Merge pull request #22737 from deads2k/scc-switch-3

add minimal SCC changes to switch to CRD

Author: deads2k

hack/local-up-master/kube-apiserver-manifests/01_security_context_constraint_crd.yaml

@@ -0,0 +1,290 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: securitycontextconstraints.security.openshift.io
+spec:
+  group: security.openshift.io
+  names:
+    kind: SecurityContextConstraints
+    listKind: SecurityContextConstraintsList
+    plural: securitycontextconstraints
+    singular: securitycontextconstraints
+  subresources:
+    status: {}
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+  validation:
+    openAPIV3Schema:
+      properties:
+        allowHostDirVolumePlugin:
+          nullable: true
+          description: AllowHostDirVolumePlugin determines if the policy allow containers
+            to use the HostDir volume plugin +k8s:conversion-gen=false
+          type: boolean
+        allowHostIPC:
+          nullable: true
+          description: AllowHostIPC determines if the policy allows host ipc in the
+            containers.
+          type: boolean
+        allowHostNetwork:
+          nullable: true
+          description: AllowHostNetwork determines if the policy allows the use of
+            HostNetwork in the pod spec.
+          type: boolean
+        allowHostPID:
+          nullable: true
+          description: AllowHostPID determines if the policy allows host pid in the
+            containers.
+          type: boolean
+        allowHostPorts:
+          nullable: true
+          description: AllowHostPorts determines if the policy allows host ports in
+            the containers.
+          type: boolean
+        allowPrivilegeEscalation:
+          nullable: true
+          description: AllowPrivilegeEscalation determines if a pod can request to
+            allow privilege escalation. If unspecified, defaults to true.
+          type: boolean
+        allowPrivilegedContainer:
+          nullable: true
+          description: AllowPrivilegedContainer determines if a container can request
+            to be run as privileged.
+          type: boolean
+        allowedCapabilities:
+          nullable: true
+          description: AllowedCapabilities is a list of capabilities that can be requested
+            to add to the container. Capabilities in this field maybe added at the
+            pod author's discretion. You must not list a capability in both AllowedCapabilities
+            and RequiredDropCapabilities. To allow all capabilities you may use '*'.
+          items:
+            type: string
+          type: array
+        allowedFlexVolumes:
+          nullable: true
+          description: AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty
+            or nil indicates that all Flexvolumes may be used.  This parameter is
+            effective only when the usage of the Flexvolumes is allowed in the "Volumes"
+            field.
+          items:
+            properties:
+              driver:
+                description: Driver is the name of the Flexvolume driver.
+                type: string
+            type: object
+          type: array
+        allowedUnsafeSysctls:
+          nullable: true
+          description: 'AllowedUnsafeSysctls is a list of explicitly allowed unsafe
+            sysctls, defaults to none. Each entry is either a plain sysctl name or
+            ends in "*" in which case it is considered as a prefix of allowed sysctls.
+            Single * means all unsafe sysctls are allowed. Kubelet has to whitelist
+            all allowed unsafe sysctls explicitly to avoid rejection.  Examples: e.g.
+            "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar",
+            "foo.baz", etc.'
+          items:
+            type: string
+          type: array
+        apiVersion:
+          nullable: true
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        defaultAddCapabilities:
+          nullable: true
+          description: DefaultAddCapabilities is the default set of capabilities that
+            will be added to the container unless the pod spec specifically drops
+            the capability.  You may not list a capabiility in both DefaultAddCapabilities
+            and RequiredDropCapabilities.
+          items:
+            type: string
+          type: array
+        defaultAllowPrivilegeEscalation:
+          nullable: true
+          description: DefaultAllowPrivilegeEscalation controls the default setting
+            for whether a process can gain more privileges than its parent process.
+          type: boolean
+        forbiddenSysctls:
+          nullable: true
+          description: 'ForbiddenSysctls is a list of explicitly forbidden sysctls,
+            defaults to none. Each entry is either a plain sysctl name or ends in
+            "*" in which case it is considered as a prefix of forbidden sysctls. Single
+            * means all sysctls are forbidden.  Examples: e.g. "foo/*" forbids "foo/bar",
+            "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.'
+          items:
+            type: string
+          type: array
+        fsGroup:
+          nullable: true
+          description: FSGroup is the strategy that will dictate what fs group is
+            used by the SecurityContext.
+          properties:
+            ranges:
+              nullable: true
+              description: Ranges are the allowed ranges of fs groups.  If you would
+                like to force a single fs group then supply a single range with the
+                same start and end.
+              items:
+                properties:
+                  max:
+                    description: Max is the end of the range, inclusive.
+                    format: int64
+                    type: integer
+                  min:
+                    description: Min is the start of the range, inclusive.
+                    format: int64
+                    type: integer
+                type: object
+              type: array
+            type:
+              nullable: true
+              description: Type is the strategy that will dictate what FSGroup is
