Refactor catsrc pod creation to use security package
Signed-off-by: perdasilva <[email protected]>
1 parent 9ca98c6 commit 5987159

1 file changed

+4
-22
lines changed

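--- a/pkg/controller/registry/reconciler/reconciler.go
+++ b/pkg/controller/registry/reconciler/reconciler.go
@@ -6,6 +6,7 @@ import (
 "hash/fnv"
 "strings"
 
+"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -113,14 +114,6 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 pullPolicy = corev1.PullAlways
 }
 
-// Security context
-readOnlyRootFilesystem := false
-allowPrivilegeEscalation := false
-runAsNonRoot := true
-
-// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27
-runAsUser := int64(1001)
-
 pod := &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 GenerateName: source.GetName() + "-",
@@ -172,31 +165,20 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: &corev1.SecurityContext{
-ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
-AllowPrivilegeEscalation: &allowPrivilegeEscalation,
-Capabilities: &corev1.Capabilities{
-Drop: []corev1.Capability{"ALL"},
-},
-},
 ImagePullPolicy: pullPolicy,
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 },
 },
-SecurityContext: &corev1.PodSecurityContext{
-RunAsNonRoot: &runAsNonRoot,
-RunAsUser: &runAsUser,
-SeccompProfile: &corev1.SeccompProfile{
-Type: corev1.SeccompProfileTypeRuntimeDefault,
-},
-},
 NodeSelector: map[string]string{
 "kubernetes.io/os": "linux",
 },
 ServiceAccountName: saName,
 },
 }
 
+// Update pod security
+security.ApplyPodSpecSecurity(&pod.Spec)
+
 // Override scheduling options if specified
 if source.Spec.GrpcPodConfig != nil {
 grpcPodConfig := source.Spec.GrpcPodConfig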
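Review bot: The hardening this function used to state explicitly (read-only root filesystem, no privilege escalation, drop ALL capabilities, runAsNonRoot with uid 1001, RuntimeDefault seccomp) is now delegated to `security.ApplyPodSpecSecurity`, whose body is not visible in this diff, so nothing in the third hunk lets a reader confirm the catalog pod still ends up with the same security contexts; a unit test on `Pod(...)` that asserts those container and pod `SecurityContext` fields after the call would turn that into a checked invariant instead of an assumption. The removed `// See: .../Dockerfile#L27` reference explained why uid 1001 is chosen; if the helper hardcodes that uid, the link should move with it so the coupling to the operator-registry image stays documented. The new comment is vague about what is replaced; `// Apply the shared pod/container security contexts (previously set inline here) before any caller-specified scheduling overrides` says what the call is for and why it sits before the GrpcPodConfig block. Note that `Pod`'s body both starts and continues outside this hunk, so whether any later override can clobber `pod.Spec.SecurityContext` cannot be judged from here.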
