OCPBUGS-77404: bugfix: mount /etc/containers so image controllers respect cluster-wide image registry configurations

[everettraven]

Description

Fixes OCPBUGS-77404 by updating the openshift-controller-manager deployment to mount the /etc/containers directory from the host that the image controllers using the containers/image package will read for registry configurations.

The Machine Configuration Operator is responsible for syncing cluster configurations through the image APIs to this directory on the nodes.

In order to do this, the SCC needed to be adjusted to one that allowed host path mounting. To limit the changes as much as possible I updated the SCC to hostaccess from restricted-v3 so that we can mount the host path but prevent running the container as root, maintaining the user namespace security boundary.

Summary by CodeRabbit

• Chores
  • Controller now requests an elevated SCC and is granted permission via a new role and rolebinding.
  • The operator syncs the cluster pull-secret into the controller namespace at startup.
• New Features
  • Controller mounts host container configuration read-only and exposes a registry auth file via environment for image pulls.

[openshift-ci-robot]

@everettraven: This pull request references Jira Issue OCPBUGS-77404, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Description

Fixes OCPBUGS-77404 by updating the openshift-controller-manager deployment to mount the /etc/containers directory from the host that the image controllers using the containers/image package will read for registry configurations.

The Machine Configuration Operator is responsible for syncing cluster configurations through the image APIs to this directory on the nodes.

In order to do this, the SCC needed to be adjusted to one that allowed host path mounting. To limit the changes as much as possible I updated the SCC to hostaccess from restricted-v3 so that we can mount the host path but prevent running the container as root, maintaining the user namespace security boundary.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 20660431-e360-4e19-8be0-690bcb2e68f0

📥 Commits

Reviewing files that changed from the base of the PR and between 1ed86f9 and 1643cc1.

📒 Files selected for processing (2)

• bindata/assets/openshift-controller-manager/scc-rolebinding.yaml
• pkg/operator/starter.go

🚧 Files skipped from review as they are similar to previous changes (2)

• bindata/assets/openshift-controller-manager/scc-rolebinding.yaml
• pkg/operator/starter.go

---

Walkthrough

Deployment and operator changes: the controller-manager now requests the hostaccess SCC, mounts the node /etc/containers read-only, sets REGISTRY_AUTH_FILE=/var/run/secrets/image-auth/auth.json, adds RBAC to allow using the hostaccess SCC, syncs the global pull-secret into the operator namespace, and updates related tests.

Changes

Controller manager hostaccess and related wiring

Layer / File(s)	Summary
Security context and host volume mount bindata/assets/openshift-controller-manager/deploy.yaml	Pod annotation changed to request hostaccess; added REGISTRY_AUTH_FILE env; added read-only etc-containers volumeMount at /etc/containers; defined etc-containers hostPath volume.
RBAC Role and RoleBinding bindata/assets/openshift-controller-manager/scc-role.yaml, bindata/assets/openshift-controller-manager/scc-rolebinding.yaml	Added system:openshift-controller-manager:hostaccess-role Role permitting use on securitycontextconstraints/hostaccess and a RoleBinding for openshift-controller-manager-sa.
Operator startup and static assets pkg/operator/starter.go	Configure resourceSyncer.SyncSecret for openshift-config/pull-secret → operator namespace; include new SCC Role and RoleBinding manifests in static resource controller assets.
Tests: expected config and env updates pkg/operator/sync_openshiftcontrollermanager_v311_00_test.go	Reformat expected controller lists in config tests and add REGISTRY_AUTH_FILE entries to expected env in TestDeploymentWithProxy cases; small formatting edits.

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check specifies "Ginkgo test code" quality review (It blocks, BeforeEach/AfterEach, Eventually/Consistently), but the PR modifies standard Go testing (*testing.T) with t.Run() subtests, not...	Clarify whether the check applies to standard Go testing patterns (t.Run, *testing.T) or only Ginkgo-style tests; this PR contains only standard Go testing.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and specifically describes the main change: mounting /etc/containers to enable image controllers to respect cluster-wide registry configurations, with reference to the bug ticket OCPBUGS-77404.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The repository does not use Ginkgo testing framework (0 Ginkgo imports/patterns found). It uses standard Go testing with testing.T. Check for Ginkgo test names is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The PR modifies manifests, operator code, and standard Go unit tests but does not introduce new Ginkgo e2e tests that would need MicroShift compatibili...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The repository contains only unit/integration tests using standard Go testing, not e2e tests. The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR does not introduce new scheduling constraints. The deployment's existing required anti-affinity with maxUnavailable:1 and master nodeSelector predate this PR; the changes here only add /etc...
Ote Binary Stdout Contract	✅ Passed	PR introduces no process-level stdout writes: resourceSyncer.SyncSecret() call returns error; test updates are within test functions; klog properly configured to stderr via component-base/cli.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add any new Ginkgo e2e tests. Changes are limited to Kubernetes manifests, operator code, and standard Go unit tests.
No-Weak-Crypto	✅ Passed	PR contains no cryptographic code: changes are deployment YAML, RBAC manifests, and configuration updates with no MD5, SHA1, DES, RC4, 3DES, Blowfish, or ECB usage detected.
Container-Privileges	✅ Passed	Deployment manifest contains no privileged: true, hostPID, hostNetwork, hostIPC, or SYS_ADMIN capabilities. allowPrivilegeEscalation is explicitly false; hostUsers: false prevents running as root.
No-Sensitive-Data-In-Logs	✅ Passed	The PR adds pull-secret synchronization and REGISTRY_AUTH_FILE env var pointing to auth.json path. Secret data changes are only logged at klog.V(4) debug level with masked values (OLD/NEW/MODIFIED)...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kaleemsiddiqu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everettraven]

