Update CatalogSource Pod security context

Signed-off-by: perdasilva <[email protected]>

Author: perdasilva

Dockerfile

@@ -2,7 +2,7 @@ FROM quay.io/fedora/fedora:34-x86_64 as builder
 LABEL stage=builder
 WORKDIR /build
 
-# install dependencies and go 1.16
+# install dependencies and go 1.17
 
 # copy just enough of the git repo to parse HEAD, used to record version in OLM binaries
 RUN dnf update -y && dnf install -y bash make git mercurial jq wget && dnf upgrade -y

pkg/controller/registry/reconciler/reconciler.go

@@ -113,7 +113,13 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 		pullPolicy = corev1.PullAlways
 	}
 
+	// Security context
 	readOnlyRootFilesystem := false
+	allowPrivilegeEscalation := false
+	runAsNonRoot := true
+
+	// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27
+	runAsUser := int64(1001)
 
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -167,12 +173,23 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 						},
 					},
 					SecurityContext: &corev1.SecurityContext{
-						ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+						ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
 					},
 					ImagePullPolicy:          pullPolicy,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},

pkg/controller/registry/reconciler/reconciler_test.go

@@ -79,8 +79,23 @@ func TestPullPolicy(t *testing.T) {
 
 func TestPodContainerSecurityContext(t *testing.T) {
 	expectedReadOnlyRootFilesystem := false
+	expectedAllowPrivilegeEscalation := false
+	expectedRunAsNonRoot := true
+	expectedRunAsUser := int64(1001)
+
 	expectedContainerSecCtx := &corev1.SecurityContext{
-		ReadOnlyRootFilesystem: &expectedReadOnlyRootFilesystem,
+		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
+		AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
+	expectedPodSecCtx := &corev1.PodSecurityContext{
+		RunAsNonRoot: &expectedRunAsNonRoot,
+		RunAsUser:    &expectedRunAsUser,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 
 	catsrc := &v1alpha1.CatalogSource{
@@ -92,7 +107,9 @@ func TestPodContainerSecurityContext(t *testing.T) {
 
 	gotPod := Pod(catsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0))
 	gotContainerSecCtx := gotPod.Spec.Containers[0].SecurityContext
+	gotPodSecCtx := gotPod.Spec.SecurityContext
 	require.Equal(t, expectedContainerSecCtx, gotContainerSecCtx)
+	require.Equal(t, expectedPodSecCtx, gotPodSecCtx)
 }
 
 func TestPodSchedulingOverrides(t *testing.T) {

test/e2e/collect-ci-artifacts.sh

@@ -14,12 +14,25 @@ echo "Using the ${TEST_ARTIFACTS_DIR} output directory"
 mkdir -p "${TEST_ARTIFACTS_DIR}"
 
 commands=()
+commands+=("describe catalogsources")
+commands+=("describe subscriptions")
+commands+=("describe operatorgroups")
+commands+=("describe clusterserviceversions")
+commands+=("describe installplans")
+commands+=("describe pods")
+commands+=("describe service")
+commands+=("describe configmap")
 commands+=("get catalogsources -o yaml")
 commands+=("get subscriptions -o yaml")
 commands+=("get operatorgroups -o yaml")
 commands+=("get clusterserviceversions -o yaml")
 commands+=("get installplans -o yaml")
+commands+=("get pods -o yaml")
+commands+=("get all -o yaml")
+commands+=("get service -o yaml")
+commands+=("get configmap -o yaml")
 commands+=("get pods -o wide")
+commands+=("get all -o wide")
 commands+=("get events --sort-by .lastTimestamp")
 
 echo "Storing the test artifact output in the ${TEST_ARTIFACTS_DIR} directory"
@@ -28,3 +41,8 @@ for command in "${commands[@]}"; do
     COMMAND_OUTPUT_FILE=${TEST_ARTIFACTS_DIR}/${command// /_}
     ${KUBECTL} -n ${TEST_NAMESPACE} ${command} >> "${COMMAND_OUTPUT_FILE}"
 done
+
+for pod in $(${KUBECTL} -n ${TEST_NAMESPACE} get --no-headers pods | awk '{ print $1 }'); do
+  echo "Collecting logs for pod: ${pod}"
+  ${KUBECTL} -n ${TEST_NAMESPACE} logs ${pod} >> "${TEST_ARTIFACTS_DIR}/${pod}.log"
+done