Merged
36 changes: 6 additions & 30 deletions internal/deployer/operator_olm.go
Expand Up @@ -127,13 +127,6 @@ func (d *Deployer) getOperatorIndexImage() string {
func (d *Deployer) createCatalogSource(ctx context.Context, indexImage string) error {
d.logger.Info("Creating CatalogSource...")

// Check if CatalogSource CRD supports securityContextConfig (OCP 4.14+).
hasSecurityContextConfig, err := d.catalogSourceSupportsSecurityContextConfig(ctx)
if err != nil {
d.logger.Warning("Could not check CatalogSource CRD capabilities, proceeding without securityContextConfig")
hasSecurityContextConfig = false
}

catalogSource := map[string]interface{}{
"apiVersion": "operators.coreos.com/v1alpha1",
"kind": "CatalogSource",
Expand All @@ -145,24 +138,21 @@ func (d *Deployer) createCatalogSource(ctx context.Context, indexImage string) e
"sourceType": "grpc",
"image": indexImage,
"displayName": "StackRox Operator Index",
"grpcPodConfig": map[string]interface{}{
"securityContextConfig": "restricted",
},
},
}

// TODO(ROX-34499): Add security context config if supported.
if hasSecurityContextConfig {
spec := catalogSource["spec"].(map[string]interface{})
spec["grpcPodConfig"] = map[string]interface{}{
"securityContextConfig": "restricted",
}
}

yamlData, err := yaml.Marshal(catalogSource)
if err != nil {
return fmt.Errorf("failed to marshal CatalogSource: %w", err)
}

_, err = d.runKubectl(ctx, k8s.KubectlOptions{
Args: []string{"apply", "-f", "-"},
// Apply with --validate=ignore because securityContextConfig may not
// be in the CatalogSource CRD schema.
Args: []string{"apply", "--validate=ignore", "-f", "-"},
Stdin: bytes.NewReader(yamlData),
})
if err != nil {
Expand All @@ -173,20 +163,6 @@ func (d *Deployer) createCatalogSource(ctx context.Context, indexImage string) e
return nil
}

// catalogSourceSupportsSecurityContextConfig checks if the CatalogSource CRD supports securityContextConfig.
func (d *Deployer) catalogSourceSupportsSecurityContextConfig(ctx context.Context) (bool, error) {
result, err := d.runKubectl(ctx, k8s.KubectlOptions{
Args: []string{"get", "crd", "catalogsources.operators.coreos.com", "-o", "yaml"},
})
if err != nil {
return false, err
}

// TODO(ROX-34499): this is overly optimistic and would incorrectly succeed if an api version
// that contains this had "serving: false"
Comment thread
mclasmeier marked this conversation as resolved.
return strings.Contains(result.Stdout, "securityContextConfig"), nil
}

// createOperatorGroup creates the OperatorGroup.
func (d *Deployer) createOperatorGroup(ctx context.Context) error {
d.logger.Info("Creating OperatorGroup...")
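Review bot: Applying with `--validate=ignore` (the new `Args` line in createCatalogSource) turns off client-side schema checking for the whole manifest, and nothing afterwards confirms that `securityContextConfig: restricted` actually took effect. On a cluster whose CatalogSource CRD schema lacks the field, the API server will most likely drop it without an error, so the catalog pod can run without the restricted security context while the deployer reports success. I would read the field back after the apply and log a warning when it is missing, as sketched below; `catalogSourceName` and `catalogSourceNamespace` are placeholders for the metadata values that are collapsed between the hunks. The blanket ignore also hides typos in every other field of the manifest, which deserves a line in the comment above `Args`.

```go
// … unchanged: marshal the manifest, apply with --validate=ignore, handle the apply error …

// Read the field back: with validation ignored, a CRD schema that lacks
// securityContextConfig can drop it without any error.
got, err := d.runKubectl(ctx, k8s.KubectlOptions{
	Args: []string{
		"get", "catalogsource", catalogSourceName, "-n", catalogSourceNamespace,
		"-o", "jsonpath={.spec.grpcPodConfig.securityContextConfig}",
	},
})
if err != nil || got.Stdout != "restricted" {
	d.logger.Warning("CatalogSource was applied without securityContextConfig=restricted")
}
```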