[v1.24.x] OCPBUGS-1666: Expose flag to enable/disable PodSecurity (#6080)

openshift-cherrypick-robot · web-flow · commit 0b763cdf1025 · 2022-10-13T17:04:10.000-04:00
* OCPBUGS-1666: Expose flag to enable/disable PodSecurity

Added --security-context-config flag to enable seccompprofile.
It defaults to enabled to support k8s 1.25. You can disable it
with --security-context-config=legacy

Signed-off-by: jesus m. rodriguez &lt;jesusr@redhat.com&gt;

* fix test-sanity: update docs &amp; fix test.

* Ignoring error from Set call in test
* Update .cncf maintainers
* Update run bundle(-upgrade) CLI docs
* Add allowed values to the security-context-config flag.
* Default to Restricted, and add the default value in the help text.
* Update changelog to indicate that we're updating run bundle subcommand

Signed-off-by: jesus m. rodriguez &lt;jmrodri@gmail.com&gt;

* Fix typo in changelog
* Removed the "default: restricted" from the help text.

This was being duplicated because we had it in the text but were not
setting the value to a default value. Once we set the value to the
default cobra realized this and would output "(default: restricted)".

So removing the manually entered text fixes the duplicate.

Signed-off-by: jesus m. rodriguez &lt;jesusr@redhat.com&gt;
diff --git a/changelog/fragments/enable-seccompprofile-run-bundle.yaml b/changelog/fragments/enable-seccompprofile-run-bundle.yaml
@@ -0,0 +1,18 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      For operator-sdk run bundle and bundle-upgrade subcommands: Added --security-context-config
+      flag to enable seccompprofile. It defaults to restricted to support k8s 1.25. You can disable it
+      with --security-context-config=legacy
+
+    # kind is one of:
+    # - addition
+    # - change
+    # - deprecation
+    # - removal
+    # - bugfix
+    kind: "bugfix"
+
+    # Is this a breaking change?
+    breaking: false
diff --git a/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go b/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
@@ -72,6 +72,10 @@ type FBCRegistryPod struct { //nolint:maligned
 	// This directory has the File-Based Catalog representation of a catalog index.
 	FBCIndexRootDir string
 
+	// SecurityContext defines the security context which will enable the
+	// SecurityContext on the Pod
+	SecurityContext string
+
 	cfg *operator.Configuration
 }
 
@@ -115,6 +119,15 @@ func (f *FBCRegistryPod) Create(ctx context.Context, cfg *operator.Configuration
 		return nil, fmt.Errorf("error setting owner reference: %w", err)
 	}
 
+	// Add security context if the user passed in the --security-context-config flag
+	if f.SecurityContext == "restricted" {
+		f.pod.Spec.SecurityContext = &corev1.PodSecurityContext{
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
+			},
+		}
+	}
+
 	if err := f.cfg.Client.Create(ctx, f.pod); err != nil {
 		return nil, fmt.Errorf("error creating pod: %w", err)
 	}
@@ -230,11 +243,19 @@ func (f *FBCRegistryPod) podForBundleRegistry(cs *v1alpha1.CatalogSource) (*core
 			// TODO: remove when OpenShift 4.10 and Kubernetes 1.19 be no longer supported
 			// Why not set SeccompProfile?
 			// This option can only work in OCP versions >= 4.11 and Kubernetes versions >= 19.
-			//SecurityContext: &corev1.PodSecurityContext{
-			//	SeccompProfile: &corev1.SeccompProfile{
-			//		Type: corev1.SeccompProfileTypeRuntimeDefault,
-			//	},
-			//},
+			//
+			// 2022-09-27 (jesusr): We added a --security-context-config flag to run bundle
+			// that will add the following stanza to the pod. This will allow
+			// users to selectively enable this stanza. Once this context
+			// becomes the default, we should uncomment this code and remove the
+			// --security-context-config flag.
+			// ---- end of update comment
+			//
+			// SecurityContext: &corev1.PodSecurityContext{
+			//     SeccompProfile: &corev1.SeccompProfile{
+			//         Type: corev1.SeccompProfileTypeRuntimeDefault,
+			//     },
+			// },
 			Volumes: []corev1.Volume{
 				{
 					Name: k8sutil.TrimDNS1123Label(cm.Name + "-volume"),
diff --git a/internal/olm/operator/registry/index/registry_pod.go b/internal/olm/operator/registry/index/registry_pod.go
@@ -84,6 +84,10 @@ type SQLiteRegistryPod struct { //nolint:maligned
 	// UseHTTP uses plain HTTP for container image registries while pulling bundles.
 	UseHTTP bool `json:"UseHTTP"`
 
