Change securityContext on operator, so that scc is 'restricted'

This change will allow the SCC to be 'restricted', otherwise it will be 'privileged' Signed-off-by: Andrej Krejcir <akrejcir@redhat.com>
kubevirt · Aug 20, 2021 · 0ce711f · 0ce711f
1 parent 42d6863
commit 0ce711f
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/config/manager/manager.template.yaml b/config/manager/manager.template.yaml
@@ -19,7 +19,7 @@ spec:
       serviceAccountName: ssp-operator
       priorityClassName: system-cluster-critical
       securityContext:
-        runAsUser: 1000
+        runAsNonRoot: true
       containers:
       - command:
         - /manager

diff --git a/tests/misc_test.go b/tests/misc_test.go
@@ -3,6 +3,9 @@ package tests
 import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+	core "k8s.io/api/core/v1"
+	validator "kubevirt.io/ssp-operator/internal/operands/template-validator"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	lifecycleapi "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk/api"
 
@@ -73,3 +76,40 @@ var _ = Describe("Observed generation", func() {
 		Expect(err).ToNot(HaveOccurred())
 	})
 })
+
+var _ = Describe("SCC annotation", func() {
+	const (
+		sccAnnotation = "openshift.io/scc"
+		sccRestricted = "restricted"
+	)
+
+	BeforeEach(func() {
+		waitUntilDeployed()
+	})
+
+	It("operator pod should have 'restricted' scc annotation", func() {
+		pods := &core.PodList{}
+		err := apiClient.List(ctx, pods, client.MatchingLabels{"control-plane": "ssp-operator"})
+
+		Expect(err).ToNot(HaveOccurred())
+		Expect(pods.Items).ToNot(BeEmpty())
+
+		for _, pod := range pods.Items {
+			Expect(pod.Annotations).To(HaveKeyWithValue(sccAnnotation, sccRestricted), "Expected pod %s/%s to have scc 'restricted'", pod.Namespace, pod.Name)
+		}
+	})
+
+	It("template validator pods should have 'restricted' scc annotation", func() {
+		pods := &core.PodList{}
+		err := apiClient.List(ctx, pods,
+			client.InNamespace(strategy.GetNamespace()),
+			client.MatchingLabels{validator.KubevirtIo: validator.VirtTemplateValidator})
+
+		Expect(err).ToNot(HaveOccurred())
+		Expect(pods.Items).ToNot(BeEmpty())
+
+		for _, pod := range pods.Items {
+			Expect(pod.Annotations).To(HaveKeyWithValue(sccAnnotation, sccRestricted), "Expected pod %s/%s to have scc 'restricted'", pod.Namespace, pod.Name)
+		}
+	})
+})