func addE2EServiceAccountsToSCC(c *kclient.Client, namespaces *kapi.NamespaceList, sccName string) {
err := kclient.RetryOnConflict(kclient.DefaultRetry, func() error {
scc, err := c.SecurityContextConstraints().Get(sccName)
if err != nil {
if apierrs.IsNotFound(err) {
return nil
}
return err
}
groups := []string{}
for _, name := range scc.Groups {
if !strings.Contains(name, "e2e-") {
groups = append(groups, name)
}
}
for _, ns := range namespaces.Items {
if strings.HasPrefix(ns.Name, "e2e-") {
groups = append(groups, fmt.Sprintf("system:serviceaccounts:%s", ns.Name))
}
}
scc.Groups = groups
if _, err := c.SecurityContextConstraints().Update(scc); err != nil {
return err
}
return nil
})
if err != nil {
FatalErr(err)
}
}
func validateServiceAccount(client *kclient.Client, ns string, serviceAccount string, hostNetwork bool) error {
if !hostNetwork {
return nil
}
// get cluster sccs
sccList, err := client.SecurityContextConstraints().List(kapi.ListOptions{})
if err != nil {
if !errors.IsUnauthorized(err) {
return fmt.Errorf("could not retrieve list of security constraints to verify service account %q: %v", serviceAccount, err)
}
return nil
}
// get set of sccs applicable to the service account
userInfo := serviceaccount.UserInfo(ns, serviceAccount, "")
for _, scc := range sccList.Items {
if admission.ConstraintAppliesTo(&scc, userInfo) {
switch {
case hostNetwork && scc.AllowHostNetwork:
return nil
}
}
}
return fmt.Errorf("service account %q is not allowed to access the host network on nodes, needs access via a security context constraint", serviceAccount)
}
func validateSecurityContextConstraints(c *k8sclient.Client, f *cmdutil.Factory) (Result, error) {
ns, _, err := f.DefaultNamespace()
if err != nil {
return Failure, err
}
name := Fabric8SCC
if ns != "default" {
name += "-" + ns
}
rc, err := c.SecurityContextConstraints().Get(name)
if err != nil {
util.Fatalf("Failed to get SecurityContextConstraints, %s in namespace %s\n", err, ns)
}
if rc != nil {
return Success, err
}
return Failure, err
}
func validateServiceAccount(kClient *kclient.Client, ns string, sa string) error {
// get cluster sccs
sccList, err := kClient.SecurityContextConstraints().List(labels.Everything(), fields.Everything())
if err != nil {
return fmt.Errorf("unable to validate service account %v", err)
}
// get set of sccs applicable to the service account
userInfo := serviceaccount.UserInfo(ns, sa, "")
for _, scc := range sccList.Items {
if admission.ConstraintAppliesTo(&scc, userInfo) {
if scc.AllowHostPorts {
return nil
}
}
}
return fmt.Errorf("unable to validate service account, host ports are forbidden")
}
func validateServiceAccount(client *kclient.Client, ns string, serviceAccount string) error {
sccList, err := client.SecurityContextConstraints().List(kapi.ListOptions{})
if err != nil {
if !errors.IsUnauthorized(err) {
return fmt.Errorf("could not retrieve list of security constraints to verify service account %q: %v", serviceAccount, err)
}
}
for _, scc := range sccList.Items {
if scc.AllowPrivilegedContainer {
for _, user := range scc.Users {
if strings.Contains(user, serviceAccount) {
return nil
}
}
}
}
errMsg := "service account %q does not have sufficient privileges, grant access with oadm policy add-scc-to-user %s -z %s"
return fmt.Errorf(errMsg, serviceAccount, bootstrappolicy.SecurityContextConstraintPrivileged, serviceAccount)
}
func deployFabric8SASSecurityContextConstraints(c *k8sclient.Client, f *cmdutil.Factory, ns string) (Result, error) {
name := Fabric8SASSCC
scc := kapi.SecurityContextConstraints{
ObjectMeta: kapi.ObjectMeta{
Name: name,
},
SELinuxContext: kapi.SELinuxContextStrategyOptions{
Type: kapi.SELinuxStrategyRunAsAny,
},
RunAsUser: kapi.RunAsUserStrategyOptions{
Type: kapi.RunAsUserStrategyRunAsAny,
},
Groups: []string{"system:serviceaccounts"},
Volumes: []kapi.FSType{kapi.FSTypeGitRepo, kapi.FSTypeConfigMap, kapi.FSTypeSecret, kapi.FSTypeEmptyDir},
}
_, err := c.SecurityContextConstraints().Get(name)
if err == nil {
err = c.SecurityContextConstraints().Delete(name)
if err != nil {
return Failure, err
}
}
_, err = c.SecurityContextConstraints().Create(&scc)
if err != nil {
util.Fatalf("Cannot create SecurityContextConstraints: %v\n", err)
util.Fatalf("Failed to create SecurityContextConstraints %v in namespace %s: %v\n", scc, ns, err)
return Failure, err
}
util.Infof("SecurityContextConstraints %s is setup correctly\n", name)
return Success, err
}
