OCPBUGS-20192: Add necessary security constraints to router deployment

Setting the filesystem to read only in the router container prevents it from rendering the haproxy config, and causes haproxy to be unable to start. Adding the security context constraint readOnlyRootFilesystem: false makes sure the security profile it is assigned does not require a read only filesystem.
openshift · Oct 13, 2023 · 9822f2a · 9822f2a
1 parent d8a3150
commit 9822f2a
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/pkg/manifests/assets/router/deployment.yaml b/pkg/manifests/assets/router/deployment.yaml
@@ -20,6 +20,7 @@ spec:
           securityContext:
             # See https://bugzilla.redhat.com/2007246
             allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: false
           terminationMessagePolicy: FallbackToLogsOnError
           # Merged at runtime.
           env:

diff --git a/pkg/operator/controller/ingress/deployment_test.go b/pkg/operator/controller/ingress/deployment_test.go
@@ -16,6 +16,7 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -76,9 +77,12 @@ func checkRouterContainerSecurityContext(t *testing.T, deployment *appsv1.Deploy
 
 	for _, container := range deployment.Spec.Template.Spec.Containers {
 		if container.Name == routerContainerName {
-			if v := container.SecurityContext.AllowPrivilegeEscalation; v == nil || *v != true {
+			if allowPrivEsc := container.SecurityContext.AllowPrivilegeEscalation; allowPrivEsc == nil || !*allowPrivEsc {
 				t.Errorf("%s container does not have securityContext.allowPrivilegeEscalation: true", routerContainerName)
 			}
+			if readOnlyFS := container.SecurityContext.ReadOnlyRootFilesystem; readOnlyFS == nil || *readOnlyFS {
+				t.Errorf("%s container does not have securityContext.readOnlyRootFilesystem: false", routerContainerName)
+			}
 		}
 	}
 }
@@ -1568,13 +1572,16 @@ func Test_deploymentConfigChanged(t *testing.T) {
 			expect: true,
 		},
 		{
-			description: "if the router container security context changes",
+			description: "if the router container .securityContext.allowPrivilegeEscalation changes",
 			mutate: func(deployment *appsv1.Deployment) {
-				v := true
-				sc := &corev1.SecurityContext{
-					AllowPrivilegeEscalation: &v,
-				}
-				deployment.Spec.Template.Spec.Containers[0].SecurityContext = sc
+				deployment.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = pointer.Bool(false)
+			},
+			expect: true,
+		},
+		{
+			description: "if the router container .securityContext.readOnlyRootFilesystem changes",
+			mutate: func(deployment *appsv1.Deployment) {
+				deployment.Spec.Template.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = pointer.Bool(true)
 			},
 			expect: true,
 		},
@@ -1762,6 +1769,10 @@ func Test_deploymentConfigChanged(t *testing.T) {
 											Protocol:      corev1.ProtocolTCP,
 										},
 									},
+									SecurityContext: &corev1.SecurityContext{
+										AllowPrivilegeEscalation: pointer.Bool(true),
+										ReadOnlyRootFilesystem:   pointer.Bool(false),
+									},
 								},
 							},
 							Affinity: &corev1.Affinity{