Back out the default security context functionality as this breaks on OpenShift (#771)

Author: thegridman

api/v1/coherenceresourcespec_types.go

@@ -193,15 +193,6 @@ type CoherenceResourceSpec struct {
 	// +optional
 	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 	// SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment.
-	// If no security context is specified the Operator will create one with the following spec
-	//
-	//   securityContext:
-	//     runAsNonRoot: true
-	//     runAsUser: 1000
-	//     runAsGroup: 2000
-	//     fsGroup: 2000
-	//     fsGroupChangePolicy: "OnRootMismatch"
-	//
 	// See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 	// +optional
 	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
@@ -748,7 +739,7 @@ func (in *CoherenceResourceSpec) CreatePodTemplateSpec(deployment CoherenceResou
 			ReadinessGates:               in.ReadinessGates,
 			RuntimeClassName:             in.RuntimeClassName,
 			SchedulerName:                notNilString(in.SchedulerName),
-			SecurityContext:              in.GetSecurityContext(),
+			SecurityContext:              in.SecurityContext,
 			ServiceAccountName:           in.GetServiceAccountName(),
 			ShareProcessNamespace:        in.ShareProcessNamespace,
 			Tolerations:                  in.Tolerations,
@@ -830,14 +821,6 @@ func (in *CoherenceResourceSpec) GetImagePullSecrets() []corev1.LocalObjectRefer
 	return secrets
 }
 
-// GetSecurityContext returns the Pod security context to use.
-func (in *CoherenceResourceSpec) GetSecurityContext() *corev1.PodSecurityContext {
-	if in == nil || in.SecurityContext == nil {
-		return operator.DefaultSecurityContext()
-	}
-	return in.SecurityContext
-}
-
 // GetServiceAccountName returns the service account name for the cluster.
 func (in *CoherenceResourceSpec) GetServiceAccountName() string {
 	if in != nil {

api/v1/common_test.go

@@ -503,7 +503,6 @@ func createMinimalExpectedPodSpec(deployment coh.CoherenceResource) corev1.PodTe
 					VolumeSource: emptyVolume,
 				},
 			},
-			SecurityContext:           operator.DefaultSecurityContext(),
 			TopologySpreadConstraints: spec.EnsureTopologySpreadConstraints(deployment),
 			Affinity:                  spec.CreateDefaultPodAffinity(deployment),
 			ServiceAccountName:        spec.GetServiceAccountName(),

api/v1/constants.go

@@ -6,10 +6,7 @@
 
 package v1
 
-import (
-	"github.com/oracle/coherence-operator/pkg/operator"
-	corev1 "k8s.io/api/core/v1"
-)
+import "github.com/oracle/coherence-operator/pkg/operator"
 
 const (
 	// DefaultReplicas is the default number of replicas that will be created for a deployment if no value is specified in the spec
@@ -77,17 +74,6 @@ const (
 	// DefaultServiceAccount is the default k8s service account name.
 	DefaultServiceAccount = "default"
 
-	// DefaultRunAsNonRoot is the default value for the runAsNonRoot field in the Pod security context
-	DefaultRunAsNonRoot = true
-	// DefaultRunAsUser is the default value for the runAsUser field in the Pod security context
-	DefaultRunAsUser int64 = 1000
-	// DefaultRunAsGroup is the default value for the runAsGroup field in the Pod security context
-	DefaultRunAsGroup int64 = 2000
-	// DefaultFsGroup is the default value for the fsGroup field in the Pod security context
-	DefaultFsGroup int64 = DefaultRunAsGroup
-	// DefaultFSGroupChangePolicy is the default value for the fsGroup field in the Pod security context
-	DefaultFSGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
-
 	// ContainerNameCoherence is the Coherence container name
 	ContainerNameCoherence = "coherence"
 	// ContainerNameOperatorInit is the Operator init-container name

controllers/coherence_controller.go

@@ -185,7 +185,7 @@ func (in *CoherenceReconciler) Reconcile(ctx context.Context, request ctrl.Reque
 				in.GetEventRecorder().Event(deployment, coreV1.EventTypeNormal, reconciler.EventReasonUpdated, "added finalizer")
 			}
 			// we need to requeue as we have updated the Coherence resource
-			return ctrl.Result{Requeue: true}, err
+			return ctrl.Result{RequeueAfter: time.Minute}, err
 		}
 	}
 

