Revert "Update unpack job pod security (#2793)"

This reverts commit eedad28.

Signed-off-by: perdasilva <[email protected]>

Author: perdasilva

Diff for: pkg/controller/bundle/bundle_unpacker.go

@@ -28,7 +28,6 @@ import (
 	listersoperatorsv1alpha1 "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/listers/operators/v1alpha1"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/resolver/projection"
-	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security"
 )
 
 const (
@@ -191,10 +190,6 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 			},
 		},
 	}
-
-	// Apply Pod security
-	security.ApplyPodSpecSecurity(&job.Spec.Template.Spec)
-
 	job.SetNamespace(cmRef.Namespace)
 	job.SetName(cmRef.Name)
 	job.SetOwnerReferences([]metav1.OwnerReference{ownerRef(cmRef)})

Diff for: pkg/controller/bundle/bundle_unpacker_test.go

@@ -68,29 +68,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 		roleBindings []*rbacv1.RoleBinding
 	}
 
-	var expectedReadOnlyRootFilesystem = false
-	var expectedAllowPrivilegeEscalation = false
-	var expectedRunAsNonRoot = true
-	var expectedRunAsUser int64 = 1001
-	var expectedPrivileged = false
-
-	var expectedContainerSecurityContext = &corev1.SecurityContext{
-		Privileged:               &expectedPrivileged,
-		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
-		AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
-		Capabilities: &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
-		},
-	}
-
-	var expectedPodSecurityContext = &corev1.PodSecurityContext{
-		RunAsNonRoot: &expectedRunAsNonRoot,
-		RunAsUser:    &expectedRunAsUser,
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
-	}
-
 	tests := []struct {
 		description string
 		fields      fields
@@ -243,7 +220,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 								Spec: corev1.PodSpec{
 									RestartPolicy:    corev1.RestartPolicyNever,
 									ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}},
-									SecurityContext:  expectedPodSecurityContext,
 									Containers: []corev1.Container{
 										{
 											Name:    "extract",
@@ -267,7 +243,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									InitContainers: []corev1.Container{
@@ -287,7 +262,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 										{
 											Name:            "pull",
@@ -310,7 +284,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									Volumes: []corev1.Volume{
@@ -423,8 +396,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 									Name: pathHash,
 								},
 								Spec: corev1.PodSpec{
-									RestartPolicy:   corev1.RestartPolicyNever,
-									SecurityContext: expectedPodSecurityContext,
+									RestartPolicy: corev1.RestartPolicyNever,
 									Containers: []corev1.Container{
 										{
 											Name:    "extract",
@@ -448,7 +420,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									InitContainers: []corev1.Container{
@@ -468,7 +439,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 										{
 											Name:            "pull",
@@ -491,7 +461,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									Volumes: []corev1.Volume{
@@ -645,8 +614,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 									Name: pathHash,
 								},
 								Spec: corev1.PodSpec{
-									RestartPolicy:   corev1.RestartPolicyNever,
-									SecurityContext: expectedPodSecurityContext,
+									RestartPolicy: corev1.RestartPolicyNever,
 									Containers: []corev1.Container{
 										{
 											Name:    "extract",
@@ -670,7 +638,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									InitContainers: []corev1.Container{
@@ -690,7 +657,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 										{
 											Name:            "pull",
@@ -713,7 +679,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									Volumes: []corev1.Volume{
@@ -861,8 +826,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 									Name: pathHash,
 								},
 								Spec: corev1.PodSpec{
-									RestartPolicy:   corev1.RestartPolicyNever,
-									SecurityContext: expectedPodSecurityContext,
+									RestartPolicy: corev1.RestartPolicyNever,
 									Containers: []corev1.Container{
 										{
 											Name:    "extract",
@@ -886,7 +850,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									InitContainers: []corev1.Container{
@@ -906,7 +869,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 										{
 											Name:            "pull",
@@ -929,7 +891,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									Volumes: []corev1.Volume{
@@ -1047,8 +1008,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 									Name: pathHash,
 								},
 								Spec: corev1.PodSpec{
-									RestartPolicy:   corev1.RestartPolicyNever,
-									SecurityContext: expectedPodSecurityContext,
+									RestartPolicy: corev1.RestartPolicyNever,
 									Containers: []corev1.Container{
 										{
 											Name:    "extract",
@@ -1072,7 +1032,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									InitContainers: []corev1.Container{
@@ -1092,7 +1051,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 										{
 											Name:            "pull",
@@ -1115,7 +1073,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									Volumes: []corev1.Volume{
@@ -1244,8 +1201,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 									Name: pathHash,
 								},
 								Spec: corev1.PodSpec{
-									RestartPolicy:   corev1.RestartPolicyNever,
-									SecurityContext: expectedPodSecurityContext,
+									RestartPolicy: corev1.RestartPolicyNever,
 									Containers: []corev1.Container{
 										{
 											Name:    "extract",
@@ -1269,7 +1225,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									InitContainers: []corev1.Container{
@@ -1289,7 +1244,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 										{
 											Name:            "pull",
@@ -1312,7 +1266,6 @@ func TestConfigMapUnpacker(t *testing.T) {
 													corev1.ResourceMemory: resource.MustParse("50Mi"),
 												},
 											},
-											SecurityContext: expectedContainerSecurityContext,
 										},
 									},
 									Volumes: []corev1.Volume{

Diff for: pkg/controller/registry/reconciler/reconciler.go

@@ -12,7 +12,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/rand"
 
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
-	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security"
 	controllerclient "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/controller-runtime/client"
 	hashutil "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubernetes/pkg/util/hash"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
@@ -114,6 +113,14 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 		pullPolicy = corev1.PullAlways
 	}
 
+	// Security context
+	readOnlyRootFilesystem := false
+	allowPrivilegeEscalation := false
+	runAsNonRoot := true
+
+	// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27
+	runAsUser := int64(1001)
+
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: source.GetName() + "-",
@@ -165,20 +172,31 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 							corev1.ResourceMemory: resource.MustParse("50Mi"),
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+					},
 					ImagePullPolicy:          pullPolicy,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},
 			ServiceAccountName: saName,
 		},
 	}
 
-	// Update pod security
-	security.ApplyPodSpecSecurity(&pod.Spec)
-
 	// Override scheduling options if specified
 	if source.Spec.GrpcPodConfig != nil {
 		grpcPodConfig := source.Spec.GrpcPodConfig

Diff for: pkg/controller/registry/reconciler/reconciler_test.go

@@ -82,10 +82,8 @@ func TestPodContainerSecurityContext(t *testing.T) {
 	expectedAllowPrivilegeEscalation := false
 	expectedRunAsNonRoot := true
 	expectedRunAsUser := int64(1001)
-	expectedPrivileged := false
 
 	expectedContainerSecCtx := &corev1.SecurityContext{
-		Privileged:               &expectedPrivileged,
 		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
 		AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
 		Capabilities: &corev1.Capabilities{