feat: Add SCC RBAC for OpenShift #1208

Merged Sep 26, 2024 (1 commit)

adambkaplan
Contributor

What does this PR do?

OpenShift by default has very stringent pod security requirements for containers that often don't neatly align with upstream k8s Pod Security Standards. The "nonroot-v2" SecurityContextConstraint aligns most closely with the "restricted" pod security standard, but must be explicitly granted to a service account in order to be used. Granting the Jenkins service account permission to use the "nonroot-v2" SCC allows the StatefulSet to deploy on an OpenShift cluster.

If you modified files in the ./charts/jenkins/ directory, please also include the following:

Submitter checklist

Special notes for your reviewer

  • Note that to grant this SCC to Jenkins, the Helm chart needs to be deployed by a user with cluster-admin (or similar) permissions. Does this need to be noted in other documentation?
  • Question for future/followup - should we consider a separate openshift section in values.yaml? I noticed route is in the controller options, which is likewise an openshift-ism not available in standard Kubernetes.

OpenShift by default has very stringent pod security requirements
for containers that often don't neatly align with upstream k8s Pod
Security Standards. The "nonroot-v2" SecurityContextConstraint
aligns most closely with the "restricted" pod security standard,
but must be explicitly granted to a service account in order to be
used. Granting the Jenkins service account permission to use the
"nonroot-v2" SCC allows the StatefulSet to deploy on an OpenShift
cluster.

Note that to grant this SCC to Jenkins, the Helm chart needs to be
deployed by a user with cluster-admin (or similar) permissions.

Chart version bumped to 5.7.0 as this is a net new feature.

Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
@timja timja enabled auto-merge (squash) September 26, 2024 15:20
@timja timja merged commit 6dc42f6 into jenkinsci:main Sep 26, 2024
6 checks passed
@adambkaplan adambkaplan deleted the openshift-scc branch September 26, 2024 15:51
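
The grant described in this PR can be expressed as plain RBAC objects. The manifest below is an added example, not the chart's own template: the namespace `jenkins`, the service account name `jenkins`, and the object name `jenkins-use-nonroot-v2` are assumptions. It scopes the `use` verb to the single "nonroot-v2" SCC and binds it to one service account in one namespace.

```yaml
# Added example, not taken from the chart. Namespace, service account
# name and object names are assumptions chosen for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-use-nonroot-v2
  namespace: jenkins
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    # Name the one SCC explicitly. Omitting resourceNames would let the
    # service account use every SCC, including privileged ones.
    resourceNames: ["nonroot-v2"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-use-nonroot-v2
  namespace: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-use-nonroot-v2
subjects:
  # Bind only the workload's own service account, not a group such as
  # system:serviceaccounts, so other pods in the namespace gain nothing.
  - kind: ServiceAccount
    name: jenkins
    namespace: jenkins
```

Once the pod is admitted, its `openshift.io/scc` annotation records which SCC was applied, which is a quick way to confirm the workload landed on "nonroot-v2" rather than a broader constraint.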
Successfully merging this pull request may close these issues.

Add OpenShift Security Context Constraints to RBAC