Bug 1459271

Summary: [RFE] [TD] SmartState Analysis and OpenSCAP Pod shouldn't need privileged permissions
Product: Red Hat CloudForms Management Engine
Reporter: Federico Simoncelli <fsimonce>
Component: SmartState Analysis
Assignee: Nimrod Shneor <nshneor>
Status: CLOSED WONTFIX
QA Contact: brahmani
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.8.0
CC: jhardy, lavenel, obarenbo, oourfali
Target Milestone: GA
Keywords: FutureFeature
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: container
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-06 05:11:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: Container Management
Target Upstream Version:
Embargoed:

Description Federico Simoncelli 2017-06-06 17:01:29 UTC
Description of problem:
We should drop the need for a privileged Pod to run SmartState Analysis and OpenSCAP.

This will deliver improved security and reliability (no interaction with the Node docker daemon).

On one side, the performance will increase (no interaction with the docker daemon); on the other, we won't be able to leverage the local node image cache (in case the image was already local).

Also, this will allow scheduling and running inspection on infrastructure that does not allow privileged Pods (e.g. OpenShift/Kubernetes PaaS).

References:
https://github.com/openshift/image-inspector/issues/35
https://github.com/openshift/image-inspector/pull/37

Comment 3 Scott Weiss 2017-12-11 16:33:45 UTC
The relevant PR for this bug is now located at https://github.com/openshift/image-inspector/pull/58

Comment 4 Scott Weiss 2017-12-11 16:35:04 UTC
Related PR on the ManageIQ side of things: https://github.com/ManageIQ/manageiq-providers-kubernetes/pull/50