Add support for different OpenShift versions in Redis scc

Signed-off-by: mjiao <mjiao@redhat.com>
redhat-sap · Jul 15, 2024 · 0bb7662 · 0bb7662
1 parent 7d7d12d
commit 0bb7662
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -116,6 +116,11 @@ The following steps will install the Redis Enterprise Operator and use its featu
     oc apply -f sap-edge/edge-integration-cell/external-redis/subscription.yaml
     ```
 5. Apply the Security Context Constraint (SCC):
+   - For OpenShift versions earlier than 4.16, use:
+    ```bash
+    oc apply -f sap-edge/edge-integration-cell/external-redis/security_context_constraint_v2.yaml
+    ```
+   - For OpenShift versions 4.16 and later, use
     ```bash
     oc apply -f sap-edge/edge-integration-cell/external-redis/security_context_constraint.yaml
     ```

diff --git a/edge-integration-cell/external-redis/security_context_constraint.yaml b/edge-integration-cell/external-redis/security_context_constraint.yaml
@@ -8,7 +8,7 @@
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
-  name: redis-enterprise-scc-v2
+  name: redis-enterprise-scc
   annotations:
     kubernetes.io/description: redis-enterprise-scc is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes.
       It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability,

diff --git a/edge-integration-cell/external-redis/security_context_constraint_v2.yaml b/edge-integration-cell/external-redis/security_context_constraint_v2.yaml
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2024 SAP edge team
+# SPDX-FileContributor: Manjun Jiao (@mjiao)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: redis-enterprise-scc-v2
+  annotations:
+    kubernetes.io/description: redis-enterprise-scc is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes.
+      It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability,
+      which is required by Redis Enterprise nodes to manage file descriptor limits and OOM scores for database shards.
+      Additionally, it requires pods to run as UID/GID 1001, which are the UID/GID used within the Redis Enterprise node containers.
+allowedCapabilities:
+  - SYS_RESOURCE
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: false
+runAsUser:
+  type: MustRunAs
+  uid: 1001
+fsGroup:
+  type: MustRunAs
+  ranges:
+    - min: 1001
+      max: 1001
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny