Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create database copy in tmp directory #974

Merged

Conversation

perdasilva
Copy link
Contributor

Signed-off-by: perdasilva perdasilva@redhat.com

Description of the change:
opm registry serve creates a writable copy of the db to a tmp file. This file was being created at the root of the filesystem. This breaks on cluster due to permissions (can't write on /). This change creates the file in the tmp directory to not get caught by fs permissions.

Motivation for the change:
The recent security updates require us to run as non-root rendering '/' read-only. Also it's not good practice to write to the root.

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Docs updated or added to /docs
  • Commit messages sensible and descriptive

Signed-off-by: perdasilva <perdasilva@redhat.com>
@codecov
Copy link

codecov bot commented Jun 23, 2022

Codecov Report

Merging #974 (44b87d0) into master (0899512) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #974   +/-   ##
=======================================
  Coverage   52.48%   52.48%           
=======================================
  Files         103      103           
  Lines        9240     9240           
=======================================
  Hits         4850     4850           
  Misses       3468     3468           
  Partials      922      922           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0899512...44b87d0. Read the comment docs.

@perdasilva perdasilva added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 23, 2022
Copy link
Member

@dinhxuanvu dinhxuanvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 23, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 23, 2022

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@perdasilva perdasilva merged commit 79e8f25 into operator-framework:master Jun 23, 2022
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Aug 24, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)
anik120 added a commit to anik120/api that referenced this pull request Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp
folder rather than / (root), a registry pod created in a namespace labled
enforce:restricted for the Pod Security Admission controller is created by
the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210
to run it in restricted mode.

However, Catalogs built with a version of opm that does not contain the above
change still needs privileged permission to run in a namespace that has to
be labeled as enforce:privileged for the PSA controller.

This PR introduces a new field, spec.runAsRoot, so that admins can indiciate
their intent to allow to run the old CatalogSource in a privileged mode.
When the catalog operator sees this field set to true, it will not set the
securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will
set the securityContext to `runAsNonRoot:false`.
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Aug 25, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/api that referenced this pull request Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp
folder rather than / (root), a registry pod created in a namespace labled
enforce:restricted for the Pod Security Admission controller is created by
the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210
to run it in restricted mode.

However, Catalogs built with a version of opm that does not contain the above
change still needs privileged permission to run in a namespace that has to
be labeled as enforce:privileged for the PSA controller.

This PR introduces a new field, spec.runAsRoot, so that admins can indiciate
their intent to allow to run the old CatalogSource in a privileged mode.
When the catalog operator sees this field set to true, it will not set the
securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will
set the securityContext to `runAsNonRoot:false`.
anik120 added a commit to anik120/api that referenced this pull request Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp
folder rather than / (root), a registry pod created in a namespace labled
enforce:restricted for the Pod Security Admission controller is created by
the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210
to run it in restricted mode.
However, Catalogs built with a version of opm that does not contain the above
change still needs privileged permission to run in a namespace that has to
be labeled as enforce:privileged for the PSA controller.
This PR introduces a new field, spec.runAsRoot, so that admins can indiciate
their intent to allow to run the old CatalogSource in a privileged mode.
When the catalog operator sees this field set to true, it will not set the
securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will
set the securityContext to `runAsNonRoot:false`.
anik120 added a commit to anik120/api that referenced this pull request Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp
folder rather than / (root), a registry pod created in a namespace labled
enforce:restricted for the Pod Security Admission controller is created by
the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210
to run it in restricted mode.
However, Catalogs built with a version of opm that does not contain the above
change still needs privileged permission to run in a namespace that has to
be labeled as enforce:privileged for the PSA controller.
This PR introduces a new field, spec.runAsRoot, so that admins can indiciate
their intent to allow to run the old CatalogSource in a privileged mode.
When the catalog operator sees this field set to true, it will not set the
securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will
set the securityContext to `runAsNonRoot:false`.
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Aug 26, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Aug 29, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Aug 29, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Aug 29, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 1, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 6, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 6, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 8, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 9, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 9, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 12, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 13, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can
indicate that they want to run the catalogsource container as root
user.

This, along with the Pod Admission Controller enforce level `privileged`
allows cluster admins to run catalogsources that are built with a version
of opm that is less than v1.23.2 (i.e a version of opm that does not contain
[this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 14, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 14, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-lifecycle-manager that referenced this pull request Sep 14, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
openshift-merge-robot pushed a commit to operator-framework/operator-lifecycle-manager that referenced this pull request Sep 14, 2022
…2845)

* (chore) vendor in o-f/api v0.17.1

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

* (psa) allow legacy Catalogsources to run in non-restrcted namespaces

This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
anik120 added a commit to anik120/operator-framework-olm that referenced this pull request Sep 14, 2022
…(#2845)

* (chore) vendor in o-f/api v0.17.1

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

* (psa) allow legacy Catalogsources to run in non-restrcted namespaces

This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Upstream-commit: edffd9c83c3065073e5f91ff0d7c7b78a5c77063
Upstream-repository: operator-lifecycle-manager
timflannagan pushed a commit to timflannagan/operator-framework-olm that referenced this pull request Sep 15, 2022
…(#2845)

* (chore) vendor in o-f/api v0.17.1

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

* (psa) allow legacy Catalogsources to run in non-restrcted namespaces

This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Upstream-commit: edffd9c83c3065073e5f91ff0d7c7b78a5c77063
Upstream-repository: operator-lifecycle-manager
anik120 added a commit to anik120/operator-framework-olm that referenced this pull request Sep 15, 2022
…(#2845)

* (chore) vendor in o-f/api v0.17.1

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

* (psa) allow legacy Catalogsources to run in non-restrcted namespaces

This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig
field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry
pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can
indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace.

This allows cluster admins to run catalogsources that are built with a version of opm that is less than
v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Upstream-commit: edffd9c83c3065073e5f91ff0d7c7b78a5c77063
Upstream-repository: operator-lifecycle-manager
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants