From 353dc704d80e7eef34664f78efe8514a0f670722 Mon Sep 17 00:00:00 2001
From: Andrej Krejcir
Date: Thu, 19 Aug 2021 12:02:12 +0200
Subject: [PATCH] Change securityContext on operator, so that scc is 'restricted'

This change will allow the SCC to be 'restricted', otherwise it will be 'privileged'

Signed-off-by: Andrej Krejcir
---
config/manager/manager.template.yaml | 2 +-
tests/misc_test.go | 40 ++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/config/manager/manager.template.yaml b/config/manager/manager.template.yaml
index 851db2603..3b1089eb3 100644
--- a/config/manager/manager.template.yaml
+++ b/config/manager/manager.template.yaml
@@ -19,7 +19,7 @@ spec:
 serviceAccountName: ssp-operator
 priorityClassName: system-cluster-critical
 securityContext:
- runAsUser: 1000
+ runAsNonRoot: true
 containers:
 - command:
 - /manager
diff --git a/tests/misc_test.go b/tests/misc_test.go
index e088dcdea..6c747b14f 100644
--- a/tests/misc_test.go
+++ b/tests/misc_test.go
@@ -3,10 +3,13 @@ package tests
 import (
 . "github.com/onsi/ginkgo"
 . "github.com/onsi/gomega"
+ core "k8s.io/api/core/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
 lifecycleapi "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk/api"
 sspv1beta1 "kubevirt.io/ssp-operator/api/v1beta1"
+ validator "kubevirt.io/ssp-operator/internal/operands/template-validator"
 )
 var _ = Describe("Observed generation", func() {
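Review bot: With `runAsUser` removed and only `runAsNonRoot: true` left in the pod-level securityContext, the UID the operator runs as is now whatever the admitting SCC or the image's USER directive supplies, and nothing in the manifest records that this is deliberate. On clusters without SCC admission the kubelet refuses to start a container whose image resolves to UID 0 or to a non-numeric USER when runAsNonRoot is set, so the manager image must declare a numeric non-root USER for this change to hold outside OpenShift. A comment on the field would stop the next reader from re-adding `runAsUser`, e.g. `# runAsUser is intentionally unset so the OpenShift 'restricted' SCC can assign a UID from the namespace range; the image must then declare a numeric non-root USER.` The container-level securityContext (capabilities, allowPrivilegeEscalation) is outside this hunk, so whether the remaining 'restricted' SCC requirements are met cannot be checked here.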
@@ -73,3 +76,40 @@ var _ = Describe("Observed generation", func() {
 Expect(err).ToNot(HaveOccurred())
 })
 })
+
+var _ = Describe("SCC annotation", func() {
+ const (
+ sccAnnotation = "openshift.io/scc"
+ sccRestricted = "restricted"
+ )
+
+ BeforeEach(func() {
+ waitUntilDeployed()
+ })
+
+ It("[test_id:7162] operator pod should have 'restricted' scc annotation", func() {
+ pods := &core.PodList{}
+ err := apiClient.List(ctx, pods, client.MatchingLabels{"control-plane": "ssp-operator"})
+
+ Expect(err).ToNot(HaveOccurred())
+ Expect(pods.Items).ToNot(BeEmpty())
+
+ for _, pod := range pods.Items {
+ Expect(pod.Annotations).To(HaveKeyWithValue(sccAnnotation, sccRestricted), "Expected pod %s/%s to have scc 'restricted'", pod.Namespace, pod.Name)
+ }
+ })
+
+ It("[test_id:7163] template validator pods should have 'restricted' scc annotation", func() {
+ pods := &core.PodList{}
+ err := apiClient.List(ctx, pods,
+ client.InNamespace(strategy.GetNamespace()),
+ client.MatchingLabels{validator.KubevirtIo: validator.VirtTemplateValidator})
+
+ Expect(err).ToNot(HaveOccurred())
+ Expect(pods.Items).ToNot(BeEmpty())
+
+ for _, pod := range pods.Items {
+ Expect(pod.Annotations).To(HaveKeyWithValue(sccAnnotation, sccRestricted), "Expected pod %s/%s to have scc 'restricted'", pod.Namespace, pod.Name)
+ }
+ })
+})
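Review bot: The operator-pod lookup in test 7162 lists pods with `client.MatchingLabels{"control-plane": "ssp-operator"}` across all namespaces, while 7163 scopes its list with `client.InNamespace(strategy.GetNamespace())`; the unscoped call needs cluster-wide pod list permission and would also match any other deployment carrying that label. If the operator runs in the namespace the strategy reports, inserting `client.InNamespace(strategy.GetNamespace()),` before the label selector makes the two tests consistent; if it lives elsewhere, the namespace should still be pinned explicitly. Both `It` blocks end with the same loop over `pods.Items` asserting the annotation, which could be one small helper taking the pod list. The `openshift.io/scc` annotation is written only by OpenShift's SCC admission, so on a plain Kubernetes cluster these tests fail rather than skip, which may be intended but deserves a comment on the Describe.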