m88i/nexus-operator

Add SCC to the Service Account in OCP

LCaparelli opened this issue · 2 comments

Having the operator's Service Account use a restrictive SCC would improve the operator's security.

I have an initial implementation of this that is failing to build due to some dependency issues. The libraries we're using seem to be somewhat incompatible as they are now; let's keep a close watch to continue this as soon as possible.

At the moment the cluster admin must add an SCC to the Service Account in order to be able to start pods correctly in OCP 3.x (#41), and if this were implemented it wouldn't be necessary.

Upon further investigation it was discovered that the SCC couldn't be created due to being a cluster-scoped resource. As such, it couldn't have a namespaced resource as owner. Until a more suitable alternative is found the user will need to apply a valid SCC to the service account being used by the operator when using the community Nexus image.

When using the Red Hat certified image this is no longer necessary after #81 as it sets the container user/group to one in the range defined by the openshift.io/sa.scc.supplemental-groups and openshift.io/sa.scc.uid-range namespace annotations, satisfying the constraints imposed by the restricted SCC and successfully starting the pods.
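The comment above explains why the certified image starts under the restricted SCC: its user and group fall inside the ranges that OpenShift stores on the namespace. The following is an added example, not code from the nexus-operator project or from the commenter, that parses those two annotations and checks a pod `securityContext` against them the way the restricted SCC's `runAsUser: MustRunAsRange` (from `openshift.io/sa.scc.uid-range`) and `fsGroup: MustRunAs` (from `openshift.io/sa.scc.supplemental-groups`) would, as I understand those strategies. The annotation values, the uid 200 attributed to the community image and the `check_security_context` helper are constructed assumptions for the example; OpenShift accepts both `<start>/<size>` and `<start>-<end>` blocks, comma-separated, which the parser mirrors.

```python
"""Check a pod securityContext against the uid/gid ranges OpenShift derives
from namespace annotations (added example, not part of nexus-operator)."""

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"
SUPPLEMENTAL_GROUPS_ANNOTATION = "openshift.io/sa.scc.supplemental-groups"


def parse_block(block):
    """Parse one range block into an inclusive (lo, hi) tuple.

    OpenShift writes "<start>/<size>" and also accepts "<start>-<end>".
    """
    block = block.strip()
    if "/" in block:
        start, size = block.split("/", 1)
        lo, size = int(start), int(size)
        if size <= 0:
            raise ValueError(f"range size must be positive: {block!r}")
        return lo, lo + size - 1
    if "-" in block:
        start, end = block.split("-", 1)
        lo, hi = int(start), int(end)
        if hi < lo:
            raise ValueError(f"range end precedes start: {block!r}")
        return lo, hi
    raise ValueError(f"unrecognised range block: {block!r}")


def parse_ranges(value):
    """Parse a comma-separated list of blocks into a list of (lo, hi)."""
    return [parse_block(b) for b in value.split(",") if b.strip()]


def in_ranges(n, ranges):
    return any(lo <= n <= hi for lo, hi in ranges)


def check_security_context(ns_annotations, security_context):
    """Return the list of range violations for a pod-level securityContext.

    An empty list means the restricted SCC's range checks (as assumed here)
    would pass. Unset fields are reported as fine because SCC admission
    fills them in with the first value of the namespace range.
    """
    violations = []
    uid_ranges = parse_ranges(ns_annotations[UID_RANGE_ANNOTATION])
    gid_ranges = parse_ranges(ns_annotations[SUPPLEMENTAL_GROUPS_ANNOTATION])

    # runAsUser: MustRunAsRange, bounded by the uid-range annotation.
    uid = security_context.get("runAsUser")
    if uid is not None and not in_ranges(uid, uid_ranges):
        violations.append(
            f"runAsUser {uid} outside {UID_RANGE_ANNOTATION}="
            f"{ns_annotations[UID_RANGE_ANNOTATION]!r}"
        )

    # fsGroup: MustRunAs, bounded by the supplemental-groups annotation.
    gid = security_context.get("fsGroup")
    if gid is not None and not in_ranges(gid, gid_ranges):
        violations.append(
            f"fsGroup {gid} outside {SUPPLEMENTAL_GROUPS_ANNOTATION}="
            f"{ns_annotations[SUPPLEMENTAL_GROUPS_ANNOTATION]!r}"
        )
    return violations


# Constructed sample: annotations as OpenShift stamps them on a new project.
NAMESPACE_ANNOTATIONS = {
    UID_RANGE_ANNOTATION: "1000680000/10000",
    SUPPLEMENTAL_GROUPS_ANNOTATION: "1000680000/10000",
}

# Assumed: a community image that pins itself to a low, fixed uid/gid.
COMMUNITY_IMAGE_CONTEXT = {"runAsUser": 200, "fsGroup": 200}

# Assumed: a certified image whose user/group were taken from the annotations.
CERTIFIED_IMAGE_CONTEXT = {"runAsUser": 1000680000, "fsGroup": 1000680000}


if __name__ == "__main__":
    for name, ctx in (("community", COMMUNITY_IMAGE_CONTEXT),
                      ("certified", CERTIFIED_IMAGE_CONTEXT)):
        problems = check_security_context(NAMESPACE_ANNOTATIONS, ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Running it shows the community-image context failing both checks while the certified-image context passes; a pod whose image insists on a uid outside the namespace range is exactly the case that needs a cluster admin to bind a looser SCC (such as one with `runAsUser: RunAsAny`) to the operator's Service Account.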

Re-opening as we'll be able to create the SCC after #161