Kubemacpool: Parameterize "runAsNonRoot" in the yaml (#1568)

* network, render: Add clusterInfo param to kubemacpool This parameter will be needed in future commits. Signed-off-by: Ram Lavi <ralavi@redhat.com> * network, kubemapcool: Parameterize RunAsNonRoot and RunAsUser When running without securitycontextconstraints deployed on the cluster - these fields need to be set manually in order to comply with PSA. However, when securitycontextconstraints is deplyed these params should be set by it or the manually selected UserID might be out of range [0]. [0] https://issues.redhat.com/browse/CNV-29823 Signed-off-by: Ram Lavi <ralavi@redhat.com> * data, kubemacpool: Run bump script Signed-off-by: Ram Lavi <ralavi@redhat.com> --------- Signed-off-by: Ram Lavi <ralavi@redhat.com>
kubevirt · Jun 20, 2023 · 506000c · 506000c
1 parent 26b0318
commit 506000c
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 8 deletions.
diff --git a/data/kubemacpool/kubemacpool.yaml b/data/kubemacpool/kubemacpool.yaml
@@ -201,8 +201,8 @@ spec:
       priorityClassName: system-cluster-critical
       restartPolicy: Always
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 107
+        runAsNonRoot: {{ .RunAsNonRoot }}
+        runAsUser: {{ .RunAsUser }}
         seccompProfile:
           type: RuntimeDefault
       terminationGracePeriodSeconds: 5
@@ -320,8 +320,8 @@ spec:
       priorityClassName: system-cluster-critical
       restartPolicy: Always
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 107
+        runAsNonRoot: {{ .RunAsNonRoot }}
+        runAsUser: {{ .RunAsUser }}
         seccompProfile:
           type: RuntimeDefault
       terminationGracePeriodSeconds: 5

diff --git a/hack/components/bump-kubemacpool.sh b/hack/components/bump-kubemacpool.sh
@@ -82,6 +82,9 @@ spec:
       - image: "{{ .KubeRbacProxyImage }}"
         imagePullPolicy: "{{ .ImagePullPolicy }}"
         name: kube-rbac-proxy
+      securityContext:
+        runAsNonRoot: "{{ .RunAsNonRoot }}"
+        runAsUser: "{{ .RunAsUser }}"
 EOF
 
     cat <<EOF > config/cnao/cnao_cert-manager_patch.yaml
@@ -106,6 +109,9 @@ spec:
             value: "{{ .CertRotateInterval | default \"4380h0m0s\" }}"
           - name: CERT_OVERLAP_INTERVAL
             value: "{{ .CertOverlapInterval | default \"24h0m0s\" }}"
+      securityContext:
+        runAsNonRoot: "{{ .RunAsNonRoot }}"
+        runAsUser: "{{ .RunAsUser }}"
 EOF
 
     cat <<EOF > config/cnao/cnao_placement_patch.yaml
@@ -153,7 +159,7 @@ mv kustomize $KUBEMACPOOL_PATH
 rm kustomize.tar.gz
 (
     cd $KUBEMACPOOL_PATH
-    ./kustomize build config/cnao | sed "s/'{{ toYaml \(.*\)}}'/{{ toYaml \1}}/"
+    ./kustomize build config/cnao | sed "s/'{{ toYaml \(.*\)}}'/{{ toYaml \1}}/;s/'{{ .RunAsNonRoot }}'/{{ .RunAsNonRoot }}/g;s/'{{ .RunAsUser }}'/{{ .RunAsUser }}/g"
 ) > data/kubemacpool/kubemacpool.yaml
 
 echo 'Get kubemacpool image name and update it under CNAO'

diff --git a/pkg/network/kubemacpool.go b/pkg/network/kubemacpool.go
@@ -96,7 +96,7 @@ func changeSafeKubeMacPool(prev, next *cnao.NetworkAddonsConfigSpec) []error {
 }
 
 // renderLinuxBridge generates the manifests of Linux Bridge
-func renderKubeMacPool(conf *cnao.NetworkAddonsConfigSpec, manifestDir string) ([]*unstructured.Unstructured, error) {
+func renderKubeMacPool(conf *cnao.NetworkAddonsConfigSpec, manifestDir string, clusterInfo *ClusterInfo) ([]*unstructured.Unstructured, error) {
 	if conf.KubeMacPool == nil {
 		return nil, nil
 	}
@@ -115,6 +115,14 @@ func renderKubeMacPool(conf *cnao.NetworkAddonsConfigSpec, manifestDir string) (
 	data.Data["CertRotateInterval"] = conf.SelfSignConfiguration.CertRotateInterval
 	data.Data["CertOverlapInterval"] = conf.SelfSignConfiguration.CertOverlapInterval
 
+	if clusterInfo.SCCAvailable {
+		data.Data["RunAsNonRoot"] = "null"
+		data.Data["RunAsUser"] = "null"
+	} else {
+		data.Data["RunAsNonRoot"] = "true"
+		data.Data["RunAsUser"] = "107"
+	}
+
 	ciphers, tlsMinVersion := SelectCipherSuitesAndMinTLSVersion(conf.TLSSecurityProfile)
 	data.Data["TLSSecurityProfileCiphers"] = strings.Join(ciphers, ",")
 	data.Data["TLSMinVersion"] = TLSVersionToHumanReadable(tlsMinVersion)

diff --git a/pkg/network/network.go b/pkg/network/network.go
@@ -134,7 +134,7 @@ func Render(conf *cnao.NetworkAddonsConfigSpec, manifestDir string, openshiftNet
 	objs = append(objs, o...)
 
 	// render kubeMacPool
-	o, err = renderKubeMacPool(conf, manifestDir)
+	o, err = renderKubeMacPool(conf, manifestDir, clusterInfo)
 	if err != nil {
 		return nil, err
 	}
@@ -206,7 +206,7 @@ func RenderObjsToRemove(prev, conf *cnao.NetworkAddonsConfigSpec, manifestDir st
 	}
 
 	if conf.KubeMacPool == nil {
-		o, err := renderKubeMacPool(prev, manifestDir)
+		o, err := renderKubeMacPool(prev, manifestDir, clusterInfo)
 		if err != nil {
 			return nil, err
 		}