func validateServiceAccount(client *kclient.Client, ns string, serviceAccount string, hostNetwork, hostPorts bool) error {
if !hostNetwork && !hostPorts {
return nil
}
// get cluster sccs
sccList, err := client.SecurityContextConstraints().List(kapi.ListOptions{})
if err != nil {
if !errors.IsUnauthorized(err) {
return fmt.Errorf("could not retrieve list of security constraints to verify service account %q: %v", serviceAccount, err)
}
return nil
}
// get set of sccs applicable to the service account
userInfo := serviceaccount.UserInfo(ns, serviceAccount, "")
for _, scc := range sccList.Items {
if oscc.ConstraintAppliesTo(&scc, userInfo) {
switch {
case hostPorts && scc.AllowHostPorts:
return nil
case hostNetwork && scc.AllowHostNetwork:
return nil
}
}
}
if hostNetwork {
errMsg := "service account %q is not allowed to access the host network on nodes, grant access with oadm policy add-scc-to-user %s -z %s"
return fmt.Errorf(errMsg, serviceAccount, bootstrappolicy.SecurityContextConstraintsHostNetwork, serviceAccount)
}
if hostPorts {
errMsg := "service account %q is not allowed to access host ports on nodes, grant access with oadm policy add-scc-to-user %s -z %s"
return fmt.Errorf(errMsg, serviceAccount, bootstrappolicy.SecurityContextConstraintsHostNetwork, serviceAccount)
}
return nil
}
func deployFabric8SecurityContextConstraints(c *k8sclient.Client, f *cmdutil.Factory, ns string) (Result, error) {
name := Fabric8SCC
if ns != "default" {
name += "-" + ns
}
var priority int32 = 10
scc := kapi.SecurityContextConstraints{
ObjectMeta: kapi.ObjectMeta{
Name: name,
},
Priority: &priority,
AllowPrivilegedContainer: true,
AllowHostNetwork: true,
AllowHostPorts: true,
Volumes: []kapi.FSType{kapi.FSTypeAll},
SELinuxContext: kapi.SELinuxContextStrategyOptions{
Type: kapi.SELinuxStrategyRunAsAny,
},
RunAsUser: kapi.RunAsUserStrategyOptions{
Type: kapi.RunAsUserStrategyRunAsAny,
},
Users: []string{
"system:serviceaccount:openshift-infra:build-controller",
"system:serviceaccount:" + ns + ":default",
"system:serviceaccount:" + ns + ":fabric8",
"system:serviceaccount:" + ns + ":gerrit",
"system:serviceaccount:" + ns + ":jenkins",
"system:serviceaccount:" + ns + ":router",
"system:serviceaccount:" + ns + ":registry",
"system:serviceaccount:" + ns + ":gogs",
"system:serviceaccount:" + ns + ":fluentd",
},
Groups: []string{bootstrappolicy.ClusterAdminGroup, bootstrappolicy.NodesGroup},
}
_, err := c.SecurityContextConstraints().Get(name)
if err == nil {
err = c.SecurityContextConstraints().Delete(name)
if err != nil {
return Failure, err
}
}
_, err = c.SecurityContextConstraints().Create(&scc)
if err != nil {
util.Errorf("Cannot create SecurityContextConstraints: %v\n", err)
util.Errorf("Failed to create SecurityContextConstraints %v in namespace %s: %v\n", scc, ns, err)
return Failure, err
}
util.Infof("SecurityContextConstraints %s is setup correctly\n", name)
return Success, err
}
// Ensure that the `restricted` SecurityContextConstraints has the RunAsUser set to RunAsAny
//
// if `restricted does not exist lets create it
// otherwise if needed lets modify the RunAsUser
func verifyRestrictedSecurityContextConstraints(c *k8sclient.Client, f *cmdutil.Factory) (Result, error) {
name := RestrictedSCC
ns, _, e := f.DefaultNamespace()
if e != nil {
util.Fatal("No default namespace")
return Failure, e
}
rc, err := c.SecurityContextConstraints().Get(name)
if err != nil {
scc := kapi.SecurityContextConstraints{
ObjectMeta: kapi.ObjectMeta{
Name: RestrictedSCC,
},
SELinuxContext: kapi.SELinuxContextStrategyOptions{
Type: kapi.SELinuxStrategyMustRunAs,
},
RunAsUser: kapi.RunAsUserStrategyOptions{
Type: kapi.RunAsUserStrategyRunAsAny,
},
Groups: []string{bootstrappolicy.AuthenticatedGroup},
}
_, err = c.SecurityContextConstraints().Create(&scc)
if err != nil {
return Failure, err
} else {
util.Infof("SecurityContextConstraints %s created\n", name)
return Success, err
}
}
// lets check that the restricted is configured correctly
if kapi.RunAsUserStrategyRunAsAny != rc.RunAsUser.Type {
rc.RunAsUser.Type = kapi.RunAsUserStrategyRunAsAny
_, err = c.SecurityContextConstraints().Update(rc)
if err != nil {
util.Fatalf("Failed to update SecurityContextConstraints %v in namespace %s: %v\n", rc, ns, err)
return Failure, err
}
util.Infof("SecurityContextConstraints %s is updated to enable fabric8\n", name)
} else {
util.Infof("SecurityContextConstraints %s is configured correctly\n", name)
}
return Success, err
}