Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option to configure seLinux and runAs policies #538

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add option to configure seLinux and runAs policies #538

wants to merge 1 commit into from
+23 −7

Conversation

AlbertoPimpo
Copy link

@AlbertoPimpo AlbertoPimpo commented Aug 6, 2024
edited
Loading

EDIT: after discussions, we decided to make seLinux and runAs policies configurable instead of changing the default.

When creating a securityContextContraint for Openshift, the helm chart currently set the selinux strategy to MustRunAs, but this might lead to permission errors if you are using selinux in the node and you want to mount an host folder with an HostPath.

I think there is no reason for disallowing selinux context to be changed for the fluentbit deployment. Also, this is the same behavior used by red hat for their cluster logging operator that deploys fluentd.
https://github.com/openshift/cluster-logging-operator/blob/master/internal/auth/securitycontextconstraint.go#L46

@AlbertoPimpo AlbertoPimpo force-pushed the patch-1 branch 7 times, most recently from 6a5ef04 to 6f256e1 Compare August 6, 2024 12:06
@AlbertoPimpo
Copy link
Author

Sorry for all the pushes but I had to fix the verification of the commit 😅

@AlbertoPimpo
Copy link
Author

@stevehipwell @naseemkullah @edsiper could you please take a look?

@stevehipwell
Copy link
Collaborator

@AlbertoPimpo I'm not familiar enough with OpenShift to make a call on this change.

FYI you need to rebase and bump your chart version.

@cosmo0920
Copy link

Maybe we need to ask to take a look this change @patrick-stephens ?
He sometimes do some stuffs of his technology interests of Openshift.

@AlbertoPimpo
Copy link
Author

FYI you need to rebase and bump your chart version

@stevehipwell done 👍

@AlbertoPimpo
Copy link
Author

If it can help, in the PodSecurityPolicy you indeed allow to change the selinux context https://github.com/fluent/helm-charts/blob/main/charts/fluent-bit/templates/psp.yaml#L28

@patrick-stephens
Copy link
Contributor

I would not be a fan of changing it from one hardcoded value to another, let's make it configurable with a default.

@AlbertoPimpo
Copy link
Author

I would not be a fan of changing it from one hardcoded value to another, let's make it configurable with a default.

@patrick-stephens I like the idea, maybe we should do the same for psp? I can take care of that.

@AlbertoPimpo
Copy link
Author

@patrick-stephens sorry for taking so long, it's done now. Feel free to merge it.

@AlbertoPimpo AlbertoPimpo changed the title Change Openshift scc seLinuxContext to RunAsAny Add option to configure seLinux and runAs policies Nov 10, 2024
@AlbertoPimpo
Copy link
Author

@stevehipwell @naseemkullah @edsiper this is ready to be merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

@naseemkullah naseemkullah Awaiting requested review from naseemkullah naseemkullah is a code owner

@stevehipwell stevehipwell Awaiting requested review from stevehipwell stevehipwell is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@AlbertoPimpo @stevehipwell @cosmo0920 @patrick-stephens