Update scc to add seccompProfiles to handle restricted securityContext
Context:

As part of addressing https://issues.redhat.com/browse/OCPSTRAT-487, there's a plan to enable restricted security context by default starting from OpenShift 4.16.
Once this becomes the default setting, existing Triggers functionality may break.
This is because we currently set security context to false, and the pipelines-scc security context constraint (SCC)
doesn't have seccompProfiles: runtime/default, which is required when restricted security context is enabled by default.
savitaashture committed Apr 23, 2024
1 parent c55c650 commit f7a28b8
Showing 2 changed files with 2 additions and 1 deletion.
Expand Up @@ -32,6 +32,8 @@ seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
seccompProfiles:
- runtime/default
volumes:
- configMap
- downwardAPI
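Review bot: the new seccompProfiles entry, between supplementalGroups and volumes, lists only runtime/default and carries no comment saying why. In an SCC the first non-wildcard entry of this list is also used as the default profile for pods that do not set one, so this line both permits and defaults runtime/default for everything admitted under this SCC. A one-line YAML comment above the key stating that, with a pointer to OCPSTRAT-487, would keep a later edit from reordering or widening the list (for example to '*') without noticing that it changes the default.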
1 change: 0 additions & 1 deletion pkg/reconciler/openshift/tektontrigger/extension.go
Expand Up @@ -36,7 +36,6 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
occommon.RemoveRunAsUser(),
occommon.RemoveRunAsGroup(),
occommon.ApplyCABundles,
replaceDeploymentArgs("-el-security-context", "false"),
replaceDeploymentArgs("-el-events", "enable"),
}
}
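Review bot: dropping replaceDeploymentArgs("-el-security-context", "false") from the Transformers list leaves that flag at whatever the Triggers controller defaults to, so the behaviour this commit depends on becomes implicit. If the intent is that EventListener pods always carry a security context on OpenShift, set it explicitly with replaceDeploymentArgs("-el-security-context", "true"), or add a comment next to the remaining replaceDeploymentArgs("-el-events", "enable") line saying the upstream default is relied on. The commit changes 2 files and neither is a test; an assertion on the transformed deployment args would catch a regression if the override is reintroduced or the default changes.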