  1. Maistra
  2. MAISTRA-974

Istio Authorization tasks need anyuid scc

Details

    • Task
    • Resolution: Done
    • Minor
    • maistra-1.0.2
    • None
    • None
    • None
    • MAISTRA 1.0.2

    Description

      The following test cases/tasks failed in the OCP4 environment when we didn't add the anyuid scc.

      Build: istio maistra-1.0.0 GA images
      Environment: OCP4.1 AWS and OCP4.2 AWS

      Task: Authorization for HTTP Services - https://archive.istio.io/v1.1/docs/tasks/security/authz-http/
      1. The additional ServiceAccounts (bookinfo-productpage, bookinfo-reviews) require the anyuid scc. Otherwise, this test cannot pass on an OCP4.1 or OCP4.2 cluster.

      Upstream doc reference:
      https://archive.istio.io/v1.1/docs/tasks/security/authz-http/#before-you-begin
      https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml

      Task: Authorization for TCP Services - https://archive.istio.io/v1.1/docs/tasks/security/authz-tcp/
      1. The additional ServiceAccount (bookinfo-ratings-v2) requires anyuid scc.
      2. We don't have a bookinfo-ratings-v2 maistra image to replace the upstream image: istio/examples-bookinfo-ratings-v2:1.10.0
      3. mongodb needs anyuid scc

      Upstream doc reference:
      https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/platform/kube/rbac/ratings-v2-add-serviceaccount.yaml
      https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/platform/kube/bookinfo-db.yaml

      ====
      The following two tasks include nginx and mongodb applications. We may not support those applications on an OCP cluster. They require the anyuid scc as well.

      Task: Collecting Metrics for TCP services - https://archive.istio.io/v1.1/docs/tasks/telemetry/metrics/tcp-metrics/
      1. mongodb needs anyuid scc
      Upstream Doc Ref:
      https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
      https://raw.githubusercontent.com/istio/istio/release-1.1/samples/bookinfo/platform/kube/bookinfo-db.yaml

      Task: Mutual TLS over HTTPS - https://archive.istio.io/v1.1/docs/tasks/security/https-overlay/
      1. nginx app needs anyuid scc
      Upstream Doc Ref:
      https://raw.githubusercontent.com/istio/istio/release-1.1/samples/https/nginx-app.yaml
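
An added example, not part of the ticket or of the Maistra/Istio projects: a small check that reads Deployment manifests, finds the ServiceAccount each workload runs as, and prints one scoped `oc adm policy add-scc-to-user anyuid` grant per dedicated ServiceAccount. Workloads with no `serviceAccountName` run as the namespace's `default` ServiceAccount, so they are reported instead of granted. The sample manifest, the `bookinfo` namespace and the function names are assumptions.

```python
import re

# Constructed, trimmed sample shaped like the linked bookinfo manifests (not the upstream files).
SAMPLE = """\
kind: Deployment
metadata:
  name: ratings-v2
spec:
  template:
    spec:
      serviceAccountName: bookinfo-ratings-v2
      containers:
      - name: ratings
---
kind: Deployment
metadata:
  name: mongodb-v1
spec:
  template:
    spec:
      containers:
      - name: mongodb
"""

def workload_service_accounts(manifest):
    """Map each Deployment name to the ServiceAccount its pods run as."""
    out = {}
    for doc in re.split(r"^---\s*$", manifest, flags=re.M):
        if not re.search(r"^kind:\s*Deployment\s*$", doc, re.M):
            continue
        name = re.search(r"^ {2}name:\s*(\S+)", doc, re.M).group(1)
        sa = re.search(r"^\s+serviceAccountName:\s*(\S+)", doc, re.M)
        # Pods without serviceAccountName run as the namespace's "default" SA.
        out[name] = sa.group(1) if sa else "default"
    return out

def anyuid_grants(manifest, namespace):
    """Return (commands, warnings); never emits a grant for the shared default SA."""
    by_sa = {}
    for workload, sa in workload_service_accounts(manifest).items():
        by_sa.setdefault(sa, []).append(workload)
    cmds = [f"oc adm policy add-scc-to-user anyuid -z {sa} -n {namespace}"
            for sa in sorted(by_sa) if sa != "default"]
    warnings = [f"{w}: no serviceAccountName; add a dedicated ServiceAccount first"
                for w in by_sa.get("default", [])]
    return cmds, warnings

if __name__ == "__main__":
    print(anyuid_grants(SAMPLE, "bookinfo"))  # namespace "bookinfo" is an assumption
```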

          People

            ddolguik-ocp Dmitri Dolguikh (Inactive)
            yuaxu@redhat.com Yuanlin Xu