Open Question: Does this automatically handle pull secrets for private registries as well?

[everettraven]

It doesn't, but I've opened openshift/openshift-controller-manager#447 to help with this.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

bindata/assets/openshift-controller-manager/deploy.yaml (2)

60-63: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add resource limits for memory and CPU.

The coding guidelines require resource limits on every container. Currently, only resource requests are defined. Without limits, the controller-manager pod could consume unbounded resources, potentially impacting control plane stability.

📊 Proposed fix to add resource limits

         resources:
           requests:
             memory: 100Mi
             cpu: 100m
+          limits:
+            memory: 200Mi
+            cpu: 200m

Note: Adjust limit values based on observed resource usage patterns.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/assets/openshift-controller-manager/deploy.yaml` around lines 60 -
63, The resources block currently only sets requests (memory: 100Mi, cpu: 100m);
add a limits section alongside requests to enforce upper bounds (e.g., limits:
memory: 200Mi, cpu: 200m or other values tuned to observed usage) so the
openshift-controller-manager container cannot consume unbounded resources;
update the same resources mapping (the resources key for the controller-manager
container) to include a limits subsection with both memory and cpu entries.

Source: Coding guidelines

---

49-54: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit runAsNonRoot: true to the container securityContext.

While the hostaccess SCC may enforce non-root execution, the manifest should explicitly declare runAsNonRoot: true for defense in depth and to match the PR's stated goal of "preventing running the container as root." Without this setting, the security guarantee depends entirely on the SCC, which could change.

🔒 Proposed fix to add explicit runAsNonRoot

       - name: controller-manager
         securityContext:
+          runAsNonRoot: true
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/assets/openshift-controller-manager/deploy.yaml` around lines 49 -
54, The container's securityContext is missing an explicit runAsNonRoot setting;
update the container spec's securityContext (the existing securityContext block
that contains readOnlyRootFilesystem, allowPrivilegeEscalation, and
capabilities.drop) to add runAsNonRoot: true so the pod manifest explicitly
prevents running as UID 0 (defense in depth) while preserving the other keys
(readOnlyRootFilesystem, allowPrivilegeEscalation, capabilities.drop).

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindata/assets/openshift-controller-manager/deploy.yaml`:
- Line 36: The Deployment currently sets openshift.io/required-scc: hostaccess
which is too permissive—either replace it with the restricted-v3 SCC or wire a
purpose-built custom SCC and document why elevated host access is required;
additionally, in the podSpec/container securityContext ensure runAsNonRoot: true
is set, explicitly set automountServiceAccountToken: false at the podSpec level,
and add resources.limits for the controller container to complement existing
resources.requests so limits are enforced.

---

Outside diff comments:
In `@bindata/assets/openshift-controller-manager/deploy.yaml`:
- Around line 60-63: The resources block currently only sets requests (memory:
100Mi, cpu: 100m); add a limits section alongside requests to enforce upper
bounds (e.g., limits: memory: 200Mi, cpu: 200m or other values tuned to observed
usage) so the openshift-controller-manager container cannot consume unbounded
resources; update the same resources mapping (the resources key for the
controller-manager container) to include a limits subsection with both memory
and cpu entries.
- Around line 49-54: The container's securityContext is missing an explicit
runAsNonRoot setting; update the container spec's securityContext (the existing
securityContext block that contains readOnlyRootFilesystem,
allowPrivilegeEscalation, and capabilities.drop) to add runAsNonRoot: true so
the pod manifest explicitly prevents running as UID 0 (defense in depth) while
preserving the other keys (readOnlyRootFilesystem, allowPrivilegeEscalation,
capabilities.drop).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0f6912d5-6a19-4d54-a6d9-64aca0dbe28d

📥 Commits

Reviewing files that changed from the base of the PR and between 34f95b0 and a7aa392.

