diff --git a/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/case/ibm-spectrum-scale-csi-operator/README.md b/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/case/ibm-spectrum-scale-csi-operator/README.md
index bbda76b83..06d764516 100644
--- a/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/case/ibm-spectrum-scale-csi-operator/README.md
+++ b/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/case/ibm-spectrum-scale-csi-operator/README.md
@@ -29,3 +29,56 @@ This operator does not require any pod security requirements.
 # SecurityContextConstraints Requirements
 The operator maintains the Security Context Constraints, removing the required restraints when the operator is uninstalled.
+
+The installed SCC is as follows, please note this is a jinja2 template applied by the operator:
+
+``` YAML
+ kind: SecurityContextConstraints
+ apiVersion: security.openshift.io/v1
+ metadata:
+ annotations:
+ kubernetes.io/description: allow hostpath and host network to be accessible
+ generation: 1
+ name: csiaccess
+ selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/csiaccess
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - KILL
+ - MKNOD
+ - SETUID
+ - SETGID
+ runAsUser:
+ type: RunAsAny
+ seLinuxContext:
+ type: RunAsAny
+ supplementalGroups:
+ type: RunAsAny
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - hostPath
+ - persistentVolumeClaim
+ - projected
+ - secret
+ allowHostDirVolumePlugin: true
+ allowHostIPC: false
+ allowHostNetwork: true
+ allowHostPID: false
+ allowHostPorts: false
+ allowPrivilegeEscalation: true
+ allowPrivilegedContainer: true
+ allowedCapabilities: []
+ defaultAddCapabilities: null
+ fsGroup:
+ type: MustRunAs
+ groups:
+ - system:authenticated
+ {% if csiaccess_users|length > 0 %}
+ users:
+ {% for user in csiaccess_users %}
+ - "{{user}}"
+ {% endfor %}
+ {% endif %}
+
+``` 
diff --git a/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/tests/lintOverrides.yaml b/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/tests/lintOverrides.yaml
index e6ba37f03..da26f2e55 100644
--- a/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/tests/lintOverrides.yaml
+++ b/cloudpak/stable/ibm-spectrum-scale-csi-operator-bundle/tests/lintOverrides.yaml
@@ -7,7 +7,7 @@ overrides:
 reduceTo: WARNING
 rule: NoPrivilegedContainers
- - reason: Using default values and DROP ALL capabilities. Did not make GA time for explicit defitinition.
+ - reason: Using default values and DROP ALL capabilities.
 reduceTo: WARNING
 rule: PodSecurityContextDefined
@@ -32,7 +32,7 @@ overrides:
 rule: ContainerHasLivenessProbe
 - reason: pull-secret can be provided in CR
- reduceTo: WARNING
+ reduceTo: INFO
 rule: ServiceAccountHasPullSecret
 - reason: File is auto-generated, outside of our control.
diff --git a/operator/.osdk-scorecard.yaml b/operator/.osdk-scorecard.yaml
index 70bc55a73..1a9ebf9de 100644
--- a/operator/.osdk-scorecard.yaml
+++ b/operator/.osdk-scorecard.yaml
@@ -12,4 +12,4 @@ scorecard:
 namespace: "ibm-spectrum-scale-csi-driver"
 cr-manifest:
 - "deploy/crds/csiscaleoperators.csi.ibm.com_cr.yaml"
- csv-path: "deploy/olm-catalog/ibm-spectrum-scale-csi-operator/2.0.0/ibm-spectrum-scale-csi-operator.v2.0.0.clusterserviceversion.yaml"
+ csv-path: "deploy/olm-catalog/ibm-spectrum-scale-csi-operator/1.1.0/ibm-spectrum-scale-csi-operator.v1.1.0.clusterserviceversion.yaml"
diff --git a/operator/deploy/crds/csiscaleoperators.csi.ibm.com.crd.yaml b/operator/deploy/crds/csiscaleoperators.csi.ibm.com.crd.yaml
index 21c383110..892e349e5 100644
--- a/operator/deploy/crds/csiscaleoperators.csi.ibm.com.crd.yaml
+++ b/operator/deploy/crds/csiscaleoperators.csi.ibm.com.crd.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 labels: 
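Review bot: Switching `apiVersion` to `apiextensions.k8s.io/v1` changes what the API server will accept in the rest of the CRD, which lies outside this hunk: v1 requires a structural schema under `spec.versions[].schema.openAPIV3Schema` (every property typed, `x-kubernetes-preserve-unknown-fields: true` wherever free-form content is intended) and does not allow `spec.preserveUnknownFields: true`, so unknown fields in the custom resource are pruned rather than stored. The v1beta1 top-level `spec.version`, `spec.validation` and `spec.subresources` keys are not valid in v1 and move under `spec.versions[]`, so if the body still uses the old layout the CRD is rejected at apply time. The pruning is worth keeping rather than blanket-preserving, since it stops unvalidated fields from reaching the operator's reconcile loop; the rest of the CRD body is not visible here to confirm which case applies.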
diff --git a/operator/deploy/operator.yaml b/operator/deploy/operator.yaml
index 91859919f..ff7d0721f 100644
--- a/operator/deploy/operator.yaml
+++ b/operator/deploy/operator.yaml
@@ -75,6 +75,7 @@ spec:
 cpu: 50m
 memory: 50Mi
 securityContext:
+ privileged: false
 capabilities:
 drop:
 - ALL
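Review bot: The added `privileged: false` under securityContext is the Kubernetes default, so it records intent but does not restrict the container further; escalation, user and root-filesystem settings stay at their defaults, which is what the PodSecurityContextDefined override in lintOverrides.yaml describes as "Using default values". Adding `allowPrivilegeEscalation: false` next to it would stop setuid binaries or file capabilities from re-acquiring what `drop: [ALL]` below removes, and `runAsNonRoot: true` as well if the operator image runs as an unprivileged user, which this hunk does not show. `readOnlyRootFilesystem: true` is worth considering if the image does not write to its own filesystem. The container definition starts before the hunk, so a pod-level securityContext that already sets any of these would not be visible here.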