+                used in the SecurityContext.
+              type: string
+          type: object
+        groups:
+          nullable: true
+          description: The groups that have permission to use this security context
+            constraints
+          items:
+            type: string
+          type: array
+        kind:
+          nullable: true
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          description: 'Standard object''s metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata'
+          type: object
+        priority:
+          nullable: true
+          description: Priority influences the sort order of SCCs when evaluating
+            which SCCs to try first for a given pod request based on access in the
+            Users and Groups fields.  The higher the int, the higher priority. An
+            unset value is considered a 0 priority. If scores for multiple SCCs are
+            equal they will be sorted from most restrictive to least restrictive.
+            If both priorities and restrictions are equal the SCCs will be sorted
+            by name.
+          format: int32
+          type: integer
+        readOnlyRootFilesystem:
+          nullable: true
+          description: ReadOnlyRootFilesystem when set to true will force containers
+            to run with a read only root file system.  If the container specifically
+            requests to run with a non-read only root file system the SCC should deny
+            the pod. If set to false the container may run with a read only root file
+            system if it wishes but it will not be forced to.
+          type: boolean
+        requiredDropCapabilities:
+          nullable: true
+          description: RequiredDropCapabilities are the capabilities that will be
+            dropped from the container.  These are required to be dropped and cannot
+            be added.
+          items:
+            type: string
+          type: array
+        runAsUser:
+          nullable: true
+          description: RunAsUser is the strategy that will dictate what RunAsUser
+            is used in the SecurityContext.
+          properties:
+            type:
+              nullable: true
+              description: Type is the strategy that will dictate what RunAsUser is
+                used in the SecurityContext.
+              type: string
+            uid:
+              nullable: true
+              description: UID is the user id that containers must run as.  Required
+                for the MustRunAs strategy if not using namespace/service account
+                allocated uids.
+              format: int64
+              type: integer
+            uidRangeMax:
+              nullable: true
+              description: UIDRangeMax defines the max value for a strategy that allocates
+                by range.
+              format: int64
+              type: integer
+            uidRangeMin:
+              nullable: true
+              description: UIDRangeMin defines the min value for a strategy that allocates
+                by range.
+              format: int64
+              type: integer
+          type: object
+        seLinuxContext:
+          nullable: true
+          description: SELinuxContext is the strategy that will dictate what labels
+            will be set in the SecurityContext.
+          properties:
+            seLinuxOptions:
+              nullable: true
+              description: seLinuxOptions required to run as; required for MustRunAs
+              type: object
+            type:
+              nullable: true
+              description: Type is the strategy that will dictate what SELinux context
+                is used in the SecurityContext.
+              type: string
+          type: object
+        seccompProfiles:
+          nullable: true
+          description: "SeccompProfiles lists the allowed profiles that may be set
+            for the pod or container's seccomp annotations.  An unset (nil) or empty
+            value means that no profiles may be specifid by the pod or container.\tThe
+            wildcard '*' may be used to allow all profiles.  When used to generate
+            a value for a pod the first non-wildcard profile will be used as the default."
+          items:
+            type: string
+          type: array
+        supplementalGroups:
+          nullable: true
+          description: SupplementalGroups is the strategy that will dictate what supplemental
+            groups are used by the SecurityContext.
+          properties:
+            ranges:
+              nullable: true
+              description: Ranges are the allowed ranges of supplemental groups.  If
+                you would like to force a single supplemental group then supply a
+                single range with the same start and end.
+              items:
+                properties:
+                  max:
+                    description: Max is the end of the range, inclusive.
+                    format: int64
+                    type: integer
+                  min:
+                    description: Min is the start of the range, inclusive.
+                    format: int64
+                    type: integer
+                type: object
+              type: array
+            type:
+              nullable: true
+              description: Type is the strategy that will dictate what supplemental
+                groups is used in the SecurityContext.
+              type: string
+          type: object
+        users:
+          nullable: true
+          description: The users who have permissions to use this security context
+            constraints
+          items:
+            type: string
+          type: array
+        volumes:
+          nullable: true
+          description: Volumes is a white list of allowed volume plugins.  FSType
+            corresponds directly with the field names of a VolumeSource (azureFile,
+            configMap, emptyDir).  To allow all volumes you may use "*". To allow
+            no volumes, set to ["none"].
+          items:
+            type: string
+          type: array