📒 Files selected for processing (1)

• bindata/assets/openshift-controller-manager/deploy.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for existing custom SCC definitions in the repository
rg -n "kind:\s*SecurityContextConstraints" -A 20

Repository: openshift/cluster-openshift-controller-manager-operator

Length of output: 81

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="bindata/assets/openshift-controller-manager/deploy.yaml"

echo "== File size =="
wc -l "$FILE"

echo "== SCC annotation occurrences (context) =="
rg -n "openshift\.io/required-scc|required-scc" "$FILE" -n

echo "== runAsNonRoot occurrences =="
rg -n "runAsNonRoot" "$FILE" || true

echo "== resources.limits occurrences =="
rg -n "resources:|limits:" "$FILE"

echo "== Extract: container securityContext/resources/volumes around likely sections =="
# show around where the reviewer cited lines (roughly); adjust if file differs
sed -n '1,130p' "$FILE" | nl -ba | sed -n '1,130p'
sed -n '90,180p' "$FILE" | nl -ba | sed -n '1,120p'

echo "== hostPath volume /etc/containers mount check =="
rg -n "etc/containers|hostPath|readOnly" "$FILE"

echo "== Anti-affinity / topology-related scheduling constraints =="
rg -n "antiAffinity|requiredDuringSchedulingIgnoredDuringExecution|topologyKey|hostname" "$FILE" || true

Repository: openshift/cluster-openshift-controller-manager-operator

Length of output: 499

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search for any custom SCC definitions/usage in repo =="
rg -n "SecurityContextConstraints" -S . || true
rg -n "hostaccess|openshift\.io/required-scc" -S . || true
rg -n "SecurityContextConstraint" -S . || true

Repository: openshift/cluster-openshift-controller-manager-operator

Length of output: 19745

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="bindata/assets/openshift-controller-manager/deploy.yaml"

echo "== Extract around SCC (lines 1-60) =="
awk 'NR<=60{print NR ":" $0}' "$FILE"

echo "== Extract around resources (55-95) =="
awk 'NR>=55 && NR<=95{print NR ":" $0}' "$FILE"

echo "== Extract around hostPath/volumes (95-140) =="
awk 'NR>=95 && NR<=140{print NR ":" $0}' "$FILE"

echo "== Extract last lines (141-200) =="
awk 'NR>=141 && NR<=200{print NR ":" $0}' "$FILE"

echo "== Field presence checks =="
for pat in \
  "runAsNonRoot" \
  "allowPrivilegeEscalation" \
  "readOnlyRootFilesystem" \
  "capabilities:" \
  "automountServiceAccountToken" \
  "limits:" \
  "livenessProbe" \
  "readinessProbe" \
  "hostPID" \
  "hostNetwork" \
  "hostIPC" \
  "privileged" \
  "antiAffinity" \
  "topologyKey"; do
  echo "-- $pat"
  rg -n "$pat" "$FILE" || true
done

echo "== Search for custom SCC manifests outside vendor =="
rg -n --glob '!vendor/**' "kind:\s*SecurityContextConstraints" -S . || true

Repository: openshift/cluster-openshift-controller-manager-operator

Length of output: 6288

---

Major security hardening gaps in controller-manager OpenShift Deployment

        openshift.io/required-scc: hostaccess

• hostaccess is less restricted than restricted-v3 and doesn’t align with the guideline requiring a restricted/custom-scoped SCC—either justify the need or wire a custom SCC.
• Missing runAsNonRoot: true at pod/container securityContext (defense-in-depth).
• Missing resources.limits (only resources.requests are set).
• automountServiceAccountToken is not explicitly set to false.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/assets/openshift-controller-manager/deploy.yaml` at line 36, The
Deployment currently sets openshift.io/required-scc: hostaccess which is too
permissive—either replace it with the restricted-v3 SCC or wire a purpose-built
custom SCC and document why elevated host access is required; additionally, in
the podSpec/container securityContext ensure runAsNonRoot: true is set,
explicitly set automountServiceAccountToken: false at the podSpec level, and add
resources.limits for the controller container to complement existing
resources.requests so limits are enforced.

