This repository has been archived by the owner on May 1, 2020. It is now read-only.

Support Security Contexts for GID, UID, and fsGroup in OpenShift #1152

Open
6 tasks
msenmurugan opened this issue Dec 9, 2019 · 0 comments

@msenmurugan
Member

what do you want
Be able to support arbitrary Security Contexts for GID, UID, and fsGroup in OpenShift.

BlackDuck Ticket: https://jira.dc1.lan/browse/HUB-20580

why is this needed
PodSecurityPolicies can prevent Pods from running if the Security Contexts are not set.
Similarly, SecurityContextConstraints in OpenShift can prevent Pods from running.

TODO

  • Add a flag to synopsysctl to set SecurityContext constraints
  • Modify synopsysctl to create a service account for all resources if on Kubernetes/OpenShift (this will make it easy for customers to add the Product to a SecurityContextConstraint)
  • Verify the BlackDuck images can run without being root (aka GID, UID, and fsGroup are not 0)
  • Verify Pods can run with a PodSecurityPolicy enabled
  • Verify Pods can run with a SecurityContextConstraint enabled
  • Test in OpenShift

example implementation
https://github.com/blackducksoftware/polaris-contrib/tree/master/blackduck-synopsysctl-example-GID1000
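
For the "GID, UID, and fsGroup are not 0" verification item above, a sketch of a manifest audit. It is an added example, not part of the original issue or of synopsysctl; the pod, service account and container names in the sample are constructed, and the input is assumed to have the shape of `kubectl get pod -o json` output.

```python
import json

# Constructed sample shaped like `kubectl get pod -o json`; all names are hypothetical.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "example-webapp"},
  "spec": {
    "serviceAccountName": "example-sa",
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000},
    "initContainers": [
      {"name": "init", "securityContext": {"runAsUser": 0}}
    ],
    "containers": [
      {"name": "webapp"},
      {"name": "logstash", "securityContext": {"runAsGroup": 0}}
    ]
  }
}
""")


def audit_pod(pod):
    """Return (container, field, problem) tuples for IDs that are 0 ("root") or unset."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # fsGroup exists only in the pod-level securityContext.
    fs_group = pod_sc.get("fsGroup")
    if fs_group is None or fs_group == 0:
        findings.append(("<pod>", "fsGroup", "unset" if fs_group is None else "root"))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        for field in ("runAsUser", "runAsGroup"):
            # A container-level value overrides the pod-level value.
            value = c_sc.get(field, pod_sc.get(field))
            if value is None:
                # Unset: the ID then comes from the image, so it needs review.
                findings.append((c["name"], field, "unset"))
            elif value == 0:
                findings.append((c["name"], field, "root"))
    return findings


if __name__ == "__main__":
    for name, field, problem in audit_pod(SAMPLE_POD):
        print(f"{name}: {field} is {problem}")
```

The pod-level context alone is not enough to pass: the init container and one sidecar in the sample override it back to 0, which is the case a per-container check catches.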