hack/local-up-master/lib.sh

@@ -248,6 +248,17 @@ function localup::start_kubecontrollermanager() {
     os::log::debug "Waiting for kube-controller-manager to come up"
     kube::util::wait_for_url "http://localhost:10252/healthz" "kube-controller-manager: " 1 ${WAIT_FOR_URL_API_SERVER} ${MAX_TIME_FOR_URL_API_SERVER} \
         || { os::log::error "check kube-controller-manager logs: ${KUBE_CONTROLLER_MANAGER_LOG}" ; exit 1 ; }
+
+    # we need SCCs as they are part of the OpenShift apiserver bootstrap process
+    echo "Waiting for the SCCs to appear"
+    tstamp=$(date +%s)
+    set +e
+    while (( $(date +%s) - $tstamp < 160 )); do
+        oc get --config="${LOCALUP_CONFIG}/kube-apiserver/admin.kubeconfig" --raw /apis/security.openshift.io/v1/securitycontextconstraints 2>/dev/null 1>&2 && break
+        sleep 0.25
+    done
+    set -e
+    oc get --config="${LOCALUP_CONFIG}/kube-apiserver/admin.kubeconfig" --raw /apis/security.openshift.io/v1/securitycontextconstraints 2>/dev/null 1>&2 || bash
 }
 
 function localup::start_openshiftapiserver() {

pkg/admission/customresourcevalidation/attributes.go

@@ -7,6 +7,7 @@ import (
 
 	configv1 "github.com/openshift/api/config/v1"
 	quotav1 "github.com/openshift/api/quota/v1"
+	securityv1 "github.com/openshift/api/security/v1"
 )
 
 // unstructuredUnpackingAttributes tries to convert to a real object in the config scheme
@@ -46,4 +47,5 @@ var supportedObjectsScheme = runtime.NewScheme()
 func init() {
 	utilruntime.Must(configv1.Install(supportedObjectsScheme))
 	utilruntime.Must(quotav1.Install(supportedObjectsScheme))
+	utilruntime.Must(securityv1.Install(supportedObjectsScheme))
 }

pkg/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go

@@ -1,6 +1,7 @@
 package customresourcevalidationregistration
 
 import (
+	"github.com/openshift/origin/pkg/admission/customresourcevalidation/securitycontextconstraints"
 	"k8s.io/apiserver/pkg/admission"
 
 	"github.com/openshift/origin/pkg/admission/customresourcevalidation/authentication"
@@ -25,6 +26,9 @@ var AllCustomResourceValidators = []string{
 	config.PluginName,
 	scheduler.PluginName,
 	clusterresourcequota.PluginName,
+
+	// this one is special because we don't work without it.
+	securitycontextconstraints.DefaultingPluginName,
 }
 
 func RegisterCustomResourceValidation(plugins *admission.Plugins) {
@@ -40,4 +44,7 @@ func RegisterCustomResourceValidation(plugins *admission.Plugins) {
 	// This plugin validates the quota.openshift.io/v1 ClusterResourceQuota resources.
 	// NOTE: This is only allowed because it is required to get a running control plane operator.
 	clusterresourcequota.Register(plugins)
+
+	// this one is special because we don't work without it.
+	securitycontextconstraints.RegisterDefaulting(plugins)
 }