Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to use SCCs in DevWorkspaces on OpenShift #679

Merged
merged 7 commits into from
Dec 3, 2021
Merged

Add ability to use SCCs in DevWorkspaces on OpenShift #679

merged 7 commits into from
Dec 3, 2021

Conversation

amisevsk
Copy link
Collaborator

What does this PR do?

This is a proof-of-concept PR that adds the ability to use SecurityContextConstraints (SCCs) in DevWorkspaces, which can be used to e.g. enable container builds within workspace containers. SCCs used by a DevWorkspace are defined through the attribute controller.devfile.io/scc: <scc-name>.

In order to avoid overextending the default DWO RBAC, no ability to view/edit SCCs is granted to the Operator by default, and attempting to use SCCs in workspaces will fail with a message like

operator does not have permissions to get the 'anyuid' SecurityContextConstraints

The requirements to use this feature are:

  1. The DevWorkspace Operator serviceaccount must explicitly be granted get and update privileges for a given SCC by a cluster-admin
  2. The user creating the DevWorkspace must be granted the use privilege on that SCC by a cluster-admin
  3. The DevWorkspace must be created with the controller.devfile.io/scc attribute by a user with permissions to use that SCC.

One benefit in this approach is that the cluster admin can revoke these privileges from users/the controller after the fact without breaking regular workspaces.

Once the controller.devfile.io/scc attribute is set on a DevWorkspace, it cannot be modified in order to avoid leaking SAs into existin SCCs. Using the attribute adds a finalizer for SCCs to the DevWorkspace to ensure any changes to SCCs are cleaned up when the workspace is deleted.

Since SCCs are an OpenShift feature, this functionality is disabled on Kubernetes and attempting to use the attribute will be rejected by webhooks.

What issues does this PR fix or reference?

Closes eclipse-che/che#20459

Is it tested? How?

The steps below follow similarly to the Buildah OpenShift rootless build doc.

  1. Create a new SCC that grants the specific capabilties that are required (any scc can be used but this is probably best practice here): 
    cat <<EOF | oc apply -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: container-build
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- "KILL"
- "MKNOD"
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
EOF
    This SCC is a modified version of the anyuid SCC with the added requirement that containers drop the KILL capability.
  2. Grant the DevWorkspace Operator the get and update privileges for this SCC: 
    NAMESPACE=<namespace-where-dwo-is-deployed>

cat <<EOF | oc apply -f - 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dwo-access-to-scc
  labels:
    test: dwo-scc-access
rules:
- apiGroups:
    - "security.openshift.io"
  resources:
    - "securitycontextconstraints"
  resourceNames:
    - "container-build"
  verbs:
    - "get"
    - "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dwo-access-to-scc
  labels:
    test: dwo-scc-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dwo-access-to-scc
subjects:
- kind: ServiceAccount
  name: devworkspace-controller-serviceaccount
  namespace: ${NAMESPACE}
EOF
  3. Let the user creating the DevWorkspace use the container-build SCC: 
    oc adm policy add-scc-to-user container-build <username>
  4. Create a DevWorkspace that uses the container-build SCC: 
    cat <<EOF | oc apply -f -
kind: DevWorkspace
apiVersion: workspace.devfile.io/v1alpha2
metadata:
  name: container-build
spec:
  started: true
  routingClass: 'basic'
  template:
    attributes:
      controller.devfile.io/scc: container-build
      controller.devfile.io/storage-type: ephemeral
    components:
      - name: container-build
        container:
          image: quay.io/amisevsk/container-build:dev
          memoryLimit: 512Mi
          mountSources: true
          command:
          - "tail"
          - "-f"
          - "/dev/null"
EOF
    The image used in this DevWorkspace is build according to the buildah doc and can be used to run buildah builds.
  5. Check that the pod created for this workspace has the openshift.io/scc: container-build annotation
  6. Exec into the pod and verify configuration is as specified in the buildah doc (e.g. user is 1000, can build images)
  7. Delete DevWorkspace, and verify that .users field in container-build SCC is empty (i.e. that the workspace's ServiceAccount is removed)

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

JPinkney
JPinkney approved these changes Nov 22, 2021
View reviewed changes
Copy link
Contributor

@JPinkney JPinkney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I'm definitely a fan of giving cluster admins all the control here

@openshift-ci openshift-ci bot added the lgtm label Nov 22, 2021
@openshift-ci
Copy link

openshift-ci bot commented Nov 22, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, JPinkney

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@amisevsk
Copy link
Collaborator Author

/test v8-devworkspace-operator-e2e

@amisevsk
Add controller RBAC for creating LocalSubjectAccessReviews
781aa87 
Allow the controller to create LocalSubjectAccessReviews in order to
review user permissions when access DevWorkspace features.

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
@amisevsk
Regenerate files to include LocalSubjectAccessReviews RBAC
abdf48e 
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
@amisevsk
Add additional SCCs attribute and use webhooks to verify authorization
9263531 
Add attribute 'controller.devfile.io/scc' which defines additional SCCs
to add to the workspace service account.

Add a MutatingWebhook check that reviews the requesters permissions for
access the given SCC.

Functionality only enabled on OpenShift.

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
@amisevsk
Add SCC to workspace ServiceAccount when specified in DevWorkspace.
e682bf1 
Look into 'controller.devfile.io/scc' attribute on DevWorkspaces and
attempt to add scc listed there to the workspace serviceAccount. This
requires additional privileges for the DW controller which are not
provided by default (must be granted explicitly by a cluster-admin)

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
@amisevsk
Check list/watch access to SCCs before attempting to use them
193caf3 
The way that controller-runtime caches works means that errors in
listing and watching a resource results in cluster interactions that
require the cache hanging and errors being logged asynchronously. In
order to use the cached client we have to check for list/watch access.

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
@amisevsk
Use non-caching client for managing SCCs to limit RBAC required.
4940238 
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
@amisevsk
Add finalizer for SA SCCs when they're used and clean up on deletion
74780cc 
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
@openshift-ci
Copy link

openshift-ci bot commented Nov 23, 2021

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci bot removed the lgtm label Nov 23, 2021
@amisevsk
Copy link
Collaborator Author

amisevsk commented Dec 3, 2021

/test v8-devworkspace-operator-e2e

@amisevsk amisevsk mentioned this pull request Dec 3, 2021
Closed
@amisevsk amisevsk merged commit b55f6bc into devfile:main Dec 3, 2021
@amisevsk amisevsk deleted the add-scc-to-workspace branch December 3, 2021 17:47
@l0rd l0rd mentioned this pull request Jan 18, 2022
Closed
@l0rd l0rd mentioned this pull request May 27, 2022
Closed
@l0rd l0rd mentioned this pull request Jul 4, 2022
Closed
This was referenced Oct 24, 2022
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JPinkney JPinkney JPinkney approved these changes

@l0rd l0rd Awaiting requested review from l0rd

Assignees

@JPinkney JPinkney

Labels
approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Users should be able to configure their workspace pods securityContext capabilities
2 participants
@amisevsk @JPinkney