From 5b9b4fcf668c835ff28f5bd0e657ae9f49b4df32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Dulko?=
Date: Tue, 27 Mar 2018 16:14:36 +0200
Subject: [PATCH] Add `privileged` SCC to SA in OpenShift DevStack

In containerized OpenShift deployments we're not attaching `privileged` SCC to `kuryr-controller` SA created by DevStack plugin. This causes kuryr-controller Deployment and kuryr-cni DaemonSet to fail as `kuryr-controller` SA lacks permissions to run privileged containers. This commit solves that by using `oadm` to attach the SCC to SA.
Change-Id: I2c827cd986a17e08c94558c852b4a225cfe057a6
Closes-Bug: 1759287
(cherry picked from commit 08ce5650516f10d1ee1f07f5b3c667c7abb3c6c7)
---
 devstack/plugin.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index eba5c290f..b2e5050b7 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -143,6 +143,11 @@ function run_containerized_kuryr_resources {
 /usr/local/bin/kubectl create -f \
 "${k8s_data_dir}/service_account.yml" \
 || die $LINENO "Failed to create kuryr-kubernetes ServiceAccount."
+
+ if is_service_enabled openshift-master; then
+ # NOTE(dulek): For OpenShift add privileged SCC to serviceaccount.
+ /usr/local/bin/oadm policy add-scc-to-user privileged -n kube-system -z kuryr-controller
+ fi
 /usr/local/bin/kubectl create -f \
 "${k8s_data_dir}/controller_deployment.yml" \
 || die $LINENO "Failed to create kuryr-kubernetes Deployment."
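Review bot: The added `oadm policy add-scc-to-user` call is the only command in this stretch of run_containerized_kuryr_resources whose exit status is ignored; both surrounding `kubectl create` calls end in `|| die $LINENO "..."`. If the SCC binding fails, the script carries on and the Deployment and DaemonSet fail later with the same permission symptom this commit is meant to fix. I would end the line with `|| die $LINENO "Failed to add privileged SCC to kuryr-controller ServiceAccount."`. Because `privileged` is a broad grant, the NOTE comment could also record why it is needed and that it is scoped to the `kuryr-controller` SA in `kube-system` for DevStack only, e.g. `# NOTE(dulek): kuryr-controller/kuryr-cni pods run privileged; grant is limited to this SA in kube-system (DevStack only).` The function body starts and continues outside the hunk.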