Default to legacy PSA settings

awgreene · awgreene · commit dc25cb0a49ce · 2022-12-13T18:56:34.000-08:00
Problem: OLM recently introduced a few changes to default to running its
workloads in a restricted mode. As a part of these changes,
catalogSources built with earlier versions of OPM will not run as
expected unless the catalogSource yaml is configured to run in a legacy
version. Unfortunately, these legacy catalogs cannot be ran in
restricted namespaces, which includes the `olm` namespace which is used
to define global catalogSources.

Solution: Provide users ample time to convert to the new restricted
fromat by defaulting to legacy restrictions and reclassify the `olm`
namespace as a baseline privilege namespace.

Signed-off-by: Alexander Greene &lt;greene.al1991@gmail.com&gt;
diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go
@@ -195,11 +195,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 		},
 	}
 
-	if source.Spec.GrpcPodConfig != nil {
-		if source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {
-			addSecurityContext(pod, runAsUser)
-		}
-	} else {
+	if source.Spec.GrpcPodConfig != nil && source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {
 		addSecurityContext(pod, runAsUser)
 	}
 
diff --git a/pkg/controller/registry/reconciler/reconciler_test.go b/pkg/controller/registry/reconciler/reconciler_test.go
@@ -88,25 +88,57 @@ func TestPodContainerSecurityContext(t *testing.T) {
 		expectedContainerSecurityContext *corev1.SecurityContext
 	}{
 		{
-			title: "NoSpecDefined/PodContainsSecurityConfigForPSARestricted",
+			title: "NoSpecDefined/PodContainsSecurityConfigForPSALegacy",
 			inputCatsrc: &v1alpha1.CatalogSource{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test",
 					Namespace: "testns",
 				},
 			},
-			expectedContainerSecurityContext: &corev1.SecurityContext{
-				ReadOnlyRootFilesystem:   pointer.Bool(false),
-				AllowPrivilegeEscalation: pointer.Bool(false),
-				Capabilities: &corev1.Capabilities{
-					Drop: []corev1.Capability{"ALL"},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
+		},
+		{
+			title: "SpecDefined/NoGRPCPodConfig/PodContainsSecurityConfigForPSALegacy",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
 				},
+				Spec: v1alpha1.CatalogSourceSpec{},
 			},
-			expectedSecurityContext: &corev1.PodSecurityContext{
-				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
-				RunAsUser:      pointer.Int64(workloadUserID),
-				RunAsNonRoot:   pointer.Bool(true),
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
+		},
+		{
+			title: "SpecDefined/GRPCPodConfigDefined/PodContainsSecurityConfigForPSALegacy",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{},
+				},
+			},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
+		},
+		{
+			title: "SpecDefined/SecurityContextConfig:Legacy/PodContainsSecurityConfigForPSALegacy",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{
+						SecurityContextConfig: v1alpha1.Legacy,
+					},
+				},
 			},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
 		},
 		{
 			title: "SpecDefined/SecurityContextConfig:Restricted/PodContainsSecurityConfigForPSARestricted",
diff --git a/test/e2e/catalog_e2e_test.go b/test/e2e/catalog_e2e_test.go
@@ -1451,6 +1451,7 @@ var _ = Describe("Starting CatalogSource e2e tests", func() {
 				}).Should(Succeed())
 			})
 			It("The registry pod fails to become come up because of lack of permission", func() {
+				Skip("This test will not work until catalogSources run in restricted mode by default")
 				Eventually(func() (bool, error) {
 					podList, err := c.KubernetesInterface().CoreV1().Pods(ns.GetName()).List(context.TODO(), metav1.ListOptions{})
 					if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -195,11 +195,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN`
`195`	`195`	`},`
`196`	`196`	`}`
`197`	`197`
`198`		`- if source.Spec.GrpcPodConfig != nil {`
`199`		`- if source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {`
`200`		`- addSecurityContext(pod, runAsUser)`
`201`		`- }`
`202`		`- } else {`
	`198`	`+ if source.Spec.GrpcPodConfig != nil && source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {`
`203`	`199`	`addSecurityContext(pod, runAsUser)`
`204`	`200`	`}`
`205`	`201`