CRW-4536 (Red Hat OpenShift Dev Spaces, formerly CodeReady Workspaces)

Allow configuration of workspace PodSecurityContext/ContainerSecurityContext in CheCluster CR

      = Configuring default container and pod SecurityContext in CheCluster CR

      With this update, the following CheCluster CR fields are available:
      * `spec.devEnvironments.security`
      * `spec.devEnvironments.security.containerSecurityContext`
      * `spec.devEnvironments.security.podSecurityContext`

      Use the `spec.devEnvironments.security.containerSecurityContext` and `spec.devEnvironments.security.podSecurityContext` fields to configure the container and pod security contexts used by workspaces; the Operator sets the corresponding `DevWorkspaceOperatorConfiguration` fields from them.

      [NOTE]
      ====
      If you use the `devEnvironments.security.containerSecurityContext` field and `devEnvironments.disableContainerBuildCapabilities` is set to `false`, the container security context required for the container-builds SCC will be used, overriding the security context set in `devEnvironments.security.containerSecurityContext`.
      ====
    • Enhancement
    • Done

      The DevWorkspaceOperatorConfig custom resource contains fields that can be used to configure a default pod and container securityContext. Currently these fields are used by the Dev Spaces Operator to configure a security context that allows for building containers within the cluster with the container-build SCC:

          containerSecurityContext:
            allowPrivilegeEscalation: true
            capabilities:
              add:
                - SETGID
                - SETUID

      However, in some cases, an admin may need to add additional configuration in order to run pods on their cluster, and so it would be helpful to expose these fields in the CheCluster to make this simpler.

      In doing this, however, we would have to take care to handle the interaction between any setting on these fields and disableContainerBuildCapabilities. If container build is enabled, we would need to verify that any container/pod security context applied is compatible with the required context for container builds (e.g. an admin could not specify allowPrivilegeEscalation: false while container builds were enabled).

      As a workaround, since the Dev Spaces Operator currently only sets the containerSecurityContext field, it is possible to edit the DevWorkspaceOperatorConfig directly to include a default pod securityContext.
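      The override rule from the release note and the compatibility check the description asks for, as an added Python example (not che-operator code): the function names and the constructed sample spec are assumptions, while the CheCluster field paths and the container-build security context are taken from the issue.

```python
"""Effective workspace security from a CheCluster spec (added example, not
che-operator code). Models the release-note rule (container-build context
overrides containerSecurityContext while builds are enabled) and the
compatibility check the description proposes. Function names are assumed."""
import copy

# Container security context required by the container-build SCC (from the issue).
CONTAINER_BUILD_CONTEXT = {"allowPrivilegeEscalation": True,
                           "capabilities": {"add": ["SETGID", "SETUID"]}}


def container_builds_enabled(spec):
    """Builds are on unless devEnvironments.disableContainerBuildCapabilities is true."""
    return not spec.get("devEnvironments", {}).get("disableContainerBuildCapabilities", False)


def incompatibilities(admin_ctx):
    """Admin containerSecurityContext settings that conflict with container builds."""
    problems = []
    if admin_ctx.get("allowPrivilegeEscalation") is False:
        problems.append("allowPrivilegeEscalation=false conflicts with container builds")
    dropped = set(admin_ctx.get("capabilities", {}).get("drop", []))
    for cap in CONTAINER_BUILD_CONTEXT["capabilities"]["add"]:
        if cap in dropped or "ALL" in dropped:
            problems.append(f"dropping {cap} conflicts with container builds")
    return problems


def effective_security(spec):
    """Return (podSecurityContext, containerSecurityContext, warnings) that the
    operator would write to DevWorkspaceOperatorConfig for this spec."""
    security = spec.get("devEnvironments", {}).get("security", {})
    pod_ctx = copy.deepcopy(security.get("podSecurityContext", {}))
    admin_ctx = copy.deepcopy(security.get("containerSecurityContext", {}))
    if not container_builds_enabled(spec):
        return pod_ctx, admin_ctx, []  # admin context is used as given
    # Builds enabled: the required context wins; report what it overrode.
    return pod_ctx, copy.deepcopy(CONTAINER_BUILD_CONTEXT), incompatibilities(admin_ctx)


# Constructed sample: hardened pod context, but an admin-set
# allowPrivilegeEscalation: false while container builds are still enabled.
SAMPLE_SPEC = {"devEnvironments": {
    "disableContainerBuildCapabilities": False,
    "security": {
        "podSecurityContext": {"runAsNonRoot": True,
                               "seccompProfile": {"type": "RuntimeDefault"}},
        "containerSecurityContext": {"allowPrivilegeEscalation": False,
                                     "capabilities": {"drop": ["ALL"]}}}}}
```

      With the sample spec the pod context passes through unchanged, the container context is replaced by the container-build one, and three warnings name the admin settings that were overridden.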

              aobuchow Andrew Obuchowicz
              amisevsk Angel Misevski
              David Kwon
              Jana Vrbkova