changes related to selinux and permissions for openshift
 * run the sgx container as container_device_plugin_t and init container
   as container_device_plugin_init_t. these labels are being added to
   container_selinux package upstream.
 * add rbac role for openshift
Signed-off-by: Manish Regmi <[email protected]>
mregmi committed Apr 28, 2022
1 parent 23eacb3 commit 78d2fe2
Showing 4 changed files with 16 additions and 0 deletions.
8 changes: 8 additions & 0 deletions deployments/operator/rbac/role.yaml
Expand Up @@ -245,3 +245,11 @@ rules:
- get
- list
- watch
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- privileged
verbs:
- use
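Review bot: the new rule grants `use` on the `privileged` SCC, the least restrictive constraint OpenShift ships, and neither the rule nor the commit message records why the operator's workloads need that rather than a purpose-built SCC limited to the SGX device access and the `container_device_plugin_t` / `container_device_plugin_init_t` types this same commit introduces. Suggest adding a short comment in role.yaml stating the requirement (and which pod fields trigger it), so a later reviewer can tell whether the grant can be narrowed once the SELinux labels make a custom SCC workable.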
2 changes: 2 additions & 0 deletions deployments/sgx_plugin/base/intel-sgx-plugin.yaml
Expand Up @@ -17,6 +17,8 @@ spec:
- name: intel-sgx-plugin
image: intel/intel-sgx-plugin:devel
securityContext:
seLinuxOptions:
type: "container_device_plugin_t"
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
imagePullPolicy: IfNotPresent
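Review bot: the `seLinuxOptions.type: "container_device_plugin_t"` added under `securityContext` is hard-coded in the base manifest, but per the commit message that type is still "being added to container_selinux package upstream"; on a node whose policy does not yet define it, the runtime will reject the container with an invalid-context error rather than falling back to the default label. Suggest either moving the `seLinuxOptions` block into an OpenShift/SELinux overlay or documenting the minimum container-selinux version in the deployment README so the base manifest keeps working on hosts with older policy.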
3 changes: 3 additions & 0 deletions pkg/controllers/sgx/controller.go
Expand Up @@ -106,6 +106,9 @@ func setInitContainer(spec *v1.PodSpec, imageName string) {
ImagePullPolicy: "IfNotPresent",
Name: "intel-sgx-initcontainer",
SecurityContext: &v1.SecurityContext{
SELinuxOptions: &v1.SELinuxOptions{
Type: "container_device_plugin_init_t",
},
ReadOnlyRootFilesystem: &yes,
},
VolumeMounts: []v1.VolumeMount{
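Review bot: the init container now gets `SELinuxOptions{Type: "container_device_plugin_init_t"}` unconditionally, which has the same portability caveat as the manifest change (the type must exist in the node's policy), and the test change in this commit only asserts the plugin container's `container_device_plugin_t`; the init container's type is not visibly covered. Suggest extending the expected pod spec in controller_test.go to include the init container's `SELinuxOptions` as well, so a regression in `setInitContainer` is caught.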
3 changes: 3 additions & 0 deletions pkg/controllers/sgx/controller_test.go
Expand Up @@ -71,6 +71,9 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
Image: devicePlugin.Spec.Image,
ImagePullPolicy: "IfNotPresent",
SecurityContext: &v1.SecurityContext{
SELinuxOptions: &v1.SELinuxOptions{
Type: "container_device_plugin_t",
},
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
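Review bot: the expected DaemonSet repeats the literal `"container_device_plugin_t"` that is also spelled out in controller.go and in intel-sgx-plugin.yaml, so the three copies can drift silently if the label is renamed when the upstream container-selinux change lands. Suggest defining the two type names once as exported constants in the sgx controller package and referencing them from both the controller and this test.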