fedora-coreos-pipeline: drop privileged service account

The FCOS pipeline doesn't require any special privileges, so let's drop the `fcos-sa` service account and the associated SCC.
2022-03-03 15:51:07 -05:00 · 2022-03-03 15:51:07 -05:00 · 9244b4c122
commit 9244b4c122
parent 1e304a8467
3 changed files with 0 additions and 50 deletions
--- a/roles/openshift-apps/fedora-coreos-pipeline/defaults/main.yaml
+++ b/roles/openshift-apps/fedora-coreos-pipeline/defaults/main.yaml
@ -1,10 +1,8 @@
 project_name: fedora-coreos-pipeline
 project_description: Fedora CoreOS Pipeline
-project_service_account: fcos-sa
 appowners: []
 ocp_service_account: root
 project_templates:
  - project.yaml
  - group.yaml
  - rolebinding.yaml
-  - securitycontextconstraints.yaml
--- a/roles/openshift-apps/fedora-coreos-pipeline/tasks/main.yaml
+++ b/roles/openshift-apps/fedora-coreos-pipeline/tasks/main.yaml
@ -19,13 +19,3 @@
 - name: oc apply resources
  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/{{project_name}}/{{ item }}"
  with_items: "{{ project_templates }}"
-
-# create the service account
- name: create service account
-  command: "/root/bin/oc create sa {{ project_service_account }} -n {{ project_name }}"
-  register: sa_resource_create
-  failed_when: sa_resource_create.stderr != '' and 'already exists' not in sa_resource_create.stderr
-
-# apply the anyuid-setfcap SCC to the service account
- name: create service account
-  command: "/root/bin/oc adm policy add-scc-to-user anyuid-setfcap -z {{ project_service_account }}"
--- a/roles/openshift-apps/fedora-coreos-pipeline/templates/securitycontextconstraints.yaml
+++ b/roles/openshift-apps/fedora-coreos-pipeline/templates/securitycontextconstraints.yaml
@ -1,38 +0,0 @@
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: true
-allowPrivilegedContainer: false
-allowedCapabilities: null
-apiVersion: security.openshift.io/v1
-defaultAddCapabilities:
- CAP_SETFCAP
-fsGroup:
-  type: RunAsAny
-groups:
- system:cluster-admins
-kind: SecurityContextConstraints
-metadata:
-  annotations:
-    kubernetes.io/description: custom scc for anyuid + CAP_SETFCAP defaultAddCapability
-  name: anyuid-setfcap
-priority: 10
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
- MKNOD
-runAsUser:
-  type: RunAsAny
-seLinuxContext:
-  type: MustRunAs
-supplementalGroups:
-  type: RunAsAny
-volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
-