Bug 1813067

Summary: Restic and Velero pods can be assigned the incorrect SCC
Product: OpenShift Container Platform
Component: Migration Tooling
Version: 4.3.0
Target Release: 4.4.0
Target Milestone: ---
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jason Montleon <jmontleo>
Assignee: Jason Montleon <jmontleo>
QA Contact: Xin jiang <xjiang>
CC: dymurray, jmatthew, sregidor
URL: https://github.com/konveyor/mig-operator/pull/257
Doc Type: No Doc Update
Clone Of:
: 1813289 (view as bug list)
Bug Blocks: 1813289
Type: Bug
Last Closed: 2020-05-28 11:06:45 UTC
Attachments: SCC resource (flags: none)

Description Jason Montleon 2020-03-12 20:40:33 UTC
Description of problem:
Velero is assigned wide open permissions. This was done because we need access to pretty much any resource we need to back up. However, the verb list is probably way less restrictive than it can be.

https://github.com/konveyor/mig-operator/blob/master/deploy/olm-catalog/konveyor-operator/v1.2.0/konveyor-operator.v1.2.0.clusterserviceversion.yaml#L679-L688

Version-Release number of selected component (if applicable):
CAM <= 1.1.1

How reproducible:


Steps to Reproduce:
1. Create an SCC that allows running privileged pods as root but restricts filesystem write access to the container.
2. Install CAM

Actual results:
Failures because of the missing permission

Expected results:
Velero/Restic use the correct SCC.

Additional info:
At a minimum we can probably remove the use verb for (almost?) all resources and give ourselves the ability to use just the one SCC.

https://github.com/konveyor/mig-operator/pull/257/files

We may even be able to reduce this to just get/list in the clusterrole and provide wider permissions in a role scoped to the namespace so velero can watch, create, update, patch, and delete its resources. That may take more time to figure out accurately than the above though.
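
The split the description sketches, written out as an added illustration. This is a constructed example, not the mig-operator's own manifests or the CSV rules linked above; the SCC name `velero-privileged`, the namespace `openshift-migration`, the service account name `velero` and the exact resource lists are assumptions chosen for the example.

```yaml
# Constructed example (not mig-operator code): the wide-open SCC grant beside
# a least-privilege split. Assumed names: SCC "velero-privileged",
# namespace "openshift-migration", service account "velero".

# --- Before: "*" on every SCC, cluster-wide. Because the service account may
# now "use" any SCC, admission is free to match the pod against whichever
# allowed SCC it selects, including a custom one that permits root but mounts
# the container filesystem read-only, which is the failure this bug describes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-wide-open
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    verbs: ["*"]
---
# --- After, part 1: cluster-scoped rule limited to read verbs, plus "use" on
# exactly one SCC via resourceNames. Only that SCC can be assigned.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-cluster-readonly
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["velero-privileged"]   # assumed SCC name
    verbs: ["use"]
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list"]                 # backup needs only read access
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: velero-cluster-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: velero-cluster-readonly
subjects:
  - kind: ServiceAccount
    name: velero                           # assumed service account
    namespace: openshift-migration         # assumed namespace
---
# --- After, part 2: write verbs only inside Velero's own namespace and only
# on Velero's own API group, so it can manage its Backup/Restore/Schedule
# objects without holding write access to every resource in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: velero-namespace-writer
  namespace: openshift-migration           # assumed namespace
rules:
  - apiGroups: ["velero.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: velero-namespace-writer
  namespace: openshift-migration           # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: velero-namespace-writer
subjects:
  - kind: ServiceAccount
    name: velero
    namespace: openshift-migration
```

Two practical notes on this layout. First, the `get`/`list`-only cluster role covers backup; a restore has to create the objects it brings back, so in practice the cluster-scoped rule would need `create` (and usually `update`/`patch`) on the restored kinds too, which is the accuracy problem the description anticipates. Second, to confirm which SCC a running pod actually received, read the `openshift.io/scc` annotation that admission stamps on the pod (for example `oc get pod <velero-pod> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`); with the `resourceNames` restriction in place it should only ever report the single named SCC.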

Comment 1 John Matthews 2020-03-23 13:18:15 UTC
*** Bug 1813289 has been marked as a duplicate of this bug. ***

Comment 5 Sergio 2020-05-13 14:09:42 UTC
Created attachment 1688032 [details]
SCC resource

Comment 6 Sergio 2020-05-13 14:10:34 UTC
Verified using CAM 1.2 stage

After deploying the attached SCC, we were able to create velero and restic without any problem.

Comment 8 errata-xmlrpc 2020-05-28 11:06:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:2328