Modifying the SELinux label only for the deployment config that has the pod which mounts the legacy application PVC

Ensure that the legacy application pods and the openshift-storage pods use the same SELinux labels on the files by modifying the SELinux label only on the deployment config that has the pod which mounts the legacy application PVC.

Procedure

  1. Create a new SecurityContextConstraints (SCC) object whose seLinuxContext uses the MustRunAs type with seLinuxOptions set to the Multi Category Security (MCS) level that the openshift-storage project uses.
    Example YAML file:
    cat << EOF >> scc.yaml
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: MustRunAs
    groups:
    - system:authenticated
    kind: SecurityContextConstraints
    metadata:
      annotations:
      name: restricted-pvselinux
    priority: null
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETUID
    - SETGID
    runAsUser:
      type: MustRunAsRange
    seLinuxContext:
      seLinuxOptions:
        level: s0:c26,c0
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users: []
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    EOF
    oc create -f scc.yaml
  2. Create a service account for the deployment and add it to the newly created SCC.
    1. Create a service account, where <service_account_name> is the name of the service account:
      oc create serviceaccount <service_account_name>

      For example:

      oc create serviceaccount testnamespacesa
    2. Add the service account to the newly created SCC:
      oc adm policy add-scc-to-user restricted-pvselinux -z <service_account_name>

      For example:

      oc adm policy add-scc-to-user restricted-pvselinux -z testnamespacesa
  3. Patch the legacy application deployment config so that it uses the newly created service account, where dc/<pod_name> is the deployment config of the legacy application.
    Running under a service account bound to the new SCC is what allows you to specify the SELinux label in the deployment.
    oc patch dc/<pod_name> --patch '{"spec":{"template":{"spec":{"serviceAccountName": "<service_account_name>"}}}}'
    For example:
    oc patch dc/cephfs-write-workload-generator-no-cache --patch '{"spec":{"template":{"spec":{"serviceAccountName": "testnamespacesa"}}}}'
  4. Edit the deployment config to specify the security context, that is, the SELinux label, in the pod template of the deployment configuration:
    oc edit dc <pod_name> -n <application_namespace>
    Add the following lines, so that securityContext sits under spec.template.spec (the pod spec, not the pod metadata):
    spec:
      template:
        spec:
          securityContext:
            seLinuxOptions:
              level: <security_context_value>

    <security_context_value>

    You can find this value when you run the command to create a dedicated folder for S3 inside the NSFS share on the CephFS PV and PVC of the legacy application pod.

    For example:

    oc edit dc cephfs-write-workload-generator-no-cache -n testnamespace
    spec:
      template:
        spec:
          securityContext:
            seLinuxOptions:
              level: s0:c26,c0
  5. Verify that the security context, that is, the SELinux label, is specified correctly in the deployment configuration:
    oc get dc <pod_name> -n <application_namespace> -o yaml | grep -A 2 securityContext
    For example:
    oc get dc cephfs-write-workload-generator-no-cache -n testnamespace -o yaml | grep -A 2 securityContext
    securityContext:
      seLinuxOptions:
        level: s0:c26,c0

    The edited deployment config rolls out again: the legacy application pods restart and begin using the same SELinux labels as the openshift-storage namespace.
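The following script is an added example and is not part of the OpenShift Data Foundation documentation. It drives steps 1 to 5 of the procedure above from one place and, instead of eyeballing grep output in step 5, reads the MCS level back from the deployment config and compares it with the expected one. It assumes that scc.yaml from step 1 is in the current directory, that the openshift-storage MCS level is passed in as EXPECTED_LEVEL (the page's example value s0:c26,c0 is the default), and that the namespace, deployment config and service account names are the placeholders from the page's examples; replace them for your cluster.

```shell
#!/usr/bin/env bash
# Added example, not part of the ODF documentation: runs steps 1-5 of the
# procedure and verifies the result. Names below are placeholders taken
# from the page's examples; replace them for your cluster.
set -eu

SCC_NAME="restricted-pvselinux"
APP_NAMESPACE="${APP_NAMESPACE:-testnamespace}"
APP_DC="${APP_DC:-cephfs-write-workload-generator-no-cache}"
SA_NAME="${SA_NAME:-testnamespacesa}"
# MCS level of the openshift-storage project (the page's example value).
EXPECTED_LEVEL="${EXPECTED_LEVEL:-s0:c26,c0}"

# Canonicalise an MCS level so that "s0:c26,c0" and "s0:c0,c26" compare
# equal: same sensitivity, categories sorted numerically. Dotted category
# ranges (c0.c5) are kept verbatim, which is enough for SCC-assigned levels.
normalize_level() {
  level="$1"
  sens="${level%%:*}"
  if [ "$sens" = "$level" ]; then
    printf '%s\n' "$sens"
    return
  fi
  cats=$(printf '%s\n' "${level#*:}" | tr ',' '\n' | sort -t c -k2,2n | paste -s -d ',' -)
  printf '%s:%s\n' "$sens" "$cats"
}

# True when two MCS levels denote the same sensitivity and category set.
levels_match() {
  [ "$(normalize_level "$1")" = "$(normalize_level "$2")" ]
}

# Pull the first seLinuxOptions.level value out of YAML read on stdin
# (works on scc.yaml from step 1 and on 'oc get dc -o yaml' output).
extract_level() {
  awk '
    /seLinuxOptions:/ { inside = 1; next }
    inside && /level:/ { sub(/^.*level:[[:space:]]*/, ""); print; exit }
  '
}

# Strategic-merge patch that does steps 3 and 4 in one rollout: the new
# service account and the pod-level SELinux label under spec.template.spec.
build_patch() {
  printf '{"spec":{"template":{"spec":{"serviceAccountName":"%s","securityContext":{"seLinuxOptions":{"level":"%s"}}}}}}' "$1" "$2"
}

# Step 5: read the level back from the deployment config and compare it
# with the expected one.
verify_dc_level() {
  actual=$(oc get dc "$APP_DC" -n "$APP_NAMESPACE" \
    -o jsonpath='{.spec.template.spec.securityContext.seLinuxOptions.level}')
  if levels_match "$actual" "$EXPECTED_LEVEL"; then
    echo "ok: dc/$APP_DC pods run with MCS level $actual"
  else
    echo "mismatch: dc/$APP_DC has '$actual', expected '$EXPECTED_LEVEL'" >&2
    return 1
  fi
}

run_procedure() {
  # Step 1: refuse to create an SCC whose level differs from the level the
  # deployment config is meant to end up with.
  scc_level=$(extract_level < scc.yaml)
  levels_match "$scc_level" "$EXPECTED_LEVEL" || {
    echo "scc.yaml pins '$scc_level', expected '$EXPECTED_LEVEL'" >&2
    return 1
  }
  oc create -f scc.yaml
  # Step 2: dedicated service account bound to the SCC.
  oc create serviceaccount "$SA_NAME" -n "$APP_NAMESPACE"
  oc adm policy add-scc-to-user "$SCC_NAME" -z "$SA_NAME" -n "$APP_NAMESPACE"
  # Steps 3 and 4 in one patch, then wait for the restarted pods.
  oc patch dc/"$APP_DC" -n "$APP_NAMESPACE" --patch "$(build_patch "$SA_NAME" "$EXPECTED_LEVEL")"
  oc rollout status dc/"$APP_DC" -n "$APP_NAMESPACE"
  # Step 5
  verify_dc_level
}

# Only touch the cluster when explicitly asked: ./selinux-label.sh apply
if [ "${1:-}" = "apply" ]; then
  run_procedure
fi
```

Comparing normalized levels matters because MCS categories are a set: s0:c26,c0 and s0:c0,c26 are the same label, and a literal string comparison of the two would report a false mismatch.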