SecurityContextConstraints in openshift_rbac.yaml completly wrong formated

[rbaumgar]

the scc in the in openshift_rbac.yaml is completly wrong formated and has the wrong API.

https://github.com/oracle/oracle-database-operator/blob/main/config/samples/sidb/openshift_rbac.yaml

This might be the right content:

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: sidb-scc
  namespace: default
allowPrivilegedContainer: false
users:
  - system:serviceaccount:default:sidb-sa
  - system:serviceaccount:default:oracle-database-operator
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 0
  uidRangeMax: 60000
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 0
    max: 60000

[andbos]

Hi,

Above works for me and if the instances are configured to be in namespace default then they will start. But how to make them run in another namespace?

Best regards,
Andreas

[rbaumgar]

you have to apply the same SCC, role and role binding to every namespace you want to use for an Oracle database.

BUT this is a setting I would NEVER recommend in an OpenShift environment from a security perspective.

Oracle databases should run with an arbitrary UID like any other workload in OpenShift.

[IshaanDesai45]

@rbaumgar @andbos we are working on this and will start a PR for the resolution

[IshaanDesai45]

@rbaumgar @andbos fixed the openshift_rbac.yaml file in the above PR kindly check and confirm

[rbaumgar]

@IshaanDesai45 looks good. tried with project oracle ecept that that the database is still not running as restricted.

I would update the documentation where the yaml has to be replaced I would recommend the following docu.

in the file, eg rbac/default-ns-role-binding.yaml should be a place holder like $NAMESPACE

export NAMESPACE=my-namespace
cat rbac/default-ns-role-binding.yaml | oc apply -f -

[rbaumgar]

@IshaanDesai45 sorry, the file is still incorrect, nearly all lines except the comments have a leading space.
the SCCs are named sidb-oracle-user-scc and sidb-oracle-root-user-scc, but the role references SCC oracle-user-scc and oracle-root-scc.

[IshaanDesai45]

@rbaumgar fixed the formatting for the openshift_rbac.yaml