Red Hat Konflux purge security-profiles-operator#7
Open
red-hat-konflux[bot] wants to merge 118 commits into konflux from
The test pod in testCaseRunPod uses a container running as root. This doesn't work by default on OCP, where the security defaults force all pods to run as non-root regardless of what their Dockerfile says. As pointed out in another PR that tried to use a non-root container, there is value in testing a root container as well. To solve this, this patch adds an openshift-specific annotation, forces the pod to run as root and in order for all this to be allowed, sets the SA that binds to a role that allows using privileged SCCs. Tested on OCP 4.11.
…ry operator redeploy No idea why we didn't catch this before when running the RBAC roles and SA on OCP, but redeploying the operator wouldn't re-add the RBAC role, role binding and the SA required to grant the ability to use the SCC needed to record replicated controllers. This patch adds the needed manifests as part of deploying the operator. Note that most of the code is only executed on OCP; on other distros, only the SA is added so that we can always reference the SA regardless of the distribution.
This is meant to remove some of the flakiness in our tests. We make the assumption that our vanilla tests are running in single-node mode only, so we take advantage of that fact and set a boolean that indicates that it's a single-node test environment. Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
To avoid hanging the tests in case a profile is left behind for one reason or another.
synchronize with upstream
OpenShift uses a fork of Go which in turn uses OpenSSL for crypto instead of BoringSSL: https://developers.redhat.com/blog/2019/06/24/go-and-fips-140-2-on-red-hat-enterprise-linux In order to support running SPO that was compiled with that version of Go, we need to allow the access() system call to avoid a crash.
Allow the access() syscall from the operator seccomp profile
synchronize with upstream
Ocp sync 0.5.0
We were naively appending all permissions from the SELinux profile about to be merged, which was causing potential duplicates. Let's check if the permission is already present before merging it.
This PR fixes seccompprofiles deletion when a node is removed. We added a check to see if the node finalizer belongs to a deleted node; if so, we remove that finalizer so the seccompprofile can be deleted without any issues.
Upgrade golang.org/x/text to get around CVE warnings
OWNERS: Downstream only: Add QE,PX and docs to OWNERS to allow them t…
This is a valid AVC denial message:
```
type=AVC msg=audit(1666691794.882:1434): avc: denied { read write open } for pid=94509...
```
Note the three permissions inside the curly braces. It did not match the regex at all and thus wasn't parsed.
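As an added example (not code from this PR or from the operator itself), here is a parser for the AVC denial format quoted above that accepts one or several permissions inside the braces, combined with the deduplicating union of permissions that the recordingmerger fix describes; it also groups the result by target class, which goes slightly beyond the commit text. The sample log lines, the `nginx` process and the SELinux contexts in them are constructed.

```python
import re
from typing import Dict, Set, Tuple

# Matches the permission list in curly braces and the key=value fields after it.
# Both "{ read }" and "{ read write open }" match; "[^}]+?" captures the whole list.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (permissions, fields) for one AVC denial line, or (set(), {}) otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return set(), {}
    perms = set(m.group("perms").split())
    fields: Dict[str, str] = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return perms, fields

def merge_permissions(existing: Set[str], new: Set[str]) -> Set[str]:
    """Union of two permission sets: a permission is added only if not already present."""
    merged = set(existing)
    for perm in new:
        if perm not in merged:
            merged.add(perm)
    return merged

def permissions_by_class(lines) -> Dict[str, Set[str]]:
    """Group denied permissions by target class (tclass), deduplicating across lines."""
    out: Dict[str, Set[str]] = {}
    for line in lines:
        perms, fields = parse_avc(line)
        if not perms:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        tclass = fields.get("tclass", "unknown")
        out[tclass] = merge_permissions(out.get(tclass, set()), perms)
    return out

# Constructed sample records in the shape of the denial quoted above.
SAMPLE_LINES = [
    'type=AVC msg=audit(1666691794.882:1434): avc: denied  { read write open } for  pid=94509 comm="nginx" name="index.html" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1666691795.001:1435): avc: denied  { read } for  pid=94509 comm="nginx" name="index.html" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1666691795.001:1435): arch=c000003e syscall=257 success=no',
]

if __name__ == "__main__":
    print(permissions_by_class(SAMPLE_LINES))
```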
Similarly to how seccomp profiles allow setting the default action to LOG, let's allow the selinux profiles to be set to permissive mode. This way, all calls would still be allowed, but would appear in audit.log. This is useful in case the user is just iterating on a policy and wants to deploy a first version of the policy in the wild without causing AVC denials.
OCP does not compile the binaries it runs with upstream go, but rather a
fork of go that uses OpenSSL for cryptography:
https://github.com/golang-fips
This fork uses dlopen() on startup to load symbols that correspond to
the crypto functions:
https://github.com/golang-fips/openssl-fips/blob/b9297ed11fc8890f74822482c46f4c9cb5507251/openssl/openssl.go#L53
https://github.com/golang-fips/openssl-fips/blob/eeda1baae76c92112220de78c5a498a6ba0abb6b/openssl/goopenssl.h#L66-L72
For some reason, this dlopen initialization does not work well for SPO on
OpenShift clusters running in FIPS mode where the dlopen call just
segfaults:
```
(gdb) frame 0
"libcrypto.so.1.1") at dlopen.c:78
78 return _dlfcn_hook->dlopen (file, mode, DL_CALLER);
(gdb) p _dlfcn_hook
$1 = (struct dlfcn_hook *) 0x0
(gdb) list
73 void *
74 __dlopen (const char *file, int mode DL_CALLER_DECL)
75 {
76 # ifdef SHARED
77 if (!rtld_active ())
78 return _dlfcn_hook->dlopen (file, mode, DL_CALLER);
79 # endif
80
81 struct dlopen_args args;
82 args.file = file;
```
To work around this issue, this patch adds the option to compile SPO as
a dynamically linked executable.
Please see https://issues.redhat.com/browse/OCPBUGS-3431 for more
details.
Builds using the ubi8/go-toolset image which links against OpenSSL for cryptography, see: https://access.redhat.com/documentation/en-us/red_hat_developer_tools/2018.4/html/using_go_toolset/chap-changes
Adds an OpenShift-specific annotation that aids the OLM in showing the operator for the correct OpenShift subscriptions.
OLM: Add an OpenShift-specific annotation
OCPBUGS-3431: Build SPO as a dynamically linked binary to work better in FIPS mode
recordingmerger: Fix producing union of SELinux permissions
…sive CMP-1679: selinux: Add a permissive boolean
Added an env variable to specify which selinuxd image to use; this fixes an e2e issue when we are running a rhel9 node
Add an option to specify which selinuxd image to use during e2e tests
This PR fixes issues with tc_log_enricher_test where expected results are being changed because of changes in the logger format
Fix e2e tc_log_enricher_test
Set `ocp` branch to use the correct commit for tag 0.8.1
This reverts commit cacffc8. The bump to 0.8.2-dev version should not be part of this branch.
…_to_dev Revert "Back to dev"
Make ProfileRecordingSpec.DisableProfileAfterRecording and SpecBase.Disabled optional. This addresses CRD validation errors when upgrading to v0.8.1
Update v0.8.2
Remove Wiharris
Fix a yaml formatting issue
…file to the pod if has * image, and on container if there is a match.
Release v0.8.4
Amend v0.8.4
Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
…rator Red Hat Konflux update security-profiles-operator
Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
Pipelines as Code configuration removal