Add support to configure SecurityContext/allowPrivilegeEscalation for the deployed containers

[gowrishdc]

Description
Related Issue in spring cloud data flow project: issue created in dataflow project for the same

Note: I believe the code fix is probably in this project so adding /linking it here to get attention.

Require the Stream and Task PODS that are created by the deploy process have the capability to control controller level securityContext/allowPrivilegeEscalation attribute.

The resulting deployment creates the securityContext/allowPrivilegeEscalation for the container sections. However, it does not create the securityContext for the initContainers that are created for the "log" sink application which has a deployment count of 3. As part of that the App is "scaled" deployed with initContainer that does not have the securityContext.

The security policy stops all deployment that does not have securityContext/allowPrivilegeEscalation: false and that is causing this stream deployment to fail with this error message:

Error Message: [psp-allow-privilege-escalation-container] OPA-GATEKEEPER CONSTRAINT: Container index-provider is attempting to run without a required securityContext/allowPrivilegeEscalation, Allowed = false.]

Steps to reproduce:

> stream create --name "words" --definition "http --server.port=9001 | splitter --expression=payload.split(' ') | log"
> stream deploy --name "words" --propertiesFile words-stream.properties
> cat words-stream.properties
app.http.server.port=9001
app.splitter.expression=payload.split(' ')
app.splitter.producer.partitionKeyExpression=payload
deployer.log.count=3

deployer.http.kubernetes.deployment-labels=applicationid:123456
deployer.log.kubernetes.deployment-labels=applicationid:123456
deployer.splitter.kubernetes.deployment-labels=applicationid:123456

deployer.http.kubernetes.containerSecurityContext={allowPrivilegeEscalation: false}
deployer.log.kubernetes.containerSecurityContext={allowPrivilegeEscalation: false}
deployer.splitter.kubernetes.containerSecurityContext={allowPrivilegeEscalation: false}

Please let me know if you need more information.

Additional information:

spring-cloud-deployer-kubernetes/src/main/java/org/springframework/cloud/deployer/spi/kubernetes/KubernetesAppDeployer.java

Line 314 in e6f4b23

podSpec.getInitContainers().add(createStatefulSetInitContainer(statefulSetInitContainerImageName));

spring-cloud-deployer-kubernetes/src/main/java/org/springframework/cloud/deployer/spi/kubernetes/KubernetesAppDeployer.java

Lines 491 to 506 in e6f4b23

	private Container createStatefulSetInitContainer(String imageName) {
	List<String> command = new LinkedList<>();
	String commandString = String
	.format("%s && %s", setIndexProperty("INSTANCE_INDEX"), setIndexProperty("spring.application.index"));
	command.add("sh");
	command.add("-c");
	command.add(commandString);
	return new ContainerBuilder().withName("index-provider")
	.withImage(imageName)
	.withImagePullPolicy("IfNotPresent")
	.withCommand(command)
	.withVolumeMounts(new VolumeMountBuilder().withName("config").withMountPath("/config").build())
	.build();
	}

Should the initContainer need something like this that is done for the container section:

spring-cloud-deployer-kubernetes/src/main/java/org/springframework/cloud/deployer/spi/kubernetes/AbstractKubernetesDeployer.java

Lines 256 to 259 in e6f4b23

	SecurityContext containerSecurityContext = this.deploymentPropertiesResolver.getContainerSecurityContext(deploymentProperties);
	if (containerSecurityContext != null) {
	container.setSecurityContext(containerSecurityContext);
	}

[corneil]

We will need to add ContainerSecurityContext to InitContainer and ensure that the creation of the init container uses the properties.
We will prioritize this for SCDF 2.10.1 which is planned for early in the new year.

[onobc]

Closed via de4ed59