OCPBUGS-77404: bugfix: mount /etc/containers so image controllers respect cluster-wide image registry configurations #439
Changes from all commits
a7aa392
ff619ce
b41e22c
78b69b8
1ed86f9
38f570c
1643cc1
038c418
28a62c9
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,15 +33,12 @@ spec: | |
| name: openshift-controller-manager | ||
| annotations: | ||
| target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' | ||
| openshift.io/required-scc: restricted-v3 | ||
| openshift.io/required-scc: hostaccess | ||
| labels: | ||
| app: openshift-controller-manager-a | ||
| controller-manager: "true" | ||
| spec: | ||
| hostUsers: false | ||
| securityContext: | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| priorityClassName: system-node-critical | ||
| serviceAccountName: openshift-controller-manager-sa | ||
| containers: | ||
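Review bot: the hunk removes `hostUsers: false` and the pod-level `seccompProfile: RuntimeDefault` alongside the SCC switch, but a read-only hostPath mount of /etc/containers needs neither of those removals; keep both lines unless SCC admission under `hostaccess` actually rejects them, and state that in the PR description if it does. Separately, `hostaccess` also permits the host network, PID and IPC namespaces, none of which this pod uses; a custom SCC that adds only the hostPath volume plugin on top of `restricted-v3` would keep the blast radius of a compromised controller-manager close to what it is today.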
|
|
@@ -69,6 +66,8 @@ spec: | |
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: metadata.name | ||
| - name: REGISTRY_AUTH_FILE | ||
| value: /var/run/secrets/image-auth/auth.json | ||
| livenessProbe: | ||
| initialDelaySeconds: 30 | ||
| httpGet: | ||
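Review bot: `REGISTRY_AUTH_FILE` hardcodes a path that must stay in sync with the `mountPath` of the `image-auth` volume elsewhere in this file; if the two drift, containers/image silently falls back to its default auth file lookup and pulls from private registries fail with an unauthorized error that gives no hint about the real cause. Add a comment beside each pointing at the other, or derive both from one value in the manifest template.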
|
|
@@ -92,6 +91,11 @@ spec: | |
| name: proxy-ca-bundles | ||
| - mountPath: /tmp | ||
| name: tmp | ||
| - mountPath: /etc/containers | ||
| name: etc-containers | ||
| readOnly: true | ||
| - mountPath: /var/run/secrets/image-auth | ||
| name: image-auth | ||
| volumes: | ||
| - name: config | ||
| configMap: | ||
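Review bot: the `image-auth` mount lacks `readOnly: true` while the `etc-containers` mount directly above it has it. The kubelet mounts Secret volumes read-only anyway, but the explicit flag matches the neighbouring mount and makes the intent visible to anyone auditing the manifest; add `readOnly: true` under `name: image-auth`.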
|
|
@@ -110,6 +114,16 @@ spec: | |
| path: tls-ca-bundle.pem | ||
| - emptyDir: {} | ||
| name: tmp | ||
| - hostPath: | ||
|
Author:
Open Question: Does this automatically handle pull secrets for private registries as well?

Author:
It doesn't, but I've opened openshift/openshift-controller-manager#447 to help with this.
||
| path: /etc/containers | ||
| type: Directory | ||
| name: etc-containers | ||
| - name: image-auth | ||
| secret: | ||
| secretName: pull-secret | ||
| items: | ||
| - key: .dockerconfigjson | ||
| path: auth.json | ||
| nodeSelector: | ||
| node-role.kubernetes.io/master: "" | ||
| tolerations: | ||
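Review bot: `secretName: pull-secret` has to exist in the openshift-controller-manager namespace (the pod's own namespace, as the RoleBinding in this PR confirms), but the cluster pull secret lives in openshift-config and nothing in this diff shows the operator copying it across; without that copy the Deployment sits in ContainerCreating with a missing-secret event. Either include the sync in this PR, or set `optional: true` on the Secret volume and document that private registries then depend on the follow-up. The `hostPath` with `type: Directory` is fine as long as it stays paired with the `readOnly: true` mount.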
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # needed to support host-mounted image registry configurations. | ||
| kind: Role | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: system:openshift-controller-manager:hostaccess-role | ||
| namespace: openshift-controller-manager | ||
| rules: | ||
| - apiGroups: | ||
| - security.openshift.io | ||
| resources: | ||
| - securitycontextconstraints | ||
| resourceNames: | ||
| - hostaccess | ||
| verbs: | ||
| - use |
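Review bot: granting `use` on a single SCC by `resourceNames` is the right shape, but the file comment only says host-mounted registry configuration is needed, not why the broad `hostaccess` SCC was chosen over a narrower one; say so here, since this Role and the `openshift.io/required-scc: hostaccess` annotation on the pod must change together if a custom SCC replaces it.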
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| # needed to support host-mounted image registry configurations. | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: RoleBinding | ||
| metadata: | ||
| namespace: openshift-controller-manager | ||
| name: system:openshift-controller-manager:hostaccess-rolebinding | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: system:openshift-controller-manager:hostaccess-role | ||
|
|
||
| subjects: | ||
| - kind: ServiceAccount | ||
| namespace: openshift-controller-manager | ||
| name: openshift-controller-manager-sa | ||
coderabbitai[bot]:
Major security hardening gaps in controller-manager OpenShift Deployment
- `hostaccess` is less restricted than `restricted-v3` and doesn't align with the guideline requiring a restricted/custom-scoped SCC; either justify the need or wire a custom SCC.
- `runAsNonRoot: true` at pod/container `securityContext` (defense-in-depth).
- `resources.limits` (only `resources.requests` are set).
- `automountServiceAccountToken` is not explicitly set to `false`.

Source: Coding guidelines
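One way to act on the "wire a custom SCC" suggestion, added here as an illustration and not taken from this PR or from the operator repository: an SCC cloned from the stock `restricted-v2` with only the hostPath volume plugin switched on. The SCC name `openshift-controller-manager-hostpath` is an assumption. SCCs carry no per-path allowlist, so the fact that only `/etc/containers` is mounted, and read-only, still has to be enforced by the Deployment manifest; what the SCC buys over `hostaccess` is that host network, PID and IPC namespaces, privileged containers and privilege escalation stay refused at admission.

```yaml
# Added example, not part of the PR. Name is a placeholder.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: openshift-controller-manager-hostpath
# The single deviation from restricted-v2: allow hostPath volumes.
allowHostDirVolumePlugin: true
# Everything hostaccess would have opened up stays closed.
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
defaultAddCapabilities: null
requiredDropCapabilities:
- ALL
fsGroup:
  type: MustRunAs
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
- runtime/default
readOnlyRootFilesystem: false
# No direct users/groups; access is granted through the namespaced Role
# with verb "use" and this SCC in resourceNames, as the PR already does
# for hostaccess.
users: []
groups: []
volumes:
- configMap
- downwardAPI
- emptyDir
- ephemeral
- hostPath
- persistentVolumeClaim
- projected
- secret
```

Wiring it in means two one-line changes to what the PR already has: `openshift.io/required-scc` on the pod and `resourceNames` in the Role both name the custom SCC instead of `hostaccess`. Because `seccompProfiles` requires `runtime/default`, the `seccompProfile: RuntimeDefault` block that this PR deletes from the pod spec can be kept, and `allowPrivilegeEscalation: false` plus the `MustRunAsRange` UID keep the controller-manager unprivileged even though it can now see the node's registry configuration.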