fix: remove runAsUser/Group to support OpenShift 3

These values are automatically generated by OpenShift and cannot be the ones we have been enforcing until now.
Also update the Dockerfile to run with the numeric user and group -- this allows the deployment to proceed, otherwise Kubernetes cannot infer the UID of the user "snyk" and fails to deploy.

Author: ivanstanev

Dockerfile

@@ -37,7 +37,7 @@ RUN addgroup -S -g 10001 snyk
 RUN adduser -S -G snyk -h /srv/app -u 10001 snyk
 
 WORKDIR /srv/app
-USER snyk:snyk
+USER 10001:10001
 
 COPY --chown=snyk:snyk --from=skopeo-build /usr/bin/skopeo /usr/bin/skopeo
 COPY --chown=snyk:snyk --from=skopeo-build /etc/containers/registries.d/default.yaml /etc/containers/registries.d/default.yaml

scripts/create-operator.sh

@@ -33,17 +33,11 @@ HELM_CHART_LOCATION="${PWD}/${HELM_CHART_NAME}"
 # Also, the end location should be "helm-charts", as this is what the operator-sdk expects when building the Operator image!
 OPERATOR_HELM_CHARTS_LOCATION="${OPERATOR_LOCATION}/helm-charts"
 OPERATOR_HELM_VALUES_LOCATION="${OPERATOR_HELM_CHARTS_LOCATION}/${HELM_CHART_NAME}/values.yaml"
-OPERATOR_HELM_DEPLOYMENT_LOCATION="${OPERATOR_HELM_CHARTS_LOCATION}/${HELM_CHART_NAME}/templates/deployment.yaml"
 
 mkdir -p "${OPERATOR_HELM_CHARTS_LOCATION}"
 
 cp -R "${HELM_CHART_LOCATION}" "${OPERATOR_HELM_CHARTS_LOCATION}"
 
-# The following fields will be automatically generated by OpenShift when deploying the snyk-monitor; we can't hardcode them.
-sed -i.bak "s|runAsUser: 10001|# runAsUser: 10001|g" "${OPERATOR_HELM_DEPLOYMENT_LOCATION}"
-sed -i.bak "s|runAsGroup: 10001|# runAsGroup: 10001|g" "${OPERATOR_HELM_DEPLOYMENT_LOCATION}"
-rm "${OPERATOR_HELM_DEPLOYMENT_LOCATION}.bak"
-
 sed -i.bak "s|IMAGE_TAG_OVERRIDE_WHEN_PUBLISHING|${SNYK_MONITOR_IMAGE_TAG}|g" "${OPERATOR_HELM_VALUES_LOCATION}"
 rm "${OPERATOR_HELM_VALUES_LOCATION}.bak"
 

snyk-monitor-deployment.yaml

@@ -66,8 +66,6 @@ spec:
             cpu: '1'
             memory: '2Gi'
         securityContext:
-          runAsUser: 10001
-          runAsGroup: 10001
           privileged: false
           runAsNonRoot: true
           allowPrivilegeEscalation: false

snyk-monitor/templates/deployment.yaml

@@ -56,8 +56,6 @@ spec:
               cpu: {{ .Values.limits.cpu }}
               memory: {{ .Values.limits.memory }}
           securityContext:
-            runAsUser: 10001
-            runAsGroup: 10001
             privileged: false
             runAsNonRoot: true
             allowPrivilegeEscalation: false

test/helpers/deployment.ts

@@ -62,20 +62,6 @@ export function validateSecureConfiguration(test: tap, deployment: V1Deployment)
   tap.ok(securityContext.allowPrivilegeEscalation === false, 'must explicitly set allowPrivilegeEscalation to false');
   tap.ok(securityContext.privileged === false, 'must explicitly set privileged to false');
   tap.ok(securityContext.runAsNonRoot === true, 'must explicitly set runAsNonRoot to true');
-
-  // On the OpenShift platform we delete runAsUser/runAsGroup from the Operator that creates this Deployment, so we cannot test their presence.
-  if (process.env['TEST_PLATFORM'] !== 'openshift4') {
-    tap.ok(
-      securityContext.runAsUser !== undefined &&
-        securityContext.runAsUser >= 10001,
-      'must explicitly set runAsUser to be 10001 or greater',
-    );
-    tap.ok(
-      securityContext.runAsGroup !== undefined &&
-        securityContext.runAsGroup >= 10001,
-      'must explicitly set runAsGroup to be 10001 or greater',
-    );
-  }
 }
 
 export function validateVolumeMounts(test: tap, deployment: V1Deployment) {