Ensure that the Pod Security Standards are commented in the default scaffold (#5872)

* bump kb to latest commit

Signed-off-by: Bryce Palmer <[email protected]>

* bump helm-operator-plugins

Signed-off-by: Bryce Palmer <[email protected]>

* Signed-off-by: Bryce Palmer <[email protected]>

bump latest changes on kb

* fix sanity

Co-authored-by: Bryce Palmer <[email protected]>

Author: camilamacedo86

changelog/fragments/kb-800fdeec6e5c.yaml

@@ -1,55 +1,6 @@
 # entries is a list of entries to include in
 # release notes and/or the migration guide
 entries:
-  - description: >
-      For Golang/Ansible/Helm/HybridHelm language-based operators (go/v3, ansible/v1, helm/v1, hybrid.helm/v1-alpha): applying restrictive SCC for all containers scaffolded by the tool (will not work with k8s versions < 1.19).
-      ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/2700)). Important: You might be affected while updating Kubernetes to 1.25, Hence,  ensure that the containers
-      used in your project are restrictive or defined with the property labels `pod-security.kubernetes.io` on clusters ([More info](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces)). Therefore, we suggest
-      that you begin to configure the projects according to the best practices. ([More info](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/))
-    kind: "change"
-
-    # Is this a breaking change?
-    breaking: false
-    migration:
-      header: For Golang/Ansible/Helm/HybridHelm language-based operators (go/v3, ansible/v1, helm/v1, hybrid.helm/v1-alpha)
-      body: |
-        Following the steps
-        1) In `config/kdefault/manager_auth_proxy_patch.go` ensure the following security context:
-
-        ```yaml
-        ...
-        spec:
-          containers:
-          - name: kube-rbac-proxy
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                  - ALL
-        ...
-        ```
-
-        2) In the `config/manager/manager.yaml` ensure the following security context:
-
-        ```yaml
-        spec:
-          securityContext:
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-          containers:
-            - command:
-                - /manager
-              image: controller:latest
-              name: manager
-              securityContext:
-                allowPrivilegeEscalation: false
-                capabilities:
-                  drop:
-                    - ALL
-        ```
-        3) Run make bundle tagert to ensure that the above changes are also applied to
-        your bundles.
   - description: >
       For Golang-based language (go/v2), fix issue introduced by removing the GO111MODULE=on from Dockerfile. ([More info](https://github.com/kubernetes-sigs/kubebuilder/pull/2678))
 

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.18.1
 	github.com/operator-framework/api v0.15.0
-	github.com/operator-framework/helm-operator-plugins v0.0.12-0.20220608155702-d3967d2ae2ac
+	github.com/operator-framework/helm-operator-plugins v0.0.12-0.20220613184440-7329cace347f
 	github.com/operator-framework/java-operator-plugins v0.5.1
 	github.com/operator-framework/operator-lib v0.11.0
 	github.com/operator-framework/operator-manifest-tools v0.2.1
@@ -42,7 +42,7 @@ require (
 	k8s.io/kubectl v0.24.0
 	sigs.k8s.io/controller-runtime v0.12.1
 	sigs.k8s.io/controller-tools v0.9.0
-	sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220608134342-eea565cb3f50
+	sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220613215411-7a05e3d4fe6d
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -867,8 +867,8 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/operator-framework/api v0.15.0 h1:4f9i0drtqHj7ykLoHxv92GR43S7MmQHhmFQkfm5YaGI=
 github.com/operator-framework/api v0.15.0/go.mod h1:scnY9xqSeCsOdtJtNoHIXd7OtHZ14gj1hkDA4+DlgLY=
-github.com/operator-framework/helm-operator-plugins v0.0.12-0.20220608155702-d3967d2ae2ac h1:a00NNxt4JF/Cg31c37+DhBzjIurdXUKAoxPdOxpvdV4=
-github.com/operator-framework/helm-operator-plugins v0.0.12-0.20220608155702-d3967d2ae2ac/go.mod h1:XRYBnRxeOF8UVOsXj24pL4QMjvd2D72SzKmGCcsoOGs=
+github.com/operator-framework/helm-operator-plugins v0.0.12-0.20220613184440-7329cace347f h1:lS/IvqlvEQGIwXE0VlW+mOCmFEXBKywNbGQDrK++r/g=
+github.com/operator-framework/helm-operator-plugins v0.0.12-0.20220613184440-7329cace347f/go.mod h1:D7zPPwmIFBqHtWigU2iJiLuZ0v7hOJOb1/VC+/UuBAQ=
 github.com/operator-framework/java-operator-plugins v0.5.1 h1:HmiTocc61d/uqVPY/7EUR6ZTHDVeZ5/fgy7uo1QIBFc=
 github.com/operator-framework/java-operator-plugins v0.5.1/go.mod h1:UnUHAWY203Xw1j6Xpiirp/psJJaSRYcjenc0NH2+aVw=
 github.com/operator-framework/operator-lib v0.11.0 h1:eYzqpiOfq9WBI4Trddisiq/X9BwCisZd3rIzmHRC9Z8=
@@ -1801,8 +1801,8 @@ sigs.k8s.io/controller-tools v0.9.0 h1:b/vSEPpA8hiMiyzDfLbZdCn3hoAcy3/868OHhYtHY
 sigs.k8s.io/controller-tools v0.9.0/go.mod h1:NUkn8FTV3Sad3wWpSK7dt/145qfuQ8CKJV6j4jHC5rM=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
-sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220608134342-eea565cb3f50 h1:yPiqoNv2s1zA0BV/+ztL24M4PrnMl9BA8jksK9Ju344=
-sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220608134342-eea565cb3f50/go.mod h1:2o0wAP/Qi4vLA5tlmKOCTZdWUlkdewvkNi3o5Ko6eSw=
+sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220613215411-7a05e3d4fe6d h1:VKHPL8DAxw5EAZyF01fRkSU41Yk+hpYpUEIrstg6e4Y=
+sigs.k8s.io/kubebuilder/v3 v3.0.0-alpha.0.0.20220613215411-7a05e3d4fe6d/go.mod h1:2o0wAP/Qi4vLA5tlmKOCTZdWUlkdewvkNi3o5Ko6eSw=
 sigs.k8s.io/kustomize/api v0.11.4 h1:/0Mr3kfBBNcNPOW5Qwk/3eb8zkswCwnqQxxKtmrTkRo=
 sigs.k8s.io/kustomize/api v0.11.4/go.mod h1:k+8RsqYbgpkIrJ4p9jcdPqe8DprLxFUUO0yNOq8C+xI=
 sigs.k8s.io/kustomize/cmd/config v0.10.6/go.mod h1:/S4A4nUANUa4bZJ/Edt7ZQTyKOY9WCER0uBS1SW2Rco=

