From 05b932a739eb3d1674252ee04be90c803c5643b3 Mon Sep 17 00:00:00 2001
From: Tyler Phelan
Date: Thu, 4 Mar 2021 17:33:15 -0500
Subject: [PATCH 1/2] Configure the pod security context to match the builder config user and group

- This explicitly sets the user:group to run as for each container as well as the volume groups
- This is useful for when MustRunAs is set in a pod security policy
---
 pkg/apis/build/v1alpha1/build_pod.go      | 14 ++++++--------
 pkg/apis/build/v1alpha1/build_pod_test.go |  6 +++---
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/pkg/apis/build/v1alpha1/build_pod.go b/pkg/apis/build/v1alpha1/build_pod.go
index d186d64fd..54afb80f4 100644
--- a/pkg/apis/build/v1alpha1/build_pod.go
+++ b/pkg/apis/build/v1alpha1/build_pod.go
@@ -214,11 +214,7 @@ func (b *Build) BuildPod(images BuildPodImages, secrets []corev1.Secret, taints
 			corev1.Container{
 				Name:  "prepare",
 				Image: images.buildInit(config.OS),
-				SecurityContext: &corev1.SecurityContext{
-					RunAsUser:  &config.Uid,
-					RunAsGroup: &config.Gid,
-				},
-				Args: secretArgs,
+				Args:  secretArgs,
 				Env: append(
 					b.Spec.Source.Source().BuildEnvVars(),
 					corev1.EnvVar{
@@ -476,7 +472,9 @@ func podSecurityContext(config BuildPodBuilderConfig) *corev1.PodSecurityContext
 	}
 
 	return &corev1.PodSecurityContext{
-		FSGroup: &config.Gid,
+		FSGroup:    &config.Gid,
+		RunAsUser:  &config.Uid,
+		RunAsGroup: &config.Gid,
 	}
 }
 
@@ -550,7 +548,7 @@ func (b *Build) notarySecretVolume() corev1.Volume {
 	}
 }
 
-func (b *Build) rebasePod(secrets []corev1.Secret, images BuildPodImages, buildPodBuilderConfig BuildPodBuilderConfig) (*corev1.Pod, error) {
+func (b *Build) rebasePod(secrets []corev1.Secret, images BuildPodImages, config BuildPodBuilderConfig) (*corev1.Pod, error) {
 	secretVolumes, secretVolumeMounts, secretArgs := b.setupSecretVolumesAndArgs(secrets, dockerSecrets)
 
 	return &corev1.Pod{
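Review bot: podSecurityContext has no doc comment, and after this hunk it is the single place that fixes the uid/gid for every container in the build pod (the prepare container's own SecurityContext goes away in the first hunk), so the contract belongs above the function; the early return just above the hunk (its condition is outside the hunk) should be named in it as well. Suggested: `// podSecurityContext returns the pod-level security context for a build pod: the builder's uid/gid become RunAsUser/RunAsGroup for every container and the gid becomes the FSGroup of mounted volumes, which is what a PodSecurityPolicy with MustRunAs checks.` Keep in mind that a container-level SecurityContext still takes precedence over these pod-level values, so any step that later sets one silently opts out of them. If the builder is meant to be unprivileged, setting `RunAsNonRoot` next to these fields (for example `nonRoot := config.Uid != 0` and `RunAsNonRoot: &nonRoot`) would make the kubelet itself refuse a uid of 0 rather than relying on the cluster policy.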
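Review bot: The rebasePod hunk only renames the parameter to `config`; nothing in the visible hunks sets `SecurityContext: podSecurityContext(config)` on the rebase pod's spec, and the body of rebasePod continues outside the hunk. If the rebase pod already sets it elsewhere this is fine, but if it does not, the MustRunAs policy named in the commit message would still reject rebase pods while builds pass. Worth confirming, and covering with the same RunAsUser/RunAsGroup assertions the test file adds for BuildPod.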
@@ -617,7 +615,7 @@ func (b *Build) rebasePod(secrets []corev1.Secret, images BuildPodImages, buildP
 			Image: images.RebaseImage,
 			Args: args(a(
 				"--run-image",
-				buildPodBuilderConfig.RunImage,
+				config.RunImage,
 				"--last-built-image",
 				b.Spec.LastBuild.Image,
 				"--report",
diff --git a/pkg/apis/build/v1alpha1/build_pod_test.go b/pkg/apis/build/v1alpha1/build_pod_test.go
index 9f0a3d405..4646d0258 100644
--- a/pkg/apis/build/v1alpha1/build_pod_test.go
+++ b/pkg/apis/build/v1alpha1/build_pod_test.go
@@ -214,10 +214,12 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 			assert.Equal(t, map[string]string{"kubernetes.io/os": "linux"}, pod.Spec.NodeSelector)
 		})
 
-		it("configures the FS Mount Group with the supplied group", func() {
+		it("configures the pod security context to match the builder config user and group", func() {
 			pod, err := build.BuildPod(config, secrets, nil, buildPodBuilderConfig)
 			require.NoError(t, err)
 
+			assert.Equal(t, buildPodBuilderConfig.Uid, *pod.Spec.SecurityContext.RunAsUser)
+			assert.Equal(t, buildPodBuilderConfig.Gid, *pod.Spec.SecurityContext.RunAsGroup)
 			assert.Equal(t, buildPodBuilderConfig.Gid, *pod.Spec.SecurityContext.FSGroup)
 		})
 
@@ -360,8 +362,6 @@ func testBuildPod(t *testing.T, when spec.G, it spec.S) {
 
 			assert.Equal(t, pod.Spec.InitContainers[0].Name, "prepare")
 			assert.Equal(t, pod.Spec.InitContainers[0].Image, config.BuildInitImage)
-			assert.Equal(t, buildPodBuilderConfig.Uid, *pod.Spec.InitContainers[0].SecurityContext.RunAsUser)
-			assert.Equal(t, buildPodBuilderConfig.Gid, *pod.Spec.InitContainers[0].SecurityContext.RunAsGroup)
 
 			assert.Contains(t, pod.Spec.InitContainers[0].Env, corev1.EnvVar{
 				Name: "PLATFORM_ENV_VARS",

From ba2be359e950b6f5495708026b989535983ccc08 Mon Sep 17 00:00:00 2001
From: Tyler Phelan
Date: Fri, 5 Mar 2021 15:10:55 -0500
Subject: [PATCH 2/2] remove unneeded removeSecurityContext

---
 pkg/apis/build/v1alpha1/build_pod.go | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

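Review bot: The two container-level assertions in the last hunk are removed but nothing replaces them, so the test no longer pins that the prepare init container has no SecurityContext of its own; because a container-level context overrides the pod-level one, a reintroduced per-container value would silently bypass the uid/gid that the earlier test hunk now checks. Add `assert.Nil(t, pod.Spec.InitContainers[0].SecurityContext)` where the two lines were removed. The enclosing `it` block starts and ends outside the hunk.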
diff --git a/pkg/apis/build/v1alpha1/build_pod.go b/pkg/apis/build/v1alpha1/build_pod.go
index 54afb80f4..b0504b3bd 100644
--- a/pkg/apis/build/v1alpha1/build_pod.go
+++ b/pkg/apis/build/v1alpha1/build_pod.go
@@ -250,7 +250,7 @@ func (b *Build) BuildPod(images BuildPodImages, secrets []corev1.Secret, taints
 					projectMetadataVolume,
 				),
 			},
-			ifWindows(config.OS, addNetworkWaitLauncherVolume(), removeSecurityContext())...,
+			ifWindows(config.OS, addNetworkWaitLauncherVolume())...,
 		)
 		step(
 			corev1.Container{
@@ -515,13 +515,6 @@ func userprofileHomeEnv() stepModifier {
 	}
 }
 
-func removeSecurityContext() stepModifier {
-	return func(container corev1.Container) corev1.Container {
-		container.SecurityContext = nil
-		return container
-	}
-}
-
 func noOpModifer(container corev1.Container) corev1.Container {
 	return container
 }
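Review bot: Dropping `removeSecurityContext()` from the Windows modifiers of this step is safe only because the preceding patch removed the container-level SecurityContext from the prepare container, and that reasoning is not visible at the call site; a one-line comment would keep the next reader from re-adding it: `// prepare sets no container-level SecurityContext; uid/gid come from pod.Spec.SecurityContext`. Since the helper is deleted in the next hunk rather than kept, any other step in BuildPod that still sets a container-level SecurityContext would now carry it on Windows as well — the remaining step(...) calls are outside the hunk, so worth a quick check.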