Certified Operator Build Guide
  • Introduction
  • What is an Operator?
  • Pre-Requisites
  • Helm Operators
    • Building a Helm Operator
      • Using a Single Image Variable (Red Hat Marketplace)
      • Dockerfile Requirements
      • Update the Controller Manager
      • Building and Pushing Image
  • Ansible Operators
    • Building an Ansible Operator
      • Using a Single Image Variable (Red Hat Marketplace)
      • Dockerfile Requirements
      • Update the Controller Manager
      • Building and Pushing Image
  • Golang Operator Gotcha's
    • Writing to the Status Subresource
  • OpenShift Deployment
    • Operator Metadata
      • Update CRDs from v1beta1
      • Creating the Metadata Bundle
      • Adjusting the ClusterServiceVersion
      • Reviewing your Metadata Bundle
      • Metadata Bundle Image
        • Managing OpenShift Versions
    • Installing an OpenShift Environment
    • Deploying onto OpenShift
  • Troubleshooting and Resources
    • Creating an Ansible Role From a Helm Chart
    • Security Context Constraints
    • Connect Metadata Test Results
    • Red Hat Marketplace Requirements
  • Appendix
    • What if I've already published a Community Operator?
      • Consuming Applications from RHCC
      • Applying Security Context Constraints
      • Choosing a Unique Package Name
      • Assembling the Metadata Bundle
    • Community Operators
    • AWS OpenShift 4 Cluster Quick Start Guide
    • Using Third Party Network Operators with OpenShift
      • Appendix A - CNI Operator Manifests
      • Appendix B - Cluster Network Status
      • Appendix C - Operator Group Manifest
      • Appendix D - Subscription Manifest
    • Bundle Maintenance After Migration
    • Frequently Asked Questions (FAQ)
    • Multi-Arch Operator Certification
      • Glossary of Terms
      • Requirements and Limitations
      • Building a Multi-Arch Operator Image
      • Scanning and Publishing
      • Updating the Bundle Image
Powered by GitBook
On this page
  • Adding an SCC to the Operator Metadata
  • Managing SCCs for Multiple Service Accounts
  1. Appendix
  2. What if I've already published a Community Operator?

Applying Security Context Constraints

Security Context Constraints (SCC's) must be applied in order to run privileged or setuid containers on OpenShift, which is a distinct requirement over that of vanilla Kubernetes.

Adding an SCC to the Operator Metadata

SCC's must be applied to the service account which will run the application/operand pods that get managed by the operator. This is done by editing the CSV yaml file from the metadata bundle of your community operator.

Below is an example SCC applied to a named service account in a hypothetical CSV yaml file:

apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
...
spec:
  ...
  install:
    ...
    spec:
      deployments:
        ...
      permissions:
        ...
      clusterPermissions:
      - rules:
        - apiGroups:
          - security.openshift.io
          resources:
          - securitycontextconstraints
          resourceNames:
          - anyuid
          verbs:
          - use
        serviceAccountName: example-application

Managing SCCs for Multiple Service Accounts

It's worth noting that the clusterPermissions field is an array, so you can list multiple service accounts with a corresponding SCC (or SCCs) applied to each service account. See the below example:

apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
...
spec:
  ...
  install:
    ...
    spec:
      deployments:
        ...
      permissions:
        ...
      clusterPermissions:
      - rules:
        - apiGroups:
          - security.openshift.io
          resources:
          - securitycontextconstraints
          resourceNames:
          - anyuid
          verbs:
          - use
        serviceAccountName: example-app1
      - rules:
        - apiGroups:
          - security.openshift.io
          resources:
          - securitycontextconstraints
          resourceNames:
          - anyuid
          verbs:
          - use
        serviceAccountName: example-app2
PreviousConsuming Applications from RHCCNextChoosing a Unique Package Name

Last updated 3 years ago

In the bottom half of the yaml snippet above, in the clusterPermissions field, the SCC named anyuid is applied to the service account named example-application. These two fields are the only things you'd need to change accordingly, depending on what service account name you're using, and the desired SCC name (see the list of names in the ). In your case, the service account could simply be the default service account in the current namespace, which would be the case if you didn't create or specify a named service account for your operand in the deployment, pod spec, or whatever K8s object the operator is managing.

official OCP docs