Source: Coding guidelines

[ehearne-redhat]

I think we need to remove this as e2e-upgrade reports

event happened 36 times, something is wrong: namespace/openshift-controller-manager hmsg/827f4eb8d4 replicaset/controller-manager-99bbc9cc8 - reason/FailedCreate Error creating: pods "controller-manager-99bbc9cc8-" is forbidden: unable to validate against any security context constraint: [metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, metadata.annotations[container.seccomp.security.alpha.kubernetes.io/controller-manager]: Forbidden: seccomp may not be set] (21:59:34Z) result=reject }

[ehearne-redhat]

@bpalmer The changes in general look fine to me, the seccomp concern is the only one I have. Could you take a look at that and let me know if this is an issue? I dont see any mention https://docs.redhat.com/en/documentation/openshift_container_platform/4.22/html/authentication_and_authorization/managing-pod-security-policies#default-sccs_configuring-internal-oauth about it not being allowed.

However it says privileged containers cannot use seccompprofile at https://docs.redhat.com/en/documentation/openshift_container_platform/4.22/html/security_and_compliance/seccomp-profiles .

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/operator/sync_openshiftcontrollermanager_v311_00_test.go (1)

752-755: ⚡ Quick win

Assert the new mount contract alongside REGISTRY_AUTH_FILE.

These updates only verify the env var. The feature also depends on the matching secret volume/volumeMount for /var/run/secrets/image-auth/auth.json and the /etc/containers host mount, so those regressions would still pass this suite.

This follows the PR objective to mount both the global pull-secret and /etc/containers into the deployment.

Also applies to: 788-791, 819-822

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/sync_openshiftcontrollermanager_v311_00_test.go` around lines
752 - 755, The test currently only asserts the REGISTRY_AUTH_FILE env var; also
assert that the deployment spec includes a Volume referencing the global
pull-secret (a Secret volume whose SecretName equals the cluster pull secret)
and a corresponding VolumeMount mounting that secret to
/var/run/secrets/image-auth/auth.json, and assert a HostPath (or projected host)
Volume and VolumeMount for /etc/containers so the host config is mounted into
the container; update the assertions around REGISTRY_AUTH_FILE (and the other
similar blocks) to check for a Volume with the secret name, a VolumeMount with
MountPath "/var/run/secrets/image-auth" (or the exact file mount), and a
Volume/VolumeMount that mounts "/etc/containers" from the host into the pod spec
to ensure both secret and host mounts are present.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindata/assets/openshift-controller-manager/scc-rolebinding.yaml`:
- Around line 7-9: The RoleBinding's roleRef is missing the apiGroup; update the
RoleBinding where roleRef.name is
"system:openshift-controller-manager:hostaccess-role" (the hostaccess
RoleBinding) to include roleRef.apiGroup: rbac.authorization.k8s.io so roleRef
has keys kind, name, and apiGroup like other RoleBindings (e.g.,
route-controller-manager-leader-rolebinding); modify the manifest defining
roleRef to add the apiGroup field accordingly.

---

Nitpick comments:
In `@pkg/operator/sync_openshiftcontrollermanager_v311_00_test.go`:
- Around line 752-755: The test currently only asserts the REGISTRY_AUTH_FILE
env var; also assert that the deployment spec includes a Volume referencing the
global pull-secret (a Secret volume whose SecretName equals the cluster pull
secret) and a corresponding VolumeMount mounting that secret to
/var/run/secrets/image-auth/auth.json, and assert a HostPath (or projected host)
Volume and VolumeMount for /etc/containers so the host config is mounted into
the container; update the assertions around REGISTRY_AUTH_FILE (and the other
similar blocks) to check for a Volume with the secret name, a VolumeMount with
MountPath "/var/run/secrets/image-auth" (or the exact file mount), and a
Volume/VolumeMount that mounts "/etc/containers" from the host into the pod spec
to ensure both secret and host mounts are present.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1df28a42-a6e6-4738-bd20-49f2979e7e19

📥 Commits

Reviewing files that changed from the base of the PR and between a7aa392 and 1ed86f9.

📒 Files selected for processing (5)

• bindata/assets/openshift-controller-manager/deploy.yaml
• bindata/assets/openshift-controller-manager/scc-role.yaml
• bindata/assets/openshift-controller-manager/scc-rolebinding.yaml
• pkg/operator/starter.go
• pkg/operator/sync_openshiftcontrollermanager_v311_00_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• bindata/assets/openshift-controller-manager/deploy.yaml

[everettraven]

/jira refresh

[openshift-ci-robot]

@everettraven: This pull request references Jira Issue OCPBUGS-77404, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (jitsingh@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	1643cc1	link	true	/test e2e-aws-ovn
ci/prow/e2e-aws-operator	1643cc1	link	true	/test e2e-aws-operator
ci/prow/e2e-upgrade	1643cc1	link	true	/test e2e-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[everettraven]

This last failure has a really odd failure. It says the openshift-controller-manager-sa service account doesn't exist but I can see an event from when it was created and the audit logs show no sign of that service account being deleted (or created).

Going to see if maybe this was a fluke.

/retest-required