Bug 1459271 - [RFE] [TD] SmartState Analysis and OpenSCAP Pod shouldn't need privileged permissions
Status: CLOSED WONTFIX
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: SmartState Analysis
5.8.0
Unspecified Unspecified
unspecified Severity unspecified
: GA
: cfme-future
Assigned To: Nimrod Shneor
brahmani
container
: FutureFeature
Depends On:
Blocks:
Reported: 2017-06-06 13:01 EDT by Federico Simoncelli
Modified: 2018-05-06 01:11 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-06 01:11:21 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: Container Management


Description Federico Simoncelli 2017-06-06 13:01:29 EDT
Description of problem:
We should drop the need for a privileged Pod to run SmartState Analysis and OpenSCAP.

This will deliver improved security and reliability (no interaction with the Node docker daemon).

On one side, the performance will increase (no interaction with the docker daemon); on the other, we won't be able to leverage the local node image cache (in case the image was already local).

Also, this will allow scheduling and running inspections on infrastructure that does not allow privileged Pods (e.g. OpenShift/Kubernetes PaaS).

References:
https://github.com/openshift/image-inspector/issues/35
https://github.com/openshift/image-inspector/pull/37
Comment 3 Scott Weiss 2017-12-11 11:33:45 EST
The relevant PR for this bug is now located at https://github.com/openshift/image-inspector/pull/58
Comment 4 Scott Weiss 2017-12-11 11:35:04 EST
Related PR on the ManageIQ side of things: https://github.com/ManageIQ/manageiq-providers-kubernetes/pull/50