From 78d2fe24e356549f0084c4f0d8f35a6f63f520cb Mon Sep 17 00:00:00 2001
From: Manish Regmi
Date: Fri, 15 Apr 2022 15:52:00 -0700
Subject: [PATCH] changes related to selinux and permissions for openshift
* run the sgx container as container_device_plugin_t and init container as container_device_plugin_init_t. these labels are being added to container_selinux package upstream.
* add rbac role for openshift
Signed-off-by: Manish Regmi
---
 deployments/operator/rbac/role.yaml | 8 ++++++++
 deployments/sgx_plugin/base/intel-sgx-plugin.yaml | 2 ++
 pkg/controllers/sgx/controller.go | 3 +++
 pkg/controllers/sgx/controller_test.go | 3 +++
 4 files changed, 16 insertions(+)
diff --git a/deployments/operator/rbac/role.yaml b/deployments/operator/rbac/role.yaml
index e2cfc377d..96090f367 100644
--- a/deployments/operator/rbac/role.yaml
+++ b/deployments/operator/rbac/role.yaml
@@ -245,3 +245,11 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - privileged
+ verbs:
+ - use
diff --git a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
index 1429c04f2..2a81e8d06 100644
--- a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
+++ b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
@@ -17,6 +17,8 @@ spec:
 - name: intel-sgx-plugin
 image: intel/intel-sgx-plugin:devel
 securityContext:
+ seLinuxOptions:
+ type: "container_device_plugin_t"
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 imagePullPolicy: IfNotPresent
diff --git a/pkg/controllers/sgx/controller.go b/pkg/controllers/sgx/controller.go
index a783ae755..369da3a9c 100644
--- a/pkg/controllers/sgx/controller.go
+++ b/pkg/controllers/sgx/controller.go
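Review bot: The new rule grants `use` on the `privileged` SecurityContextConstraints, the broadest SCC OpenShift ships, while the pods touched by this patch only need a custom SELinux type on top of the `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` they already carry. A dedicated SCC that admits just the `container_device_plugin_t`/`container_device_plugin_init_t` types (and whatever host device access the plugin needs) would keep the operator's service account off `privileged`; presumably the `restricted` SCC rejects a custom `seLinuxOptions.type`, which is why `privileged` was chosen — worth confirming. If `privileged` is genuinely required, a comment on the rule stating why would help later reviewers, e.g. `# OpenShift: plugin pods set a custom SELinux type, which the default SCCs do not admit`.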
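Review bot: `seLinuxOptions.type: "container_device_plugin_t"` is set unconditionally in the base manifest, but the commit message says the type is only now being added to container-selinux upstream; on an SELinux-enforcing node whose policy does not yet define it, the runtime will typically refuse to create the container, and non-OpenShift SELinux hosts that apply this base deployment are affected too. Consider moving the option into an OpenShift-specific overlay, or at least recording the requirement next to the field, e.g. `# requires a container-selinux build that defines container_device_plugin_t`. The same applies to the `container_device_plugin_init_t` literal added in pkg/controllers/sgx/controller.go.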
@@ -106,6 +106,9 @@ func setInitContainer(spec *v1.PodSpec, imageName string) {
 ImagePullPolicy: "IfNotPresent",
 Name: "intel-sgx-initcontainer",
 SecurityContext: &v1.SecurityContext{
+ SELinuxOptions: &v1.SELinuxOptions{
+ Type: "container_device_plugin_init_t",
+ },
 ReadOnlyRootFilesystem: &yes,
 },
 VolumeMounts: []v1.VolumeMount{
diff --git a/pkg/controllers/sgx/controller_test.go b/pkg/controllers/sgx/controller_test.go
index 8b381fd2d..f85cd221c 100644
--- a/pkg/controllers/sgx/controller_test.go
+++ b/pkg/controllers/sgx/controller_test.go
@@ -71,6 +71,9 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 Image: devicePlugin.Spec.Image,
 ImagePullPolicy: "IfNotPresent",
 SecurityContext: &v1.SecurityContext{
+ SELinuxOptions: &v1.SELinuxOptions{
+ Type: "container_device_plugin_t",
+ },
 ReadOnlyRootFilesystem: &yes,
 AllowPrivilegeEscalation: &no,
 },
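Review bot: The SELinux type is a bare string literal inside setInitContainer, while the matching plugin-container type lives in the manifest and in the test expectation; hoisting the label into a named constant makes the coupling visible and stops the test from silently re-pinning a typo, e.g. `const initContainerSELinuxType = "container_device_plugin_init_t"` used as `Type: initContainerSELinuxType,`. A one-line why-comment above the field would also help, since nothing nearby explains that the label exists for OpenShift and depends on a container-selinux policy that defines it. setInitContainer starts and ends outside the hunk.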