fix(core): Permissions on operator and builder pods for S2I compatibi…

…lity Ref apache#4476 * replase 1000 user by nonRoot option on builder pod * remove 0 (root) user for FS mounts on operator pod
gansheer · Jun 14, 2023 · 173a2eb · 173a2eb
1 parent 2aaedf9
commit 173a2eb
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 8 deletions.
diff --git a/pkg/controller/build/build_pod.go b/pkg/controller/build/build_pod.go
@@ -113,7 +113,7 @@ var (
 )
 
 func newBuildPod(ctx context.Context, c ctrl.Reader, build *v1.Build) (*corev1.Pod, error) {
-	var ugfid int64 = 1000
+	var nonRoot = true
 	pod := &corev1.Pod{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: corev1.SchemeGroupVersion.String(),
@@ -131,9 +131,7 @@ func newBuildPod(ctx context.Context, c ctrl.Reader, build *v1.Build) (*corev1.P
 			ServiceAccountName: platform.BuilderServiceAccount,
 			RestartPolicy:      corev1.RestartPolicyNever,
 			SecurityContext: &corev1.PodSecurityContext{
-				RunAsUser:  &ugfid,
-				RunAsGroup: &ugfid,
-				FSGroup:    &ugfid,
+				RunAsNonRoot: &nonRoot,
 			},
 		},
 	}

diff --git a/pkg/install/operator.go b/pkg/install/operator.go
@@ -205,10 +205,6 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 					fmt.Sprintf("--health-port=%d", cfg.Health.Port))
 				d.Spec.Template.Spec.Containers[0].LivenessProbe.HTTPGet.Port = intstr.FromInt(int(cfg.Health.Port))
 			}
-			var ugfid int64 = 0
-			d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
-				FSGroup: &ugfid,
-			}
 		}
 
 		if cfg.Global {