From 6fad63290e2499bff308f6c90e7c8649918de0c6 Mon Sep 17 00:00:00 2001 From: Frederic Gurr Date: Tue, 14 Jan 2025 21:48:17 +0100 Subject: [PATCH] CephFS Migrations --- instances/ee4j.servlet/config.jsonnet | 1 + instances/ee4j.servlet/target/config.json | 5 +- .../target/jenkins/configuration.yml | 4 + .../target/k8s/configmap-jenkins-config.yml | 4 + .../ee4j.servlet/target/k8s/statefulset.json | 7 +- .../foundation-internal.infra/config.jsonnet | 1 + .../target/config.json | 5 +- .../target/jenkins/configuration.yml | 4 + .../target/k8s/configmap-jenkins-config.yml | 4 + .../target/k8s/statefulset.json | 7 +- .../target/k8s/temp_scc.json | 295 ++++++++++++++++++ .../foundation-internal.webdev/config.jsonnet | 1 + .../target/config.json | 1 + .../target/k8s/statefulset.json | 7 +- 14 files changed, 339 insertions(+), 7 deletions(-) create mode 100644 instances/foundation-internal.infra/target/k8s/temp_scc.json diff --git a/instances/ee4j.servlet/config.jsonnet b/instances/ee4j.servlet/config.jsonnet index 076815cd84..eb6e12ff67 100644 --- a/instances/ee4j.servlet/config.jsonnet +++ b/instances/ee4j.servlet/config.jsonnet @@ -8,4 +8,5 @@ "dashboard-view", ], }, + seLinuxLevel: "s0:c53,c12", } diff --git a/instances/ee4j.servlet/target/config.json b/instances/ee4j.servlet/target/config.json index e631f3b1d6..51b0d96a9d 100644 --- a/instances/ee4j.servlet/target/config.json +++ b/instances/ee4j.servlet/target/config.json @@ -475,8 +475,8 @@ "id": "2.479.2", "key_fingerprint": "5BA31D57EF5975CA", "plugin_manager": { - "jar": "https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.13.0/jenkins-plugin-manager-2.13.0.jar", - "version": "2.13.0" + "jar": "https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.13.2/jenkins-plugin-manager-2.13.2.jar", + "version": "2.13.2" }, "pluginroot": "/var/cache/jenkins/plugins", "plugins": [ 
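Review bot: The `seLinuxLevel: "s0:c53,c12"` added to instances/ee4j.servlet/config.jsonnet is rendered into the controller's `securityContext.seLinuxOptions` together with `"type": "spc_t"` (visible in this commit's target/k8s/statefulset.json hunk), and `spc_t` is the unconfined super-privileged container domain, so the Jenkins controller loses SELinux confinement rather than only gaining a fixed MCS label. If the aim is just to avoid relabelling the migrated volume, it is worth checking whether the fixed level with the default container type is sufficient; that is an assumption to confirm against the cluster, not something this diff shows. At minimum the setting deserves a comment in the source, e.g. `// fixed MCS level for this instance's pods (CephFS migration); rendered together with SELinux type spc_t`. The same applies to the `seLinuxLevel` lines added in instances/foundation-internal.infra/config.jsonnet and instances/foundation-internal.webdev/config.jsonnet. The enclosing object starts outside the hunk.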
@@ -658,6 +658,7 @@ }, "generate": false }, + "seLinuxLevel": "s0:c53,c12", "secrets": { "dockerconfigjson": { "dockerconfigjson-for-pull-as-default": { diff --git a/instances/ee4j.servlet/target/jenkins/configuration.yml b/instances/ee4j.servlet/target/jenkins/configuration.yml index 0e4087855c..f23f987521 100644 --- a/instances/ee4j.servlet/target/jenkins/configuration.yml +++ b/instances/ee4j.servlet/target/jenkins/configuration.yml @@ -117,6 +117,8 @@ jenkins: containerCapStr: "2" jenkinsUrl: "http://jenkins-ui.servlet.svc.cluster.local/servlet" jenkinsTunnel: "jenkins-discovery.servlet.svc.cluster.local:50000" + garbageCollection: + timeout: 300 maxRequestsPerHostStr: "32" namespace: "servlet" podRetention: "never" @@ -566,6 +568,8 @@ tool: home: "/opt/tools/java/adoptopenjdk/openj9-jdk-8/latest" - name: "temurin-latest" home: "/opt/tools/java/temurin/latest" + - name: "temurin-jdk23-latest" + home: "/opt/tools/java/temurin/jdk-23/latest" - name: "temurin-jdk22-latest" home: "/opt/tools/java/temurin/jdk-22/latest" - name: "temurin-jdk21-latest" diff --git a/instances/ee4j.servlet/target/k8s/configmap-jenkins-config.yml b/instances/ee4j.servlet/target/k8s/configmap-jenkins-config.yml index 6d1c901d17..46a6cda293 100644 --- a/instances/ee4j.servlet/target/k8s/configmap-jenkins-config.yml +++ b/instances/ee4j.servlet/target/k8s/configmap-jenkins-config.yml @@ -140,6 +140,8 @@ data: containerCapStr: "2" jenkinsUrl: "http://jenkins-ui.servlet.svc.cluster.local/servlet" jenkinsTunnel: "jenkins-discovery.servlet.svc.cluster.local:50000" + garbageCollection: + timeout: 300 maxRequestsPerHostStr: "32" namespace: "servlet" podRetention: "never" 
@@ -589,6 +591,8 @@ data: home: "/opt/tools/java/adoptopenjdk/openj9-jdk-8/latest" - name: "temurin-latest" home: "/opt/tools/java/temurin/latest" + - name: "temurin-jdk23-latest" + home: "/opt/tools/java/temurin/jdk-23/latest" - name: "temurin-jdk22-latest" home: "/opt/tools/java/temurin/jdk-22/latest" - name: "temurin-jdk21-latest" diff --git a/instances/ee4j.servlet/target/k8s/statefulset.json b/instances/ee4j.servlet/target/k8s/statefulset.json index bf9b0914a0..3b7ac94aa9 100644 --- a/instances/ee4j.servlet/target/k8s/statefulset.json +++ b/instances/ee4j.servlet/target/k8s/statefulset.json @@ -119,7 +119,12 @@ "cpu": "250m" } }, - "securityContext": { }, + "securityContext": { + "seLinuxOptions": { + "level": "s0:c53,c12", + "type": "spc_t" + } + }, "volumeMounts": [ { "mountPath": "/var/jenkins", diff --git a/instances/foundation-internal.infra/config.jsonnet b/instances/foundation-internal.infra/config.jsonnet index d5906f6014..8980471205 100644 --- a/instances/foundation-internal.infra/config.jsonnet +++ b/instances/foundation-internal.infra/config.jsonnet @@ -44,4 +44,5 @@ local permissionsTemplates = import '../../templates/permissions.libsonnet'; namespace: "foundation-internal-infra" } }, + seLinuxLevel: "s0:c27,c24", } diff --git a/instances/foundation-internal.infra/target/config.json b/instances/foundation-internal.infra/target/config.json index 3dd141e0b8..c866359279 100644 --- a/instances/foundation-internal.infra/target/config.json +++ b/instances/foundation-internal.infra/target/config.json 
@@ -491,8 +491,8 @@ "id": "2.479.2", "key_fingerprint": "5BA31D57EF5975CA", "plugin_manager": { - "jar": "https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.13.0/jenkins-plugin-manager-2.13.0.jar", - "version": "2.13.0" + "jar": "https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.13.2/jenkins-plugin-manager-2.13.2.jar", + "version": "2.13.2" }, "pluginroot": "/var/cache/jenkins/plugins", "plugins": [ @@ -674,6 +674,7 @@ }, "generate": false }, + "seLinuxLevel": "s0:c27,c24", "secrets": { "dockerconfigjson": { "dockerconfigjson-for-pull-as-default": { diff --git a/instances/foundation-internal.infra/target/jenkins/configuration.yml b/instances/foundation-internal.infra/target/jenkins/configuration.yml index 1d07bb228b..897b8a57d6 100644 --- a/instances/foundation-internal.infra/target/jenkins/configuration.yml +++ b/instances/foundation-internal.infra/target/jenkins/configuration.yml @@ -108,6 +108,8 @@ jenkins: containerCapStr: "6" jenkinsUrl: "http://jenkins-ui.foundation-internal-infra.svc.cluster.local/ci/infra" jenkinsTunnel: "jenkins-discovery.foundation-internal-infra.svc.cluster.local:50000" + garbageCollection: + timeout: 300 maxRequestsPerHostStr: "32" namespace: "foundation-internal-infra" podRetention: "never" @@ -632,6 +634,8 @@ tool: home: "/opt/tools/java/adoptopenjdk/openj9-jdk-8/latest" - name: "temurin-latest" home: "/opt/tools/java/temurin/latest" + - name: "temurin-jdk23-latest" + home: "/opt/tools/java/temurin/jdk-23/latest" - name: "temurin-jdk22-latest" home: "/opt/tools/java/temurin/jdk-22/latest" - name: "temurin-jdk21-latest" diff --git a/instances/foundation-internal.infra/target/k8s/configmap-jenkins-config.yml b/instances/foundation-internal.infra/target/k8s/configmap-jenkins-config.yml index 7862f48d85..bb36762a14 100644 --- a/instances/foundation-internal.infra/target/k8s/configmap-jenkins-config.yml 
+++ b/instances/foundation-internal.infra/target/k8s/configmap-jenkins-config.yml @@ -131,6 +131,8 @@ data: containerCapStr: "6" jenkinsUrl: "http://jenkins-ui.foundation-internal-infra.svc.cluster.local/ci/infra" jenkinsTunnel: "jenkins-discovery.foundation-internal-infra.svc.cluster.local:50000" + garbageCollection: + timeout: 300 maxRequestsPerHostStr: "32" namespace: "foundation-internal-infra" podRetention: "never" @@ -655,6 +657,8 @@ data: home: "/opt/tools/java/adoptopenjdk/openj9-jdk-8/latest" - name: "temurin-latest" home: "/opt/tools/java/temurin/latest" + - name: "temurin-jdk23-latest" + home: "/opt/tools/java/temurin/jdk-23/latest" - name: "temurin-jdk22-latest" home: "/opt/tools/java/temurin/jdk-22/latest" - name: "temurin-jdk21-latest" diff --git a/instances/foundation-internal.infra/target/k8s/statefulset.json b/instances/foundation-internal.infra/target/k8s/statefulset.json index 9404a0e6cc..8c34f48127 100644 --- a/instances/foundation-internal.infra/target/k8s/statefulset.json +++ b/instances/foundation-internal.infra/target/k8s/statefulset.json @@ -119,7 +119,12 @@ "cpu": "1000m" } }, - "securityContext": { }, + "securityContext": { + "seLinuxOptions": { + "level": "s0:c27,c24", + "type": "spc_t" + } + }, "volumeMounts": [ { "mountPath": "/var/jenkins", diff --git a/instances/foundation-internal.infra/target/k8s/temp_scc.json b/instances/foundation-internal.infra/target/k8s/temp_scc.json new file mode 100644 index 0000000000..d67b7d2f40 --- /dev/null +++ b/instances/foundation-internal.infra/target/k8s/temp_scc.json 
@@ -0,0 +1,295 @@ +{ + "allowHostDirVolumePlugin": false, + "allowHostIPC": false, + "allowHostNetwork": false, + "allowHostPID": false, + "allowHostPorts": false, + "allowPrivilegeEscalation": false, + "allowPrivilegedContainer": false, + "allowedCapabilities": [ + "NET_BIND_SERVICE" + ], + "apiVersion": "security.openshift.io/v1", + "defaultAddCapabilities": null, + "fsGroup": { + "type": "RunAsAny" + }, + "groups": [], + "kind": "SecurityContextConstraints", + "metadata": { + "annotations": { + "include.release.openshift.io/ibm-cloud-managed": "true", + "include.release.openshift.io/self-managed-high-availability": "true", + "include.release.openshift.io/single-node-developer": "true", + "kubectl.kubernetes.io/last-applied-configuration": "{\"allowHostDirVolumePlugin\":false,\"allowHostIPC\":false,\"allowHostNetwork\":false,\"allowHostPID\":false,\"allowHostPorts\":false,\"allowPrivilegeEscalation\":false,\"allowPrivilegedContainer\":false,\"allowedCapabilities\":[\"NET_BIND_SERVICE\"],\"apiVersion\":\"security.openshift.io/v1\",\"defaultAddCapabilities\":null,\"fsGroup\":{\"type\":\"RunAsAny\"},\"groups\":[],\"kind\":\"SecurityContextConstraints\",\"metadata\":{\"annotations\":{\"include.release.openshift.io/ibm-cloud-managed\":\"true\",\"include.release.openshift.io/self-managed-high-availability\":\"true\",\"include.release.openshift.io/single-node-developer\":\"true\",\"kubernetes.io/description\":\"EF restricted-v2 without selinux allowing to us large ceph 
storage\"},\"creationTimestamp\":\"2024-07-26T15:12:42Z\",\"generation\":239,\"name\":\"restricted-v2-selinux-scc\",\"resourceVersion\":\"1277901408\",\"uid\":\"afef0b2d-3f3d-4ea5-83f2-2da14d8ed65d\"},\"priority\":null,\"readOnlyRootFilesystem\":false,\"requiredDropCapabilities\":[\"ALL\"],\"runAsUser\":{\"type\":\"MustRunAsRange\"},\"seLinuxContext\":{\"seLinuxOptions\":{\"type\":\"spc_t\"},\"type\":\"MustRunAs\"},\"seccompProfiles\":[\"runtime/default\"],\"supplementalGroups\":{\"type\":\"RunAsAny\"},\"users\":[\"system:serviceaccount:automotive:automotive\",\"system:serviceaccount:app4mc:app4mc\",\"system:serviceaccount:bluechi:bluechi\",\"system:serviceaccount:ecal:ecal\",\"system:serviceaccount:mdmbl:mdmbl\",\"system:serviceaccount:mosaic:mosaic\",\"system:serviceaccount:openpass:openpass\",\"system:serviceaccount:scm:scm\",\"system:serviceaccount:sphinx:sphinx\",\"system:serviceaccount:sumo:sumo\",\"system:serviceaccount:tractusx:tractusx\",\"system:serviceaccount:repo-eclipse-org:default\",\"system:serviceaccount:develocity-staging:default\",\"system:serviceaccount:develocity-staging:gradle-build-cache-node\",\"system:serviceaccount:develocity-staging:gradle-database\",\"system:serviceaccount:develocity-staging:gradle-embedded-object-storage\",\"system:serviceaccount:develocity-staging:gradle-enterprise-app\",\"system:serviceaccount:develocity-staging:gradle-enterprise-app-background-processor\",\"system:serviceaccount:develocity-staging:gradle-enterprise-operator\",\"system:serviceaccount:develocity-staging:gradle-keycloak\",\"system:serviceaccount:develocity-staging:gradle-metrics\",\"system:serviceaccount:develocity-staging:gradle-monitoring\",\"system:serviceaccount:develocity-staging:gradle-proxy\",\"system:serviceaccount:develocity-staging:gradle-test-distribution-broker\",\"system:serviceaccount:emt4j:emt4j\",\"system:serviceaccount:mc:mc\",\"system:serviceaccount:aas4j:aas4j\",\"system:serviceaccount:basyx:basyx\",\"system:serviceaccount:esmf:esmf\",\
"system:serviceaccount:emfcloud:emfcloud\",\"system:serviceaccount:glsp:glsp\",\"system:serviceaccount:sprotty:sprotty\",\"system:serviceaccount:jkube:jkube\",\"system:serviceaccount:theia:theia\",\"system:serviceaccount:ls:ls\",\"system:serviceaccount:pde:pde\",\"system:serviceaccount:ee4j:ee4j\",\"system:serviceaccount:ca:ca\",\"system:serviceaccount:cdi:cdi\",\"system:serviceaccount:cu:cu\",\"system:serviceaccount:data:data\",\"system:serviceaccount:ejb:ejb\",\"system:serviceaccount:epicyro:epicyro\",\"system:serviceaccount:exousia:exousia\",\"system:serviceaccount:expressly:expressly\",\"system:serviceaccount:faces:faces\",\"system:serviceaccount:interceptors:interceptors\",\"system:serviceaccount:jaf:jaf\",\"system:serviceaccount:jakartaconfig:jakartaconfig\",\"system:serviceaccount:jakartaee-stable:jakartaee-stable\",\"system:serviceaccount:jaxb:jaxb\",\"system:serviceaccount:jca:jca\",\"system:serviceaccount:jpa:jpa\",\"system:serviceaccount:jsonb:jsonb\",\"system:serviceaccount:jstl:jstl\",\"system:serviceaccount:messaging:messaging\",\"system:serviceaccount:mvc:mvc\",\"system:serviceaccount:parsson:parsson\",\"system:serviceaccount:rest:rest\",\"system:serviceaccount:soteria:soteria\",\"system:serviceaccount:starter:starter\",\"system:serviceaccount:wasp:wasp\",\"system:serviceaccount:jakartaee-spec-committee:jakartaee-spec-committee\",\"system:serviceaccount:hawkbit:hawkbit\",\"system:serviceaccount:keypop:keypop\",\"system:serviceaccount:babel:babel\",\"system:serviceaccount:ice:ice\",\"system:serviceaccount:opencert:opencert\",\"system:serviceaccount:tinydtls:tinydtls\",\"system:serviceaccount:bpmn2:bpmn2\",\"system:serviceaccount:geomesa:geomesa\",\"system:serviceaccount:uml2:uml2\",\"system:serviceaccount:geotrellis:geotrellis\",\"system:serviceaccount:proj4j:proj4j\",\"system:serviceaccount:spatial4j:spatial4j\",\"system:serviceaccount:jts:jts\",\"system:serviceaccount:jakartaee-tck:jakartaee-tck\",\"system:serviceaccount:henshin:henshin\",\"system:se
rviceaccount:glassfish:glassfish\",\"system:serviceaccount:grizzly:grizzly\",\"system:serviceaccount:gendoc:gendoc\",\"system:serviceaccount:eclemma:eclemma\",\"system:serviceaccount:ecoretools:ecoretools\",\"system:serviceaccount:efxclipse:efxclipse\",\"system:serviceaccount:usssdk:usssdk\",\"system:serviceaccount:subversive:subversive\",\"system:serviceaccount:tm:tm\",\"system:serviceaccount:jetty:jetty\",\"system:serviceaccount:pdt:pdt\",\"system:serviceaccount:capra:capra\",\"system:serviceaccount:esf:esf\",\"system:serviceaccount:texlipse:texlipse\",\"system:serviceaccount:dltk:dltk\",\"system:serviceaccount:aspectj:aspectj\",\"system:serviceaccount:emfatic:emfatic\",\"system:serviceaccount:virgo:virgo\",\"system:serviceaccount:packages:packages\",\"system:serviceaccount:cbi:cbi\",\"system:serviceaccount:xsemantics:xsemantics\",\"system:serviceaccount:milo:milo\",\"system:serviceaccount:edc:edc\",\"system:serviceaccount:etrice:etrice\",\"system:serviceaccount:lsp4e:lsp4e\",\"system:serviceaccount:oomph:oomph\",\"system:serviceaccount:efbt:efbt\",\"system:serviceaccount:xwt:xwt\",\"system:serviceaccount:mdht:mdht\",\"system:serviceaccount:uomo:uomo\",\"system:serviceaccount:qvtd:qvtd\",\"system:serviceaccount:objectteams:objectteams\",\"system:serviceaccount:acute:acute\",\"system:serviceaccount:set:set\",\"system:serviceaccount:sparkplug:sparkplug\",\"system:serviceaccount:osgi-technology:osgi-technology\",\"system:serviceaccount:collections:collections\",\"system:serviceaccount:swtbot:swtbot\",\"system:serviceaccount:modisco:modisco\",\"system:serviceaccount:trace4cps:trace4cps\",\"system:serviceaccount:tea:tea\",\"system:serviceaccount:elk:elk\",\"system:serviceaccount:shellwax:shellwax\",\"system:serviceaccount:mpc:mpc\",\"system:serviceaccount:emfstore:emfstore\",\"system:serviceaccount:jnosql:jnosql\",\"system:serviceaccount:ocl:ocl\",\"system:serviceaccount:eef:eef\",\"system:serviceaccount:amalgam:amalgam\",\"system:serviceaccount:corrosion:corrosion\",\
"system:serviceaccount:tcf:tcf\",\"system:serviceaccount:packager:packager\",\"system:serviceaccount:handly:handly\",\"system:serviceaccount:edapt:edapt\",\"system:serviceaccount:chemclipse:chemclipse\",\"system:serviceaccount:leshan:leshan\",\"system:serviceaccount:datatools:datatools\",\"system:serviceaccount:sw360:sw360\",\"system:serviceaccount:passage:passage\",\"system:serviceaccount:lsp4jakarta:lsp4jakarta\",\"system:serviceaccount:dash:dash\",\"system:serviceaccount:gemini:gemini\",\"system:serviceaccount:jaxws:jaxws\",\"system:serviceaccount:lsat:lsat\",\"system:serviceaccount:embed-cdt:embed-cdt\",\"system:serviceaccount:nebula:nebula\",\"system:serviceaccount:jsonp:jsonp\",\"system:serviceaccount:emf:emf\",\"system:serviceaccount:birt:birt\",\"system:serviceaccount:steady:steady\",\"system:serviceaccount:tyrus:tyrus\",\"system:serviceaccount:zenoh:zenoh\",\"system:serviceaccount:repairnator:repairnator\",\"system:serviceaccount:cdo:cdo\",\"system:serviceaccount:statet:statet\",\"system:serviceaccount:atl:atl\",\"system:serviceaccount:reddeer:reddeer\",\"system:serviceaccount:epsilon:epsilon\",\"system:serviceaccount:californium:californium\",\"system:serviceaccount:webtools:webtools\",\"system:serviceaccount:hawk:hawk\",\"system:serviceaccount:ditto:ditto\",\"system:serviceaccount:validation:validation\",\"system:serviceaccount:cognicrypt:cognicrypt\",\"system:serviceaccount:rap:rap\",\"system:serviceaccount:swtchart:swtchart\",\"system:serviceaccount:tahu:tahu\",\"system:serviceaccount:tm4e:tm4e\",\"system:serviceaccount:lsp4j:lsp4j\",\"system:serviceaccount:jaxb-impl:jaxb-impl\",\"system:serviceaccount:emfservices:emfservices\",\"system:serviceaccount:yasson:yasson\",\"system:serviceaccount:krazo:krazo\",\"system:serviceaccount:security:security\",\"system:serviceaccount:kiso-testing:kiso-testing\",\"system:serviceaccount:che:che\",\"system:serviceaccount:windowbuilder:windowbuilder\",\"system:serviceaccount:simrel:simrel\",\"system:serviceaccount:egit:
egit\",\"system:serviceaccount:jakartaee-platform:jakartaee-platform\",\"system:serviceaccount:packaging:packaging\",\"system:serviceaccount:4diac:4diac\",\"system:serviceaccount:mat:mat\",\"system:serviceaccount:lyo:lyo\",\"system:serviceaccount:gmf-runtime:gmf-runtime\",\"system:serviceaccount:emf-parsley:emf-parsley\",\"system:serviceaccount:lemminx:lemminx\",\"system:serviceaccount:metro:metro\",\"system:serviceaccount:angus:angus\",\"system:serviceaccount:emfcompare:emfcompare\",\"system:serviceaccount:acceleo:acceleo\",\"system:serviceaccount:jta:jta\",\"system:serviceaccount:qvt-oml:qvt-oml\",\"system:serviceaccount:hono:hono\",\"system:serviceaccount:gemoc:gemoc\",\"system:serviceaccount:wildwebdeveloper:wildwebdeveloper\",\"system:serviceaccount:viatra:viatra\",\"system:serviceaccount:nosql:nosql\",\"system:serviceaccount:websocket:websocket\",\"system:serviceaccount:tycho:tycho\",\"system:serviceaccount:orbit:orbit\",\"system:serviceaccount:egf:egf\",\"system:serviceaccount:m2e:m2e\",\"system:serviceaccount:lsp4mp:lsp4mp\",\"system:serviceaccount:mylyn:mylyn\",\"system:serviceaccount:che4z:che4z\",\"system:serviceaccount:jgit:jgit\",\"system:serviceaccount:gef:gef\",\"system:serviceaccount:nattable:nattable\",\"system:serviceaccount:xpect:xpect\",\"system:serviceaccount:sensinact:sensinact\",\"system:serviceaccount:mail:mail\",\"system:serviceaccount:microprofile:microprofile\",\"system:serviceaccount:jsp:jsp\",\"system:serviceaccount:keyple:keyple\",\"system:serviceaccount:scout:scout\",\"system:serviceaccount:el:el\",\"system:serviceaccount:mwe:mwe\",\"system:serviceaccount:amlen:amlen\",\"system:serviceaccount:orb:orb\",\"system:serviceaccount:diffmerge:diffmerge\",\"system:serviceaccount:papyrus:papyrus\",\"system:serviceaccount:linuxtools:linuxtools\",\"system:serviceaccount:chess:chess\",\"system:serviceaccount:graphiti:graphiti\",\"system:serviceaccount:kitalpha:kitalpha\",\"system:serviceaccount:rcptt:rcptt\",\"system:serviceaccount:escet:escet\",\
"system:serviceaccount:comma:comma\",\"system:serviceaccount:tracecompass:tracecompass\",\"system:serviceaccount:justj:justj\",\"system:serviceaccount:infra:infra\",\"system:serviceaccount:foundation-internal-infra:infra\"],\"volumes\":[\"configMap\",\"csi\",\"downwardAPI\",\"emptyDir\",\"ephemeral\",\"persistentVolumeClaim\",\"projected\",\"secret\"]}\n", + "kubernetes.io/description": "EF restricted-v2 without selinux allowing to us large ceph storage" + }, + "creationTimestamp": "2024-07-26T15:12:42Z", + "generation": 240, + "name": "restricted-v2-selinux-scc", + "resourceVersion": "1277977798", + "uid": "afef0b2d-3f3d-4ea5-83f2-2da14d8ed65d" + }, + "priority": null, + "readOnlyRootFilesystem": false, + "requiredDropCapabilities": [ + "ALL" + ], + "runAsUser": { + "type": "MustRunAsRange" + }, + "seLinuxContext": { + "seLinuxOptions": { + "type": "spc_t" + }, + "type": "MustRunAs" + }, + "seccompProfiles": [ + "runtime/default" + ], + "supplementalGroups": { + "type": "RunAsAny" + }, + "users": [ + "system:serviceaccount:automotive:automotive", + "system:serviceaccount:app4mc:app4mc", + "system:serviceaccount:bluechi:bluechi", + "system:serviceaccount:ecal:ecal", + "system:serviceaccount:mdmbl:mdmbl", + "system:serviceaccount:mosaic:mosaic", + "system:serviceaccount:openpass:openpass", + "system:serviceaccount:scm:scm", + "system:serviceaccount:sphinx:sphinx", + "system:serviceaccount:sumo:sumo", + "system:serviceaccount:tractusx:tractusx", + "system:serviceaccount:repo-eclipse-org:default", + "system:serviceaccount:develocity-staging:default", + "system:serviceaccount:develocity-staging:gradle-build-cache-node", + "system:serviceaccount:develocity-staging:gradle-database", + "system:serviceaccount:develocity-staging:gradle-embedded-object-storage", + "system:serviceaccount:develocity-staging:gradle-enterprise-app", + "system:serviceaccount:develocity-staging:gradle-enterprise-app-background-processor", + 
"system:serviceaccount:develocity-staging:gradle-enterprise-operator", + "system:serviceaccount:develocity-staging:gradle-keycloak", + "system:serviceaccount:develocity-staging:gradle-metrics", + "system:serviceaccount:develocity-staging:gradle-monitoring", + "system:serviceaccount:develocity-staging:gradle-proxy", + "system:serviceaccount:develocity-staging:gradle-test-distribution-broker", + "system:serviceaccount:emt4j:emt4j", + "system:serviceaccount:mc:mc", + "system:serviceaccount:aas4j:aas4j", + "system:serviceaccount:basyx:basyx", + "system:serviceaccount:esmf:esmf", + "system:serviceaccount:emfcloud:emfcloud", + "system:serviceaccount:glsp:glsp", + "system:serviceaccount:sprotty:sprotty", + "system:serviceaccount:jkube:jkube", + "system:serviceaccount:theia:theia", + "system:serviceaccount:ls:ls", + "system:serviceaccount:pde:pde", + "system:serviceaccount:ee4j:ee4j", + "system:serviceaccount:ca:ca", + "system:serviceaccount:cdi:cdi", + "system:serviceaccount:cu:cu", + "system:serviceaccount:data:data", + "system:serviceaccount:ejb:ejb", + "system:serviceaccount:epicyro:epicyro", + "system:serviceaccount:exousia:exousia", + "system:serviceaccount:expressly:expressly", + "system:serviceaccount:faces:faces", + "system:serviceaccount:interceptors:interceptors", + "system:serviceaccount:jaf:jaf", + "system:serviceaccount:jakartaconfig:jakartaconfig", + "system:serviceaccount:jakartaee-stable:jakartaee-stable", + "system:serviceaccount:jaxb:jaxb", + "system:serviceaccount:jca:jca", + "system:serviceaccount:jpa:jpa", + "system:serviceaccount:jsonb:jsonb", + "system:serviceaccount:jstl:jstl", + "system:serviceaccount:messaging:messaging", + "system:serviceaccount:mvc:mvc", + "system:serviceaccount:parsson:parsson", + "system:serviceaccount:rest:rest", + "system:serviceaccount:soteria:soteria", + "system:serviceaccount:starter:starter", + "system:serviceaccount:wasp:wasp", + "system:serviceaccount:jakartaee-spec-committee:jakartaee-spec-committee", + 
"system:serviceaccount:hawkbit:hawkbit", + "system:serviceaccount:keypop:keypop", + "system:serviceaccount:babel:babel", + "system:serviceaccount:ice:ice", + "system:serviceaccount:opencert:opencert", + "system:serviceaccount:tinydtls:tinydtls", + "system:serviceaccount:bpmn2:bpmn2", + "system:serviceaccount:geomesa:geomesa", + "system:serviceaccount:uml2:uml2", + "system:serviceaccount:geotrellis:geotrellis", + "system:serviceaccount:proj4j:proj4j", + "system:serviceaccount:spatial4j:spatial4j", + "system:serviceaccount:jts:jts", + "system:serviceaccount:jakartaee-tck:jakartaee-tck", + "system:serviceaccount:henshin:henshin", + "system:serviceaccount:glassfish:glassfish", + "system:serviceaccount:grizzly:grizzly", + "system:serviceaccount:gendoc:gendoc", + "system:serviceaccount:eclemma:eclemma", + "system:serviceaccount:ecoretools:ecoretools", + "system:serviceaccount:efxclipse:efxclipse", + "system:serviceaccount:usssdk:usssdk", + "system:serviceaccount:subversive:subversive", + "system:serviceaccount:tm:tm", + "system:serviceaccount:jetty:jetty", + "system:serviceaccount:pdt:pdt", + "system:serviceaccount:capra:capra", + "system:serviceaccount:esf:esf", + "system:serviceaccount:texlipse:texlipse", + "system:serviceaccount:dltk:dltk", + "system:serviceaccount:aspectj:aspectj", + "system:serviceaccount:emfatic:emfatic", + "system:serviceaccount:virgo:virgo", + "system:serviceaccount:packages:packages", + "system:serviceaccount:cbi:cbi", + "system:serviceaccount:xsemantics:xsemantics", + "system:serviceaccount:milo:milo", + "system:serviceaccount:edc:edc", + "system:serviceaccount:etrice:etrice", + "system:serviceaccount:lsp4e:lsp4e", + "system:serviceaccount:oomph:oomph", + "system:serviceaccount:efbt:efbt", + "system:serviceaccount:xwt:xwt", + "system:serviceaccount:mdht:mdht", + "system:serviceaccount:uomo:uomo", + "system:serviceaccount:qvtd:qvtd", + "system:serviceaccount:objectteams:objectteams", + "system:serviceaccount:acute:acute", + 
"system:serviceaccount:set:set", + "system:serviceaccount:sparkplug:sparkplug", + "system:serviceaccount:osgi-technology:osgi-technology", + "system:serviceaccount:collections:collections", + "system:serviceaccount:swtbot:swtbot", + "system:serviceaccount:modisco:modisco", + "system:serviceaccount:trace4cps:trace4cps", + "system:serviceaccount:tea:tea", + "system:serviceaccount:elk:elk", + "system:serviceaccount:shellwax:shellwax", + "system:serviceaccount:mpc:mpc", + "system:serviceaccount:emfstore:emfstore", + "system:serviceaccount:jnosql:jnosql", + "system:serviceaccount:ocl:ocl", + "system:serviceaccount:eef:eef", + "system:serviceaccount:amalgam:amalgam", + "system:serviceaccount:corrosion:corrosion", + "system:serviceaccount:tcf:tcf", + "system:serviceaccount:packager:packager", + "system:serviceaccount:handly:handly", + "system:serviceaccount:edapt:edapt", + "system:serviceaccount:chemclipse:chemclipse", + "system:serviceaccount:leshan:leshan", + "system:serviceaccount:datatools:datatools", + "system:serviceaccount:sw360:sw360", + "system:serviceaccount:passage:passage", + "system:serviceaccount:lsp4jakarta:lsp4jakarta", + "system:serviceaccount:dash:dash", + "system:serviceaccount:gemini:gemini", + "system:serviceaccount:jaxws:jaxws", + "system:serviceaccount:lsat:lsat", + "system:serviceaccount:embed-cdt:embed-cdt", + "system:serviceaccount:nebula:nebula", + "system:serviceaccount:jsonp:jsonp", + "system:serviceaccount:emf:emf", + "system:serviceaccount:birt:birt", + "system:serviceaccount:steady:steady", + "system:serviceaccount:tyrus:tyrus", + "system:serviceaccount:zenoh:zenoh", + "system:serviceaccount:repairnator:repairnator", + "system:serviceaccount:cdo:cdo", + "system:serviceaccount:statet:statet", + "system:serviceaccount:atl:atl", + "system:serviceaccount:reddeer:reddeer", + "system:serviceaccount:epsilon:epsilon", + "system:serviceaccount:californium:californium", + "system:serviceaccount:webtools:webtools", + "system:serviceaccount:hawk:hawk", 
+ "system:serviceaccount:ditto:ditto", + "system:serviceaccount:validation:validation", + "system:serviceaccount:cognicrypt:cognicrypt", + "system:serviceaccount:rap:rap", + "system:serviceaccount:swtchart:swtchart", + "system:serviceaccount:tahu:tahu", + "system:serviceaccount:tm4e:tm4e", + "system:serviceaccount:lsp4j:lsp4j", + "system:serviceaccount:jaxb-impl:jaxb-impl", + "system:serviceaccount:emfservices:emfservices", + "system:serviceaccount:yasson:yasson", + "system:serviceaccount:krazo:krazo", + "system:serviceaccount:security:security", + "system:serviceaccount:kiso-testing:kiso-testing", + "system:serviceaccount:che:che", + "system:serviceaccount:windowbuilder:windowbuilder", + "system:serviceaccount:simrel:simrel", + "system:serviceaccount:egit:egit", + "system:serviceaccount:jakartaee-platform:jakartaee-platform", + "system:serviceaccount:packaging:packaging", + "system:serviceaccount:4diac:4diac", + "system:serviceaccount:mat:mat", + "system:serviceaccount:lyo:lyo", + "system:serviceaccount:gmf-runtime:gmf-runtime", + "system:serviceaccount:emf-parsley:emf-parsley", + "system:serviceaccount:lemminx:lemminx", + "system:serviceaccount:metro:metro", + "system:serviceaccount:angus:angus", + "system:serviceaccount:emfcompare:emfcompare", + "system:serviceaccount:acceleo:acceleo", + "system:serviceaccount:jta:jta", + "system:serviceaccount:qvt-oml:qvt-oml", + "system:serviceaccount:hono:hono", + "system:serviceaccount:gemoc:gemoc", + "system:serviceaccount:wildwebdeveloper:wildwebdeveloper", + "system:serviceaccount:viatra:viatra", + "system:serviceaccount:nosql:nosql", + "system:serviceaccount:websocket:websocket", + "system:serviceaccount:tycho:tycho", + "system:serviceaccount:orbit:orbit", + "system:serviceaccount:egf:egf", + "system:serviceaccount:m2e:m2e", + "system:serviceaccount:lsp4mp:lsp4mp", + "system:serviceaccount:mylyn:mylyn", + "system:serviceaccount:che4z:che4z", + "system:serviceaccount:jgit:jgit", + "system:serviceaccount:gef:gef", + 
"system:serviceaccount:nattable:nattable", + "system:serviceaccount:xpect:xpect", + "system:serviceaccount:sensinact:sensinact", + "system:serviceaccount:mail:mail", + "system:serviceaccount:microprofile:microprofile", + "system:serviceaccount:jsp:jsp", + "system:serviceaccount:keyple:keyple", + "system:serviceaccount:scout:scout", + "system:serviceaccount:el:el", + "system:serviceaccount:mwe:mwe", + "system:serviceaccount:amlen:amlen", + "system:serviceaccount:orb:orb", + "system:serviceaccount:diffmerge:diffmerge", + "system:serviceaccount:papyrus:papyrus", + "system:serviceaccount:linuxtools:linuxtools", + "system:serviceaccount:chess:chess", + "system:serviceaccount:graphiti:graphiti", + "system:serviceaccount:kitalpha:kitalpha", + "system:serviceaccount:rcptt:rcptt", + "system:serviceaccount:escet:escet", + "system:serviceaccount:comma:comma", + "system:serviceaccount:tracecompass:tracecompass", + "system:serviceaccount:justj:justj", + "system:serviceaccount:foundation-internal-infra:infra" + ], + "volumes": [ + "configMap", + "csi", + "downwardAPI", + "emptyDir", + "ephemeral", + "persistentVolumeClaim", + "projected", + "secret" + ] +} diff --git a/instances/foundation-internal.webdev/config.jsonnet b/instances/foundation-internal.webdev/config.jsonnet index 0c0b53cff5..dfb49d0907 100644 --- a/instances/foundation-internal.webdev/config.jsonnet +++ b/instances/foundation-internal.webdev/config.jsonnet @@ -39,4 +39,5 @@ local permissionsTemplates = import '../../templates/permissions.libsonnet'; secrets+: { "gerrit-trigger-plugin": {}, }, + seLinuxLevel: "s0:c28,c2", } diff --git a/instances/foundation-internal.webdev/target/config.json b/instances/foundation-internal.webdev/target/config.json index 31166723bd..277797a28f 100644 --- a/instances/foundation-internal.webdev/target/config.json +++ b/instances/foundation-internal.webdev/target/config.json 
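Review bot: temp_scc.json looks like a raw export of the live `restricted-v2-selinux-scc` object rather than a managed manifest: it carries the server-populated `creationTimestamp`, `generation`, `resourceVersion` and `uid`, plus a `kubectl.kubernetes.io/last-applied-configuration` annotation that already disagrees with the body (the annotation still lists `system:serviceaccount:infra:infra` and records `generation` 239, while the body omits that account and has 240). The constraint pins `seLinuxContext` to `MustRunAs` with type `spc_t` for every service account in the long `users` list, so it should be reviewed as cluster-wide policy: either drop the file from this commit or reduce it to its declarative fields and keep it outside a single instance's target/k8s directory. Granting the SCC per namespace through RBAC (`use` on `securitycontextconstraints` with `resourceNames`) would also avoid maintaining the grant list as one hand-edited array. JSON has no comments, so the rationale for `spc_t` belongs in the `kubernetes.io/description` annotation or the commit message.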
@@ -639,6 +639,7 @@ }, "generate": false }, + "seLinuxLevel": "s0:c28,c2", "secrets": { "dockerconfigjson": { "dockerconfigjson-for-pull-as-default": { diff --git a/instances/foundation-internal.webdev/target/k8s/statefulset.json b/instances/foundation-internal.webdev/target/k8s/statefulset.json index 78b7e14d3d..b70db3bf86 100644 --- a/instances/foundation-internal.webdev/target/k8s/statefulset.json +++ b/instances/foundation-internal.webdev/target/k8s/statefulset.json @@ -119,7 +119,12 @@ "cpu": "4000m" } }, - "securityContext": { }, + "securityContext": { + "seLinuxOptions": { + "level": "s0:c28,c2", + "type": "spc_t" + } + }, "volumeMounts": [ { "mountPath": "/var/jenkins",