This is an automated email from the ASF dual-hosted git repository. pcongiusti pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 7c91174bf24dc3d9e1d5fe12d7647de5237b8a0b
Author: Gaelle Fournier <[email protected]>
AuthorDate: Tue Sep 12 17:57:57 2023 +0200

    feat(core): Remove Openshift security warning message

    Add the valid openshift security contexts to :
    * operator pod
    * integration pod
---
 pkg/install/operator.go | 11 +++++++++++
 pkg/trait/container.go | 14 ++++++++++++++
 pkg/util/kubernetes/security.go | 38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)

diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index 5c5a2e134..9daf61ee0 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -44,6 +44,7 @@ import (
 	"github.com/apache/camel-k/v2/pkg/util/knative"
 	"github.com/apache/camel-k/v2/pkg/util/kubernetes"
 	"github.com/apache/camel-k/v2/pkg/util/minikube"
+	"github.com/apache/camel-k/v2/pkg/util/openshift"
 	"github.com/apache/camel-k/v2/pkg/util/patch"
 	image "github.com/apache/camel-k/v2/pkg/util/registry"
 )
@@ -243,6 +244,16 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 			// Remove Ingress permissions as it's not needed on OpenShift
 			// This should ideally be removed from the common RBAC manifest.
 			RemoveIngressRoleCustomizer(o)
+
+			if d, ok := o.(*appsv1.Deployment); ok {
+				securityContext, _ := openshift.GetOpenshiftSecurityContextRestricted(ctx, c, cfg.Namespace)
+				if securityContext != nil {
+					d.Spec.Template.Spec.Containers[0].SecurityContext = securityContext
+
+				} else {
+					d.Spec.Template.Spec.Containers[0].SecurityContext = kubernetes.DefaultOperatorSecurityContext()
+				}
+			}
 		}
 
 		return o
diff --git a/pkg/trait/container.go b/pkg/trait/container.go
index 141b4f58e..d2409c43e 100644
--- a/pkg/trait/container.go
+++ b/pkg/trait/container.go
@@ -39,6 +39,7 @@ import (
 	"github.com/apache/camel-k/v2/pkg/util/envvar"
 	"github.com/apache/camel-k/v2/pkg/util/knative"
 	"github.com/apache/camel-k/v2/pkg/util/kubernetes"
+	"github.com/apache/camel-k/v2/pkg/util/openshift"
 )
 
 const (
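Review bot: The error from `openshift.GetOpenshiftSecurityContextRestricted` is discarded on the `securityContext, _ :=` line, so a failed SCC lookup (RBAC denied, API unreachable) silently degrades to `kubernetes.DefaultOperatorSecurityContext()` with nothing in the logs to explain why the operator pod did not receive the namespace's restricted context. Binding it as `securityContext, err := openshift.GetOpenshiftSecurityContextRestricted(ctx, c, cfg.Namespace)` and logging or returning the error before falling back keeps the safe default while making the degraded path visible; the customizer's return signature is outside this hunk, so whether it can propagate the error is unclear from here. The surrounding comments suggest this block runs only in the OpenShift branch of `OperatorOrCollect`, which would mean the hardened default is never applied on plain Kubernetes where it is equally valid — worth confirming. `d.Spec.Template.Spec.Containers[0]` is indexed without a length check; the bundled operator manifest presumably has a container, but a guard such as `if len(d.Spec.Template.Spec.Containers) > 0` avoids a panic on a customised manifest. The enclosing function starts and ends outside the hunk.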
@@ -200,6 +201,8 @@ func (t *containerTrait) configureContainer(e *Environment) error {
 	}
 	t.configureCapabilities(e)
 
+	t.configureSecurityContext(e, &container)
+
 	var containers *[]corev1.Container
 	visited := false
 
@@ -339,3 +342,14 @@ func (t *containerTrait) configureCapabilities(e *Environment) {
 		e.ApplicationProperties["camel.context.rest-configuration.component"] = "platform-http"
 	}
 }
+
+func (t *containerTrait) configureSecurityContext(e *Environment, container *corev1.Container) {
+	// get security context from security context constraint configuration in namespace
+	isOpenShift, _ := openshift.IsOpenShift(e.Client)
+	if isOpenShift {
+		securityContext, _ := openshift.GetOpenshiftSecurityContextRestricted(e.Ctx, e.Client, e.Platform.Namespace)
+		if securityContext != nil {
+			container.SecurityContext = securityContext
+		}
+	}
+}
diff --git a/pkg/util/kubernetes/security.go b/pkg/util/kubernetes/security.go
new file mode 100644
index 000000000..b4a4d7692
--- /dev/null
+++ b/pkg/util/kubernetes/security.go
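Review bot: Both errors in `configureSecurityContext` are discarded (`isOpenShift, _ :=` and `securityContext, _ :=`), so a failed cluster-type probe or SCC lookup leaves the integration container with no security context at all and nothing surfaced to the user — unlike the operator path in this same commit, which at least falls back to `kubernetes.DefaultOperatorSecurityContext()`. Since `configureContainer` already returns `error` (visible in the first hunk's header), the helper can return the error and the call site in the first hunk become `if err := t.configureSecurityContext(e, &container); err != nil { return err }`; this assumes the discarded second value of `openshift.IsOpenShift` is an error. A non-OpenShift fallback to the hardened default would also close the gap with the operator path, provided the integration image runs as non-root. The comment above the method should be a doc comment starting with its name, e.g. `// configureSecurityContext applies the namespace's restricted-SCC security context to the container when running on OpenShift.`
```go
func (t *containerTrait) configureSecurityContext(e *Environment, container *corev1.Container) error {
	isOpenShift, err := openshift.IsOpenShift(e.Client)
	if err != nil {
		return err
	}
	if !isOpenShift {
		return nil
	}
	securityContext, err := openshift.GetOpenshiftSecurityContextRestricted(e.Ctx, e.Client, e.Platform.Namespace)
	if err != nil {
		return err
	}
	if securityContext != nil {
		container.SecurityContext = securityContext
	}
	return nil
}
```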
@@ -0,0 +1,38 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubernetes
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+// DefaultOperatorSecurityContext to ensure a container with low privilege and limited permissions.
+func DefaultOperatorSecurityContext() *corev1.SecurityContext {
+	runAsNonRoot := true
+	allowPrivilegeEscalation := false
+	sc := corev1.SecurityContext{
+		RunAsNonRoot: &runAsNonRoot,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+	}
+
+	return &sc
+}
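Review bot: The doc comment on `DefaultOperatorSecurityContext` is a fragment rather than a sentence starting with the function name, so godoc readers get "to ensure a container..."; `// DefaultOperatorSecurityContext returns a restrictive SecurityContext (non-root, no privilege escalation, RuntimeDefault seccomp, all capabilities dropped) for the operator container.` reads correctly. `RunAsNonRoot: true` is set without `RunAsUser`, so enforcement depends on the image's USER being non-root — the kubelet refuses to start the container otherwise, which is the desired fail-closed behaviour but deserves a one-line comment so nobody "fixes" it by dropping the field. `ReadOnlyRootFilesystem` is the one common restricted-profile field not set here; if the operator does not write to its root filesystem, adding it hardens further, and if it does, a comment saying why it is omitted would help the next reader. The name ties this default to the operator, yet the integration path in `pkg/trait/container.go` in this same commit has no fallback at all, so it may be worth positioning it as a general restricted default.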
