From e42fc7c4c09d2639b10281c06fb9e4959c81df71 Mon Sep 17 00:00:00 2001
From: Niklas Treml
Date: Wed, 28 Feb 2024 13:36:50 +0100
Subject: [PATCH] fix: pass complete security context to pods
Signed-off-by: Niklas Treml
Signed-off-by: Szilard Parrag
---
 pkg/resources/fluentd/appconfigmap.go | 16 +++++-----------
 pkg/resources/fluentd/drainjob.go | 10 ++--------
 pkg/resources/fluentd/statefulset.go | 8 +-------
 3 files changed, 8 insertions(+), 26 deletions(-)
diff --git a/pkg/resources/fluentd/appconfigmap.go b/pkg/resources/fluentd/appconfigmap.go
index 1dac41421..c6189939f 100644
--- a/pkg/resources/fluentd/appconfigmap.go
+++ b/pkg/resources/fluentd/appconfigmap.go
@@ -262,17 +262,11 @@ func (r *Reconciler) newCheckPod(hashKey string, fluentdSpec v1beta1.FluentdSpec
 Tolerations: fluentdSpec.Tolerations,
 Affinity: fluentdSpec.Affinity,
 PriorityClassName: fluentdSpec.PodPriorityClassName,
- SecurityContext: &corev1.PodSecurityContext{
- RunAsNonRoot: fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
- FSGroup: fluentdSpec.Security.PodSecurityContext.FSGroup,
- RunAsUser: fluentdSpec.Security.PodSecurityContext.RunAsUser,
- RunAsGroup: fluentdSpec.Security.PodSecurityContext.RunAsGroup,
- SeccompProfile: fluentdSpec.Security.PodSecurityContext.SeccompProfile,
- },
- Volumes: volumes,
- ImagePullSecrets: fluentdSpec.Image.ImagePullSecrets,
- InitContainers: initContainer,
- Containers: container,
+ SecurityContext: fluentdSpec.Security.PodSecurityContext,
+ Volumes: volumes,
+ ImagePullSecrets: fluentdSpec.Image.ImagePullSecrets,
+ InitContainers: initContainer,
+ Containers: container,
 },
 }
 if fluentdSpec.ConfigCheckAnnotations != nil {
diff --git a/pkg/resources/fluentd/drainjob.go b/pkg/resources/fluentd/drainjob.go
index 7d7a29c7b..3b056f7e5 100644
--- a/pkg/resources/fluentd/drainjob.go
+++ b/pkg/resources/fluentd/drainjob.go
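Review bot: In newCheckPod the pod spec now holds the same pointer as `fluentdSpec.Security.PodSecurityContext`, so the generated pod aliases the Logging spec instead of carrying its own copy; the same applies to the `SecurityContext` lines in the drainjob.go and statefulset.go hunks. Anything that later mutates the built object (a merge or override step, not visible here) would then write into the spec as well. The removed code would have panicked on a nil `PodSecurityContext`, whereas the new line passes nil through and yields a pod with no pod-level security context, so this presumably relies on defaulting done elsewhere. I would write `SecurityContext: fluentdSpec.Security.PodSecurityContext.DeepCopy(),`, which is nil-safe and keeps the copy semantics of the old code. The function body starts and ends outside the hunk.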
@@ -65,14 +65,8 @@ func (r *Reconciler) drainerJobFor(pvc corev1.PersistentVolumeClaim, fluentdSpec
 Affinity: fluentdSpec.Affinity,
 TopologySpreadConstraints: fluentdSpec.TopologySpreadConstraints,
 PriorityClassName: fluentdSpec.PodPriorityClassName,
- SecurityContext: &corev1.PodSecurityContext{
- RunAsNonRoot: fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
- FSGroup: fluentdSpec.Security.PodSecurityContext.FSGroup,
- RunAsUser: fluentdSpec.Security.PodSecurityContext.RunAsUser,
- RunAsGroup: fluentdSpec.Security.PodSecurityContext.RunAsGroup,
- SeccompProfile: fluentdSpec.Security.PodSecurityContext.SeccompProfile,
- },
- RestartPolicy: corev1.RestartPolicyNever,
+ SecurityContext: fluentdSpec.Security.PodSecurityContext,
+ RestartPolicy: corev1.RestartPolicyNever,
 },
 },
 }
diff --git a/pkg/resources/fluentd/statefulset.go b/pkg/resources/fluentd/statefulset.go
index 85d842d50..2fc0d16f4 100644
--- a/pkg/resources/fluentd/statefulset.go
+++ b/pkg/resources/fluentd/statefulset.go
@@ -125,13 +125,7 @@ func (r *Reconciler) statefulsetSpec() *appsv1.StatefulSetSpec {
 PriorityClassName: r.fluentdSpec.PodPriorityClassName,
 DNSPolicy: r.fluentdSpec.DNSPolicy,
 DNSConfig: r.fluentdSpec.DNSConfig,
- SecurityContext: &corev1.PodSecurityContext{
- RunAsNonRoot: r.fluentdSpec.Security.PodSecurityContext.RunAsNonRoot,
- FSGroup: r.fluentdSpec.Security.PodSecurityContext.FSGroup,
- RunAsUser: r.fluentdSpec.Security.PodSecurityContext.RunAsUser,
- RunAsGroup: r.fluentdSpec.Security.PodSecurityContext.RunAsGroup,
- SeccompProfile: r.fluentdSpec.Security.PodSecurityContext.SeccompProfile,
- },
+ SecurityContext: r.fluentdSpec.Security.PodSecurityContext,
 },
 },
 ServiceName: r.Logging.QualifiedName(ServiceName + "-headless"),
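Review bot: Nothing in this patch pins the behaviour the fix is about: in the statefulset.go hunk (and the two others) fields outside the five that were copied before, such as `SupplementalGroups`, `FSGroupChangePolicy`, `SELinuxOptions` and `Sysctls`, now reach the pod, but the diffstat shows no test touching them. A test that sets one of those fields on the fluentd spec and asserts it on the result of `statefulsetSpec()` would keep a later refactor from reintroducing the drop. Because whatever a Logging resource author puts in this struct is now forwarded unfiltered, a short comment above the line would help, e.g. `// Forwarded whole: every PodSecurityContext field set on the Logging resource reaches the pod; admission policy is what constrains it.` The body of statefulsetSpec extends beyond the hunk.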