Bug 1459271 - [RFE] [TD] SmartState Analysis and OpenSCAP Pod shouldn't need privileged permissions
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: SmartState Analysis
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: GA
Target Release: cfme-future
Assignee: Nimrod Shneor
QA Contact: brahmani
Whiteboard: container
Reported: 2017-06-06 17:01 UTC by Federico Simoncelli
Modified: 2018-05-06 05:11 UTC (History)
Last Closed: 2018-05-06 05:11:21 UTC
Cloudforms Team: Container Management

Description Federico Simoncelli 2017-06-06 17:01:29 UTC
Description of problem:
We should drop the need for a privileged Pod to run SmartState Analysis and OpenSCAP.

This will deliver improved security and reliability (no interaction with the Node docker daemon).

On one side, performance will increase (no interaction with the docker daemon); on the other, we won't be able to leverage the local node image cache (in case the image was already local).

Also, this will allow scheduling and running inspections on infrastructure that does not allow privileged Pods (e.g. OpenShift/Kubernetes PaaS).

References:
https://github.com/openshift/image-inspector/issues/35
https://github.com/openshift/image-inspector/pull/37

Comment 3 Scott Weiss 2017-12-11 16:33:45 UTC
The relevant PR for this bug is now located at https://github.com/openshift/image-inspector/pull/58

Comment 4 Scott Weiss 2017-12-11 16:35:04 UTC
Related PR on the manageiq side of things: https://github.com/ManageIQ/manageiq-providers-kubernetes/pull/50

