Add support for podSecurityContext

Fixes: open-telemetry#468
ekarlso · Oct 24, 2021 · 763db45 · 763db45
1 parent a45ce3d
commit 763db45
Show file tree

Hide file tree

Showing 12 changed files with 1,387 additions and 1,164 deletions.
diff --git a/api/otelcol/v1alpha1/opentelemetrycollector_types.go b/api/otelcol/v1alpha1/opentelemetrycollector_types.go
@@ -66,6 +66,8 @@ type OpenTelemetryCollectorSpec struct {
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 	SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"`
 
+	PodSecurityContext *v1.PodSecurityContext `json:"podSecurityContext,omitempty"`
+
 	// HostNetwork indicates if the pod should run in the host networking namespace.
 	// +optional
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true

diff --git a/api/otelcol/v1alpha1/zz_generated.deepcopy.go b/api/otelcol/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/opentelemetry-operator.clusterserviceversion.yaml b/bundle/manifests/opentelemetry-operator.clusterserviceversion.yaml
@@ -21,7 +21,7 @@ metadata:
     containerImage: quay.io/opentelemetry/opentelemetry-operator
     createdAt: "2020-12-16T13:37:00+00:00"
     description: Provides the OpenTelemetry components, including the Collector
-    operators.operatorframework.io/builder: operator-sdk-v1.10.0+git
+    operators.operatorframework.io/builder: operator-sdk-v1.13.1
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
     repository: github.com/open-telemetry/opentelemetry-operator
     support: OpenTelemetry Community
@@ -304,7 +304,7 @@ spec:
     containerPort: 443
     deploymentName: opentelemetry-operator-controller-manager
     failurePolicy: Fail
-    generateName: vopentelemetrycollectorcreateupdate.kb.io
+    generateName: mopentelemetrycollector.kb.io
     rules:
     - apiGroups:
       - opentelemetry.io
@@ -317,35 +317,36 @@ spec:
       - opentelemetrycollectors
     sideEffects: None
     targetPort: 9443
-    type: ValidatingAdmissionWebhook
-    webhookPath: /validate-opentelemetry-io-v1alpha1-opentelemetrycollector
+    type: MutatingAdmissionWebhook
+    webhookPath: /mutate-opentelemetry-io-v1alpha1-opentelemetrycollector
   - admissionReviewVersions:
     - v1
     - v1beta1
     containerPort: 443
     deploymentName: opentelemetry-operator-controller-manager
     failurePolicy: Ignore
-    generateName: vopentelemetrycollectordelete.kb.io
+    generateName: mpod.kb.io
     rules:
     - apiGroups:
-      - opentelemetry.io
+      - ""
       apiVersions:
-      - v1alpha1
+      - v1
       operations:
-      - DELETE
+      - CREATE
+      - UPDATE
       resources:
-      - opentelemetrycollectors
+      - pods
     sideEffects: None
     targetPort: 9443
-    type: ValidatingAdmissionWebhook
-    webhookPath: /validate-opentelemetry-io-v1alpha1-opentelemetrycollector
+    type: MutatingAdmissionWebhook
+    webhookPath: /mutate-v1-pod
   - admissionReviewVersions:
     - v1
     - v1beta1
     containerPort: 443
     deploymentName: opentelemetry-operator-controller-manager
     failurePolicy: Fail
-    generateName: mopentelemetrycollector.kb.io
+    generateName: vopentelemetrycollectorcreateupdate.kb.io
     rules:
     - apiGroups:
       - opentelemetry.io
@@ -358,26 +359,25 @@ spec:
       - opentelemetrycollectors
     sideEffects: None
     targetPort: 9443
-    type: MutatingAdmissionWebhook
-    webhookPath: /mutate-opentelemetry-io-v1alpha1-opentelemetrycollector
+    type: ValidatingAdmissionWebhook
+    webhookPath: /validate-opentelemetry-io-v1alpha1-opentelemetrycollector
   - admissionReviewVersions:
     - v1
     - v1beta1
     containerPort: 443
     deploymentName: opentelemetry-operator-controller-manager
     failurePolicy: Ignore
-    generateName: mpod.kb.io
+    generateName: vopentelemetrycollectordelete.kb.io
     rules:
     - apiGroups:
-      - ""
+      - opentelemetry.io
       apiVersions:
-      - v1
+      - v1alpha1
       operations:
-      - CREATE
-      - UPDATE
+      - DELETE
       resources:
-      - pods
+      - opentelemetrycollectors
     sideEffects: None
     targetPort: 9443
-    type: MutatingAdmissionWebhook
-    webhookPath: /mutate-v1-pod
+    type: ValidatingAdmissionWebhook
+    webhookPath: /validate-opentelemetry-io-v1alpha1-opentelemetrycollector
diff --git a/bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml b/bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml
diff --git a/config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml b/config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -1,2 +1,8 @@
 resources:
 - manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: quay.io/opentelemetry/opentelemetry-operator
+  newTag: v0.37.0
diff --git a/pkg/collector/daemonset.go b/pkg/collector/daemonset.go
@@ -54,6 +54,7 @@ func DaemonSet(cfg config.Config, logger logr.Logger, otelcol v1alpha1.OpenTelem
 					Volumes:            Volumes(cfg, otelcol),
 					Tolerations:        otelcol.Spec.Tolerations,
 					HostNetwork:        otelcol.Spec.HostNetwork,
+					SecurityContext:    otelcol.Spec.PodSecurityContext,
 				},
 			},
 		},

