From 0bb7662f3dbcbb84d7a51a54e4270037b0851982 Mon Sep 17 00:00:00 2001
From: mjiao
Date: Mon, 15 Jul 2024 10:53:09 +0200
Subject: [PATCH] Add support for different OpenShift versions in Redis scc
Signed-off-by: mjiao
---
 README.md | 5 +++
 .../security_context_constraint.yaml | 2 +-
 .../security_context_constraint_v2.yaml | 39 +++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 edge-integration-cell/external-redis/security_context_constraint_v2.yaml
diff --git a/README.md b/README.md
index 973c193..9d64e39 100644
--- a/README.md
+++ b/README.md
@@ -116,6 +116,11 @@ The following steps will install the Redis Enterprise Operator and use its featu
 oc apply -f sap-edge/edge-integration-cell/external-redis/subscription.yaml
 ```
 5. Apply the Security Context Constraint (SCC):
+ - For OpenShift versions earlier than 4.16, use:
+ ```bash
+ oc apply -f sap-edge/edge-integration-cell/external-redis/security_context_constraint_v2.yaml
+ ```
+ - For OpenShift versions 4.16 and later, use
 ```bash
 oc apply -f sap-edge/edge-integration-cell/external-redis/security_context_constraint.yaml
 ```
diff --git a/edge-integration-cell/external-redis/security_context_constraint.yaml b/edge-integration-cell/external-redis/security_context_constraint.yaml
index 9ee0226..901c693 100644
--- a/edge-integration-cell/external-redis/security_context_constraint.yaml
+++ b/edge-integration-cell/external-redis/security_context_constraint.yaml
@@ -8,7 +8,7 @@ apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
- name: redis-enterprise-scc-v2
+ name: redis-enterprise-scc
 annotations:
 kubernetes.io/description: redis-enterprise-scc is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes.
 It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability,
diff --git a/edge-integration-cell/external-redis/security_context_constraint_v2.yaml b/edge-integration-cell/external-redis/security_context_constraint_v2.yaml
new file mode 100644
index 0000000..71b0e1a
--- /dev/null
+++ b/edge-integration-cell/external-redis/security_context_constraint_v2.yaml
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2024 SAP edge team
+# SPDX-FileContributor: Manjun Jiao (@mjiao)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: redis-enterprise-scc-v2
+ annotations:
+ kubernetes.io/description: redis-enterprise-scc is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes.
+ It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability,
+ which is required by Redis Enterprise nodes to manage file descriptor limits and OOM scores for database shards.
+ Additionally, it requires pods to run as UID/GID 1001, which are the UID/GID used within the Redis Enterprise node containers.
+allowedCapabilities:
+ - SYS_RESOURCE
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: false
+runAsUser:
+ type: MustRunAs
+ uid: 1001
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1001
+ max: 1001
+seLinuxContext:
+ type: MustRunAs
+seccompProfiles:
+ - runtime/default
+supplementalGroups:
+ type: RunAsAny
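Review bot: The `kubernetes.io/description` annotation in the new file claims this SCC "provides the same features as restricted-v2", but the file sets no `requiredDropCapabilities`, which restricted-v2 sets to `ALL`; without it, a pod admitted under this SCC that does not drop capabilities itself keeps the runtime's default capability set on top of the allowed SYS_RESOURCE, so the parity claim is not established by what is written here. Either add `requiredDropCapabilities:` / `  - ALL` next to `allowedCapabilities` (an explicit add of SYS_RESOURCE is still permitted, the same way restricted-v2 permits its allowed NET_BIND_SERVICE add) or reword the description so it does not claim restricted-v2 equivalence. The same annotation also calls the object `redis-enterprise-scc` while `metadata.name` is `redis-enterprise-scc-v2`; the text should name the object it is attached to. A header comment tying the file to its use would help maintainers, since only the README hunk says when it applies, e.g. `# Applies to OpenShift versions earlier than 4.16; later versions use security_context_constraint.yaml (README step 5).`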