feat: configure workspace security context for container builds

[AObuchow]

What does this PR do?

Configures the workspace.containerSecurityContext field of the Che-Operator-owned DWOC depending on the value of devEnvironments.disableContainerBuildCapabilities in the Che Cluster CR.

If devEnvironments.disableContainerBuildCapabilities is set to false, then the DWOC's workspace.containerSecurityContext is configured as follows:

containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    add:
    - SETGID
    - SETUID

If devEnvironments.disableContainerBuildCapabilities is set to true, then the DWOC's workspace.containerSecurityContext field is cleared.

Screenshot/screencast of this PR

n/a

What issues does this PR fix or reference?

eclipse-che/che#21770

How to test this PR?

Some extra automated tests were added for this PR.

In terms of manual testing, there are 2 relevant cases (the first one concerns the core functionality this PR adds, and the second one ensures that the appropriate SCC is used when testing Che on OpenShift):

Ensuring the Che-Operator-owned DWOC is correctly configured (Minikube)

1. Deploy an image of DevWorkspace-Operator that has the changes from this PR to your cluster. I have an image hosted at: quay.io/aobuchow/dwo-container-security-context.

# In the DevWorkspace-Operator repo:
export DWO_IMG=quay.io/aobuchow/dwo-container-security-context

minikube addons enable ingress && make install_cert_manager && make install

2. Build an image of Che-Operator using the changes from this PR. There is already one hosted at quay.io/aobuchow/che-operator:next
3. Deploy Che-Operator using the image from step 1: chectl server:deploy --installer operator -p minikube --che-operator-image=quay.io/aobuchow/che-operator:next
4. Ensure the Che-Operator-owned DWOC does not have the workspace.containerSecurityContext field by default.
   oc describe dwoc -n eclipse-che

apiVersion: controller.devfile.io/v1alpha1  
config:  
 workspace:  
kind: DevWorkspaceOperatorConfig  
metadata:  
 creationTimestamp: "2022-10-26T20:09:23Z"  
 generation: 2  
 name: devworkspace-config  
 namespace: eclipse-che  
(...)

5. Set devEnvironments.disableContainerBuildCapabilities to true the Che Cluster CR:
6. Ensure the Che-Operator-owned DWOC now has the workspace.containerSecurityContext field configured with the correct container security context:
   oc describe dwoc -n eclipse-che

 apiVersion: controller.devfile.io/v1alpha1  
 config:  
  workspace:  
+    containerSecurityContext:  
+      allowPrivilegeEscalation: false  
+      capabilities:  
+        add:  
+        - SETGID  
+        - SETUID  
 kind: DevWorkspaceOperatorConfig  
 metadata:  
  creationTimestamp: "2022-10-26T20:09:23Z"  
  generation: 2  
  name: devworkspace-config  
  namespace: eclipse-che  
(...)

7. Set devEnvironments.disableContainerBuildCapabilities to false the Che Cluster CR.
8. Ensure that the workspace.containerSecurityContext field has been cleared from the Che-Operator-owned DWOC:
   oc describe dwoc -n eclipse-che

apiVersion: controller.devfile.io/v1alpha1  
config:  
 workspace:  
kind: DevWorkspaceOperatorConfig  
metadata:  
 creationTimestamp: "2022-10-26T20:09:23Z"  
 generation: 2  
 name: devworkspace-config  
 namespace: eclipse-che  
(...)

Ensuring containers can be built on OpenShift with an SCC present that has higher priority than container-build

1. Install a version of DWO (with the changes from this PR) using OLM. The easiest way to do this is to oc apply -f apply the following catalogsource and then install DWO from OperatorHub:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: devworkspace-operator-catalog
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/aobuchow/devworkspace-operator-index:next
  publisher: Red Hat
  displayName: DevWorkspace Operator Catalog
  updateStrategy:
    registryPoll:
      interval: 5m

2. Deploy Che using the operator image built from the current PR:
   chectl server:deploy -p openshift --che-operator-image=quay.io/aobuchow/che-operator:next
3. Set devEnvironments.disableContainerBuildCapabilities to false the Che Cluster CR.
4. Follow the SCC related instructions from this PR though do not create the workspace that uses the controller.devfile.io/scc attribute yet. Note: For Step 3. Let the user creating the DevWorkspace use the container-build SCC requires you to have a user other than kube:admin on your cluster. I personally create other users with HTPasswd
5. Apply a higher priority SCC to the cluster
6. As a user that has access to the container-build SCC (other than kube:admin), create a workspace that uses the controller.devfile.io/scc attribute (Step 4 from the SCC PR)
7. Check the workspace deployment and ensure the openshift.io/scc: container-build annotation is set.

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Custom resource definition file is up to date
• OLM bundles are up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[openshift-ci]

Hi @AObuchow. Thanks for your PR.

I'm waiting for a eclipse-che member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov]

Codecov Report

Merging #1549 (70eeb4e) into main (21b652e) will increase coverage by 1.53%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1549      +/-   ##
==========================================
+ Coverage   59.02%   60.56%   +1.53%     
==========================================
  Files          74       73       -1     
  Lines        6418     6306     -112     
==========================================
+ Hits         3788     3819      +31     
+ Misses       2261     2147     -114     
+ Partials      369      340      -29     

Impacted Files	Coverage Δ
...eploy/dev-workspace-config/dev_workspace_config.go	90.74% <100.00%> (+0.54%)	⬆️
api/v2/checluster_types.go	30.43% <0.00%> (-1.39%)	⬇️
api/v2/checluster_webhook.go	0.00% <0.00%> (ø)
api/v2/zz_generated.deepcopy.go	0.00% <0.00%> (ø)
controllers/che/checluster_controller.go	0.00% <0.00%> (ø)
pkg/deploy/pluginregistry/openvsxurl_reconciler.go
controllers/usernamespace/namespacecache.go	81.35% <0.00%> (+1.72%)	⬆️
pkg/common/operator-defaults/defaults.go	20.61% <0.00%> (+3.30%)	⬆️
pkg/deploy/clusterrolebinding.go	86.84% <0.00%> (+4.34%)	⬆️
pkg/deploy/sync.go	68.25% <0.00%> (+4.61%)	⬆️
... and 3 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[AObuchow]

@tolusha Sorry about that, will fix failing tests

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AObuchow, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@AObuchow: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v11-devworkspace-happy-path	825d048	link	true	/test v11-devworkspace-happy-path

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-merge-robot]

@AObuchow: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tolusha]

closed in favor of #1576