scoped, so this field has no effect
allowPrivilegedContainer: false
users:
  - system:serviceaccount:default:sidb-sa
  - system:serviceaccount:default:oracle-database-operator
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 0       # a range starting at 0 still admits UID 0 (root)
  uidRangeMax: 60000
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000
```
@andbos

andbos commented May 28, 2024

Hi,

The above works for me, and if the instances are configured to be in namespace default then they will start. But how to make them run in another namespace?

Best regards,
Andreas

@rbaumgar
Author

you have to apply the same SCC, role and role binding to every namespace you want to use for an Oracle database.

BUT this is a setting I would NEVER recommend in an OpenShift environment from a security perspective.

Oracle databases should run with an arbitrary UID like any other workload in OpenShift.

@IshaanDesai45
Contributor

@rbaumgar @andbos we are working on this and will start a PR for the resolution

IshaanDesai45 added the labels documentation (Improvements or additions to documentation) and sidb (Single Instance Database) on Jun 24, 2024
@IshaanDesai45
Contributor

@rbaumgar @andbos fixed the openshift_rbac.yaml file in the above PR; kindly check and confirm.

@rbaumgar
Author

rbaumgar commented Jul 4, 2024

@IshaanDesai45 looks good. Tried with project oracle, except that the database is still not running as restricted.

I would update the documentation where the yaml has to be replaced. I would recommend the following docu:

In the file, e.g. rbac/default-ns-role-binding.yaml, there should be a placeholder like $NAMESPACE.

```bash
export NAMESPACE=my-namespace
# envsubst expands $NAMESPACE in the file; a plain cat would apply the placeholder literally
envsubst < rbac/default-ns-role-binding.yaml | oc apply -f -
```

@rbaumgar
Author

rbaumgar commented Jul 4, 2024

@IshaanDesai45 sorry, the file is still incorrect: nearly all lines except the comments have a leading space.
The SCCs are named sidb-oracle-user-scc and sidb-oracle-root-user-scc, but the role references the SCCs oracle-user-scc and oracle-root-scc.
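
Added example, not code from the oracle-database-operator repository or from anyone in this thread: a shell script that generates an SCC which does not admit UID 0 together with the per-namespace Role/RoleBinding that grants `use` on it (the pattern behind "apply the role and role binding to every namespace" above), and lints an RBAC manifest for the defects reported in this thread: top-level keys with a leading space, Role `resourceNames` that match no SCC defined in the file, and a `uidRangeMin: 0` that still admits root. The SCC name `sidb-oracle-user-scc`, the project `oracle`, the service account `sidb-sa` and the broken sample manifest are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of oracle-database-operator. Names and the sample
# manifests are constructed for illustration.
set -eu

# SCC that does not admit root: no explicit uid range, so pods get a UID from
# the project's openshift.io/sa.scc.uid-range annotation, the same mechanism
# the built-in `restricted` SCC relies on. Cluster-scoped: create it once.
gen_scc() {
  cat <<'EOF'
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: sidb-oracle-user-scc
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
requiredDropCapabilities: ["ALL"]
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
EOF
}

# Role + RoleBinding granting `use` on that SCC to one service account. These
# are namespaced, so this pair is what gets repeated per project.
gen_ns_rbac() { # args: namespace service-account scc-name
  local ns="$1" sa="$2" scc="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-${scc}
  namespace: ${ns}
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["${scc}"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-${scc}
  namespace: ${ns}
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
roleRef:
  kind: Role
  name: use-${scc}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Lint a manifest file for the defects discussed in this issue. Prints one
# line per finding; returns 0 only when clean. Assumes resourceNames are
# written in flow style (["a", "b"]) as in the samples.
lint_rbac() {
  local f="$1" rc=0 defined referenced name
  if grep -Eq '^ (apiVersion|kind|metadata):' "$f"; then
    echo "FAIL: top-level keys have a leading space"; rc=1
  fi
  defined=$(awk '/^ *kind: SecurityContextConstraints/{s=1} s&&/^ *name:/{print $2; s=0}' "$f")
  referenced=$(grep -oE 'resourceNames:.*' "$f" | grep -oE '[A-Za-z0-9-]+' | grep -vx resourceNames || true)
  for name in $referenced; do
    printf '%s\n' $defined | grep -qx "$name" ||
      { echo "FAIL: Role references SCC '$name' that is not defined"; rc=1; }
  done
  if grep -Eq '^[[:space:]]*uidRangeMin:[[:space:]]*0[[:space:]]*$' "$f"; then
    echo "FAIL: uidRangeMin: 0 admits UID 0 (root)"; rc=1
  fi
  return $rc
}

# Constructed sample mirroring the defects reported above: a leading space on
# every line, an SCC name the Role does not reference, and a uid range from 0.
BAD_MANIFEST=' apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
   name: sidb-oracle-root-user-scc
 runAsUser:
   type: MustRunAsRange
   uidRangeMin: 0
   uidRangeMax: 60000
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: sidb-scc-role
 rules:
   - apiGroups: ["security.openshift.io"]
     resources: ["securitycontextconstraints"]
     resourceNames: ["oracle-user-scc", "oracle-root-scc"]
     verbs: ["use"]'

# Demo on constructed input: the generated pair lints clean, the broken one does not.
demo() {
  local good bad
  good=$(mktemp); bad=$(mktemp)
  { gen_scc; echo '---'; gen_ns_rbac oracle sidb-sa sidb-oracle-user-scc; } > "$good"
  printf '%s\n' "$BAD_MANIFEST" > "$bad"
  lint_rbac "$good" && echo "generated manifest: clean"
  lint_rbac "$bad" || echo "constructed broken manifest: defects found"
  rm -f "$good" "$bad"
}
demo
```

In use, `gen_scc | oc apply -f -` is run once by a cluster admin, and `gen_ns_rbac <project> sidb-sa sidb-oracle-user-scc | oc apply -f -` once per project. After a pod starts, `oc get pod <name> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` shows which SCC admitted it, which is the quickest way to confirm it is not running under a root-capable SCC.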

@IshaanDesai45
Contributor

@rbaumgar fixed the formatting for the openshift_rbac.yaml
