Story
Resolution: Done
OCPSTRAT-35 - Layering ON Cluster Build: Dev Preview
MCO Sprint 238, MCO Sprint 239
The easiest way to let the custom pod builder run as an unprivileged pod is to add a ClusterRoleBinding that allows the machine-os-builder service account to create a pod running as the specified user ID (1000), which it currently cannot do. We want this to run with as few privileges as possible to mitigate any security concerns raised by building an image.
Here's an example manifest which will have the desired effect:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: machine-os-builder-anyuid
roleRef:
  name: "system:openshift:scc:anyuid"
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
subjects:
  - name: machine-os-builder
    kind: ServiceAccount
    namespace: "{{.TargetNamespace}}"
Note: This manifest must be in a file by itself since the code which reads it in assumes that only a single manifest exists per file.
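As an added example (not MCO code), a small shell helper that renders the template above for a given namespace, enforces the one-manifest-per-file constraint the note describes, and, where `oc` is available, asks the API server whether the service account can actually use the anyuid SCC. The `oc auth can-i use securitycontextconstraints/anyuid` invocation and the namespace value are assumptions.

```shell
#!/bin/sh
# Added example, not MCO code: render the ClusterRoleBinding template for a
# namespace, enforce the one-manifest-per-file rule, and optionally ask the
# cluster whether the service account can use the anyuid SCC.
set -eu

# Constructed copy of the manifest from the story; the {{.TargetNamespace}}
# placeholder is filled in by the MCO's template rendering.
MANIFEST_TEMPLATE='---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: machine-os-builder-anyuid
roleRef:
  name: "system:openshift:scc:anyuid"
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
subjects:
  - name: machine-os-builder
    kind: ServiceAccount
    namespace: "{{.TargetNamespace}}"'

# render_manifest NAMESPACE: substitute the Go-template placeholder.
render_manifest() {
  printf '%s\n' "$MANIFEST_TEMPLATE" | sed "s/{{\\.TargetNamespace}}/$1/g"
}

# count_docs FILE: number of YAML documents in FILE. Each '---' starts one;
# non-comment content before the first '---' counts as a leading document.
count_docs() {
  awk '/^---/ { n++; next }
       NF && $1 !~ /^#/ && n == 0 { lead = 1 }
       END { print n + lead }' "$1"
}

# check_single_manifest FILE: succeed only if FILE holds exactly one document,
# which is what the MCO's manifest reader assumes.
check_single_manifest() {
  [ "$(count_docs "$1")" -eq 1 ]
}

# check_sa_can_use_scc NAMESPACE: ask the API server whether the builder SA may
# use the anyuid SCC (assumed oc invocation; returns 2 when oc is not present).
check_sa_can_use_scc() {
  command -v oc >/dev/null 2>&1 || return 2
  oc auth can-i use securitycontextconstraints/anyuid \
    --as="system:serviceaccount:$1:machine-os-builder"
}
```

Run `check_single_manifest` against the rendered file before handing it to the MCO; a file with a second document will fail the check, which is exactly the case the note warns about.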
Done When:
- The MCO configures this ClusterRoleBinding for the machine-os-builder service account that it creates.