application-stacks · kabicin · Oct 3, 2023 · Oct 3, 2023 · Oct 4, 2023 · Oct 5, 2023
diff --git a/api/v1/runtimecomponent_types.go b/api/v1/runtimecomponent_types.go
@@ -143,9 +143,9 @@ type RuntimeComponentSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:order=24,type=spec,displayName="Affinity"
 	Affinity *RuntimeComponentAffinity `json:"affinity,omitempty"`
 
-	// Security context for the application container.
+	// Security context for the application pod and container.
 	// +operator-sdk:csv:customresourcedefinitions:order=25,type=spec,displayName="Security Context"
-	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
+	SecurityContext *RuntimeComponentSecurityContext `json:"securityContext,omitempty"`
 
 	// +operator-sdk:csv:customresourcedefinitions:order=26,type=spec,displayName="Topology Spread Constraints"
 	TopologySpreadConstraints *RuntimeComponentTopologySpreadConstraints `json:"topologySpreadConstraints,omitempty"`
@@ -162,6 +162,11 @@ type RuntimeComponentTopologySpreadConstraints struct {
 	DisableOperatorDefaults *bool `json:"disableOperatorDefaults,omitempty"`
 }
 
+// Define the security context object for the application pod and container
+type RuntimeComponentSecurityContext struct {
+	common.AppSecurityContext `json:",omitempty"`
+}
+
 // Defines the service account
 type RuntimeComponentServiceAccount struct {
 	// Whether the Service Account token should be mounted into the application pods. Defaults to true.
@@ -926,8 +931,22 @@ func (a *RuntimeComponentAffinity) GetNodeAffinityLabels() map[string]string {
 	return a.NodeAffinityLabels
 }
 
+func (sc *RuntimeComponentSecurityContext) GetContainerSecurityContext() *corev1.SecurityContext {
+	if sc == nil {
+		return nil
+	}
+	return common.GetSecurityContext(&sc.AppSecurityContext)
+}
+
+func (sc *RuntimeComponentSecurityContext) PatchPodSecurityContext(podSecurityContext *corev1.PodSecurityContext) *corev1.PodSecurityContext {
+	if sc == nil {
+		return podSecurityContext
+	}
+	return common.PatchPodSecurityContext(&sc.AppSecurityContext, podSecurityContext)
+}
+
 // GetSecurityContext returns container security context
-func (cr *RuntimeComponent) GetSecurityContext() *corev1.SecurityContext {
+func (cr *RuntimeComponent) GetSecurityContext() common.BaseComponentSecurityContext {
 	return cr.Spec.SecurityContext
 }
 

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/rc.app.stacks_runtimecomponents.yaml b/bundle/manifests/rc.app.stacks_runtimecomponents.yaml
@@ -3523,7 +3523,7 @@ spec:
                     type: string
                 type: object
               securityContext:
-                description: Security context for the application container.
+                description: Security context for the application pod and container.
                 properties:
                   allowPrivilegeEscalation:
                     description: 'AllowPrivilegeEscalation controls whether a process
@@ -3552,6 +3552,28 @@ spec:
                           type: string
                         type: array
                     type: object
+                  fsGroup:
+                    description: "A special supplemental group that applies to all
+                      containers in a pod. Some volume types allow the Kubelet to
+                      change the ownership of that volume to be owned by the pod:
+                      \n 1. The owning GID will be the FSGroup 2. The setgid bit is
+                      set (new files created in the volume will be owned by FSGroup)
+                      3. The permission bits are OR'd with rw-rw---- \n If unset,
+                      the Kubelet will not modify the ownership and permissions of
+                      any volume. Note that this field cannot be set when spec.os.name
+                      is windows."
+                    format: int64
+                    type: integer
+                  fsGroupChangePolicy:
+                    description: 'fsGroupChangePolicy defines behavior of changing
+                      ownership and permission of the volume before being exposed
+                      inside Pod. This field will only apply to volume types which
+                      support fsGroup based ownership(and permissions). It will have
+                      no effect on ephemeral volume types such as: secret, configmaps
+                      and emptydir. Valid values are "OnRootMismatch" and "Always".
+                      If not specified, "Always" is used. Note that this field cannot
+                      be set when spec.os.name is windows.'
+                    type: string
                   privileged:
                     description: Run container in privileged mode. Processes in privileged
                       containers are essentially equivalent to root on the host. Defaults
@@ -3644,6 +3666,34 @@ spec:
                     required:
                     - type
                     type: object
+                  supplementalGroups:
+                    description: A list of groups applied to the first process run
+                      in each container, in addition to the container's primary GID.  If
+                      unspecified, no groups will be added to any container. Note
+                      that this field cannot be set when spec.os.name is windows.
+                    items:
+                      format: int64
+                      type: integer
+                    type: array
+                  sysctls:
+                    description: Sysctls hold a list of namespaced sysctls used for
+                      the pod. Pods with unsupported sysctls (by the container runtime)
+                      might fail to launch. Note that this field cannot be set when
+                      spec.os.name is windows.
+                    items:
+                      description: Sysctl defines a kernel parameter to be set
+                      properties:
+                        name:
+                          description: Name of a property to set
+                          type: string
+                        value:
+                          description: Value of a property to set
+                          type: string
+                      required:
+                      - name
+                      - value
+                      type: object
+                    type: array
                   windowsOptions:
                     description: The Windows specific settings applied to all containers.
                       If unspecified, the options from the PodSecurityContext will

diff --git a/bundle/manifests/runtime-component.clusterserviceversion.yaml b/bundle/manifests/runtime-component.clusterserviceversion.yaml
@@ -342,7 +342,7 @@ spec:
         path: affinity
       - displayName: Storage
         path: statefulSet.storage
-      - description: Security context for the application container.
+      - description: Security context for the application pod and container.
         displayName: Security Context
         path: securityContext
       - description: A convenient field to set the size of the persisted storage.

