Bug 1813289

Summary: Restic and Velero pods can be assigned the incorrect SCC
Product: OpenShift Container Platform
Reporter: John Matthews <jmatthew>
Component: Migration Tooling
Assignee: Jason Montleon <jmontleo>
Status: CLOSED DUPLICATE
QA Contact: Xin jiang <xjiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.3.0
CC: dymurray, jmatthew, jmontleo, xjiang
Target Milestone: ---
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
URL: https://github.com/konveyor/mig-operator/pull/257
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1813067
Environment:
Last Closed: 2020-03-23 13:18:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1813067
Bug Blocks:

Description John Matthews 2020-03-13 13:16:13 UTC
+++ This bug was initially created as a clone of Bug #1813067 +++

Description of problem:
Velero is assigned wide open permissions. This was done because we need access to pretty much any resource we need to back up. However, the verb list is probably way less restrictive than it can be.

https://github.com/konveyor/mig-operator/blob/master/deploy/olm-catalog/konveyor-operator/v1.2.0/konveyor-operator.v1.2.0.clusterserviceversion.yaml#L679-L688

Version-Release number of selected component (if applicable):
CAM <= 1.1.1

How reproducible:


Steps to Reproduce:
1. Create an SCC that allows running privileged pods as root but restricts filesystem write access to the container.
2. Install CAM

Actual results:
Failures because of the missing permission

Expected results:
Velero/Restic use the correct SCC.

Additional info:
At a minimum we can probably remove the use verb for (almost?) all resources and give ourselves the ability to use just the one SCC.

https://github.com/konveyor/mig-operator/pull/257/files

We may even be able to reduce this to just get/list in the clusterrole and provide wider permissions in a role scoped to the namespace so velero can watch, create, update, patch, and delete its resources. That may take more time to figure out accurately than the above though.
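The split the description proposes (cluster-wide read access plus `use` on exactly one SCC, with write verbs confined to a namespaced Role) looks like the following RBAC objects. This is an added illustration of that approach, not the mig-operator CSV and not the content of PR 257; the namespace `openshift-migration`, the service account `velero` and the SCC name `migration-privileged` are placeholder assumptions, and the "before" rule in the comment is a constructed example of the wide-open pattern the report describes, not a quote from the catalog file.

```yaml
# Added example (not mig-operator's own manifests). Assumed placeholder names:
#   openshift-migration  - namespace the Velero/Restic pods run in
#   velero               - service account used by those pods
#   migration-privileged - the single SCC the pods are meant to run under
#
# Before (constructed illustration of the wide-open pattern): a cluster rule
# such as
#   - apiGroups: ['*']
#     resources: ['*']
#     verbs: ['*']
# grants `use` on every SCC, so the pod is admitted under whichever SCC the
# admission plugin selects rather than the one the operator intended.
#
# After: cluster-wide read access to find backup targets, plus `use` on
# one named SCC only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-cluster-read
rules:
  - apiGroups: ['*']
    resources: ['*']
    verbs: [get, list]
  - apiGroups: [security.openshift.io]
    resources: [securitycontextconstraints]
    resourceNames: [migration-privileged]   # only this SCC can be used
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: velero-cluster-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: velero-cluster-read
subjects:
  - kind: ServiceAccount
    name: velero
    namespace: openshift-migration
---
# Write verbs Velero needs for its own objects, scoped to its namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: velero-namespace-write
  namespace: openshift-migration
rules:
  - apiGroups: [velero.io]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: velero-namespace-write
  namespace: openshift-migration
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: velero-namespace-write
subjects:
  - kind: ServiceAccount
    name: velero
    namespace: openshift-migration
```

After applying this, the SCC a running pod was actually admitted under is recorded in its `openshift.io/scc` annotation, so `oc get pod -n openshift-migration <pod> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` is the quick check that Velero and Restic landed on the intended SCC instead of another one selected by priority. As the description notes, the exact cluster-wide verb set still needs to be confirmed against what backup and restore really require before the get/list reduction is adopted.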

Comment 3 John Matthews 2020-03-23 13:18:15 UTC
Closing this BZ in favor of its original that is already aligned to 4.4.0
Closing this to avoid the duplicate situation for 4.4.0 we have now.

*** This bug has been marked as a duplicate of bug 1813067 ***