hack/generate/samples/internal/ansible/memcached.go

@@ -81,6 +81,9 @@ func (ma *Memcached) Run() {
 		"#- ../prometheus", "#")
 	pkg.CheckError("enabling prometheus metrics", err)
 
+	err = ma.ctx.UncommentRestrictivePodStandards()
+	pkg.CheckError("creating the bundle", err)
+
 	ma.addingAnsibleTask()
 	ma.addingMoleculeMockData()
 

hack/generate/samples/internal/go/v3/memcached_with_webhooks.go

@@ -80,6 +80,9 @@ func (mh *Memcached) Run() {
 		"--resource", "true")
 	pkg.CheckError("scaffolding apis", err)
 
+	err = mh.ctx.UncommentRestrictivePodStandards()
+	pkg.CheckError("creating the bundle", err)
+
 	log.Infof("implementing the API")
 	mh.implementingAPI()
 

hack/generate/samples/internal/helm/memcached.go

@@ -86,6 +86,9 @@ func (mh *Memcached) Run() {
 		"--helm-chart", helmChartPath)
 	pkg.CheckError("creating the project", err)
 
+	err = mh.ctx.UncommentRestrictivePodStandards()
+	pkg.CheckError("creating the bundle", err)
+
 	log.Infof("customizing the sample")
 	err = kbutil.ReplaceInFile(
 		filepath.Join(mh.ctx.Dir, "config", "samples", "cache_v1alpha1_memcached.yaml"),

internal/testutils/utils.go

@@ -26,6 +26,7 @@ import (
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+	kbutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"
 	kbtestutils "sigs.k8s.io/kubebuilder/v3/test/e2e/utils"
 )
 
@@ -203,3 +204,39 @@ func WrapWarnOutput(_ string, err error) {
 func WrapWarn(err error) {
 	WrapWarnOutput("", err)
 }
+
+func (tc TestContext) UncommentRestrictivePodStandards() error {
+	configManager := filepath.Join(tc.Dir, "config", "manager", "manager.yaml")
+	managerAuth := filepath.Join(tc.Dir, "config", "default", "manager_auth_proxy_patch.yaml")
+
+	if err := kbutil.ReplaceInFile(configManager, `# TODO(user): uncomment for common cases that do not require escalating privileges
+        # capabilities:
+        #   drop:
+        #     - "ALL"`, `  capabilities:
+            drop:
+              - "ALL"`); err != nil {
+		return err
+	}
+
+	if err := kbutil.ReplaceInFile(managerAuth, `# TODO(user): uncomment for common cases that do not require escalating privileges
+        # capabilities:
+        #   drop:
+        #     - "ALL"`, `  capabilities:
+            drop:
+              - "ALL"`); err != nil {
+		return err
+	}
+
+	if err := kbutil.ReplaceInFile(configManager, `# TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault`, `seccompProfile:
+          type: RuntimeDefault`); err == nil {
+		return err
+	}
+
+	return nil
+}

testdata/ansible/memcached-operator/config/default/manager_auth_proxy_patch.yaml

@@ -14,7 +14,7 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-              - ALL
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/ansible/memcached-operator/config/manager/manager.yaml

@@ -41,7 +41,7 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-              - ALL
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

testdata/go/v3/memcached-operator/config/default/manager_auth_proxy_patch.yaml

@@ -14,7 +14,7 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-              - ALL
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"