
Back out the default security context functionality as this breaks on OpenShift #771


Merged
merged 1 commit into from
Jun 26, 2025
Merged
19 changes: 1 addition & 18 deletions api/v1/coherenceresourcespec_types.go
Expand Up @@ -193,15 +193,6 @@ type CoherenceResourceSpec struct {
// +optional
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
// SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment.
// If no security context is specified the Operator will create one with the following spec
//
// securityContext:
// runAsNonRoot: true
// runAsUser: 1000
// runAsGroup: 2000
// fsGroup: 2000
// fsGroupChangePolicy: "OnRootMismatch"
//
// See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
// +optional
SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
Expand Down Expand Up @@ -748,7 +739,7 @@ func (in *CoherenceResourceSpec) CreatePodTemplateSpec(deployment CoherenceResou
ReadinessGates: in.ReadinessGates,
RuntimeClassName: in.RuntimeClassName,
SchedulerName: notNilString(in.SchedulerName),
SecurityContext: in.GetSecurityContext(),
SecurityContext: in.SecurityContext,
ServiceAccountName: in.GetServiceAccountName(),
ShareProcessNamespace: in.ShareProcessNamespace,
Tolerations: in.Tolerations,
Expand Down Expand Up @@ -830,14 +821,6 @@ func (in *CoherenceResourceSpec) GetImagePullSecrets() []corev1.LocalObjectRefer
return secrets
}

// GetSecurityContext returns the Pod security context to use.
func (in *CoherenceResourceSpec) GetSecurityContext() *corev1.PodSecurityContext {
if in == nil || in.SecurityContext == nil {
return operator.DefaultSecurityContext()
}
return in.SecurityContext
}

// GetServiceAccountName returns the service account name for the cluster.
func (in *CoherenceResourceSpec) GetServiceAccountName() string {
if in != nil {
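Review bot: With the default helper gone, `SecurityContext: in.SecurityContext` hands the Pod only what the user set, so on clusters that do not inject a Pod security context the way OpenShift SCCs do, the Coherence container runs with the image's default UID and without `runAsNonRoot`. That is presumably the intended trade-off for OpenShift, but it weakens the default posture everywhere else, and the comment that remains on the `SecurityContext` field no longer tells the user they now own this setting. I would say so on the field: `// No default is applied by the Operator; when unset, the Pod receives only whatever the cluster's admission controllers (e.g. an OpenShift SCC) inject, if anything.` CreatePodTemplateSpec begins and ends outside the hunk.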
1 change: 0 additions & 1 deletion api/v1/common_test.go
Expand Up @@ -503,7 +503,6 @@ func createMinimalExpectedPodSpec(deployment coh.CoherenceResource) corev1.PodTe
VolumeSource: emptyVolume,
},
},
SecurityContext: operator.DefaultSecurityContext(),
TopologySpreadConstraints: spec.EnsureTopologySpreadConstraints(deployment),
Affinity: spec.CreateDefaultPodAffinity(deployment),
ServiceAccountName: spec.GetServiceAccountName(),
16 changes: 1 addition & 15 deletions api/v1/constants.go
Expand Up @@ -6,10 +6,7 @@

package v1

import (
"github.com/oracle/coherence-operator/pkg/operator"
corev1 "k8s.io/api/core/v1"
)
import "github.com/oracle/coherence-operator/pkg/operator"

const (
// DefaultReplicas is the default number of replicas that will be created for a deployment if no value is specified in the spec
Expand Down Expand Up @@ -77,17 +74,6 @@ const (
// DefaultServiceAccount is the default k8s service account name.
DefaultServiceAccount = "default"

// DefaultRunAsNonRoot is the default value for the runAsNonRoot field in the Pod security context
DefaultRunAsNonRoot = true
// DefaultRunAsUser is the default value for the runAsUser field in the Pod security context
DefaultRunAsUser int64 = 1000
// DefaultRunAsGroup is the default value for the runAsGroup field in the Pod security context
DefaultRunAsGroup int64 = 2000
// DefaultFsGroup is the default value for the fsGroup field in the Pod security context
DefaultFsGroup int64 = DefaultRunAsGroup
// DefaultFSGroupChangePolicy is the default value for the fsGroup field in the Pod security context
DefaultFSGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch

// ContainerNameCoherence is the Coherence container name
ContainerNameCoherence = "coherence"
// ContainerNameOperatorInit is the Operator init-container name
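Review bot: The second hunk deletes the exported `DefaultRunAsNonRoot`, `DefaultRunAsUser`, `DefaultRunAsGroup`, `DefaultFsGroup` and `DefaultFSGroupChangePolicy` constants from the public `api/v1` package, which breaks any external code that imports them; the same applies to the identically named constants and `DefaultSecurityContext` removed from `pkg/operator`. If the module is consumed as a Go API, keeping the constants with a `// Deprecated: the Operator no longer applies a default Pod security context.` line above them would let consumers migrate instead of failing to compile. The two sets also disagreed with each other (1000/2000 here versus 1000650000 in `pkg/operator`), so if they are retained only one copy should survive.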
2 changes: 1 addition & 1 deletion controllers/coherence_controller.go
Expand Up @@ -185,7 +185,7 @@ func (in *CoherenceReconciler) Reconcile(ctx context.Context, request ctrl.Reque
in.GetEventRecorder().Event(deployment, coreV1.EventTypeNormal, reconciler.EventReasonUpdated, "added finalizer")
}
// we need to requeue as we have updated the Coherence resource
return ctrl.Result{Requeue: true}, err
return ctrl.Result{RequeueAfter: time.Minute}, err
}
}

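Review bot: `return ctrl.Result{RequeueAfter: time.Minute}, err` turns a requeue that was immediate (subject to the workqueue's backoff) into a fixed one-minute wait after the finalizer is added, so a new Coherence resource sits for a minute before its first real reconcile; that is a behaviour change unrelated to the security-context backout named in the PR title and deserves a sentence in the description. When `err` is non-nil controller-runtime ignores the Result and requeues with rate-limited backoff anyway, so the delay only applies on the success path, which is presumably the intent. If the motivation is the deprecation of `Result.Requeue` in recent controller-runtime releases, a short delay such as `time.Second` keeps the old responsiveness; whether `time` is already imported in this file is not visible here. Reconcile begins and ends outside the hunk.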
11 changes: 1 addition & 10 deletions docs/about/04_coherence_spec.adoc
Expand Up @@ -332,16 +332,7 @@ For example: +
effect: "NoSchedule" + +
+
ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + m| []https://{k8s-doc-link}/#toleration-v1-core[corev1.Toleration] | false
m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. If no security context is specified the Operator will create one with the following spec +
+
securityContext: + +
runAsNonRoot: true + +
runAsUser: 1000 + +
runAsGroup: 2000 + +
fsGroup: 2000 + +
fsGroupChangePolicy: "OnRootMismatch" + +
+
See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false
m| securityContext | SecurityContext is the PodSecurityContext that will be added to all the Pods in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#podsecuritycontext-v1-core[corev1.PodSecurityContext] | false
m| containerSecurityContext | ContainerSecurityContext is the SecurityContext that will be added to the Coherence container in each Pod in this deployment. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ m| *https://{k8s-doc-link}/#securitycontext-v1-core[corev1.SecurityContext] | false
m| shareProcessNamespace | Share a single process namespace between all the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false. m| *bool | false
m| hostIPC | Use the host's ipc namespace. Optional: Default to false. m| *bool | false
1 change: 0 additions & 1 deletion docs/installation/011_install_manifests.adoc
Expand Up @@ -130,4 +130,3 @@ Or on MacOS, where `sed` is slightly different:
----
sed -i '' -e 's/replicas: 3/replicas: 1/g' coherence-operator.yaml
----

132 changes: 0 additions & 132 deletions docs/other/045_security_context.adoc
Expand Up @@ -16,25 +16,6 @@ Kubernetes allows you to configure a https://kubernetes.io/docs/tasks/configure-

For more details see the Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Security Context] documentation.

=== The Default Security Context

The Coherence Operator configures a default security context for the Coherence Pods is none is specified in the `Coherence` resource yaml.
The default security context looks like this:
[source,yaml]
----
securityContext:
runAsNonRoot: true
runAsUser: 1000650000
runAsGroup: 1000650000
fsGroup: 1000650000
fsGroupChangePolicy: "OnRootMismatch"
----

It is possible to change the values used for the default security context by specifying them when the Operator is installed.
See the <<config,Configure The Default Security Context>> section below.

It is possible to override this as described below.

=== Setting the Pod Security Context

To specify security settings for a Pod, include the `securityContext` field in the Coherence resource specification.
Expand Down Expand Up @@ -77,116 +58,3 @@ spec:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
----

[#config]
=== Configure The Default Security Context

As already mentioned above the default security context created by the operator looks like this:

[source,yaml]
----
securityContext:
runAsNonRoot: true
runAsUser: 1000650000
runAsGroup: 1000650000
fsGroup: 1000650000
fsGroupChangePolicy: "OnRootMismatch"
----

The default values used for `runAsUser`, `runAsGroup` and `fsGroup` can be configured using the Operator's configuration file.

When the Operator is installed using the default installation it will read an optional configuration file from
an optional `ConfigMap`. The `ConfigMap` must be created in the same namespace as the operator is running and
should be named `coherence-operator`. The config map should contain a yaml file named `coherence-operator.yaml`.

[IMPORTANT]
====
The `coherence-operator` config map MUST be created before the Operator is installed, even if the yaml file
that it contains is empty.

The Operator will watch the config file for changes, so if the `ConfigMap` is updated after the Operator is started,
the changes will take effect. If the `ConfigMap` does not exist when the Operator is started then the config file
cannot be mounted for the Operator to watch.
====


==== Disable The Default Security Context

To disable the creation of a default Pod security context for Coherence Pods, create a configuration file
name `coherence-operator.yaml` with the following contents.

[source]
.coherence-operator.yaml
----
coherenceSecurityContext:
enabled: false
----

Create the `ConfigMap` using the configuration file in the same namespace that the operator will be installed into.
For example, if the operator is to be installed into a namespace named `coherence` the `ConfigMap` can be created
using the following command:

[source,bash]
----
kubectl -n coherence create configmap coherence-operator \
--from-file=coherence-operator.yaml
----

With the `coherenceSecurityContext.enabled` field set to false, the Operator will not apply a default security context
to the Coherence Pods. This may be useful in environments such as OpenShift which already apply a default security
configuration to Pods.

==== Change The Default Security Context

In the configuration file, any field under the `coherenceSecurityContext` section will be applied to
the default security context and override the operators default values.

For example, a `ConfigMap` could be created with the following file:

[source]
.coherence-operator.yaml
----
coherenceSecurityContext:
runAsUser: 1000
----

This will override the `runAsUser` field to be set to `1000` resulting in a default security context as shown below:

[source,yaml]
----
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000650000
fsGroup: 1000650000
fsGroupChangePolicy: "OnRootMismatch"
----

If the config file contains an empty value, this will result in the corresponding value being unset in the
security context.
This is useful for unsetting fields that the operator has default values for such as `runAsUser`, `runAsGroup`,
`runAsNonRoot`, `fsGroup` and `fsGroupChangePolicy`.


For example, the default `runAsUser` value is `1000650000`.
The configuration file can be created with a `runAsUser` field with no value as shown below

[source]
.coherence-operator.yaml
----
coherenceSecurityContext:
runAsUser:
----

This will result in a security context with the `runAsUser` unset.

[source,yaml]
----
securityContext:
runAsNonRoot: true
runAsUser:
runAsGroup: 1000650000
fsGroup: 1000650000
fsGroupChangePolicy: "OnRootMismatch"
----

63 changes: 0 additions & 63 deletions pkg/operator/operator.go
Expand Up @@ -19,7 +19,6 @@ import (
"github.com/spf13/viper"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/version"
"k8s.io/utils/ptr"
"os"
"path/filepath"
ctrl "sigs.k8s.io/controller-runtime"
Expand Down Expand Up @@ -47,25 +46,6 @@ const (
CertTypeManual = "manual"
CertManagerIssuerName = "coherence-webhook-server-issuer"

// DefaultRunAsNonRoot is the default value for the runAsNonRoot field in the Pod security context
DefaultRunAsNonRoot = true
// DefaultRunAsUser is the default value for the runAsUser field in the Pod security context
DefaultRunAsUser int64 = 1000650000
// DefaultRunAsGroup is the default value for the runAsGroup field in the Pod security context
DefaultRunAsGroup int64 = 1000650000
// DefaultFsGroup is the default value for the fsGroup field in the Pod security context
DefaultFsGroup int64 = DefaultRunAsGroup
// DefaultFSGroupChangePolicy is the default value for the fsGroup field in the Pod security context
DefaultFSGroupChangePolicy = corev1.FSGroupChangeOnRootMismatch

ConfigKeyCoherenceSecurityContext = "coherenceSecurityContext"
ConfigKeyCoherenceSecurityContextEnabled = "enabled"
ConfigKeyCoherenceSecurityContextRunAsUser = "runAsUser"
ConfigKeyCoherenceSecurityContextRunAsGroup = "runAsGroup"
ConfigKeyCoherenceSecurityContextRunAsNonRoot = "runAsNonRoot"
ConfigKeyCoherenceSecurityContextFsGroup = "fsGroup"
ConfigKeyCoherenceSecurityContextFSGroupChangePolicy = "fSGroupChangePolicy"

DefaultMutatingWebhookName = "coherence-operator-mutating-webhook-configuration"
DefaultValidatingWebhookName = "coherence-operator-validating-webhook-configuration"

Expand Down Expand Up @@ -641,46 +621,3 @@ func RemoveFromUInt16Array(arr []uint16, toRemove uint16) []uint16 {
}
return arr
}

// DefaultSecurityContext returns the default Pod security context that the Operator will apply
// to Coherence pods. The values used can be overridden using command line args.
func DefaultSecurityContext() *corev1.PodSecurityContext {
v := GetViper()

m := v.GetStringMap(ConfigKeyCoherenceSecurityContext)
if m == nil {
m = make(map[string]interface{})
}

enabled, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextEnabled)]
if found && enabled == false {
return nil
}

sc := &corev1.PodSecurityContext{}

if v.IsSet(ConfigKeyCoherenceSecurityContext) {
err := v.UnmarshalKey(ConfigKeyCoherenceSecurityContext, sc)
if err != nil {
setupLog.Error(err, "unable to unmarshal coherenceSecurityContext from Operator config file")
}
}

if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsUser)]; !found {
sc.RunAsUser = ptr.To(DefaultRunAsUser)
}
if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsGroup)]; !found {
sc.RunAsGroup = ptr.To(DefaultRunAsGroup)
}
if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextRunAsNonRoot)]; !found {
sc.RunAsNonRoot = ptr.To(DefaultRunAsNonRoot)
}
if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextFsGroup)]; !found {
sc.FSGroup = ptr.To(DefaultFsGroup)
}
if _, found := m[strings.ToLower(ConfigKeyCoherenceSecurityContextFSGroupChangePolicy)]; !found {
sc.FSGroupChangePolicy = ptr.To(DefaultFSGroupChangePolicy)
}

return sc
}
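Review bot: Removing `DefaultSecurityContext` and the `ConfigKeyCoherenceSecurityContext*` keys means an existing `coherence-operator` ConfigMap that still carries a `coherenceSecurityContext:` section is now silently ignored, and an administrator who relied on it to pin `runAsNonRoot`/`runAsUser` will not learn that their Pods lost those settings until they inspect them. A one-time warning at startup would make the migration visible, e.g. `if GetViper().IsSet("coherenceSecurityContext") { setupLog.Info("the coherenceSecurityContext configuration key is no longer supported and is ignored; set securityContext on each Coherence resource instead") }`, where `"coherenceSecurityContext"` is the value the deleted constant held. Where that check lives is outside this hunk, which only shows the tail of RemoveFromUInt16Array and the deleted function.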
3 changes: 0 additions & 3 deletions pkg/runner/TestOperatorWithDefaultSecurityContextFsGroup.yaml

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.
