Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for test case operator-install-status-no-privileges. #1665

Merged
merged 6 commits into from
Apr 10, 2024
Merged

Fix for test case operator-install-status-no-privileges. #1665

merged 6 commits into from
Apr 10, 2024

Conversation

greyerof
Copy link
Contributor

@greyerof greyerof commented Nov 28, 2023
edited
Loading

The original motivation for this test case was checking whether the
operator wasn't creating any SA with RBAC rules related to SCC.

The implementation was wrong as it was (only) checking the resourceNames
list to be empty to pass. But empty list means that any resourceName is
allowed (as per k8s docs).

Since it's impossible to predict all the "privileged" SCCs that might
have been created in the cluster apart from the default ones, this new
implementation is another "canary in the mine" check so we can flag
operators that try to use/create cluster's SCCs.

Operators will need to justify the SCC accesses in their SAs.

@greyerof
Fix for test case operator-install-status-no-privileges.
f96f8d4 
With this fix, the test case fails when resourceName's rules have been
found in the CSV's clusterPermissions field and the operator was not
cluster-wide installed.

Also, minor refactor to use a helper pointer to the env.Operators[i].
@dcibot
Copy link
Collaborator

dcibot commented Mar 21, 2024

from change #1665:

@ramperher
Copy link
Collaborator

/dci-rerun

@dcibot
Copy link
Collaborator

dcibot commented Mar 22, 2024

from change #1665:

@greyerof
Modified test case to detect SCC rules in CSV's clusterPermissions.
b06b3da 
The original motivation for this test case was checking whether the
operator wasn't creating any SA with RBAC rules related to SCC.

The implementation was wrong as it was (only) checking the resourceNames
list to be empty to pass. But empty list means that any resourceName is
allowed (as per k8s docs).

Since it's impossible to predict all the "privileged" SCCs that might
have been created in the cluster apart from the default ones, this new
implementation is another "canary in the mine" check so we can flag
operators that try to use/create cluster's SCCs.

Operators will need to justify the SCC accesses in their SAs.
@dcibot
Copy link
Collaborator

dcibot commented Apr 1, 2024

from change #1665:

@greyerof greyerof requested a review from edcdavid April 2, 2024 13:22
greyerof added 2 commits April 5, 2024 03:29
@greyerof
Updated compliant reason when no clusterPermissions found.
2d5c9de 
Also, minor refactor to remove the need for the helper var
securityResourceFound.
@greyerof
Merge branch 'main' into fix_operator_privileges_tc
2445a39
@dcibot
Copy link
Collaborator

dcibot commented Apr 5, 2024

from change #1665:

@greyerof greyerof requested a review from sebrandon1 April 8, 2024 14:33
@sebrandon1 sebrandon1 merged commit f1ce203 into redhat-best-practices-for-k8s:main Apr 10, 2024
22 checks passed
@dcibot
Copy link
Collaborator

dcibot commented Apr 10, 2024

from change #1665:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Apetree100122 Apetree100122 Apetree100122 approved these changes

@edcdavid edcdavid edcdavid approved these changes

@sebrandon1 sebrandon1 sebrandon1 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@greyerof @dcibot @ramperher @sebrandon1 @edcdavid @Apetree100122