add scc that forces ray pods to run as user 1000 (#56)

KPostOffice · web-flow · commit 886d6305ccaf · 2023-06-20T16:13:33.000-04:00
Signed-off-by: Kevin &lt;kpostlet@redhat.com&gt;
diff --git a/ray/operator/base/kustomization.yaml b/ray/operator/base/kustomization.yaml
@@ -22,6 +22,7 @@ resources:
 - ../rbac
 - ../manager
 - ../prometheus
+- ../scc
 
 images:
 - name: kuberay/operator
diff --git a/ray/operator/base/params.yaml b/ray/operator/base/params.yaml
@@ -1,3 +1,5 @@
 varReference:
   - path: subjects[]/namespace
     kind: ClusterRoleBinding
+  - path: users[]
+    kind: SecurityContextConstraints
diff --git a/ray/operator/scc/kustomization.yaml b/ray/operator/scc/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- ray_operator_scc.yaml
+
+commonLabels:
+  app.kubernetes.io/name: kuberay
+  app.kubernetes.io/component: kuberay-operator
diff --git a/ray/operator/scc/ray_operator_scc.yaml b/ray/operator/scc/ray_operator_scc.yaml
@@ -0,0 +1,11 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: run-as-ray-user
+seLinuxContext:
+  type: MustRunAs
+runAsUser:
+  type: MustRunAs
+  uid: 1000
+users:
+  - 'system:serviceaccount:$(namespace):kuberay-operator'
