
fix: Set seccomp profiles and grant SAs necessary permissions to run #154

Merged (1 commit) Jun 3, 2022

Conversation

JoaoBraveCoding (Contributor) commented Jun 2, 2022

When running in a namespace with Pod Security Standard profile "restricted" we need to set RunAsNonRoot and SeccompProfile on all workloads running in that namespace. Furthermore, on OpenShift, to run with a SeccompProfile set we need to grant service accounts permissions to use the SCC nonroot-v2.
Fixes #149

JoaoBraveCoding force-pushed the 149 branch 6 times, most recently from 794b491 to 143aad0 (June 2, 2022 15:25)
JoaoBraveCoding force-pushed the 149 branch 5 times, most recently from c38d957 to 6707633 (June 2, 2022 18:23)

JoaoBraveCoding (Contributor, Author) commented

So CI was failing because if I set on the AM deployment the securityContext: runAsNonRoot: true then the AM pods do not start with the following error:

 Warning  Failed     3s (x5 over 37s)  kubelet            Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root (pod: "alertmanager-self-scrape-0_e2e-tests(6840fcd1-b25a-4d95-bcb4-87da5ded49d8)", container: config-reloader)

I checked and indeed the AM Docker image uses nobody... but I'm afraid I might be missing something because it feels weird to me that if the problem is indeed with the Docker image that only now the problem is surfacing. Do you know anything about this @simonpasquier

sthaha previously approved these changes Jun 3, 2022

sthaha (Collaborator) commented Jun 3, 2022

Looks good to me 😍
I will let @simonpasquier approve the PR.

sthaha (Collaborator) left a comment

removing approval for @simonpasquier to approve this PR.
We should consider releasing as soon as this merges.

@sthaha sthaha dismissed their stale review June 3, 2022 03:05

I will let Simon who understands this better approve the PR

When running in a namespace with Pod Security Standard profile "restricted" we need to set RunAsNonRoot and SeccompProfile on all workloads running in that namespace. Furthermore, on OpenShift, to run with a SeccompProfile set we need to grant service accounts permissions to use the SCC nonroot-v2.
rhobs#149

JoaoBraveCoding (Contributor, Author) commented

For traceability: After talking with @simonpasquier offline we decided to add to the Alertmanager deployment an arbitrary UID in order to solve the issue above [1] and future-proof the Alertmanager deployment if in the future we have to add persistent storage.

[1] #154 (comment)
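As an added illustration (not code from the rhobs repository or from this PR), the two pieces the thread describes put together: a pod securityContext that meets the "restricted" Pod Security Standard, with a numeric UID pinned so the kubelet can verify the user is non-root instead of failing on the image's `nobody` user, and the OpenShift RBAC that grants the service account use of the nonroot-v2 SCC. The resource names, namespace, image placeholder and UID 65534 are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata: {name: alertmanager, namespace: observability}   # assumed names
spec:
  selector:
    matchLabels: {app: alertmanager}
  template:
    metadata:
      labels: {app: alertmanager}
    spec:
      serviceAccountName: alertmanager   # assumed SA name
      # Pod-level settings required by the "restricted" Pod Security Standard.
      securityContext:
        runAsNonRoot: true
        # The image declares USER nobody (non-numeric), so the kubelet cannot
        # verify the user is non-root; a numeric UID removes that ambiguity.
        runAsUser: 65534                 # assumed UID
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: alertmanager
          image: ALERTMANAGER_IMAGE_PLACEHOLDER   # placeholder, not a real ref
          # Also required by "restricted": no privilege escalation, no caps.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
---
# OpenShift only: allow the workload's service account to use the nonroot-v2
# SCC, so the pod is admitted with its own seccompProfile and non-root UID.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: use-nonroot-v2-scc, namespace: observability}
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["nonroot-v2"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: alertmanager-use-nonroot-v2-scc, namespace: observability}
subjects:
  - {kind: ServiceAccount, name: alertmanager, namespace: observability}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: use-nonroot-v2-scc}
```

Without the Role and RoleBinding the pod is still admitted under whichever SCC the service account already has, and the seccompProfile and UID it asks for may be rejected or overridden by admission.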

@simonpasquier simonpasquier merged commit 1d44825 into rhobs:main Jun 3, 2022
Successfully merging this pull request may close these issues.

Prometheus Operator fails to run on 4.11.0-0.ci-2022-05-28 or later
3 participants