

Fix creation of ova provider in restricted namespaces.
Currently, migration to restricted namespaces is working, but the provider creation is failing
because the ova-server pod doesn't have the proper security configuration to run in such namespaces;
this fix adds the missing parts.

Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
bkhizgiy authored and ahadas committed Oct 24, 2023
1 parent cf8277d commit 75f3a47
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions pkg/controller/provider/ova-setup.go
Expand Up @@ -193,6 +193,8 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)

nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
allowPrivilegeEscalation := false
nonRoot := true

return core.PodSpec{
Containers: []core.Container{
Expand All @@ -206,6 +208,13 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
MountPath: mountPath,
},
},
SecurityContext: &core.SecurityContext{
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
RunAsNonRoot: &nonRoot,
Capabilities: &core.Capabilities{
Drop: []core.Capability{"ALL"},
},
},
},
},
Volumes: []core.Volume{
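Review bot: The container SecurityContext added in the second hunk sets AllowPrivilegeEscalation, RunAsNonRoot and drops all capabilities, but does not set a seccomp profile, which the restricted Pod Security Standard also requires (RuntimeDefault or Localhost) at either the pod or container level; without it, admission in a namespace enforcing `restricted` is likely to still reject the ova-server pod. I'd add to the same struct `SeccompProfile: &core.SeccompProfile{`, `Type: core.SeccompProfileTypeRuntimeDefault,`, `},`. RunAsNonRoot also only passes if the ova-server image declares a numeric non-root USER or RunAsUser is set; that cannot be confirmed from this hunk. makeOvaProviderPodSpec starts before and ends after the hunks shown.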
