Draft: Remove 'gitlab-app' RBAC objects to use 'restricted' SCC

Mitchell Nielsen requested to merge 120-restricted-scc into master

Removes the 'gitlab-app'-related RBAC objects. This Service Account and associated RBAC objects served the purpose of binding to the 'anyuid' SecurityContextConstraint.

With recent changes in CNG, we expect that this special case is no longer necessary and can therefore use the default SCC, "restricted". This is the most restrictive SCC.

Further testing will be done with this configuration. If it's found that it won't be doable, we'll investigate using 'nonroot', which is still more restrictive than 'anyuid'.

Update: it looks like this won't be possible until gitlab-org/charts/gitlab!2369 (closed) is merged, as we need to unset the securityContext so OpenShift can inject that configuration.

Closes #120 (closed)

Edited by Mitchell Nielsen
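An added example, not part of the merge request or the operator's code: a Python check over constructed manifests that flags the two things the description touches on, a Role granting `use` on an SCC other than 'restricted' together with its binding, and a pod `securityContext` that hardcodes `runAsUser` or `fsGroup`, which 'restricted' assigns from the namespace's range. All object names are hypothetical.

```python
import json
# Constructed sample manifests (hypothetical names, not the operator's real objects).
MANIFESTS = json.loads("""
[
 {"kind": "Role", "metadata": {"name": "example-app-anyuid"},
  "rules": [{"apiGroups": ["security.openshift.io"], "resourceNames": ["anyuid"],
             "resources": ["securitycontextconstraints"], "verbs": ["use"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "example-app-anyuid"},
  "roleRef": {"kind": "Role", "name": "example-app-anyuid"},
  "subjects": [{"kind": "ServiceAccount", "name": "example-app"}]},
 {"kind": "Deployment", "metadata": {"name": "example-web"},
  "spec": {"template": {"spec": {
    "serviceAccountName": "example-app",
    "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
    "containers": [{"name": "web", "securityContext": {"runAsUser": 1000}}]}}}},
 {"kind": "Deployment", "metadata": {"name": "example-clean"},
  "spec": {"template": {"spec": {"containers": [{"name": "c"}]}}}}
]
""")

PINNED = ("runAsUser", "fsGroup")  # fields the 'restricted' SCC assigns per namespace

def audit(manifests):
    """Return findings that keep a workload from running under 'restricted'."""
    findings, scc_roles = [], {}
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            for rule in m.get("rules", []):
                if ("securitycontextconstraints" in rule.get("resources", [])
                        and "use" in rule.get("verbs", [])):
                    # A rule without resourceNames grants 'use' on every SCC.
                    scc_roles.setdefault(m["metadata"]["name"], []).extend(
                        s for s in rule.get("resourceNames", ["*"]) if s != "restricted")
    for m in manifests:
        name = m["metadata"]["name"]
        if m["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            for scc in scc_roles.get(m["roleRef"]["name"], []):
                for s in m.get("subjects", []):
                    findings.append(f"{name}: {s['kind']}/{s['name']} may use SCC '{scc}'")
        pod = m.get("spec", {}).get("template", {}).get("spec")
        if pod:  # workload with a pod template: check pod and container level
            scopes = [("pod", pod)] + [(c["name"], c) for c in pod.get("containers", [])]
            for scope, obj in scopes:
                for field in PINNED:
                    if field in obj.get("securityContext", {}):
                        findings.append(f"{name}/{scope}: securityContext.{field} is hardcoded")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MANIFESTS)))
```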
