
Not able to create Security Context Constraints either from yaml or from Security*Builder() #962

Closed
rohanKanojia opened this issue Dec 22, 2017 · 1 comment
rohanKanojia commented Dec 22, 2017

Here is a simple example of Security Context Constraints as a yaml file:

    kind: SecurityContextConstraints
    apiVersion: v1
    metadata:
      name: scc-admin
    allowPrivilegedContainer: true
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: RunAsAny
    users:
    - my-admin-user
    groups:
    - my-admin-group

I can simply create it using oc binary like this:

    ~/work : $ oc create -f scc-yaml.yml
    securitycontextconstraints "scc-admin" created
    ~/work : $ oc get scc
    NAME               PRIV      CAPS      SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
    anyuid             false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
    hostaccess         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
    hostmount-anyuid   false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
    hostnetwork        false     []        MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
    nonroot            false     []        MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
    privileged         true      [*]       RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
    restricted         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
    scc-admin          true      []        RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [awsElasticBlockStore azureDisk azureFile cephFS cinder configMap downwardAPI emptyDir fc flexVolume flocker gcePersistentDisk gitRepo glusterfs iscsi nfs persistentVolumeClaim photonPersistentDisk portworxVolume projected quobyte rbd scaleIO secret vsphere]

But I'm not able to replicate the same thing in Kubernetes Client. When I try to load the whole yaml file as a resource, it doesn't give me any error.

    SecurityContextConstraints scc1 = client.securityContextConstraints()
      .load(getClass().getResourceAsStream("/test-securitycontextconstraints.yml")).get();

When I try to do the same thing using SecurityContextConstraintsBuilder (shown in the code snippet below), I get the following error: "the API version in the data (security.openshift.io/v1) does not match the expected API version (v1)"

    SecurityContextConstraints scc2 = new SecurityContextConstraintsBuilder()
      .withNewMetadata().withName("scc1").endMetadata()
      .withAllowPrivilegedContainer(true)
      .withNewRunAsUser()
      .withType("RunAsAny")
      .endRunAsUser()
      .withNewSeLinuxContext()
      .withType("RunAsAny")
      .endSeLinuxContext()
      .withNewFsGroup()
      .withType("RunAsAny")
      .endFsGroup()
      .withNewSupplementalGroups()
      .withType("RunAsAny")
      .endSupplementalGroups()
      .addToUsers("admin")
      .addToGroups("admin-group")
      .build();

    client.securityContextConstraints().createOrReplace(scc2);  // Doesn't work!

Ideally, Kubernetes client should create the security context constraints. All of this has been tested on Minishift 1.10.0, which uses OpenShift 3.6.0 internally.

@hrishin hrishin added this to the Sprint 143 milestone Jan 3, 2018
piyush-garg commented Jan 10, 2018

@hrishin @rohanKanojia @iocanel

    import io.fabric8.openshift.api.model.SecurityContextConstraints;
    import io.fabric8.openshift.api.model.SecurityContextConstraintsBuilder;
    import io.fabric8.openshift.client.DefaultOpenShiftClient;
    import io.fabric8.openshift.client.OpenShiftClient;

    OpenShiftClient client = new DefaultOpenShiftClient();
    SecurityContextConstraints scc2 = new SecurityContextConstraintsBuilder()
      .withApiVersion("v1")   // override the model's default (security.openshift.io/v1)
      .withNewMetadata().withName("scc1").endMetadata()
      .withAllowPrivilegedContainer(true)
      .withNewRunAsUser()
      .withType("RunAsAny")
      .endRunAsUser()
      .withNewSeLinuxContext()
      .withType("RunAsAny")
      .endSeLinuxContext()
      .withNewFsGroup()
      .withType("RunAsAny")
      .endFsGroup()
      .withNewSupplementalGroups()
      .withType("RunAsAny")
      .endSupplementalGroups()
      .addToUsers("admin")
      .addToGroups("admin-group")
      .build();

    client.securityContextConstraints().createOrReplace(scc2);

If I execute the above example, just overriding apiVersion to v1, it works. In kubernetes-model, it uses apiVersion security.openshift.io/v1.
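The workaround above pins apiVersion on a builder-constructed object. The same pin is needed for an SCC loaded from YAML once it is rebuilt, and because an SCC that combines allowPrivilegedContainer with RunAsAny hands its users and groups node-root-equivalent access, it is worth reviewing what the object grants before it is sent to the API server. The following is an added example, not code from the issue or from the fabric8 project; it assumes the fabric8 openshift-client and generated model classes named in the thread (SecurityContextConstraints, SecurityContextConstraintsBuilder, DefaultOpenShiftClient), standard generated getters such as getAllowPrivilegedContainer(), getRunAsUser().getType() and getVolumes(), and the "v1" value reported in this thread for OpenShift 3.6. The helper names withExpectedApiVersion and privilegeFindings are hypothetical.

```java
import io.fabric8.openshift.api.model.SecurityContextConstraints;
import io.fabric8.openshift.api.model.SecurityContextConstraintsBuilder;
import io.fabric8.openshift.client.DefaultOpenShiftClient;
import io.fabric8.openshift.client.OpenShiftClient;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class SccCreateExample {

    // apiVersion the OpenShift 3.6 server accepts for SCCs, per this thread (assumption).
    static final String EXPECTED_API_VERSION = "v1";

    /** Returns a copy of the SCC with apiVersion forced to the value the target server expects. */
    static SecurityContextConstraints withExpectedApiVersion(SecurityContextConstraints scc) {
        // The builder copy constructor keeps every other field of the loaded object.
        return new SecurityContextConstraintsBuilder(scc)
            .withApiVersion(EXPECTED_API_VERSION)
            .build();
    }

    /**
     * Lists the settings that make this SCC equivalent to root on the node for its users/groups.
     * An empty list means none of the reviewed settings is present.
     */
    static List<String> privilegeFindings(SecurityContextConstraints scc) {
        List<String> findings = new ArrayList<>();
        if (Boolean.TRUE.equals(scc.getAllowPrivilegedContainer())) {
            findings.add("allowPrivilegedContainer=true: privileged pods have full host access");
        }
        if (scc.getRunAsUser() != null && "RunAsAny".equals(scc.getRunAsUser().getType())) {
            findings.add("runAsUser.type=RunAsAny: containers may run as UID 0");
        }
        List<String> volumes = scc.getVolumes();
        if (volumes != null && (volumes.contains("*") || volumes.contains("hostPath"))) {
            findings.add("volumes permit hostPath: the node filesystem can be mounted");
        }
        return findings;
    }

    public static void main(String[] args) {
        try (OpenShiftClient client = new DefaultOpenShiftClient()) {
            // Same YAML resource path as in the issue; the file is assumed to be on the classpath.
            InputStream yaml = SccCreateExample.class
                .getResourceAsStream("/test-securitycontextconstraints.yml");
            SecurityContextConstraints loaded = client.securityContextConstraints().load(yaml).get();

            // Without this step the object carries the model's default apiVersion and is rejected.
            SecurityContextConstraints scc = withExpectedApiVersion(loaded);

            // Surface what the SCC grants so the change is a deliberate decision, not a side effect.
            for (String finding : privilegeFindings(scc)) {
                System.err.println("WARNING scc/" + scc.getMetadata().getName() + ": " + finding);
            }

            client.securityContextConstraints().createOrReplace(scc);
        }
    }
}
```

For the scc-admin example from the top of this issue, privilegeFindings returns all three findings (privileged, RunAsAny, and hostPath via the default volume list shown in the oc get scc output), which is the expected result for an admin-level SCC and a useful signal when the same code path is used for narrower constraints.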
