Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
pkg/cvo/updatepayload: Set 'readOnlyRootFilesystem: false'
This blocks us from being associated with SecurityContextConstraints that set 'readOnlyRootFilesystem: true', because from [1]: > The set of SCCs that admission uses to authorize a pod are > determined by the user identity and groups that the user belongs > to. Additionally, if the pod specifies a service account, the set of > allowable SCCs includes any constraints accessible to the service > account. > > Admission uses the following approach to create the final security > context for the pod: > > 1. Retrieve all SCCs available for use. > 2. Generate field values for security context settings that were not > specified on the request. > 3. Validate the final settings against the available constraints. If we leave readOnlyRootFilesystem implicit, we may get associated with a SCC that sed 'readOnlyRootFilesystem: true', and the version-* actions will fail like [2]: $ oc -n openshift-cluster-version get pods NAME READY STATUS RESTARTS AGE cluster-version-operator-6b5c8ff5c8-4bmxx 1/1 Running 0 33m version-4.10.20-smvt9-6vqwc 0/1 Error 0 10s $ oc -n openshift-cluster-version logs version-4.10.20-smvt9-6vqwc oc logs version-4.10.20-smvt9-6vqwc mv: cannot remove '/manifests/0000_00_cluster-version-operator_00_namespace.yaml': Read-only file system mv: cannot remove '/manifests/0000_00_cluster-version-operator_01_adminack_configmap.yaml': Read-only file system ... For a similar change in another repository, see [3]. [1]: https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html#admission_configuring-internal-oauth [2]: https://bugzilla.redhat.com/show_bug.cgi?id=2110590#c0 [3]: openshift/cluster-openshift-apiserver-operator#437
- Loading branch information