docs/about/04_coherence_spec.adoc

@@ -332,16 +332,7 @@ For example: +
     effect: "NoSchedule" + +
  +
   ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + m| []https://{k8s-doc-link}/#toleration-v1-core[corev1.Toleration] | false
-m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. If no security context is specified the Operator will create one with the following spec +
- +
-  securityContext: + +
-    runAsNonRoot: true + +
-    runAsUser: 1000 + +
-    runAsGroup: 2000 + +
-    fsGroup: 2000 + +
-    fsGroupChangePolicy: "OnRootMismatch" + +
- +
-See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false
+m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false
 m| containerSecurityContext | ContainerSecurityContext is the SecurityContext that will be added to the Coherence container in each Pod in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#securitycontext-v1-core[corev1.SecurityContext] | false
 m| shareProcessNamespace | Share a single process namespace between all the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false. m| *bool | false
 m| hostIPC | Use the host's ipc namespace. Optional: Default to false. m| *bool | false

docs/installation/011_install_manifests.adoc

@@ -130,4 +130,3 @@ Or on MacOS, where `sed` is slightly different:
 ----
 sed -i '' -e 's/replicas: 3/replicas: 1/g' coherence-operator.yaml
 ----
-

docs/other/045_security_context.adoc

@@ -16,25 +16,6 @@ Kubernetes allows you to configure a https://kubernetes.io/docs/tasks/configure-
 
 For more details see the Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] documentation.
 
-=== The Default Security Context
-
-The Coherence Operator configures a default security context for the Coherence Pods is none is specified in the `Coherence` resource yaml.
-The default security context looks like this:
-[source,yaml]
-----
-securityContext:
-  runAsNonRoot: true
-  runAsUser: 1000650000
-  runAsGroup: 1000650000
-  fsGroup: 1000650000
-  fsGroupChangePolicy: "OnRootMismatch"
-----
-
-It is possible to change the values used for the default security context by specifying them when the Operator is installed.
-See the <<config,Configure The Default Security Context>> section below.
-
-It is possible to override this as described below.
-
 === Setting the Pod Security Context
 
 To specify security settings for a Pod, include the `securityContext` field in the Coherence resource specification.
@@ -77,116 +58,3 @@ spec:
       capabilities:
         add: ["NET_ADMIN", "SYS_TIME"]
 ----
-
-[#config]
-=== Configure The Default Security Context
-
-As already mentioned above the default security context created by the operator looks like this:
-
-[source,yaml]
-----
-securityContext:
-  runAsNonRoot: true
-  runAsUser: 1000650000
-  runAsGroup: 1000650000
-  fsGroup: 1000650000
-  fsGroupChangePolicy: "OnRootMismatch"
-----
-
-The default values used for `runAsUser`, `runAsGroup` and `fsGroup` can be configured using the Operator's configuration file.
-
-When the Operator is installed using the default installation it will read an optional configuration file from
-an optional `ConfigMap`. The `ConfigMap` must be created in the same namespace as the operator is running and
-should be named `coherence-operator`. The config map should contain a yaml file named `coherence-operator.yaml`.
-
-[IMPORTANT]
-====
-The `coherence-operator` config map MUST be created before the Operator is installed, even if the yaml file
-that it contains is empty.
-
-The Operator will watch the config file for changes, so if the `ConfigMap` is updated after the Operator is started,
-the changes will take effect. If the `ConfigMap` does not exist when the Operator is started then the config file
-cannot be mounted for the Operator to watch.
-====
-
-
-==== Disable The Default Security Context
-
-To disable the creation of a default Pod security context for Coherence Pods, create a configuration file
-name `coherence-operator.yaml` with the following contents.
-
-[source]
-.coherence-operator.yaml
-----
-coherenceSecurityContext:
-  enabled: false
-----
-
-Create the `ConfigMap` using the configuration file in the same namespace that the operator will be installed into.
-For example, if the operator is to be installed into a namespace named `coherence` the `ConfigMap` can be created
-using the following command:
-
-[source,bash]
-----
-kubectl -n coherence create configmap coherence-operator \
-  --from-file=coherence-operator.yaml
-----
-
-With the `coherenceSecurityContext.enabled` field set to false, the Operator will not apply a default security context
-to the Coherence Pods. This may be useful in environments such as OpenShift which already apply a default security
-configuration to Pods.
-
-==== Change The Default Security Context
-
-In the configuration file, any field under the `coherenceSecurityContext` section will be applied to
-the default security context and override the operators default values.
-
-For example, a `ConfigMap` could be created with the following file:
-
-[source]
-.coherence-operator.yaml
-----
-coherenceSecurityContext:
-  runAsUser: 1000
-----
-
-This will override the `runAsUser` field to be set to `1000` resulting in a default security context as shown below:
-
-[source,yaml]
-----
-securityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
-  runAsGroup: 1000650000
-  fsGroup: 1000650000
-  fsGroupChangePolicy: "OnRootMismatch"
-----
-
-If the config file contains an empty value, this will result in the corresponding value being unset in the
-security context.
-This is useful for unsetting fields that the operator has default values for such as `runAsUser`, `runAsGroup`,
-`runAsNonRoot`, `fsGroup` and `fsGroupChangePolicy`.
-
-
-For example, the default `runAsUser` value is `1000650000`.
-The configuration file can be created with a `runAsUser` field with no value as shown below
-
-[source]
-.coherence-operator.yaml
-----
-coherenceSecurityContext:
-  runAsUser:
-----
-
-This will result in a security context with the `runAsUser` unset.
-
-[source,yaml]
-----
-securityContext:
-  runAsNonRoot: true
-  runAsUser:
-  runAsGroup: 1000650000
-  fsGroup: 1000650000
-  fsGroupChangePolicy: "OnRootMismatch"
-----
-