+	// SecurityContext defines the security context which will enable the
+	// SecurityContext on the Pod
+	SecurityContext string
+
 	// pod represents a kubernetes *corev1.pod that will be created on a cluster using an index image
 	pod *corev1.Pod
 
@@ -128,6 +132,15 @@ func (rp *SQLiteRegistryPod) Create(ctx context.Context, cfg *operator.Configura
 		return nil, fmt.Errorf("error setting owner reference: %w", err)
 	}
 
+	// Add security context if the user passed in the --security-context-config flag
+	if rp.SecurityContext == "restricted" {
+		rp.pod.Spec.SecurityContext = &corev1.PodSecurityContext{
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
+			},
+		}
+	}
+
 	if err := rp.cfg.Client.Create(ctx, rp.pod); err != nil {
 		return nil, fmt.Errorf("error creating pod: %w", err)
 	}
@@ -239,11 +252,19 @@ func (rp *SQLiteRegistryPod) podForBundleRegistry() (*corev1.Pod, error) {
 			// TODO: remove when OpenShift 4.10 and Kubernetes 1.19 be no longer supported
 			// Why not set SeccompProfile?
 			// This option can only work in OCP versions >= 4.11 and Kubernetes versions >= 19.
-			//SecurityContext: &corev1.PodSecurityContext{
-			//	SeccompProfile: &corev1.SeccompProfile{
-			//		Type: corev1.SeccompProfileTypeRuntimeDefault,
-			//	},
-			//},
+			//
+			// 2022-09-27 (jesusr): We added a --security-context-config flag to run bundle
+			// that will add the following stanza to the pod. This will allow
+			// users to selectively enable this stanza. Once this context
+			// becomes the default, we should uncomment this code and remove the
+			// --security-context-config flag.
+			// ---- end of update comment
+			//
+			// SecurityContext: &corev1.PodSecurityContext{
+			//     SeccompProfile: &corev1.SeccompProfile{
+			//         Type: corev1.SeccompProfileTypeRuntimeDefault,
+			//     },
+			// },
 			Containers: []corev1.Container{
 				{
 					Name:  defaultContainerName,
diff --git a/internal/olm/operator/registry/index_image.go b/internal/olm/operator/registry/index_image.go
@@ -52,6 +52,44 @@ const (
 	registryPodNameAnnotation = operatorFrameworkGroup + "/registry-pod-name"
 )
 
+// TODO: Change this to use the values in operator-framework/api
+// once the release containing the enums is pulled into SDK
+type SecurityContextType string
+
+const (
+	Legacy     SecurityContextType = "legacy"
+	Restricted SecurityContextType = "restricted"
+)
+
+// SecurityContext represents the enum from the CatalogSource API
+// It is also being used by the binding flags to allow validation of the enum
+// values
+type SecurityContext struct {
+	ContextType SecurityContextType
+}
+
+func (sc *SecurityContext) String() string {
+	return string(sc.ContextType)
+}
+
+func (sc *SecurityContext) Set(value string) error {
+	switch value {
+	case "legacy", "restricted":
+		sc.ContextType = SecurityContextType(value)
+		return nil
+	default:
+		return fmt.Errorf("must be one of \"legacy\", or \"restricted\"")
+	}
+}
+
+func (sc *SecurityContext) IsEmpty() bool {
+	return sc.ContextType == ""
+}
+
+func (sc *SecurityContext) Type() string {
+	return "SecurityContext"
+}
+
 type IndexImageCatalogCreator struct {
 	SkipTLS         bool
 	SkipTLSVerify   bool
@@ -67,6 +105,7 @@ type IndexImageCatalogCreator struct {
 	PreviousBundles []string
 	cfg             *operator.Configuration
 	ChannelName     string
+	SecurityContext SecurityContext
 }
 
