Modifying the SELinux label only for the deployment config that has the pod which mounts the legacy application PVC
Ensure that the legacy application pods and the openshift-storage pods use the same SELinux labels on the files by modifying the SELinux label on the deployment config that has the pod which mounts the legacy application PVC.
Procedure
- Create a new scc with the MustRunAs and seLinuxOptions options, with the Multi Category Security (MCS) that the openshift-storage project uses.
Example YAML file:
cat << EOF >> scc.yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  annotations:
  name: restricted-pvselinux
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  seLinuxOptions:
    level: s0:c26,c0
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
EOF
oc create -f scc.yaml
- Create a service account for the deployment and add it to the newly created scc.
  - Create a service account, where <service_account_name> is the name of the service account:
oc create serviceaccount <service_account_name>
For example:
oc create serviceaccount testnamespacesa
  - Add the service account to the newly created scc:
oc adm policy add-scc-to-user restricted-pvselinux -z <service_account_name>
For example:
oc adm policy add-scc-to-user restricted-pvselinux -z testnamespacesa
- Patch the legacy application deployment so that it uses the newly created service account. This allows you to specify the SELinux label in the deployment.
oc patch dc/<pod_name> --patch '{"spec":{"template":{"spec":{"serviceAccountName": "<service_account_name>"}}}}'
For example:
oc patch dc/cephfs-write-workload-generator-no-cache --patch '{"spec":{"template":{"spec":{"serviceAccountName": "testnamespacesa"}}}}'
- Edit the deployment to specify the security context to use at the SELinux label in the deployment configuration:
oc edit dc <pod_name> -n <application_namespace>
Add the following lines (the pod-level securityContext lives under spec.template.spec, and the field name is the lowercase level):
spec:
  template:
    spec:
      securityContext:
        seLinuxOptions:
          level: <security_context_value>
<security_context_value>: You can find this value when you run the command to create a dedicated folder for S3 inside the NSFS share on the CephFS PV and PVC of the legacy application pod.
For example:
oc edit dc cephfs-write-workload-generator-no-cache -n testnamespace
spec:
  template:
    spec:
      securityContext:
        seLinuxOptions:
          level: s0:c26,c0
- Ensure that the security context to be used at the SELinux label in the deployment configuration is specified correctly.
oc get dc <pod_name> -n <application_namespace> -o yaml | grep -A 2 securityContext
For example:
oc get dc cephfs-write-workload-generator-no-cache -n testnamespace -o yaml | grep -A 2 securityContext
securityContext:
  seLinuxOptions:
    level: s0:c26,c0
The legacy application is restarted and begins using the same SELinux labels as the openshift-storage namespace.
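As an added check that is not part of the original procedure, the following POSIX shell snippet compares the MCS level pinned by the SCC with the level set on the deployment config, and rejects an SCC whose seLinuxContext type is not MustRunAs. The two YAML fragments are constructed stand-ins for `oc get ... -o yaml | grep` output, not data from a live cluster.

```shell
# Constructed sample of `oc get scc restricted-pvselinux -o yaml | grep -A 3 seLinuxContext`
# output; not taken from a live cluster.
SCC_FRAGMENT='seLinuxContext:
  seLinuxOptions:
    level: s0:c26,c0
  type: MustRunAs'

# Constructed sample of `oc get dc <pod_name> -n <application_namespace> -o yaml | grep -A 2 securityContext`.
DC_FRAGMENT='      securityContext:
        seLinuxOptions:
          level: s0:c26,c0'

# Print the first MCS level (the value after "level:") found in a YAML fragment.
mcs_level() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*level:[[:space:]]*//p' | head -n 1
}

# Print the seLinuxContext strategy ("MustRunAs", "RunAsAny", ...) from an SCC fragment.
scc_selinux_type() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*type:[[:space:]]*//p' | head -n 1
}

# Canonicalise an MCS level of the form used on this page (one sensitivity plus a category
# list). SELinux treats categories as a set, so "s0:c26,c0" and "s0:c0,c26" (the order
# ls -Z prints) are the same label; sort the categories numerically before comparing.
normalize_mcs() {
  sens=${1%%:*}
  cats=${1#*:}
  if [ "$cats" = "$1" ]; then printf '%s\n' "$sens"; return; fi
  printf '%s:%s\n' "$sens" "$(printf '%s\n' "$cats" | tr ',' '\n' | sed 's/^c//' \
    | sort -n | sed 's/^/c/' | paste -s -d ',' -)"
}

# Succeed only if the SCC pins the label (MustRunAs) and its level equals the DC's level.
# RunAsAny would let the pod pick another label, so it is rejected even if the levels match.
check_labels_match() {
  [ "$(scc_selinux_type "$1")" = "MustRunAs" ] || return 1
  [ "$(normalize_mcs "$(mcs_level "$1")")" = "$(normalize_mcs "$(mcs_level "$2")")" ]
}

if check_labels_match "$SCC_FRAGMENT" "$DC_FRAGMENT"; then
  echo "OK: SCC and deployment config use $(normalize_mcs "$(mcs_level "$DC_FRAGMENT")")"
else
  echo "MISMATCH: fix the seLinuxOptions level in the deployment config" >&2
fi
```

On a cluster, replace the two constructed fragments with the real `oc get ... -o yaml | grep` output before calling check_labels_match.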