pkg/operator/operator.go

@@ -19,7 +19,6 @@ import (
 	"github.com/spf13/viper"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/version"
-	"k8s.io/utils/ptr"
 	"os"
 	"path/filepath"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -47,25 +46,6 @@ const (
 	CertTypeManual        = "manual"
 	CertManagerIssuerName = "coherence-webhook-server-issuer"
 
-	// DefaultRunAsNonRoot is the default value for the runAsNonRoot field in the Pod security context
-	DefaultRunAsNonRoot = true
-	// DefaultRunAsUser is the default value for the runAsUser field in the Pod security context
-	DefaultRunAsUser int64 = 1000650000
-	// DefaultRunAsGroup is the default value for the runAsGroup field in the Pod security context
-	DefaultRunAsGroup int64 = 1000650000
-	// DefaultFsGroup is the default value for the fsGroup field in the Pod security context
-	DefaultFsGroup int64 = DefaultRunAsGroup
-	// DefaultFSGroupChangePolicy is the default value for the fsGroup field in the Pod security context
-	DefaultFSGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
-
-	ConfigKeyCoherenceSecurityContext                    = "coherenceSecurityContext"
-	ConfigKeyCoherenceSecurityContextEnabled             = "enabled"
-	ConfigKeyCoherenceSecurityContextRunAsUser           = "runAsUser"
-	ConfigKeyCoherenceSecurityContextRunAsGroup          = "runAsGroup"
-	ConfigKeyCoherenceSecurityContextRunAsNonRoot        = "runAsNonRoot"
-	ConfigKeyCoherenceSecurityContextFsGroup             = "fsGroup"
-	ConfigKeyCoherenceSecurityContextFSGroupChangePolicy = "fSGroupChangePolicy"
-
 	DefaultMutatingWebhookName   = "coherence-operator-mutating-webhook-configuration"
 	DefaultValidatingWebhookName = "coherence-operator-validating-webhook-configuration"
 
@@ -641,46 +621,3 @@ func RemoveFromUInt16Array(arr []uint16, toRemove uint16) []uint16 {
 	}
 	return arr
 }
-
-// DefaultSecurityContext returns the default Pod security context that the Operator will apply
-// to Coherence pods. The values used can be overridden using command line args.
-func DefaultSecurityContext() *corev1.PodSecurityContext {
-	v := GetViper()
-
-	m := v.GetStringMap(ConfigKeyCoherenceSecurityContext)
-	if m == nil {
-		m = make(map[string]interface{})
-	}
-
-	enabled, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextEnabled)]
-	if found && enabled == false {
-		return nil
-	}
-
-	sc := &corev1.PodSecurityContext{}
-
-	if v.IsSet(ConfigKeyCoherenceSecurityContext) {
-		err := v.UnmarshalKey(ConfigKeyCoherenceSecurityContext, sc)
-		if err != nil {
-			setupLog.Error(err, "unable to unmarshal coherenceSecurityContext from Operator config file")
-		}
-	}
-
-	if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsUser)]; !found {
-		sc.RunAsUser = ptr.To(DefaultRunAsUser)
-	}
-	if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsGroup)]; !found {
-		sc.RunAsGroup = ptr.To(DefaultRunAsGroup)
-	}
-	if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsNonRoot)]; !found {
-		sc.RunAsNonRoot = ptr.To(DefaultRunAsNonRoot)
-	}
-	if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextFsGroup)]; !found {
-		sc.FSGroup = ptr.To(DefaultFsGroup)
-	}
-	if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextFSGroupChangePolicy)]; !found {
-		sc.FSGroupChangePolicy = ptr.To(DefaultFSGroupChangePolicy)
-	}
-
-	return sc
-}