From fee17ee4e3790a187be4028ee03c1bdb4656644a Mon Sep 17 00:00:00 2001
From: Jeff Mesnil
Date: Tue, 11 Apr 2023 16:15:09 +0200
Subject: [PATCH] [#266] Updated Pod security standards

* Revert the default security context

Signed-off-by: Jeff Mesnil
---
 api/v1alpha1/wildflyserver_types.go | 2 --
 .../crd/bases/wildfly.org_wildflyservers.yaml | 3 ++-
 go.sum | 2 --
 pkg/resources/statefulsets/statefulset.go | 21 -------------------
 4 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/api/v1alpha1/wildflyserver_types.go b/api/v1alpha1/wildflyserver_types.go
index 277cc387..c4745004 100644
--- a/api/v1alpha1/wildflyserver_types.go
+++ b/api/v1alpha1/wildflyserver_types.go
@@ -68,8 +68,6 @@ type WildFlyServerSpec struct {
 // More info: https://pkg.go.dev/k8s.io/api@v0.18.14/core/v1#ResourceRequirements
 Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
 // SecurityContext defines the security capabilities required to run the application.
- // If omitted, a default security context is created which runs with a non-root "jboss (185)" user without priviledges
- // escalation and all security capabilities dropped.
 SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 
diff --git a/config/crd/bases/wildfly.org_wildflyservers.yaml b/config/crd/bases/wildfly.org_wildflyservers.yaml
index 17cd09bf..35882dfb 100644
--- a/config/crd/bases/wildfly.org_wildflyservers.yaml
+++ b/config/crd/bases/wildfly.org_wildflyservers.yaml
@@ -251,7 +251,8 @@ spec:
 type: array
 x-kubernetes-list-type: set
 securityContext:
- description: SecurityContext
+ description: SecurityContext defines the security capabilities required
+ to run the application.
 properties:
 allowPrivilegeEscalation:
 description: 'AllowPrivilegeEscalation controls whether a process
diff --git a/go.sum b/go.sum
index a5f77821..9bab4bea 100644
--- a/go.sum
+++ b/go.sum
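Review bot: After dropping the two doc lines, the SecurityContext field no longer tells users what happens when it is omitted, and the statefulset.go hunk in this same patch shows the answer: the operator then leaves the container's SecurityContext unset, so any hardening comes only from this field or from cluster-level policy. That is the consequence a user reading the CRD needs, and presumably a cluster enforcing a restricted Pod Security Standard would reject such a pod unless the field is set, so state it explicitly: `// If omitted, the operator sets no security context on the container; hardening must then come from this field or from cluster-level policy.` The CRD description in the following hunk is generated from this comment, so it needs regenerating once the wording changes. The WildFlyServerSpec struct begins outside the hunk.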
@@ -696,7 +696,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1090,7 +1089,6 @@ k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
-k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c h1:GohjlNKauSai7gN4wsJkeZ3WAJx4Sh+oT/b5IYn5suA=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
diff --git a/pkg/resources/statefulsets/statefulset.go b/pkg/resources/statefulsets/statefulset.go
index 80aec472..a8acf8d5 100644
--- a/pkg/resources/statefulsets/statefulset.go
+++ b/pkg/resources/statefulsets/statefulset.go
@@ -56,15 +56,6 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
 wildflyImageTypeAnnotation = resources.ImageTypeBootable
 }
 
- allowPrivilegeEscalation := new(bool)
- *allowPrivilegeEscalation = false
-
- runAsNonRoot := new(bool)
- *runAsNonRoot = true
-
- jbossUser := new(int64)
- *jbossUser = 185
-
 statefulSet := &appsv1.StatefulSet{
 TypeMeta: metav1.TypeMeta{
 APIVersion: "apps/v1",
@@ -133,18 +124,6 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
 // if the user specified the securityContext directive propagate it to the container (required for HPA).
 if w.Spec.SecurityContext != nil {
 statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = *&w.Spec.SecurityContext
- } else {
- // otherwise, use a default security context without any security priviledges
- statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
- AllowPrivilegeEscalation: allowPrivilegeEscalation,
- Capabilities: &corev1.Capabilities{
- Drop: []corev1.Capability{
- "ALL",
- },
- },
- RunAsNonRoot: runAsNonRoot,
- RunAsUser: jbossUser,
- }
 }
 
 if len(w.Spec.EnvFrom) > 0 {
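Review bot: With the else branch removed in the second hunk, a nil w.Spec.SecurityContext now silently yields a container with no SecurityContext at all, and the surviving comment above the nil check says nothing about it; because this reverts a hardening default (non-root user, no privilege escalation, all capabilities dropped), that consequence should be recorded at the decision point, e.g. `// when unset, no default is applied: the container runs with the cluster's and runtime's defaults (#266).` The kept assignment also reads `*&w.Spec.SecurityContext`, an address-then-dereference that is a no-op; `statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = w.Spec.SecurityContext` is equivalent and easier to read. The first hunk of this file only drops the locals the removed branch used, so it raises nothing on its own. NewStatefulSet begins and ends outside both hunks.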