(catsrc) introduce spec.runAsRoot field

anik120 · anik120 · commit 5ec1b23ba04c · 2022-08-25T13:20:02.000-04:00
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp folder rather than / (root), a registry pod created in a namespace labled enforce:restricted for the Pod Security Admission controller is created by the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210 to run it in restricted mode. However, Catalogs built with a version of opm that does not contain the above change still needs privileged permission to run in a namespace that has to be labeled as enforce:privileged for the PSA controller. This PR introduces a new field, spec.runAsRoot, so that admins can indiciate their intent to allow to run the old CatalogSource in a privileged mode. When the catalog operator sees this field set to true, it will not set the securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will set the securityContext to `runAsNonRoot:false`.
diff --git a/crds/operators.coreos.com_catalogsources.yaml b/crds/operators.coreos.com_catalogsources.yaml
@@ -120,6 +120,9 @@ spec:
                   type: integer
                 publisher:
                   type: string
+                runAsRoot:
+                  description: RunAsRoot allows admins to indicate that they wish to run the CatalogSource pod in a privileged more as root
+                  type: boolean
                 secrets:
                   description: Secrets represent set of secrets that can be used to access the contents of the catalog. It is best to keep this list small, since each will need to be tried for every catalog entry.
                   type: array
diff --git a/crds/operators.coreos.com_clusterserviceversions.yaml b/crds/operators.coreos.com_clusterserviceversions.yaml
@@ -678,7 +678,6 @@ spec:
                                       metadata:
                                         description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
                                         type: object
-                                        x-kubernetes-preserve-unknown-fields: true
                                       spec:
                                         description: 'Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
                                         type: object
diff --git a/crds/zz_defs.go b/crds/zz_defs.go
diff --git a/pkg/operators/v1alpha1/catalogsource_types.go b/pkg/operators/v1alpha1/catalogsource_types.go
@@ -3,11 +3,12 @@ package v1alpha1
 import (
 	"encoding/json"
 	"fmt"
+	"time"
+
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"time"
 )
 
 const (
@@ -88,6 +89,11 @@ type CatalogSourceSpec struct {
 	// +optional
 	Secrets []string `json:"secrets,omitempty"`
 
+	// RunAsRoot allows admins to indicate that they wish to run the CatalogSource pod in a privileged
+	// more as root
+	// +optional
+	RunAsRoot bool `json:"runAsRoot,omitempty"`
+
 	// Metadata
 	DisplayName string `json:"displayName,omitempty"`
 	Description string `json:"description,omitempty"`
