
Commit 0b7970c

authored
Sec revert (#2808)
* Revert "Unpack job security updates (#2805)" This reverts commit e568cde. Signed-off-by: perdasilva <[email protected]> * Revert "Update unpack job pod security (#2793)" This reverts commit eedad28. Signed-off-by: perdasilva <[email protected]> * Revert "Update CatalogSource Pod security context (#2782)" This reverts commit 99b51e7. Signed-off-by: perdasilva <[email protected]>
1 parent e568cde commit 0b7970c


40 files changed

+382
-2239
lines changed


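--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM quay.io/fedora/fedora:34-x86_64 as builder
 LABEL stage=builder
 WORKDIR /build
 
-# install dependencies and go 1.17
+# install dependencies and go 1.16
 
 # copy just enough of the git repo to parse HEAD, used to record version in OLM binaries
 RUN dnf update -y && dnf install -y bash make git mercurial jq wget && dnf upgrade -y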

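--- a/pkg/controller/bundle/bundle_unpacker.go
+++ b/pkg/controller/bundle/bundle_unpacker.go
@@ -28,7 +28,6 @@ import (
 listersoperatorsv1alpha1 "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/listers/operators/v1alpha1"
 "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
 "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/resolver/projection"
-"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security"
 )
 
 const (
@@ -191,10 +190,6 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 },
 },
 }
-
-// Apply Pod security
-security.ApplyPodSpecSecurity(&job.Spec.Template.Spec)
-
 job.SetNamespace(cmRef.Namespace)
 job.SetName(cmRef.Name)
 job.SetOwnerReferences([]metav1.OwnerReference{ownerRef(cmRef)})
@@ -435,7 +430,7 @@ func (c *ConfigMapUnpacker) UnpackBundle(lookup *operatorsv1alpha1.BundleLookup,
 return
 }
 
-_, err = c.ensureRole(cmRef, c.getRolePolicyRules(cmRef))
+_, err = c.ensureRole(cmRef)
 if err != nil {
 return
 }
@@ -610,13 +605,27 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath
 return
 }
 
-func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference, policyRules []rbacv1.PolicyRule) (role *rbacv1.Role, err error) {
+func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference) (role *rbacv1.Role, err error) {
 if cmRef == nil {
 return nil, fmt.Errorf("configmap reference is nil")
 }
 
+rule := rbacv1.PolicyRule{
+APIGroups: []string{
+"",
+},
+Verbs: []string{
+"create", "get", "update",
+},
+Resources: []string{
+"configmaps",
+},
+ResourceNames: []string{
+cmRef.Name,
+},
+}
 fresh := &rbacv1.Role{
-Rules: policyRules,
+Rules: []rbacv1.PolicyRule{rule},
 }
 fresh.SetNamespace(cmRef.Namespace)
 fresh.SetName(cmRef.Name)
@@ -632,43 +641,19 @@ func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference, policyRule
 }
 
 // Add the policy rule if necessary
-var ruleDiff []rbacv1.PolicyRule
-for _, proposed := range policyRules {
-if !containsRule(role.Rules, proposed) {
-ruleDiff = append(ruleDiff, proposed)
+for _, existing := range role.Rules {
+if equality.Semantic.DeepDerivative(rule, existing) {
+return
 }
 }
-
 role = role.DeepCopy()
-role.Rules = append(role.Rules, ruleDiff...)
+role.Rules = append(role.Rules, rule)
 
 role, err = c.client.RbacV1().Roles(role.GetNamespace()).Update(context.TODO(), role, metav1.UpdateOptions{})
 
 return
 }
 
-// getRolePolicyRules returns the set of policy rules used by the role attached to the
-// bundle unpacker service account. This method lends itself to easier downstream patching when additional
-// policy rules are required, e.g. for Openshift SCC
-func (c *ConfigMapUnpacker) getRolePolicyRules(cmRef *corev1.ObjectReference) []rbacv1.PolicyRule {
-return []rbacv1.PolicyRule{
-{
-APIGroups: []string{
-"",
-},
-Verbs: []string{
-"get", "update",
-},
-Resources: []string{
-"configmaps",
-},
-ResourceNames: []string{
-cmRef.Name,
-},
-},
-}
-}
-
 func (c *ConfigMapUnpacker) ensureRoleBinding(cmRef *corev1.ObjectReference) (roleBinding *rbacv1.RoleBinding, err error) {
 fresh := &rbacv1.RoleBinding{
 Subjects: []rbacv1.Subject{
@@ -748,12 +733,3 @@ func getCondition(job *batchv1.Job, conditionType batchv1.JobConditionType) (con
 }
 return
 }
-
-
-func containsRule(rules []rbacv1.PolicyRule, rule rbacv1.PolicyRule) bool {
-for _, r := range rules {
-if equality.Semantic.DeepDerivative(r, rule) {
-return true
-}
-}
-return false
-}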
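Review bot: The rule restored inline in ensureRole pairs the `create` verb with `ResourceNames: []string{cmRef.Name}`, and as far as I can tell Kubernetes RBAC never matches a create request against a resource name (the name is not among the request attributes at authorization time), so that verb is dead weight in this rule; either drop `"create"` from the Verbs list or, if the unpack job genuinely must create the ConfigMap, give it a separate rule without ResourceNames and add a comment stating why the namespace-wide grant is acceptable. The hunk at line 190 also removes the only explicit pod/container security context from the job template, so the unpack pod now runs with whatever the images' defaults are and would be rejected by a restricted Pod Security Admission policy; the commit message says only that three hardening commits are reverted, and a one-line reason above the job construction would help the next reader understand whether this is temporary. Both the job builder and ensureRole extend beyond the hunks shown here.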

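--- a/pkg/controller/bundle/bundle_unpacker_test.go
+++ b/pkg/controller/bundle/bundle_unpacker_test.go
@@ -68,29 +68,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 roleBindings []*rbacv1.RoleBinding
 }
 
-var expectedReadOnlyRootFilesystem = false
-var expectedAllowPrivilegeEscalation = false
-var expectedRunAsNonRoot = true
-var expectedRunAsUser int64 = 1001
-var expectedPrivileged = false
-
-var expectedContainerSecurityContext = &corev1.SecurityContext{
-Privileged: &expectedPrivileged,
-ReadOnlyRootFilesystem: &expectedReadOnlyRootFilesystem,
-AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
-Capabilities: &corev1.Capabilities{
-Drop: []corev1.Capability{"ALL"},
-},
-}
-
-var expectedPodSecurityContext = &corev1.PodSecurityContext{
-RunAsNonRoot: &expectedRunAsNonRoot,
-RunAsUser: &expectedRunAsUser,
-SeccompProfile: &corev1.SeccompProfile{
-Type: corev1.SeccompProfileTypeRuntimeDefault,
-},
-}
-
 tests := []struct {
 description string
 fields fields
@@ -243,7 +220,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 Spec: corev1.PodSpec{
 RestartPolicy: corev1.RestartPolicyNever,
 ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}},
-SecurityContext: expectedPodSecurityContext,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -267,7 +243,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -287,7 +262,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -310,7 +284,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -353,7 +326,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 "",
 },
 Verbs: []string{
-"get", "update",
+"create", "get", "update",
 },
 Resources: []string{
 "configmaps",
@@ -423,8 +396,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
-SecurityContext: expectedPodSecurityContext,
+RestartPolicy: corev1.RestartPolicyNever,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -448,7 +420,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -468,7 +439,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -491,7 +461,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -645,8 +614,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
-SecurityContext: expectedPodSecurityContext,
+RestartPolicy: corev1.RestartPolicyNever,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -670,7 +638,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -690,7 +657,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -713,7 +679,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -769,7 +734,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 "",
 },
 Verbs: []string{
-"get", "update",
+"create", "get", "update",
 },
 Resources: []string{
 "configmaps",
@@ -861,8 +826,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
-SecurityContext: expectedPodSecurityContext,
+RestartPolicy: corev1.RestartPolicyNever,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -886,7 +850,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -906,7 +869,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -929,7 +891,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -1047,8 +1008,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
-SecurityContext: expectedPodSecurityContext,
+RestartPolicy: corev1.RestartPolicyNever,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -1072,7 +1032,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -1092,7 +1051,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -1115,7 +1073,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -1244,8 +1201,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
-SecurityContext: expectedPodSecurityContext,
+RestartPolicy: corev1.RestartPolicyNever,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -1269,7 +1225,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -1289,7 +1244,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -1312,7 +1266,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{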
