Revert "Update CatalogSource Pod security context (#2782)"

This reverts commit 99b51e7.

Signed-off-by: perdasilva <[email protected]>

Author: perdasilva

Diff for: Dockerfile

@@ -2,7 +2,7 @@ FROM quay.io/fedora/fedora:34-x86_64 as builder
 LABEL stage=builder
 WORKDIR /build
 
-# install dependencies and go 1.17
+# install dependencies and go 1.16
 
 # copy just enough of the git repo to parse HEAD, used to record version in OLM binaries
 RUN dnf update -y && dnf install -y bash make git mercurial jq wget && dnf upgrade -y

Diff for: pkg/controller/registry/reconciler/reconciler.go

@@ -113,13 +113,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 		pullPolicy = corev1.PullAlways
 	}
 
-	// Security context
 	readOnlyRootFilesystem := false
-	allowPrivilegeEscalation := false
-	runAsNonRoot := true
-
-	// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27
-	runAsUser := int64(1001)
 
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -173,23 +167,12 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 						},
 					},
 					SecurityContext: &corev1.SecurityContext{
-						ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
-						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
-						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{"ALL"},
-						},
+						ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
 					},
 					ImagePullPolicy:          pullPolicy,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 				},
 			},
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsNonRoot: &runAsNonRoot,
-				RunAsUser:    &runAsUser,
-				SeccompProfile: &corev1.SeccompProfile{
-					Type: corev1.SeccompProfileTypeRuntimeDefault,
-				},
-			},
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},

Diff for: pkg/controller/registry/reconciler/reconciler_test.go

@@ -79,23 +79,8 @@ func TestPullPolicy(t *testing.T) {
 
 func TestPodContainerSecurityContext(t *testing.T) {
 	expectedReadOnlyRootFilesystem := false
-	expectedAllowPrivilegeEscalation := false
-	expectedRunAsNonRoot := true
-	expectedRunAsUser := int64(1001)
-
 	expectedContainerSecCtx := &corev1.SecurityContext{
-		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
-		AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
-		Capabilities: &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
-		},
-	}
-	expectedPodSecCtx := &corev1.PodSecurityContext{
-		RunAsNonRoot: &expectedRunAsNonRoot,
-		RunAsUser:    &expectedRunAsUser,
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
+		ReadOnlyRootFilesystem: &expectedReadOnlyRootFilesystem,
 	}
 
 	catsrc := &v1alpha1.CatalogSource{
@@ -107,9 +92,7 @@ func TestPodContainerSecurityContext(t *testing.T) {
 
 	gotPod := Pod(catsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0))
 	gotContainerSecCtx := gotPod.Spec.Containers[0].SecurityContext
-	gotPodSecCtx := gotPod.Spec.SecurityContext
 	require.Equal(t, expectedContainerSecCtx, gotContainerSecCtx)
-	require.Equal(t, expectedPodSecCtx, gotPodSecCtx)
 }
 
 func TestPodSchedulingOverrides(t *testing.T) {

Diff for: scripts/build_test_images.sh

@@ -1,43 +1,19 @@
 #!/usr/bin/env bash
 
-set -e
-
-CATALOG_DIR=./test/catalogs
-CATALOG_DOCKER=${CATALOG_DIR}/catalog.Dockerfile
-
-# Given an image and a catalog name
-# This functions builds the image and pushes it to the repository
-function build_and_push() {
-  IMG_NAME=$1
-  CATALOG_NAME=$2
-  docker build -t "${IMG_NAME}" -f "${CATALOG_DOCKER}" "${CATALOG_DIR}/${CATALOG_NAME}"
-  docker push "${IMG_NAME}"
-}
-
-# olmtest images
-
 # Busybox Operator Index Image
-catalogs=( 1.0.0 2.0.0 )
-for c in "${catalogs[@]}"; do
-  build_and_push "quay.io/olmtest/busybox-dependencies-index:${c}-with-ListBundles-method" "busybox-${c}"
-done
-
-# single bundle index
-catalogs=( pdb-v1 objects objects-upgrade-samename objects-upgrade-diffname )
-for c in "${catalogs[@]}"; do
-  build_and_push "quay.io/olmtest/single-bundle-index:${c}" "single-bundle-index-${c}"
-done
+docker build -t quay.io/olmtest/busybox-bundle:1.0.0 ./test/images/busybox-index/busybox/1.0.0
+docker build -t quay.io/olmtest/busybox-bundle:2.0.0 ./test/images/busybox-index/busybox/2.0.0
 
-# catsrc-update-test catalogs
-catalogs=( old new related )
-for c in "${catalogs[@]}"; do
-  build_and_push "quay.io/olmtest/catsrc-update-test:${c}" "catsrc-update-test-${c}"
-done
+docker build -t quay.io/olmtest/busybox-dependency-bundle:1.0.0 ./test/images/busybox-index/busybox-dependency/1.0.0
+docker build -t quay.io/olmtest/busybox-dependency-bundle:2.0.0 ./test/images/busybox-index/busybox-dependency/2.0.0
 
-# operator-framework images
+docker push quay.io/olmtest/busybox-bundle:1.0.0
+docker push quay.io/olmtest/busybox-bundle:2.0.0
+docker push quay.io/olmtest/busybox-dependency-bundle:1.0.0
+docker push quay.io/olmtest/busybox-dependency-bundle:2.0.0
 
-# ci-index
-build_and_push quay.io/operator-framework/ci-index:latest "ci-index"
+opm index add --bundles quay.io/olmtest/busybox-dependency-bundle:1.0.0,quay.io/olmtest/busybox-bundle:1.0.0 --tag quay.io/olmtest/busybox-dependencies-index:1.0.0-with-ListBundles-method -c docker
+docker push quay.io/olmtest/busybox-dependencies-index:1.0.0-with-ListBundles-method
 
-# webhook-operator-index
-build_and_push quay.io/operator-framework/webhook-operator-index:0.0.3 "webhook-operator-index-0.0.3"
+opm index add --bundles quay.io/olmtest/busybox-dependency-bundle:2.0.0,quay.io/olmtest/busybox-bundle:2.0.0 --tag quay.io/olmtest/busybox-dependencies-index:2.0.0-with-ListBundles-method --from-index quay.io/olmtest/busybox-dependencies-index:1.0.0-with-ListBundles-method -c docker
+docker push quay.io/olmtest/busybox-dependencies-index:2.0.0-with-ListBundles-method