Bind SA to anyuid SCC for running Jupyter notebook server

Signed-off-by: Shiva Krishna, Merla <[email protected]>

Author: shivamerla

test/e2e/nemo-dependencies/jupyter/tasks/main.yml

@@ -20,6 +20,31 @@
     stdin: "{{ lookup('template', 'pvc.yaml.j2') }}"
     executable: /bin/bash
 
+- name: Get Kube API resources
+  command: kubectl api-resources --verbs=list --namespaced -o name
+  register: api_resources
+
+- name: Check if the current cluster is OpenShift
+  set_fact:
+    is_openshift: "{{ 'routes.route.openshift.io' in api_resources.stdout_lines }}"
+
+- name: OpenShift - Prepare RBAC to use anyuid SCC
+  ansible.builtin.template:
+    src: ocp-rbac.yaml.j2
+    dest: jupyter-ocp-rbac.yaml
+  when: is_openshift
+
+- name: OpenShift - apply RBAC to use anyuid SCC
+  command: kubectl apply -f jupyter-ocp-rbac.yaml
+  when: is_openshift
+
+- name: Create a service account
+  ansible.builtin.shell: |
+    kubectl apply -f -
+  args:
+    stdin: "{{ lookup('template', 'serviceaccount.yaml.j2') }}"
+    executable: /bin/bash
+
 - name: Deploy Jupyter Notebook
   ansible.builtin.shell: |
     kubectl apply -f -

test/e2e/nemo-dependencies/jupyter/tasks/uninstall.yaml

@@ -20,3 +20,7 @@
   shell: kubectl delete configmap notebook-config -n {{ namespace }}
   ignore_errors: true
 
+- name: Delete Jupyter ServiceAccount
+  shell: kubectl delete sa jupyter -n {{ namespace }}
+  ignore_errors: true
+

test/e2e/nemo-dependencies/jupyter/templates/deployment.yaml.j2

@@ -12,7 +12,12 @@ spec:
     metadata:
       labels:
         app: jupyter-notebook
+      annotations:
+        openshift.io/scc: anyuid
     spec:
+      serviceAccountName: jupyter
+      securityContext:
+        fsGroup: 2000  # Allows shared access to config volume for group ID 2000
       initContainers:
         - name: copy-notebook-config
           image: busybox
@@ -35,6 +40,11 @@ spec:
           env:
             - name: JUPYTER_TOKEN
               value: "{{ jupyter_token }}"
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 2000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
           volumeMounts:
             - name: notebook-storage
               mountPath: {{ mount_path }}

test/e2e/nemo-dependencies/jupyter/templates/ocp-rbac.yaml.j2

@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: scc-anyuid
+  namespace: {{ namespace }}
+rules:
+- apiGroups: ['security.openshift.io']
+  resources: ['securitycontextconstraints']
+  verbs: ['use']
+  resourceNames: ['anyuid']
+
+--- 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jupyter-scc-anyuid-binding
+  namespace: {{ namespace }}
+subjects:
+- kind: ServiceAccount
+  name: jupyter
+  namespace: {{ namespace }}
+roleRef:
+  kind: Role
+  name: scc-anyuid
+  apiGroup: rbac.authorization.k8s.io

test/e2e/nemo-dependencies/jupyter/templates/serviceaccount.yaml.j2

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jupyter
+  namespace: {{ namespace }}