 var _ CatalogCreator = &IndexImageCatalogCreator{}
@@ -98,6 +137,10 @@ func (c *IndexImageCatalogCreator) BindFlags(fs *pflag.FlagSet) {
 		"while pulling bundles")
 	fs.BoolVar(&c.UseHTTP, "use-http", false, "use plain HTTP for container image registries "+
 		"while pulling bundles")
+
+	// default to Restricted
+	c.SecurityContext = SecurityContext{ContextType: Restricted}
+	fs.Var(&c.SecurityContext, "security-context-config", "specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'.")
 }
 
 func (c IndexImageCatalogCreator) CreateCatalog(ctx context.Context, name string) (*v1alpha1.CatalogSource, error) {
@@ -478,9 +521,10 @@ func (c IndexImageCatalogCreator) createAnnotatedRegistry(ctx context.Context, c
 	if c.HasFBCLabel {
 		// Initialize and create the FBC registry pod.
 		fbcRegistryPod := fbcindex.FBCRegistryPod{
-			BundleItems: items,
-			IndexImage:  c.IndexImage,
-			FBCContent:  c.FBCContent,
+			BundleItems:     items,
+			IndexImage:      c.IndexImage,
+			FBCContent:      c.FBCContent,
+			SecurityContext: c.SecurityContext.String(),
 		}
 
 		pod, err = fbcRegistryPod.Create(ctx, c.cfg, cs)
@@ -491,12 +535,13 @@ func (c IndexImageCatalogCreator) createAnnotatedRegistry(ctx context.Context, c
 	} else {
 		// Initialize and create registry pod
 		registryPod := index.SQLiteRegistryPod{
-			BundleItems:   items,
-			IndexImage:    c.IndexImage,
-			SecretName:    c.SecretName,
-			CASecretName:  c.CASecretName,
-			SkipTLSVerify: c.SkipTLSVerify,
-			UseHTTP:       c.UseHTTP,
+			BundleItems:     items,
+			IndexImage:      c.IndexImage,
+			SecretName:      c.SecretName,
+			CASecretName:    c.CASecretName,
+			SkipTLSVerify:   c.SkipTLSVerify,
+			UseHTTP:         c.UseHTTP,
+			SecurityContext: c.SecurityContext.String(),
 		}
 
 		if registryPod.DBPath, err = c.getDBPath(ctx); err != nil {
diff --git a/internal/olm/operator/registry/index_image_test.go b/internal/olm/operator/registry/index_image_test.go
@@ -0,0 +1,80 @@
+// Copyright 2020 The Operator-SDK Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package registry
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("IndexImage", func() {
+	Context("SecurityContext", func() {
+		Describe("String", func() {
+			It("should return a string value of the enum", func() {
+				sc := SecurityContext{}
+				Expect(sc.String()).To(Equal(""))
+				sc = SecurityContext{ContextType: Legacy}
+				Expect(sc.String()).To(Equal("legacy"))
+			})
+		})
+		Describe("Set", func() {
+			var sc SecurityContext
+			BeforeEach(func() {
+				sc = SecurityContext{}
+				Expect(sc.String()).To(Equal(""))
+			})
+			It("should not error with valid values", func() {
+				err := sc.Set("legacy")
+				Expect(sc.String()).To(Equal("legacy"))
+				Expect(err).ToNot(HaveOccurred())
+				err = sc.Set("restricted")
+				Expect(sc.String()).To(Equal("restricted"))
+				Expect(err).ToNot(HaveOccurred())
+			})
+			It("should return an error with unsupported values", func() {
+				err := sc.Set("fake")
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(Equal("must be one of \"legacy\", or \"restricted\""))
+
+				err = sc.Set("")
+				Expect(err).To(HaveOccurred())
+				Expect(err.Error()).To(Equal("must be one of \"legacy\", or \"restricted\""))
+			})
+		})
+		Describe("IsEmpty", func() {
+			var sc SecurityContext
+			BeforeEach(func() {
+				sc = SecurityContext{}
+				Expect(sc.String()).To(Equal(""))
+			})
+			It("should return true default instantiation", func() {
+				Expect(sc.IsEmpty()).To(BeTrue())
+			})
+			It("should return false if set a value", func() {
+				_ = sc.Set("legacy")
+				Expect(sc.IsEmpty()).To(BeFalse())
+
+				_ = sc.Set("restricted")
+				Expect(sc.IsEmpty()).To(BeFalse())
+			})
+		})
+		Describe("Type", func() {
+			It("should return SecurityContext", func() {
+				sc := SecurityContext{}
+				Expect(sc.Type()).To(Equal("SecurityContext"))
+			})
+		})
+	})
+})
diff --git a/website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md b/website/content/en/docs/cli/operator-sdk_run_bundle-upgrade.md
@@ -19,16 +19,17 @@ operator-sdk run bundle-upgrade <bundle-image> [flags]
 ### Options
 
 ```
-      --ca-secret-name string     Name of a generic secret containing a PEM root certificate file required to pull bundle images. This secret *must* be in the namespace that this command is configured to run in, and the file *must* be encoded under the key "cert.pem"
-  -h, --help                      help for bundle-upgrade
-      --kubeconfig string         Path to the kubeconfig file to use for CLI requests.
-  -n, --namespace string          If present, namespace scope for this CLI request
-      --pull-secret-name string   Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
-      --service-account string    Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
-      --skip-tls                  skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
-      --skip-tls-verify           skip TLS certificate verification for container image registries while pulling bundles
-      --timeout duration          Duration to wait for the command to complete before failing (default 2m0s)
-      --use-http                  use plain HTTP for container image registries while pulling bundles
+      --ca-secret-name string                     Name of a generic secret containing a PEM root certificate file required to pull bundle images. This secret *must* be in the namespace that this command is configured to run in, and the file *must* be encoded under the key "cert.pem"
+  -h, --help                                      help for bundle-upgrade
+      --kubeconfig string                         Path to the kubeconfig file to use for CLI requests.
+  -n, --namespace string                          If present, namespace scope for this CLI request
+      --pull-secret-name string                   Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
+      --security-context-config SecurityContext   specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default restricted)
+      --service-account string                    Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
+      --skip-tls                                  skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
+      --skip-tls-verify                           skip TLS certificate verification for container image registries while pulling bundles
+      --timeout duration                          Duration to wait for the command to complete before failing (default 2m0s)
+      --use-http                                  use plain HTTP for container image registries while pulling bundles
 ```
 