diff --git a/pkg/collector/daemonset_test.go b/pkg/collector/daemonset_test.go
@@ -18,6 +18,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/open-telemetry/opentelemetry-operator/api/otelcol/v1alpha1"
@@ -93,3 +94,30 @@ func TestDaemonsetPodAnnotations(t *testing.T) {
 	assert.Equal(t, "my-instance-collector", ds.Name)
 	assert.Equal(t, testPodAnnotationValues, ds.Spec.Template.Annotations)
 }
+
+func TestDaemonstPodSecurityContext(t *testing.T) {
+	runAsNonRoot := true
+	runAsUser := int64(1337)
+	runasGroup := int64(1338)
+
+	otelcol := v1alpha1.OpenTelemetryCollector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-instance",
+		},
+		Spec: v1alpha1.OpenTelemetryCollectorSpec{
+			PodSecurityContext: &v1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				RunAsGroup:   &runasGroup,
+			},
+		},
+	}
+
+	cfg := config.New()
+
+	d := DaemonSet(cfg, logger, otelcol)
+
+	assert.Equal(t, &runAsNonRoot, d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
+	assert.Equal(t, &runAsUser, d.Spec.Template.Spec.SecurityContext.RunAsUser)
+	assert.Equal(t, &runasGroup, d.Spec.Template.Spec.SecurityContext.RunAsGroup)
+}
diff --git a/pkg/collector/deployment.go b/pkg/collector/deployment.go
@@ -54,6 +54,7 @@ func Deployment(cfg config.Config, logger logr.Logger, otelcol v1alpha1.OpenTele
 					Containers:         []corev1.Container{Container(cfg, logger, otelcol)},
 					Volumes:            Volumes(cfg, otelcol),
 					Tolerations:        otelcol.Spec.Tolerations,
+					SecurityContext:    otelcol.Spec.PodSecurityContext,
 				},
 			},
 		},

diff --git a/pkg/collector/deployment_test.go b/pkg/collector/deployment_test.go
@@ -86,3 +86,30 @@ func TestDeploymentPodAnnotations(t *testing.T) {
 	assert.Equal(t, "my-instance-collector", d.Name)
 	assert.Equal(t, testPodAnnotationValues, d.Spec.Template.Annotations)
 }
+
+func TestDeploymenttPodSecurityContext(t *testing.T) {
+	runAsNonRoot := true
+	runAsUser := int64(1337)
+	runasGroup := int64(1338)
+
+	otelcol := v1alpha1.OpenTelemetryCollector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-instance",
+		},
+		Spec: v1alpha1.OpenTelemetryCollectorSpec{
+			PodSecurityContext: &v1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				RunAsGroup:   &runasGroup,
+			},
+		},
+	}
+
+	cfg := config.New()
+
+	d := Deployment(cfg, logger, otelcol)
+
+	assert.Equal(t, &runAsNonRoot, d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
+	assert.Equal(t, &runAsUser, d.Spec.Template.Spec.SecurityContext.RunAsUser)
+	assert.Equal(t, &runasGroup, d.Spec.Template.Spec.SecurityContext.RunAsGroup)
+}
diff --git a/pkg/collector/statefulset.go b/pkg/collector/statefulset.go
@@ -54,6 +54,7 @@ func StatefulSet(cfg config.Config, logger logr.Logger, otelcol v1alpha1.OpenTel
 					Containers:         []corev1.Container{Container(cfg, logger, otelcol)},
 					Volumes:            Volumes(cfg, otelcol),
 					Tolerations:        otelcol.Spec.Tolerations,
+					SecurityContext:    otelcol.Spec.PodSecurityContext,
 				},
 			},
 			Replicas:             otelcol.Spec.Replicas,

diff --git a/pkg/collector/statefulset_test.go b/pkg/collector/statefulset_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -144,3 +145,30 @@ func TestStatefulSetPodAnnotations(t *testing.T) {
 	assert.Equal(t, "my-instance-collector", ss.Name)
 	assert.Equal(t, testPodAnnotationValues, ss.Spec.Template.Annotations)
 }
+
+func TestStatefulSetPodSecurityContext(t *testing.T) {
+	runAsNonRoot := true
+	runAsUser := int64(1337)
+	runasGroup := int64(1338)
+
+	otelcol := v1alpha1.OpenTelemetryCollector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-instance",
+		},
+		Spec: v1alpha1.OpenTelemetryCollectorSpec{
+			PodSecurityContext: &v1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				RunAsGroup:   &runasGroup,
+			},
+		},
+	}
+
+	cfg := config.New()
+
+	d := StatefulSet(cfg, logger, otelcol)
+
+	assert.Equal(t, &runAsNonRoot, d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
+	assert.Equal(t, &runAsUser, d.Spec.Template.Spec.SecurityContext.RunAsUser)
+	assert.Equal(t, &runasGroup, d.Spec.Template.Spec.SecurityContext.RunAsGroup)
+}