Merge pull request #1067 from ShazaAldawamneh/OCPBUGS-36325
[release-4.15] OCPBUGS-36325: Set required-scc for openshift workloads
openshift-merge-bot[bot] authored Jul 22, 2024
2 parents 8740a71 + 963ac78 commit 6105ec7
Showing 6 changed files with 13 additions and 0 deletions.
1 change: 1 addition & 0 deletions bindata/nodecadaemon.yaml
Expand Up @@ -15,6 +15,7 @@ spec:
metadata:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
openshift.io/required-scc: privileged
labels:
name: node-ca
spec:
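Review bot: Pinning node-ca to `privileged` only tells SCC admission which constraint to evaluate; it grants nothing, so the DaemonSet's service account must already be allowed to use the privileged SCC, otherwise its pods are rejected at admission rather than falling back to another SCC. Every other workload in this commit is pinned to `restricted-v2`, and the reason node-ca needs more is not visible in the hunk, so a short comment above the annotation would stop a later reader from tightening it by guess, e.g. `# node-ca requires the privileged SCC (OCPBUGS-36325)`. The DaemonSet spec continues outside the hunk.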
1 change: 1 addition & 0 deletions manifests/07-operator-ibm-cloud-managed.yaml
Expand Up @@ -18,6 +18,7 @@ spec:
template:
metadata:
annotations:
openshift.io/required-scc: restricted-v2
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
labels:
name: cluster-image-registry-operator
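Review bot: The new key is inserted above `target.workload.openshift.io/management` here but below it in manifests/07-operator.yaml and bindata/nodecadaemon.yaml; map order is irrelevant to the API server, but the two operator manifests are otherwise kept textually parallel, and placing `openshift.io/required-scc: restricted-v2` after the existing annotation in this file would keep them diffable against each other.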
1 change: 1 addition & 0 deletions manifests/07-operator.yaml
Expand Up @@ -20,6 +20,7 @@ spec:
metadata:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
openshift.io/required-scc: restricted-v2
labels:
name: cluster-image-registry-operator
spec:
6 changes: 6 additions & 0 deletions pkg/resource/azurepathfixjob.go
Expand Up @@ -21,6 +21,7 @@ import (

configapiv1 "github.com/openshift/api/config/v1"
imageregistryv1 "github.com/openshift/api/imageregistry/v1"
securityv1 "github.com/openshift/api/security/v1"
configlisters "github.com/openshift/client-go/config/listers/config/v1"
"github.com/openshift/cluster-image-registry-operator/pkg/defaults"
"github.com/openshift/cluster-image-registry-operator/pkg/storage/azure"
Expand Down Expand Up @@ -225,6 +226,11 @@ func (gapfj *generatorAzurePathFixJob) expected() (runtime.Object, error) {
Spec: batchv1.JobSpec{
BackoffLimit: &backoffLimit,
Template: kcorev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
securityv1.RequiredSCCAnnotation: "restricted-v2",
},
},
Spec: kcorev1.PodSpec{
RestartPolicy: kcorev1.RestartPolicyNever,
ServiceAccountName: defaults.ServiceAccountName,
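Review bot: The SCC name is a bare `"restricted-v2"` literal here, and the same literal is repeated in pkg/resource/deployment.go and pkg/resource/prunercronjob.go in this commit, so the three can drift independently and nothing records that they are meant to agree. The `defaults` package is already imported on the line above the ServiceAccountName reference, so a single constant there (constructed name, e.g. `RequiredSCC = "restricted-v2"`) used as `securityv1.RequiredSCCAnnotation: defaults.RequiredSCC` in all three files would pin the choice once, alongside `defaults.ServiceAccountName`. The `expected` method starts and ends outside the hunk.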
2 changes: 2 additions & 0 deletions pkg/resource/deployment.go
Expand Up @@ -18,6 +18,7 @@ import (

imageregistryv1 "github.com/openshift/api/imageregistry/v1"
operatorv1 "github.com/openshift/api/operator/v1"
securityv1 "github.com/openshift/api/security/v1"
configlisters "github.com/openshift/client-go/config/listers/config/v1"
"github.com/openshift/library-go/pkg/operator/events"
"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
Expand Down Expand Up @@ -94,6 +95,7 @@ func (gd *generatorDeployment) expected() (runtime.Object, error) {
podTemplateSpec.Annotations = map[string]string{}
}
podTemplateSpec.Annotations[defaults.ChecksumOperatorDepsAnnotation] = depsChecksum
podTemplateSpec.Annotations[securityv1.RequiredSCCAnnotation] = "restricted-v2"

// Strategy defaults to RollingUpdate
deployStrategy := appsapi.DeploymentStrategyType(gd.cr.Spec.RolloutStrategy)
2 changes: 2 additions & 0 deletions pkg/resource/prunercronjob.go
Expand Up @@ -15,6 +15,7 @@ import (
batchlisters "k8s.io/client-go/listers/batch/v1"

imageregistryapiv1 "github.com/openshift/api/imageregistry/v1"
securityv1 "github.com/openshift/api/security/v1"
configv1listers "github.com/openshift/client-go/config/listers/config/v1"
imageregistryv1listers "github.com/openshift/client-go/imageregistry/listers/imageregistry/v1"
"github.com/openshift/library-go/pkg/operator/loglevel"
Expand Down Expand Up @@ -174,6 +175,7 @@ done
},
}
cj.Spec.JobTemplate.Labels = map[string]string{"created-by": gcj.GetName()}
cj.Spec.JobTemplate.Annotations = map[string]string{securityv1.RequiredSCCAnnotation: "restricted-v2"}
return cj, nil
}
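Review bot: The annotation is written to `cj.Spec.JobTemplate.Annotations`, which is the ObjectMeta of the Job the CronJob creates, not of the pods; if SCC admission reads `openshift.io/required-scc` from the pod, as the pod-template placement in pkg/resource/azurepathfixjob.go and pkg/resource/deployment.go in this same commit assumes, the pruner pods built from `JobTemplate.Spec.Template` will not carry it and this change is a no-op for them. The pod template is set in the literal above the hunk, so whether it already has annotations is not visible; if it does not, `cj.Spec.JobTemplate.Spec.Template.Annotations = map[string]string{securityv1.RequiredSCCAnnotation: "restricted-v2"}` places the key where admission sees it, and otherwise it should be added to that existing map rather than assigned over it. The enclosing function starts outside the hunk.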

