Default to legacy PSA settings

awgreene · awgreene · commit b3ec2cd1f22e · 2022-12-14T05:52:59.000-08:00
Problem: OLM recently introduced a few changes to default to running its
workloads in a restricted mode. As a part of these changes,
catalogSources built with earlier versions of OPM will not run as
expected unless the catalogSource yaml is configured to run in a legacy
version. Unfortunately, these legacy catalogs cannot be ran in
restricted namespaces, which includes the `olm` namespace which is used
to define global catalogSources.

Solution: Provide users ample time to convert to the new restricted
fromat by defaulting to legacy restrictions and reclassify the `olm`
namespace as a baseline privilege namespace.

Signed-off-by: Alexander Greene &lt;greene.al1991@gmail.com&gt;
diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go
@@ -195,11 +195,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 		},
 	}
 
-	if source.Spec.GrpcPodConfig != nil {
-		if source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {
-			addSecurityContext(pod, runAsUser)
-		}
-	} else {
+	if source.Spec.GrpcPodConfig != nil && source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {
 		addSecurityContext(pod, runAsUser)
 	}
 
diff --git a/pkg/controller/registry/reconciler/reconciler_test.go b/pkg/controller/registry/reconciler/reconciler_test.go
@@ -88,25 +88,57 @@ func TestPodContainerSecurityContext(t *testing.T) {
 		expectedContainerSecurityContext *corev1.SecurityContext
 	}{
 		{
-			title: "NoSpecDefined/PodContainsSecurityConfigForPSARestricted",
+			title: "NoSpecDefined/PodContainsSecurityConfigForPSALegacy",
 			inputCatsrc: &v1alpha1.CatalogSource{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test",
 					Namespace: "testns",
 				},
 			},
-			expectedContainerSecurityContext: &corev1.SecurityContext{
-				ReadOnlyRootFilesystem:   pointer.Bool(false),
-				AllowPrivilegeEscalation: pointer.Bool(false),
-				Capabilities: &corev1.Capabilities{
-					Drop: []corev1.Capability{"ALL"},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
+		},
+		{
+			title: "SpecDefined/NoGRPCPodConfig/PodContainsSecurityConfigForPSALegacy",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
 				},
+				Spec: v1alpha1.CatalogSourceSpec{},
 			},
-			expectedSecurityContext: &corev1.PodSecurityContext{
-				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
-				RunAsUser:      pointer.Int64(workloadUserID),
-				RunAsNonRoot:   pointer.Bool(true),
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
+		},
+		{
+			title: "SpecDefined/GRPCPodConfigDefined/PodContainsSecurityConfigForPSALegacy",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{},
+				},
+			},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
+		},
+		{
+			title: "SpecDefined/SecurityContextConfig:Legacy/PodContainsSecurityConfigForPSALegacy",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{
+						SecurityContextConfig: v1alpha1.Legacy,
+					},
+				},
 			},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
 		},
 		{
 			title: "SpecDefined/SecurityContextConfig:Restricted/PodContainsSecurityConfigForPSARestricted",
diff --git a/test/e2e/catalog_e2e_test.go b/test/e2e/catalog_e2e_test.go
@@ -1425,7 +1425,7 @@ var _ = Describe("Starting CatalogSource e2e tests", func() {
 				return nil
 			}).Should(BeNil())
 		})
-		When("A CatalogSource built with opm v1.21.0 (<v1.23.2)is created without spec.GrpcPodConfig.SecurityContextConfig set to legacy", func() {
+		When("A CatalogSource built with opm v1.21.0 (<v1.23.2)is created with spec.GrpcPodConfig.SecurityContextConfig set to restricted", func() {
 			var sourceName string
 			BeforeEach(func() {
 				sourceName = genName("catalog-")
@@ -1442,6 +1442,9 @@ var _ = Describe("Starting CatalogSource e2e tests", func() {
 					Spec: v1alpha1.CatalogSourceSpec{
 						SourceType: v1alpha1.SourceTypeGrpc,
 						Image:      "quay.io/olmtest/old-opm-catsrc:v1.21.0",
+						GrpcPodConfig: &v1alpha1.GrpcPodConfig{
+							SecurityContextConfig: operatorsv1alpha1.Restricted,
+						},
 					},
 				}
 

Original file line number	Diff line number	Diff line change
`@@ -195,11 +195,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN`
`195`	`195`	`},`
`196`	`196`	`}`
`197`	`197`
`198`		`- if source.Spec.GrpcPodConfig != nil {`
`199`		`- if source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {`
`200`		`- addSecurityContext(pod, runAsUser)`
`201`		`- }`
`202`		`- } else {`
	`198`	`+ if source.Spec.GrpcPodConfig != nil && source.Spec.GrpcPodConfig.SecurityContextConfig == operatorsv1alpha1.Restricted {`
`203`	`199`	`addSecurityContext(pod, runAsUser)`
`204`	`200`	`}`
`205`	`201`