diff --git a/common/common.go b/common/common.go
@@ -59,3 +59,36 @@ func GetDefaultMicroProfileLivenessProbe(ba BaseComponent) *corev1.Probe {
 func GetComponentNameLabel(ba BaseComponent) string {
 	return ba.GetGroupName() + "/name"
 }
+
+func GetSecurityContext(asc *AppSecurityContext) *corev1.SecurityContext {
+	if asc == nil {
+		return nil
+	}
+	sc := asc.SecurityContext
+	securityContext := &corev1.SecurityContext{}
+	sc.DeepCopyInto(securityContext)
+	return securityContext
+}
+
+func PatchPodSecurityContext(asc *AppSecurityContext, podSecurityContext *corev1.PodSecurityContext) *corev1.PodSecurityContext {
+	if asc == nil {
+		return podSecurityContext
+	}
+	if podSecurityContext == nil {
+		podSecurityContext = &corev1.PodSecurityContext{}
+	}
+	sc := asc.IsolatedPodSecurityContext
+	if len(sc.SupplementalGroups) > 0 {
+		podSecurityContext.SupplementalGroups = sc.SupplementalGroups
+	}
+	if sc.FSGroup != nil {
+		podSecurityContext.FSGroup = sc.FSGroup
+	}
+	if len(sc.Sysctls) > 0 {
+		podSecurityContext.Sysctls = sc.Sysctls
+	}
+	if sc.FSGroupChangePolicy != nil {
+		podSecurityContext.FSGroupChangePolicy = sc.FSGroupChangePolicy
+	}
+	return podSecurityContext
+}
diff --git a/common/types.go b/common/types.go
@@ -196,6 +196,55 @@ type BaseComponentTopologySpreadConstraints interface {
 	GetDisableOperatorDefaults() *bool
 }
 
+// Define PodSecurityContext without overlapping fields in SecurityContext
+// This struct is based upon the PodSecurityContext specification in https://github.com/kubernetes/api/blob/v0.24.2/core/v1/types.go
+// +kubebuilder:object:generate=true
+type IsolatedPodSecurityContext struct {
+	// A list of groups applied to the first process run in each container, in addition
+	// to the container's primary GID.  If unspecified, no groups will be added to
+	// any container.
+	// Note that this field cannot be set when spec.os.name is windows.
+	// +optional
+	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
+	// A special supplemental group that applies to all containers in a pod.
+	// Some volume types allow the Kubelet to change the ownership of that volume
+	// to be owned by the pod:
+	//
+	// 1. The owning GID will be the FSGroup
+	// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+	// 3. The permission bits are OR'd with rw-rw----
+	//
+	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
+	// Note that this field cannot be set when spec.os.name is windows.
+	// +optional
+	FSGroup *int64 `json:"fsGroup,omitempty"`
+	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+	// sysctls (by the container runtime) might fail to launch.
+	// Note that this field cannot be set when spec.os.name is windows.
+	// +optional
+	Sysctls []corev1.Sysctl `json:"sysctls,omitempty"`
+	// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+	// before being exposed inside Pod. This field will only apply to
+	// volume types which support fsGroup based ownership(and permissions).
+	// It will have no effect on ephemeral volume types such as: secret, configmaps
+	// and emptydir.
+	// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+	// Note that this field cannot be set when spec.os.name is windows.
+	// +optional
+	FSGroupChangePolicy *corev1.PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type AppSecurityContext struct {
+	IsolatedPodSecurityContext `json:",omitempty"`
+	corev1.SecurityContext     `json:",omitempty"`
+}
+
+type BaseComponentSecurityContext interface {
+	GetContainerSecurityContext() *corev1.SecurityContext
+	PatchPodSecurityContext(*corev1.PodSecurityContext) *corev1.PodSecurityContext
+}
+
 // BaseComponent represents basic kubernetes application
 type BaseComponent interface {
 	GetApplicationImage() string
@@ -229,6 +278,6 @@ type BaseComponent interface {
 	GetRoute() BaseComponentRoute
 	GetAffinity() BaseComponentAffinity
 	GetTopologySpreadConstraints() BaseComponentTopologySpreadConstraints
-	GetSecurityContext() *corev1.SecurityContext
+	GetSecurityContext() BaseComponentSecurityContext
 	GetManageTLS() *bool
 }
diff --git a/common/zz_generated.deepcopy.go b/common/zz_generated.deepcopy.go