From 2b1a40110247c14047c301ce46e5ece926dfb150 Mon Sep 17 00:00:00 2001 From: Husni Alhamdani Date: Wed, 8 Nov 2023 15:33:33 -0600 Subject: [PATCH 1/4] Add Pod securityContext for target allocator Signed-off-by: Husni Alhamdani
---
 .chloggen/fix-ta-pod-security-context.yaml | 16 +++ apis/v1alpha1/opentelemetrycollector_types.go | 4 + apis/v1alpha1/zz_generated.deepcopy.go | 5 + ...ntelemetry.io_opentelemetrycollectors.yaml | 128 ++++++++++++++++++ .../manifests/targetallocator/deployment.go | 1 + .../targetallocator/deployment_test.go | 56 ++++++++ .../targetallocator-features/00-assert.yaml | 2 + .../targetallocator-features/00-install.yaml | 1 + 8 files changed, 213 insertions(+) create mode 100755 .chloggen/fix-ta-pod-security-context.yaml
diff --git a/.chloggen/fix-ta-pod-security-context.yaml b/.chloggen/fix-ta-pod-security-context.yaml
new file mode 100755
index 0000000000..c186419b1e
--- /dev/null
+++ b/.chloggen/fix-ta-pod-security-context.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: breaking
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Use Pod securityContext for target allocator
+
+# One or more tracking issues related to the change
+issues: [2495]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: Bring back PodSecurityContext as it was removed in the previous changes.
diff --git a/apis/v1alpha1/opentelemetrycollector_types.go b/apis/v1alpha1/opentelemetrycollector_types.go
index c8f19daf5a..db894716e6 100644
--- a/apis/v1alpha1/opentelemetrycollector_types.go
+++ b/apis/v1alpha1/opentelemetrycollector_types.go
@@ -327,6 +327,10 @@ type OpenTelemetryTargetAllocator struct {
 // the targetallocator.
 // +optional
 SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"`
+ // PodSecurityContext configures the pod security context for the
+ // targetallocator.
+ // +optional
+ PodSecurityContext *v1.PodSecurityContext `json:"podSecurityContext,omitempty"`
 // TopologySpreadConstraints embedded kubernetes pod configuration option,
 // controls how pods are spread across your cluster among failure-domains
 // such as regions, zones, nodes, and other user-defined topology domains
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
index f04bcac833..62be78954c 100644
--- a/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/v1alpha1/zz_generated.deepcopy.go
@@ -979,6 +979,11 @@ func (in *OpenTelemetryTargetAllocator) DeepCopyInto(out *OpenTelemetryTargetAll
 *out = new(v1.SecurityContext)
 (*in).DeepCopyInto(*out)
 }
+ if in.PodSecurityContext != nil {
+ in, out := &in.PodSecurityContext, &out.PodSecurityContext
+ *out = new(v1.PodSecurityContext)
+ (*in).DeepCopyInto(*out)
+ }
 if in.TopologySpreadConstraints != nil {
 in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints
 *out = make([]v1.TopologySpreadConstraint, len(*in))
diff --git a/config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml b/config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
index 2153f723ee..cbb808876a 100644
--- a/config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
+++ b/config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
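Review bot: The doc comment on the new `PodSecurityContext` field should say which object it lands on and how it relates to the container-level `SecurityContext` field directly above it, since the two names are easy to confuse and the deployment.go hunk copies this field into the pod spec's `SecurityContext` unchanged (a nil value stays nil, so no pod-level context is emitted when the field is unset). The generated CRD text in this series already notes for runAsUser/runAsGroup that the value "May also be set in SecurityContext", and per the Kubernetes API semantics the container-level value takes precedence when both are set, which CR authors should be told here. Suggested replacement for the three comment lines: `// PodSecurityContext configures the pod-level security context (pod spec securityContext, e.g. fsGroup) of the` / `// target allocator Deployment; it is independent of the container-level SecurityContext above, whose fields take precedence when both are set.` / `// +optional`.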
@@ -5195,6 +5195,134 @@ spec: the eviction, i.e. even in the absence of the evicted pod. x-kubernetes-int-or-string: true type: object + podSecurityContext: + description: PodSecurityContext configures the pod security context + for the targetallocator. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1." + format: int64 + type: integer + fsGroupChangePolicy: + description: fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. 
Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID, the fsGroup (if specified), and group memberships defined + in the container image for th + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. + type: string + type: object + type: object prometheusCR: description: PrometheusCR defines the configuration for the retrieval of PrometheusOperator CRDs ( servicemonitor.monitoring.coreos.com/v1
diff --git a/internal/manifests/targetallocator/deployment.go b/internal/manifests/targetallocator/deployment.go
index 287d0a7cfe..c202c1443c 100644
--- a/internal/manifests/targetallocator/deployment.go
+++ b/internal/manifests/targetallocator/deployment.go
@@ -59,6 +59,7 @@ func Deployment(params manifests.Params) (*appsv1.Deployment, error) {
 Tolerations: params.OtelCol.Spec.TargetAllocator.Tolerations,
 TopologySpreadConstraints: params.OtelCol.Spec.TargetAllocator.TopologySpreadConstraints,
 Affinity: params.OtelCol.Spec.TargetAllocator.Affinity,
+ SecurityContext: params.OtelCol.Spec.TargetAllocator.PodSecurityContext,
 },
 },
 },
diff --git a/internal/manifests/targetallocator/deployment_test.go b/internal/manifests/targetallocator/deployment_test.go
index 9194aae78d..3bd1f81b82 100644
--- a/internal/manifests/targetallocator/deployment_test.go
+++ b/internal/manifests/targetallocator/deployment_test.go
@@ -67,6 +67,62 @@ var testAffinityValue = &v1.Affinity{
 },
 }
 
+var runAsUser int64 = 1000
+var runAsGroup int64 = 1000
+
+var testSecurityContextValue = &v1.PodSecurityContext{
+ RunAsUser: &runAsUser,
+ RunAsGroup: &runAsGroup,
+}
+
+func TestDeploymentSecurityContext(t *testing.T) {
+ // Test default
+ otelcol1 := v1alpha1.OpenTelemetryCollector{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-instance",
+ },
+ }
+
+ cfg := config.New()
+
+ params1 := manifests.Params{
+ OtelCol: otelcol1,
+ Config: cfg,
+ Log: logger,
+ }
+ d1, err := Deployment(params1)
+ if err != nil {
+ t.Fatal(err)
+ }
+ assert.Empty(t, d1.Spec.Template.Spec.SecurityContext)
+
+ // Test SecurityContext
+ otelcol2 := v1alpha1.OpenTelemetryCollector{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-instance-securitycontext",
+ },
+ Spec: v1alpha1.OpenTelemetryCollectorSpec{
+ TargetAllocator: v1alpha1.OpenTelemetryTargetAllocator{
+ PodSecurityContext: testSecurityContextValue,
+ },
+ },
+ }
+
+ cfg = config.New()
+
+ params2 := manifests.Params{
+ OtelCol: otelcol2,
+ Config: cfg,
+ Log: logger,
+ }
+
+ d2, err := Deployment(params2)
+ if err != nil {
+ t.Fatal(err)
+ }
+ assert.Equal(t, *testSecurityContextValue, *d2.Spec.Template.Spec.SecurityContext)
+}
+
 func TestDeploymentNewDefault(t *testing.T) {
 // prepare
 otelcol := collectorInstance()
diff --git a/tests/e2e/targetallocator-features/00-assert.yaml b/tests/e2e/targetallocator-features/00-assert.yaml
index 3ea88ac8c6..e3449c9f5f 100644
--- a/tests/e2e/targetallocator-features/00-assert.yaml
+++ b/tests/e2e/targetallocator-features/00-assert.yaml
@@ -56,6 +56,8 @@ spec:
 operator: In
 values:
 - "true"
+ securityContext:
+ runAsUser: 1000
 containers:
 - name: ta-container
 args:
diff --git a/tests/e2e/targetallocator-features/00-install.yaml b/tests/e2e/targetallocator-features/00-install.yaml
index d55a5a2d6d..072c8c4fe7 100644
--- a/tests/e2e/targetallocator-features/00-install.yaml
+++ b/tests/e2e/targetallocator-features/00-install.yaml
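Review bot: `assert.Equal(t, *testSecurityContextValue, *d2.Spec.Template.Spec.SecurityContext)` dereferences the pod-level pointer without a nil check, so if the field ever stops being propagated the test panics instead of reporting a failed assertion; comparing the pointers, `assert.Equal(t, testSecurityContextValue, d2.Spec.Template.Spec.SecurityContext)`, gives a clean failure because testify's deep equality follows pointers. The comment `// Test SecurityContext` should read `// Test PodSecurityContext`, since the container-level field is not exercised here, and `assert.Nil` states the default-case expectation more precisely than `assert.Empty` on a pointer. The package-scoped `runAsUser`, `runAsGroup` and `testSecurityContextValue` are only used by this test, so declaring them inside TestDeploymentSecurityContext keeps these generic names from leaking into the whole test package.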
@@ -51,6 +51,7 @@ spec:
 securityContext:
 runAsUser: 1000
 runAsGroup: 3000
+ fsGroup: 3000
 privileged: true
 affinity:
 nodeAffinity:
From 9ad50fb2e9d617eca6bd75bf310e53527c302818 Mon Sep 17 00:00:00 2001 From: Husni Alhamdani Date: Wed, 10 Jan 2024 17:58:32 +0100 Subject: [PATCH 2/4] Add Pod securityContext for target allocator Signed-off-by: Husni Alhamdani
---
 .chloggen/fix-ta-pod-security-context.yaml | 2 +- tests/e2e/targetallocator-features/00-install.yaml | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.chloggen/fix-ta-pod-security-context.yaml b/.chloggen/fix-ta-pod-security-context.yaml
index c186419b1e..4e19535e26 100755
--- a/.chloggen/fix-ta-pod-security-context.yaml
+++ b/.chloggen/fix-ta-pod-security-context.yaml
@@ -1,5 +1,5 @@
 # One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
-change_type: breaking
+change_type: enhancement
 
 # The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action)
 component: target allocator
diff --git a/tests/e2e/targetallocator-features/00-install.yaml b/tests/e2e/targetallocator-features/00-install.yaml
index 072c8c4fe7..b859af8fac 100644
--- a/tests/e2e/targetallocator-features/00-install.yaml
+++ b/tests/e2e/targetallocator-features/00-install.yaml
@@ -51,8 +51,11 @@ spec:
 securityContext:
 runAsUser: 1000
 runAsGroup: 3000
- fsGroup: 3000
 privileged: true
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
From 4373d0a5c5ca9afcac52f386c6749884c9c39ee7 Mon Sep 17 00:00:00 2001 From: Husni Alhamdani Date: Wed, 10 Jan 2024 18:09:53 +0100 Subject: [PATCH 3/4] Add Pod securityContext for target allocator Signed-off-by: Husni Alhamdani
---
 ...ntelemetry.io_opentelemetrycollectors.yaml | 128 ++++++++++++++++++ 1 file changed, 128 insertions(+)
diff --git a/bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml b/bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml
index 9592e98c3b..0e5983e97f 100644
--- a/bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml
+++ b/bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml
@@ -5198,6 +5198,134 @@ spec: the eviction, i.e. even in the absence of the evicted pod. x-kubernetes-int-or-string: true type: object + podSecurityContext: + description: PodSecurityContext configures the pod security context + for the targetallocator. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1." + format: int64 + type: integer + fsGroupChangePolicy: + description: fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. 
Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID, the fsGroup (if specified), and group memberships defined + in the container image for th + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. + type: string + type: object + type: object prometheusCR: description: PrometheusCR defines the configuration for the retrieval of PrometheusOperator CRDs ( servicemonitor.monitoring.coreos.com/v1
From 3e50f2246234f29e84ef88193c03dba1557bf165 Mon Sep 17 00:00:00 2001 From: Husni Alhamdani Date: Wed, 10 Jan 2024 18:20:06 +0100 Subject: [PATCH 4/4] Add Pod securityContext for target allocator Signed-off-by: Husni Alhamdani
---
 tests/e2e/targetallocator-features/00-assert.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tests/e2e/targetallocator-features/00-assert.yaml b/tests/e2e/targetallocator-features/00-assert.yaml
index e3449c9f5f..1877956c5a 100644
--- a/tests/e2e/targetallocator-features/00-assert.yaml
+++ b/tests/e2e/targetallocator-features/00-assert.yaml
@@ -58,6 +58,8 @@ spec:
 - "true"
 securityContext:
 runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
 containers:
 - name: ta-container
 args: