Modifying the SELinux label only for the deployment config that has the pod which mounts the legacy application PVC
Ensure that the legacy application and openshift-storage pods use the
same SELinux labels on the files, by modifying the SELinux label on the deployment config that has
the pod which mounts the legacy application.
Procedure

- Create a new scc with the MustRunAs and seLinuxOptions options, using the Multi Category Security (MCS) level that the openshift-storage project uses.

  Example YAML file:

    cat << EOF >> scc.yaml
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: MustRunAs
    groups:
    - system:authenticated
    kind: SecurityContextConstraints
    metadata:
      annotations:
      name: restricted-pvselinux
    priority: null
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETUID
    - SETGID
    runAsUser:
      type: MustRunAsRange
    seLinuxContext:
      seLinuxOptions:
        level: s0:c26,c0
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users: []
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    EOF
    oc create -f scc.yaml

  Note: because groups lists system:authenticated, this scc is available to every authenticated user in the cluster, not only to the service account created in the next step; narrow the groups list if that is not intended.

- Create a service account for the deployment and add it to the newly created scc.

  - Create a service account, where <service_account_name> is the name of the service account.

      oc create serviceaccount <service_account_name>

    For example:

      oc create serviceaccount testnamespacesa

  - Add the service account to the newly created scc:

      oc adm policy add-scc-to-user restricted-pvselinux -z <service_account_name>

    For example:

      oc adm policy add-scc-to-user restricted-pvselinux -z testnamespacesa

- Patch the legacy application deployment so that it uses the newly created service account. This allows you to specify the SELinux label in the deployment.

    oc patch dc/<pod_name> --patch '{"spec":{"template":{"spec":{"serviceAccountName": "<service_account_name>"}}}}'

  For example:

    oc patch dc/cephfs-write-workload-generator-no-cache --patch '{"spec":{"template":{"spec":{"serviceAccountName": "testnamespacesa"}}}}'

- Edit the deployment to specify the security context to use as the SELinux label in the deployment configuration:

    oc edit dc <pod_name> -n <application_namespace>

  Add the following lines (securityContext is a pod spec field, so it belongs under spec.template.spec; a copy placed under spec.template.metadata is not applied to the pod):

    spec:
      template:
        spec:
          securityContext:
            seLinuxOptions:
              level: <security_context_value>

  security_context_value
    You can find this value when you run the command to create a dedicated folder for S3 inside the NSFS share on the CephFS PV and PVC of the legacy application pod.

  For example:

    oc edit dc cephfs-write-workload-generator-no-cache -n testnamespace

    spec:
      template:
        spec:
          securityContext:
            seLinuxOptions:
              level: s0:c26,c0

- Ensure that the security context to be used as the SELinux label in the deployment configuration is specified correctly.

    oc get dc <pod_name> -n <application_namespace> -o yaml | grep -A 2 securityContext

  For example:

    oc get dc cephfs-write-workload-generator-no-cache -n testnamespace -o yaml | grep -A 2 securityContext
    securityContext:
      seLinuxOptions:
        level: s0:c26,c0

The legacy application is restarted and begins using the same SELinux labels as the openshift-storage namespace.
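Beyond the grep above, a practitioner usually wants to confirm that the level the pod template will actually carry equals the scc's level. The following Python check is an added example, not part of this documentation or of OpenShift; it reads the JSON that `oc get dc <pod_name> -n <application_namespace> -o json` prints (a constructed, trimmed sample is embedded so it runs offline), reports a securityContext that landed under template.metadata instead of template.spec, and treats MCS category order as insignificant so that s0:c0,c26 and s0:c26,c0 compare equal.

```python
import json

def parse_mcs(level):
    """Split 's0:c26,c0' into (sensitivity, frozenset of categories). Category order
    carries no meaning ('s0:c0,c26' equals 's0:c26,c0'); a range 'c0.c3' expands to c0..c3."""
    sensitivity, _, cats = level.strip().partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        if "." in item:
            lo, hi = item.split(".")
            categories.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(item)
    return sensitivity, frozenset(categories)

def levels_match(a, b):
    """True when two MCS levels denote the same sensitivity and category set."""
    return parse_mcs(a) == parse_mcs(b)

def dc_selinux_level(dc):
    """Return (level, error) for a DeploymentConfig object. Kubernetes only honours
    securityContext under spec.template.spec; a copy under spec.template.metadata
    never reaches the pod, so it is reported as an error."""
    template = dc.get("spec", {}).get("template", {})
    if "securityContext" in template.get("metadata", {}):
        return None, "securityContext sits under template.metadata; move it to template.spec"
    pod_ctx = template.get("spec", {}).get("securityContext", {})
    level = pod_ctx.get("seLinuxOptions", {}).get("level")
    if level is None:
        return None, "pod template sets no seLinuxOptions.level"
    return level, None

def check_dc_against_scc(dc_json, scc_level):
    """Compare the level in `oc get dc <name> -o json` output with the scc's level."""
    level, error = dc_selinux_level(json.loads(dc_json))
    if error:
        return False, error
    if not levels_match(level, scc_level):
        return False, f"pod level {level} differs from scc level {scc_level}"
    return True, f"pod level {level} matches scc level {scc_level}"

# Constructed sample, trimmed to the fields the check reads (not real cluster output).
SAMPLE_DC = json.dumps({"kind": "DeploymentConfig", "metadata": {
    "name": "cephfs-write-workload-generator-no-cache", "namespace": "testnamespace"},
    "spec": {"template": {"spec": {"serviceAccountName": "testnamespacesa",
        "securityContext": {"seLinuxOptions": {"level": "s0:c0,c26"}}}}}})

if __name__ == "__main__":
    print(check_dc_against_scc(SAMPLE_DC, "s0:c26,c0"))  # (True, 'pod level s0:c0,c26 matches scc level s0:c26,c0')
```

Against a live cluster, pipe the `oc get dc ... -o json` output into check_dc_against_scc together with the level from the scc's seLinuxContext.seLinuxOptions.level field.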