From 3e54055ae9342c61dd27c953f2c2462c69c51b29 Mon Sep 17 00:00:00 2001
From: Travis Nielsen
Date: Thu, 14 Mar 2024 12:33:49 -0600
Subject: [PATCH] security: operator and toolbox scc for default service account

The default service account access is needed for the operator and the toolbox to run on openshift. This is a follow-up from PR 13362 that created a new default service account to use with all ceph or rook components that were relying on the default service account.

Signed-off-by: Travis Nielsen
---
 .../templates/securityContextConstraints.yaml | 3 +--
 deploy/examples/common-external.yaml          | 6 ++++++
 deploy/examples/direct-mount.yaml             | 1 +
 deploy/examples/operator-openshift.yaml       | 2 +-
 deploy/examples/toolbox-operator-image.yaml   | 1 +
 deploy/examples/toolbox.yaml                  | 1 +
 6 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/deploy/charts/rook-ceph-cluster/templates/securityContextConstraints.yaml b/deploy/charts/rook-ceph-cluster/templates/securityContextConstraints.yaml
index f79bcef07f79..82a0bc363b6c 100644
--- a/deploy/charts/rook-ceph-cluster/templates/securityContextConstraints.yaml
+++ b/deploy/charts/rook-ceph-cluster/templates/securityContextConstraints.yaml
@@ -37,9 +37,8 @@ volumes:
   - secret
 users:
   # A user needs to be added for each rook service account.
-  - system:serviceaccount:{{ .Release.Namespace }}:default
+  - system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-default
   - system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-mgr
   - system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-osd
   - system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-rgw
-  - system:serviceaccount:{{ .Release.Namespace }}:rook-ceph-default
 {{- end }}
diff --git a/deploy/examples/common-external.yaml b/deploy/examples/common-external.yaml
index 51f1c5fbeb6c..03e7192d9257 100644
--- a/deploy/examples/common-external.yaml
+++ b/deploy/examples/common-external.yaml
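Review bot: Dropping the namespace's `default` service account from `users:` means any pod in the release namespace that does not set `serviceAccountName` no longer inherits this SCC and will instead be admitted only under whatever SCC `default` is otherwise allowed (typically the restricted one), so privileged settings on such a pod will fail admission; that is the intended tightening, but the template does not say so. I would extend the existing comment with `# The namespace's "default" service account is deliberately not listed; pods that need this SCC must run as one of the accounts below (e.g. rook-ceph-default).` Removing the duplicate trailing `rook-ceph-default` entry is fine, since listing it twice added nothing. Whether every operator-created pod in this namespace sets an explicit service account is not visible from this hunk.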
@@ -57,6 +57,12 @@ metadata:
   name: rook-ceph-cmd-reporter
   namespace: rook-ceph-external # namespace:cluster
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rook-ceph-default
+  namespace: rook-ceph-external # namespace:cluster
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/deploy/examples/direct-mount.yaml b/deploy/examples/direct-mount.yaml
index db4487eb51ac..2788c7fc6d81 100644
--- a/deploy/examples/direct-mount.yaml
+++ b/deploy/examples/direct-mount.yaml
@@ -16,6 +16,7 @@ spec:
         app: rook-direct-mount
     spec:
       dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: rook-ceph-default
       containers:
         - name: rook-direct-mount
           image: rook/ceph:master
diff --git a/deploy/examples/operator-openshift.yaml b/deploy/examples/operator-openshift.yaml
index 2c409e38591c..9243ae9f47c2 100644
--- a/deploy/examples/operator-openshift.yaml
+++ b/deploy/examples/operator-openshift.yaml
@@ -45,7 +45,7 @@ users:
   # This assumes running in the default sample "rook-ceph" namespace.
   # If other namespaces or service accounts are configured, they need to be updated here.
   - system:serviceaccount:rook-ceph:rook-ceph-system # serviceaccount:namespace:operator
-  - system:serviceaccount:rook-ceph:default # serviceaccount:namespace:cluster
+  - system:serviceaccount:rook-ceph:rook-ceph-default # serviceaccount:namespace:cluster
   - system:serviceaccount:rook-ceph:rook-ceph-mgr # serviceaccount:namespace:cluster
   - system:serviceaccount:rook-ceph:rook-ceph-osd # serviceaccount:namespace:cluster
   - system:serviceaccount:rook-ceph:rook-ceph-rgw # serviceaccount:namespace:cluster
diff --git a/deploy/examples/toolbox-operator-image.yaml b/deploy/examples/toolbox-operator-image.yaml
index 2bdc4adbe478..4e733c17664f 100644
--- a/deploy/examples/toolbox-operator-image.yaml
+++ b/deploy/examples/toolbox-operator-image.yaml
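Review bot: The new `rook-ceph-default` ServiceAccount in `rook-ceph-external` is created here, but nothing in this patch grants it an SCC: the visible `users:` list in operator-openshift.yaml only carries `system:serviceaccount:rook-ceph:...` entries and its own comment says other namespaces must be added by hand, so a toolbox in the external namespace that now sets `serviceAccountName: rook-ceph-default` will not receive the SCC on a manifest-based OpenShift install (the Helm template keys on `.Release.Namespace`, so a chart install of the external cluster is presumably covered). Users of this file will need to add `- system:serviceaccount:rook-ceph-external:rook-ceph-default # serviceaccount:namespace:cluster` to that list. A comment on the new ServiceAccount would save them the hunt, e.g. `# On OpenShift, add this account to the SCC users list (see operator-openshift.yaml).`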
@@ -22,6 +22,7 @@ spec:
         app: rook-ceph-tools-operator-image
     spec:
       dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: rook-ceph-default
       containers:
         - name: rook-ceph-tools-operator-image
           image: rook/ceph:master
diff --git a/deploy/examples/toolbox.yaml b/deploy/examples/toolbox.yaml
index adcae195cf25..ea62db8f208a 100644
--- a/deploy/examples/toolbox.yaml
+++ b/deploy/examples/toolbox.yaml
@@ -16,6 +16,7 @@ spec:
         app: rook-ceph-tools
     spec:
       dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: rook-ceph-default
       containers:
         - name: rook-ceph-tools
           image: quay.io/ceph/ceph:v18.2.2
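Review bot: The toolbox is an interactive debugging pod, and the added `serviceAccountName: rook-ceph-default` will by default also mount that account's API token into it, so anyone who shells into the toolbox now holds a token for an SCC-bound service account. If the account is only needed for SCC admission and the toolbox does not call the Kubernetes API (it appears to talk to Ceph via mounted config, but that is outside this hunk), add `automountServiceAccountToken: false` beside the new line; the same applies to the identical additions in direct-mount.yaml and toolbox-operator-image.yaml. What RBAC, if any, is bound to `rook-ceph-default` is not visible here, so this should be confirmed against common.yaml. The Deployment's pod template continues outside the hunk.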