 ### Options inherited from parent commands
diff --git a/website/content/en/docs/cli/operator-sdk_run_bundle.md b/website/content/en/docs/cli/operator-sdk_run_bundle.md
@@ -28,18 +28,19 @@ operator-sdk run bundle <bundle-image> [flags]
 ### Options
 
 ```
-      --ca-secret-name string           Name of a generic secret containing a PEM root certificate file required to pull bundle images. This secret *must* be in the namespace that this command is configured to run in, and the file *must* be encoded under the key "cert.pem"
-  -h, --help                            help for bundle
-      --index-image string              index image in which to inject bundle (default "quay.io/operator-framework/opm:latest")
-      --install-mode InstallModeValue   install mode
-      --kubeconfig string               Path to the kubeconfig file to use for CLI requests.
-  -n, --namespace string                If present, namespace scope for this CLI request
-      --pull-secret-name string         Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
-      --service-account string          Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
-      --skip-tls                        skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
-      --skip-tls-verify                 skip TLS certificate verification for container image registries while pulling bundles
-      --timeout duration                Duration to wait for the command to complete before failing (default 2m0s)
-      --use-http                        use plain HTTP for container image registries while pulling bundles
+      --ca-secret-name string                     Name of a generic secret containing a PEM root certificate file required to pull bundle images. This secret *must* be in the namespace that this command is configured to run in, and the file *must* be encoded under the key "cert.pem"
+  -h, --help                                      help for bundle
+      --index-image string                        index image in which to inject bundle (default "quay.io/operator-framework/opm:latest")
+      --install-mode InstallModeValue             install mode
+      --kubeconfig string                         Path to the kubeconfig file to use for CLI requests.
+  -n, --namespace string                          If present, namespace scope for this CLI request
+      --pull-secret-name string                   Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
+      --security-context-config SecurityContext   specifies the security context to use for the catalog pod. allowed: 'restricted', 'legacy'. (default restricted)
+      --service-account string                    Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
+      --skip-tls                                  skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
+      --skip-tls-verify                           skip TLS certificate verification for container image registries while pulling bundles
+      --timeout duration                          Duration to wait for the command to complete before failing (default 2m0s)
+      --use-http                                  use plain HTTP for container image registries while pulling bundles
 ```
 
 ### Options inherited from parent commands
