diff --git a/api/v1/coherenceresourcespec_types.go b/api/v1/coherenceresourcespec_types.go
index e7549ff3..6e9001f2 100644
--- a/api/v1/coherenceresourcespec_types.go
+++ b/api/v1/coherenceresourcespec_types.go
@@ -193,15 +193,6 @@ type CoherenceResourceSpec struct {
 // +optional
 Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 // SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment.
- // If no security context is specified the Operator will create one with the following spec
- //
- // securityContext:
- // runAsNonRoot: true
- // runAsUser: 1000
- // runAsGroup: 2000
- // fsGroup: 2000
- // fsGroupChangePolicy: "OnRootMismatch"
- //
 // See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 // +optional
 SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
@@ -748,7 +739,7 @@ func (in *CoherenceResourceSpec) CreatePodTemplateSpec(deployment CoherenceResou
 ReadinessGates: in.ReadinessGates,
 RuntimeClassName: in.RuntimeClassName,
 SchedulerName: notNilString(in.SchedulerName),
- SecurityContext: in.GetSecurityContext(),
+ SecurityContext: in.SecurityContext,
 ServiceAccountName: in.GetServiceAccountName(),
 ShareProcessNamespace: in.ShareProcessNamespace,
 Tolerations: in.Tolerations,
@@ -830,14 +821,6 @@ func (in *CoherenceResourceSpec) GetImagePullSecrets() []corev1.LocalObjectRefer
 return secrets
 }
 
-// GetSecurityContext returns the Pod security context to use.
-func (in *CoherenceResourceSpec) GetSecurityContext() *corev1.PodSecurityContext {
- if in == nil || in.SecurityContext == nil {
- return operator.DefaultSecurityContext()
- }
- return in.SecurityContext
-}
-
 // GetServiceAccountName returns the service account name for the cluster.
 func (in *CoherenceResourceSpec) GetServiceAccountName() string {
 if in != nil {
diff --git a/api/v1/common_test.go b/api/v1/common_test.go
index d5075ba7..e8bf465c 100644
--- a/api/v1/common_test.go
+++ b/api/v1/common_test.go
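Review bot: With `GetSecurityContext()` deleted in the third hunk, the second hunk makes `CreatePodTemplateSpec` pass `in.SecurityContext` through unchanged, so a Coherence resource that omits `securityContext` now produces Pods with no PodSecurityContext at all: `runAsNonRoot`, `runAsUser` and `fsGroup` are no longer set by the Operator and non-root execution depends solely on the image's `USER` and on namespace-level admission policy. That may be intended, but the field comment in the first hunk only lost the old example and does not say so, and existing deployments upgrading will have their Pods recreated under a different UID/GID, which (inferred, not visible here) can make data on volumes previously owned via `fsGroup` unreadable. Suggest making the contract explicit on the field: `// No default is applied: when this field is nil the Pods are created without a PodSecurityContext, so set it explicitly (or rely on namespace-level Pod Security admission) if non-root execution must be enforced.` Removing the exported method `GetSecurityContext` from the public `api/v1` type is also a compile-time break for downstream callers; keeping it as a thin nil-safe accessor that just returns `in.SecurityContext` would avoid that. The same point applies to the `common_test.go` hunk, which drops the expected default without adding a test that an explicitly set `SecurityContext` is propagated verbatim; `CreatePodTemplateSpec` and `GetImagePullSecrets` both begin outside their hunks.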
@@ -503,7 +503,6 @@ func createMinimalExpectedPodSpec(deployment coh.CoherenceResource) corev1.PodTe
 VolumeSource: emptyVolume,
 },
 },
- SecurityContext: operator.DefaultSecurityContext(),
 TopologySpreadConstraints: spec.EnsureTopologySpreadConstraints(deployment),
 Affinity: spec.CreateDefaultPodAffinity(deployment),
 ServiceAccountName: spec.GetServiceAccountName(),
diff --git a/api/v1/constants.go b/api/v1/constants.go
index 4afac0d9..1279f7dc 100644
--- a/api/v1/constants.go
+++ b/api/v1/constants.go
@@ -6,10 +6,7 @@ package v1
 
-import (
- "github.com/oracle/coherence-operator/pkg/operator"
- corev1 "k8s.io/api/core/v1"
-)
+import "github.com/oracle/coherence-operator/pkg/operator"
 
 const (
 // DefaultReplicas is the default number of replicas that will be created for a deployment if no value is specified in the spec
@@ -77,17 +74,6 @@ const (
 // DefaultServiceAccount is the default k8s service account name.
 DefaultServiceAccount = "default"
 
- // DefaultRunAsNonRoot is the default value for the runAsNonRoot field in the Pod security context
- DefaultRunAsNonRoot = true
- // DefaultRunAsUser is the default value for the runAsUser field in the Pod security context
- DefaultRunAsUser int64 = 1000
- // DefaultRunAsGroup is the default value for the runAsGroup field in the Pod security context
- DefaultRunAsGroup int64 = 2000
- // DefaultFsGroup is the default value for the fsGroup field in the Pod security context
- DefaultFsGroup int64 = DefaultRunAsGroup
- // DefaultFSGroupChangePolicy is the default value for the fsGroup field in the Pod security context
- DefaultFSGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
-
 // ContainerNameCoherence is the Coherence container name
 ContainerNameCoherence = "coherence"
 // ContainerNameOperatorInit is the Operator init-container name
diff --git a/controllers/coherence_controller.go b/controllers/coherence_controller.go
index 7e5eff4c..e81e910e 100644
--- a/controllers/coherence_controller.go
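Review bot: The second `constants.go` hunk deletes the exported constants `DefaultRunAsNonRoot`, `DefaultRunAsUser`, `DefaultRunAsGroup`, `DefaultFsGroup` and `DefaultFSGroupChangePolicy` from the public `api/v1` package, which breaks any external Go module that references them at compile time. The values here (`1000`/`2000`) also never matched the ones the Operator actually applied from `pkg/operator` (`1000650000`), so dropping them is the right direction, but a deprecation cycle would be kinder to importers: keep them for one release annotated with `// Deprecated: the Operator no longer applies a default PodSecurityContext; set Coherence.spec.securityContext explicitly.` and remove them afterwards. If the constants are kept for that cycle, the `corev1` import removed in the first hunk has to stay as well.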
+++ b/controllers/coherence_controller.go
@@ -185,7 +185,7 @@ func (in *CoherenceReconciler) Reconcile(ctx context.Context, request ctrl.Reque
 in.GetEventRecorder().Event(deployment, coreV1.EventTypeNormal, reconciler.EventReasonUpdated, "added finalizer")
 }
 // we need to requeue as we have updated the Coherence resource
- return ctrl.Result{Requeue: true}, err
+ return ctrl.Result{RequeueAfter: time.Minute}, err
 }
 }
diff --git a/docs/about/04_coherence_spec.adoc b/docs/about/04_coherence_spec.adoc
index 81e9376d..eb40cdf9 100644
--- a/docs/about/04_coherence_spec.adoc
+++ b/docs/about/04_coherence_spec.adoc
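Review bot: The new `return` still hands back a non-zero `ctrl.Result` together with `err`; controller-runtime ignores the Result whenever the error is non-nil (recent versions log a warning about exactly this), so on a failed finalizer update the one-minute delay never applies and the item is retried by the error backoff instead. Split the two outcomes: `if err != nil { return ctrl.Result{}, err }` followed by `return ctrl.Result{RequeueAfter: time.Minute}, nil`. After a successful update the resource's own watch event normally triggers a prompt reconcile, so the fixed delay is only a safety net; a named constant such as `finalizerRequeueDelay` would make that intent clearer than a bare `time.Minute`, and the `time` import is assumed to exist elsewhere in the file since the hunk does not show it. `Reconcile` starts and ends outside the hunk.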
@@ -332,16 +332,7 @@ For example: + effect: "NoSchedule" + + + ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + m| []https://{k8s-doc-link}/#toleration-v1-core[corev1.Toleration] | false -m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. If no security context is specified the Operator will create one with the following spec + - + - securityContext: + + - runAsNonRoot: true + + - runAsUser: 1000 + + - runAsGroup: 2000 + + - fsGroup: 2000 + + - fsGroupChangePolicy: "OnRootMismatch" + + - + -See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false +m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false m| containerSecurityContext | ContainerSecurityContext is the SecurityContext that will be added to the Coherence container in each Pod in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#securitycontext-v1-core[corev1.SecurityContext] | false m| shareProcessNamespace | Share a single process namespace between all the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false. m| *bool | false m| hostIPC | Use the host's ipc namespace. Optional: Default to false. m| *bool | false diff --git a/docs/installation/011_install_manifests.adoc b/docs/installation/011_install_manifests.adoc index 715a5e42..2f412e6c 100644 
--- a/docs/installation/011_install_manifests.adoc
+++ b/docs/installation/011_install_manifests.adoc
@@ -130,4 +130,3 @@ Or on MacOS, where `sed` is slightly different:
 ----
 sed -i '' -e 's/replicas: 3/replicas: 1/g' coherence-operator.yaml
 ----
-
diff --git a/docs/other/045_security_context.adoc b/docs/other/045_security_context.adoc
index 868bb394..bde70e6c 100644
--- a/docs/other/045_security_context.adoc
+++ b/docs/other/045_security_context.adoc
@@ -16,25 +16,6 @@ Kubernetes allows you to configure a https://kubernetes.io/docs/tasks/configure-
 For more details see the Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] documentation.
 
-=== The Default Security Context
-
-The Coherence Operator configures a default security context for the Coherence Pods is none is specified in the `Coherence` resource yaml.
-The default security context looks like this:
-[source,yaml]
-----
-securityContext:
- runAsNonRoot: true
- runAsUser: 1000650000
- runAsGroup: 1000650000
- fsGroup: 1000650000
- fsGroupChangePolicy: "OnRootMismatch"
-----
-
-It is possible to change the values used for the default security context by specifying them when the Operator is installed.
-See the <> section below.
-
-It is possible to override this as described below.
-
 === Setting the Pod Security Context
 To specify security settings for a Pod, include the `securityContext` field in the Coherence resource specification.
@@ -77,116 +58,3 @@ spec: capabilities: add: ["NET_ADMIN", "SYS_TIME"] ---- - -[#config] -=== Configure The Default Security Context - -As already mentioned above the default security context created by the operator looks like this: - -[source,yaml] ----- -securityContext: - runAsNonRoot: true - runAsUser: 1000650000 - runAsGroup: 1000650000 - fsGroup: 1000650000 - fsGroupChangePolicy: "OnRootMismatch" ----- - -The default values used for `runAsUser`, `runAsGroup` and `fsGroup` can be configured using the Operator's configuration file. - -When the Operator is installed using the default installation it will read an optional configuration file from -an optional `ConfigMap`. The `ConfigMap` must be created in the same namespace as the operator is running and -should be named `coherence-operator`. The config map should contain a yaml file named `coherence-operator.yaml`. - -[IMPORTANT] -==== -The `coherence-operator` config map MUST be created before the Operator is installed, even if the yaml file -that it contains is empty. - -The Operator will watch the config file for changes, so if the `ConfigMap` is updated after the Operator is started, -the changes will take effect. If the `ConfigMap` does not exist when the Operator is started then the config file -cannot be mounted for the Operator to watch. -==== - - -==== Disable The Default Security Context - -To disable the creation of a default Pod security context for Coherence Pods, create a configuration file -name `coherence-operator.yaml` with the following contents. - -[source] -.coherence-operator.yaml ----- -coherenceSecurityContext: - enabled: false ----- - -Create the `ConfigMap` using the configuration file in the same namespace that the operator will be installed into. 
-For example, if the operator is to be installed into a namespace named `coherence` the `ConfigMap` can be created -using the following command: - -[source,bash] ----- -kubectl -n coherence create configmap coherence-operator \ - --from-file=coherence-operator.yaml ----- - -With the `coherenceSecurityContext.enabled` field set to false, the Operator will not apply a default security context -to the Coherence Pods. This may be useful in environments such as OpenShift which already apply a default security -configuration to Pods. - -==== Change The Default Security Context - -In the configuration file, any field under the `coherenceSecurityContext` section will be applied to -the default security context and override the operators default values. - -For example, a `ConfigMap` could be created with the following file: - -[source] -.coherence-operator.yaml ----- -coherenceSecurityContext: - runAsUser: 1000 ----- - -This will override the `runAsUser` field to be set to `1000` resulting in a default security context as shown below: - -[source,yaml] ----- -securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000650000 - fsGroup: 1000650000 - fsGroupChangePolicy: "OnRootMismatch" ----- - -If the config file contains an empty value, this will result in the corresponding value being unset in the -security context. -This is useful for unsetting fields that the operator has default values for such as `runAsUser`, `runAsGroup`, -`runAsNonRoot`, `fsGroup` and `fsGroupChangePolicy`. - - -For example, the default `runAsUser` value is `1000650000`. -The configuration file can be created with a `runAsUser` field with no value as shown below - -[source] -.coherence-operator.yaml ----- -coherenceSecurityContext: - runAsUser: ----- - -This will result in a security context with the `runAsUser` unset. - -[source,yaml] ----- -securityContext: - runAsNonRoot: true - runAsUser: - runAsGroup: 1000650000 - fsGroup: 1000650000 - fsGroupChangePolicy: "OnRootMismatch" ----- - 
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index 86b55ce6..84affee8 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -19,7 +19,6 @@ import (
 "github.com/spf13/viper"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/util/version"
- "k8s.io/utils/ptr"
 "os"
 "path/filepath"
 ctrl "sigs.k8s.io/controller-runtime"
@@ -47,25 +46,6 @@ const (
 CertTypeManual = "manual"
 CertManagerIssuerName = "coherence-webhook-server-issuer"
 
- // DefaultRunAsNonRoot is the default value for the runAsNonRoot field in the Pod security context
- DefaultRunAsNonRoot = true
- // DefaultRunAsUser is the default value for the runAsUser field in the Pod security context
- DefaultRunAsUser int64 = 1000650000
- // DefaultRunAsGroup is the default value for the runAsGroup field in the Pod security context
- DefaultRunAsGroup int64 = 1000650000
- // DefaultFsGroup is the default value for the fsGroup field in the Pod security context
- DefaultFsGroup int64 = DefaultRunAsGroup
- // DefaultFSGroupChangePolicy is the default value for the fsGroup field in the Pod security context
- DefaultFSGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch
-
- ConfigKeyCoherenceSecurityContext = "coherenceSecurityContext"
- ConfigKeyCoherenceSecurityContextEnabled = "enabled"
- ConfigKeyCoherenceSecurityContextRunAsUser = "runAsUser"
- ConfigKeyCoherenceSecurityContextRunAsGroup = "runAsGroup"
- ConfigKeyCoherenceSecurityContextRunAsNonRoot = "runAsNonRoot"
- ConfigKeyCoherenceSecurityContextFsGroup = "fsGroup"
- ConfigKeyCoherenceSecurityContextFSGroupChangePolicy = "fSGroupChangePolicy"
-
 DefaultMutatingWebhookName = "coherence-operator-mutating-webhook-configuration"
 DefaultValidatingWebhookName = "coherence-operator-validating-webhook-configuration"
@@ -641,46 +621,3 @@ func RemoveFromUInt16Array(arr []uint16, toRemove uint16) []uint16 {
 }
 return arr
 }
-
-// DefaultSecurityContext returns the default Pod security context that the Operator will apply
-// to Coherence pods. The values used can be overridden using command line args.
-func DefaultSecurityContext() *corev1.PodSecurityContext {
- v := GetViper()
-
- m := v.GetStringMap(ConfigKeyCoherenceSecurityContext)
- if m == nil {
- m = make(map[string]interface{})
- }
-
- enabled, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextEnabled)]
- if found && enabled == false {
- return nil
- }
-
- sc := &corev1.PodSecurityContext{}
-
- if v.IsSet(ConfigKeyCoherenceSecurityContext) {
- err := v.UnmarshalKey(ConfigKeyCoherenceSecurityContext, sc)
- if err != nil {
- setupLog.Error(err, "unable to unmarshal coherenceSecurityContext from Operator config file")
- }
- }
-
- if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsUser)]; !found {
- sc.RunAsUser = ptr.To(DefaultRunAsUser)
- }
- if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsGroup)]; !found {
- sc.RunAsGroup = ptr.To(DefaultRunAsGroup)
- }
- if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsNonRoot)]; !found {
- sc.RunAsNonRoot = ptr.To(DefaultRunAsNonRoot)
- }
- if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextFsGroup)]; !found {
- sc.FSGroup = ptr.To(DefaultFsGroup)
- }
- if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextFSGroupChangePolicy)]; !found {
- sc.FSGroupChangePolicy = ptr.To(DefaultFSGroupChangePolicy)
- }
-
- return sc
-}
diff --git a/pkg/runner/TestOperatorWithDefaultSecurityContextFsGroup.yaml b/pkg/runner/TestOperatorWithDefaultSecurityContextFsGroup.yaml
deleted file mode 100644
index 822effb7..00000000
--- a/pkg/runner/TestOperatorWithDefaultSecurityContextFsGroup.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-coherenceSecurityContext:
- fsGroup: 3000
-
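Review bot: Removing `DefaultSecurityContext` together with the `ConfigKeyCoherenceSecurityContext*` keys means an existing `coherence-operator` ConfigMap that still carries a `coherenceSecurityContext:` section is now loaded and silently ignored, so an administrator who relied on it to enforce `runAsNonRoot` or a specific `fsGroup` gets no signal that those settings stopped applying after the upgrade. A one-time check at startup would make the regression visible: `if GetViper().IsSet("coherenceSecurityContext") { setupLog.Info("coherenceSecurityContext in the Operator config file is no longer supported and is ignored; set Coherence.spec.securityContext instead") }`. Whether `strings` and `corev1` are still used elsewhere in the file after these deletions is not visible in the hunks — the first hunk drops only `k8s.io/utils/ptr`, so presumably they are. `RemoveFromUInt16Array` begins outside this hunk.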
diff --git a/pkg/runner/TestOperatorWithDefaultSecurityContextFsGroupChangePolicy.yaml b/pkg/runner/TestOperatorWithDefaultSecurityContextFsGroupChangePolicy.yaml
deleted file mode 100644
index 63dae6a6..00000000
--- a/pkg/runner/TestOperatorWithDefaultSecurityContextFsGroupChangePolicy.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-coherenceSecurityContext:
- fsGroupChangePolicy: Always
-
diff --git a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsGroup.yaml b/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsGroup.yaml
deleted file mode 100644
index 7889c956..00000000
--- a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsGroup.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-coherenceSecurityContext:
- runAsGroup: 2000
-
diff --git a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsNonRootFalse.yaml b/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsNonRootFalse.yaml
deleted file mode 100644
index 650e7c9f..00000000
--- a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsNonRootFalse.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-coherenceSecurityContext:
- runAsNonRoot: false
-
diff --git a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsNonRootTrue.yaml b/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsNonRootTrue.yaml
deleted file mode 100644
index 8955ca53..00000000
--- a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsNonRootTrue.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-coherenceSecurityContext:
- runAsNonRoot: true
-
diff --git a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsUser.yaml b/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsUser.yaml
deleted file mode 100644
index 409cf753..00000000
--- a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsUser.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-coherenceSecurityContext:
- runAsUser: 1000
-
diff --git a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsUserNil.yaml b/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsUserNil.yaml
deleted file mode 100644
index b6148bb7..00000000
--- a/pkg/runner/TestOperatorWithDefaultSecurityContextRunAsUserNil.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-coherenceSecurityContext:
- runAsUser:
diff --git a/pkg/runner/cmd_operator_test.go b/pkg/runner/cmd_operator_test.go
index 82e2499b..4ff3bb26 100644
--- a/pkg/runner/cmd_operator_test.go
+++ b/pkg/runner/cmd_operator_test.go
@@ -11,11 +11,7 @@ import (
 . "github.com/onsi/gomega"
 coh "github.com/oracle/coherence-operator/api/v1"
 "github.com/oracle/coherence-operator/pkg/operator"
- "github.com/oracle/coherence-operator/test/e2e/helper"
- corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "os"
- "path/filepath"
 ctrl "sigs.k8s.io/controller-runtime"
 "strings"
 "testing"
@@ -532,297 +528,3 @@ func defaultCiphers() []uint16 { ciphers = operator.RemoveAllFromUInt16Array(ciphers, operator.DefaultCipherDenyList()...) return ciphers } - -func TestOperatorWithDefaultSecurityContext(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - args := []string{"operator", "--dry-run"} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) - g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(operator.DefaultRunAsNonRoot)) - g.Expect(sc.RunAsUser).NotTo(BeNil()) - g.Expect(*sc.RunAsUser).To(Equal(operator.DefaultRunAsUser)) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - g.Expect(*sc.RunAsGroup).To(Equal(operator.DefaultRunAsGroup)) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(operator.DefaultFsGroup)) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - g.Expect(*sc.FSGroupChangePolicy).To(Equal(operator.DefaultFSGroupChangePolicy)) -} - -func TestOperatorWithDefaultSecurityContextDisabled(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := findConfigFilePath("TestOperatorWithDefaultSecurityContextDisabled.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).NotTo(HaveOccurred()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).To(BeNil()) -} - -func TestOperatorWithDefaultSecurityContextRunAsNonRootTrue(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := 
findConfigFilePath("TestOperatorWithDefaultSecurityContextRunAsNonRootTrue.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) - g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(true)) - g.Expect(sc.RunAsUser).NotTo(BeNil()) - g.Expect(*sc.RunAsUser).To(Equal(operator.DefaultRunAsUser)) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - g.Expect(*sc.RunAsGroup).To(Equal(operator.DefaultRunAsGroup)) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(operator.DefaultFsGroup)) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - g.Expect(*sc.FSGroupChangePolicy).To(Equal(operator.DefaultFSGroupChangePolicy)) -} - -func TestOperatorWithDefaultSecurityContextRunAsNonRootFalse(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := findConfigFilePath("TestOperatorWithDefaultSecurityContextRunAsNonRootFalse.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) - g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(false)) - g.Expect(sc.RunAsUser).NotTo(BeNil()) - g.Expect(*sc.RunAsUser).To(Equal(operator.DefaultRunAsUser)) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - g.Expect(*sc.RunAsGroup).To(Equal(operator.DefaultRunAsGroup)) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(operator.DefaultFsGroup)) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - 
g.Expect(*sc.FSGroupChangePolicy).To(Equal(operator.DefaultFSGroupChangePolicy)) -} - -func TestOperatorWithDefaultSecurityContextRunAsUser(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := findConfigFilePath("TestOperatorWithDefaultSecurityContextRunAsUser.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) - g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(operator.DefaultRunAsNonRoot)) - g.Expect(sc.RunAsUser).NotTo(BeNil()) - g.Expect(*sc.RunAsUser).To(Equal(int64(1000))) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - g.Expect(*sc.RunAsGroup).To(Equal(operator.DefaultRunAsGroup)) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(operator.DefaultFsGroup)) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - g.Expect(*sc.FSGroupChangePolicy).To(Equal(operator.DefaultFSGroupChangePolicy)) -} - -func TestOperatorWithDefaultSecurityContextRunAsUserUnset(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := findConfigFilePath("TestOperatorWithDefaultSecurityContextRunAsUserNil.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) - g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(operator.DefaultRunAsNonRoot)) - g.Expect(sc.RunAsUser).To(BeNil()) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - 
g.Expect(*sc.RunAsGroup).To(Equal(operator.DefaultRunAsGroup)) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(operator.DefaultFsGroup)) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - g.Expect(*sc.FSGroupChangePolicy).To(Equal(operator.DefaultFSGroupChangePolicy)) -} - -func TestOperatorWithDefaultSecurityContextRunAsGroup(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := findConfigFilePath("TestOperatorWithDefaultSecurityContextRunAsGroup.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) - g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(operator.DefaultRunAsNonRoot)) - g.Expect(sc.RunAsUser).NotTo(BeNil()) - g.Expect(*sc.RunAsUser).To(Equal(operator.DefaultRunAsUser)) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - g.Expect(*sc.RunAsGroup).To(Equal(int64(2000))) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(operator.DefaultFsGroup)) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - g.Expect(*sc.FSGroupChangePolicy).To(Equal(operator.DefaultFSGroupChangePolicy)) -} - -func TestOperatorWithDefaultSecurityContextFsGroup(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := findConfigFilePath("TestOperatorWithDefaultSecurityContextFsGroup.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) 
- g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(operator.DefaultRunAsNonRoot)) - g.Expect(sc.RunAsUser).NotTo(BeNil()) - g.Expect(*sc.RunAsUser).To(Equal(operator.DefaultRunAsUser)) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - g.Expect(*sc.RunAsGroup).To(Equal(operator.DefaultRunAsGroup)) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(int64(3000))) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - g.Expect(*sc.FSGroupChangePolicy).To(Equal(operator.DefaultFSGroupChangePolicy)) -} - -func TestOperatorWithDefaultSecurityContextFsGroupChangePolicy(t *testing.T) { - g := NewGomegaWithT(t) - - d := &coh.Coherence{ - ObjectMeta: metav1.ObjectMeta{Name: "test"}, - } - - cfg, err := findConfigFilePath("TestOperatorWithDefaultSecurityContextFsGroupChangePolicy.yaml") - g.Expect(err).NotTo(HaveOccurred()) - - args := []string{"operator", "--dry-run", "--config", cfg} - env := EnvVarsFromDeployment(t, d) - - e, err := ExecuteWithArgsAndNewViper(env, args) - g.Expect(err).To(BeNil()) - - operator.SetViper(e.V) - - sc := operator.DefaultSecurityContext() - g.Expect(sc).NotTo(BeNil()) - g.Expect(sc.RunAsNonRoot).NotTo(BeNil()) - g.Expect(*sc.RunAsNonRoot).To(Equal(operator.DefaultRunAsNonRoot)) - g.Expect(sc.RunAsUser).NotTo(BeNil()) - g.Expect(*sc.RunAsUser).To(Equal(operator.DefaultRunAsUser)) - g.Expect(sc.RunAsGroup).NotTo(BeNil()) - g.Expect(*sc.RunAsGroup).To(Equal(operator.DefaultRunAsGroup)) - g.Expect(sc.FSGroup).NotTo(BeNil()) - g.Expect(*sc.FSGroup).To(Equal(operator.DefaultFsGroup)) - g.Expect(sc.FSGroupChangePolicy).NotTo(BeNil()) - g.Expect(*sc.FSGroupChangePolicy).To(Equal(corev1.PodFSGroupChangePolicy("Always"))) -} - -func findConfigFilePath(cfg string) (string, error) { - cfg, err := helper.FindActualFile(cfg) - if err != nil { - return "", err - } - _, err = os.Stat(cfg) - if err != nil { - return "", err - } - f, err := os.Stat(cfg) - if err != nil { - return "", err - } - path, err := 
filepath.Abs(f.Name()) - if err != nil { - return "", err - } - return path, nil -}