From 0298d1508a5aebcdab471f41cf0152601c23769a Mon Sep 17 00:00:00 2001
From: Michael Henriksen
Date: Thu, 25 Aug 2022 11:16:05 -0400
Subject: [PATCH] remove root worker pods

Signed-off-by: Michael Henriksen
---
 pkg/controller/clone-controller.go | 1 -
 pkg/controller/clone-controller_test.go | 6 ------
 pkg/controller/import-controller.go | 3 ---
 pkg/controller/import-controller_test.go | 4 ----
 pkg/controller/upload-controller.go | 6 +++---
 pkg/controller/upload-controller_test.go | 3 ---
 6 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/pkg/controller/clone-controller.go b/pkg/controller/clone-controller.go
index fd48baf1bd..b151dc4de1 100644
--- a/pkg/controller/clone-controller.go
+++ b/pkg/controller/clone-controller.go
@@ -593,7 +593,6 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image,
 },
 Spec: corev1.PodSpec{
 SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: &[]int64{0}[0],
 SELinuxOptions: &corev1.SELinuxOptions{
 User: "system_u",
 Role: "system_r",
diff --git a/pkg/controller/clone-controller_test.go b/pkg/controller/clone-controller_test.go
index b19a0cf4e4..fa489f742c 100644
--- a/pkg/controller/clone-controller_test.go
+++ b/pkg/controller/clone-controller_test.go
@@ -840,9 +840,6 @@ func createSourcePod(pvc *corev1.PersistentVolumeClaim, pvcUID string) *corev1.P
 },
 },
 Spec: corev1.PodSpec{
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: &[]int64{0}[0],
- },
 Containers: []corev1.Container{
 {
 Name: common.ClonerSourcePodName,
@@ -929,9 +926,6 @@ func createSourcePod(pvc *corev1.PersistentVolumeClaim, pvcUID string) *corev1.P
 Value: common.WriteBlockPath,
 },
 }
- pod.Spec.SecurityContext = &corev1.PodSecurityContext{
- RunAsUser: &[]int64{0}[0],
- }
 } else {
 pod.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
 {
diff --git a/pkg/controller/import-controller.go b/pkg/controller/import-controller.go
index 9e68805618..fafb90aa1d 100644
--- a/pkg/controller/import-controller.go
+++ b/pkg/controller/import-controller.go
@@ -1247,9 +1247,6 @@ func setImporterPodCommons(pod *corev1.Pod, podEnvVar *importPodEnvVar, pvc *cor
 if getVolumeMode(pvc) == corev1.PersistentVolumeBlock {
 pod.Spec.Containers[0].VolumeDevices = addVolumeDevices()
- pod.Spec.SecurityContext = &corev1.PodSecurityContext{
- RunAsUser: &[]int64{0}[0],
- }
 } else {
 pod.Spec.Containers[0].VolumeMounts = addImportVolumeMounts()
 }
diff --git a/pkg/controller/import-controller_test.go b/pkg/controller/import-controller_test.go
index 75a660eff4..f174d06ecb 100644
--- a/pkg/controller/import-controller_test.go
+++ b/pkg/controller/import-controller_test.go
@@ -785,7 +785,6 @@ var _ = Describe("Create Importer Pod", func() {
 if getVolumeMode(pvc) == corev1.PersistentVolumeBlock {
 Expect(pod.Spec.Containers[0].VolumeDevices[0].Name).To(Equal(DataVolName))
 Expect(pod.Spec.Containers[0].VolumeDevices[0].DevicePath).To(Equal(common.WriteBlockPath))
- Expect(pod.Spec.SecurityContext.RunAsUser).To(Equal(&[]int64{0}[0]))
 if scratchPvcName != nil {
 By("Verifying scratch space is set if available")
 Expect(len(pod.Spec.Containers[0].VolumeMounts)).To(Equal(1))
@@ -1299,9 +1298,6 @@ func createImporterTestPod(pvc *corev1.PersistentVolumeClaim, dvname string, scr
 pod.Spec.Containers[0].Env = env
 if volumeMode == corev1.PersistentVolumeBlock {
 pod.Spec.Containers[0].VolumeDevices = addVolumeDevices()
- pod.Spec.SecurityContext = &corev1.PodSecurityContext{
- RunAsUser: &[]int64{0}[0],
- }
 } else {
 pod.Spec.Containers[0].VolumeMounts = addImportVolumeMounts()
 }
diff --git a/pkg/controller/upload-controller.go b/pkg/controller/upload-controller.go
index d96ea5490c..fc1346810c 100644
--- a/pkg/controller/upload-controller.go
+++ b/pkg/controller/upload-controller.go
@@ -739,9 +739,6 @@ func (r *UploadReconciler) makeUploadPodSpec(args UploadPodArgs, resourceRequire
 },
 },
 Spec: v1.PodSpec{
- SecurityContext: &v1.PodSecurityContext{
- RunAsUser: &[]int64{0}[0],
- },
 Containers: []v1.Container{
 {
 Name: common.UploadServerPodname,
@@ -843,6 +840,9 @@ func (r *UploadReconciler) makeUploadPodSpec(args UploadPodArgs, resourceRequire
 }
 if !checkPVC(args.PVC, AnnCloneRequest, r.log.WithValues("Name", args.PVC.Name, "Namspace", args.PVC.Namespace)) {
+ if pod.Spec.SecurityContext == nil {
+ pod.Spec.SecurityContext = &v1.PodSecurityContext{}
+ }
 pod.Spec.SecurityContext.FSGroup = &fsGroup
 }
diff --git a/pkg/controller/upload-controller_test.go b/pkg/controller/upload-controller_test.go
index c13fb960c1..448cdb8db3 100644
--- a/pkg/controller/upload-controller_test.go
+++ b/pkg/controller/upload-controller_test.go
@@ -680,9 +680,6 @@ func createUploadClonePod(pvc *corev1.PersistentVolumeClaim, clientName string)
 },
 },
 Spec: corev1.PodSpec{
- SecurityContext: &corev1.PodSecurityContext{
- RunAsUser: &[]int64{0}[0],
- },
 Containers: []corev1.Container{
 {
 Name: "cdi-upload-server",
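Review bot: In the second hunk of pkg/controller/upload-controller.go the pod security context is now created with only `FSGroup` set, so nothing in the spec prevents the upload server from running as UID 0; the effective user falls back to the image's USER or to whatever admission policy assigns. If the intent is that these worker pods never run as root, state it in the spec rather than relying on omission, e.g. `pod.Spec.SecurityContext.RunAsNonRoot = &[]bool{true}[0]`, applied outside the `!checkPVC(...)` branch (with the same nil guard) so the path where the PVC carries `AnnCloneRequest`, and `SecurityContext` stays nil, is covered too. The importer and clone-source specs in import-controller.go and clone-controller.go lose `RunAsUser: 0` the same way, and the test hunks only delete the old expectations without asserting the new non-root behaviour. makeUploadPodSpec begins and ends outside the hunk, so whether a container-level security context is set elsewhere is not visible here.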