Add support for podSecurityContext

Fixes: open-telemetry#468

api/collector/v1alpha1/opentelemetrycollector_types.go

@@ -66,6 +66,8 @@ type OpenTelemetryCollectorSpec struct {
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 	SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"`
 
+	PodSecurityContext *v1.PodSecurityContext `json:"podSecurityContext,omitempty"`
+
 	// HostNetwork indicates if the pod should run in the host networking namespace.
 	// +optional
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true

pkg/collector/daemonset.go

@@ -54,6 +54,7 @@ func DaemonSet(cfg config.Config, logger logr.Logger, otelcol v1alpha1.OpenTelem
 					Volumes:            Volumes(cfg, otelcol),
 					Tolerations:        otelcol.Spec.Tolerations,
 					HostNetwork:        otelcol.Spec.HostNetwork,
+					SecurityContext:    otelcol.Spec.PodSecurityContext,
 				},
 			},
 		},

pkg/collector/daemonset_test.go

@@ -18,6 +18,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/open-telemetry/opentelemetry-operator/api/collector/v1alpha1"
@@ -93,3 +94,30 @@ func TestDaemonsetPodAnnotations(t *testing.T) {
 	assert.Equal(t, "my-instance-collector", ds.Name)
 	assert.Equal(t, testPodAnnotationValues, ds.Spec.Template.Annotations)
 }
+
+func TestDaemonstPodSecurityContext(t *testing.T) {
+	runAsNonRoot := true
+	runAsUser := int64(1337)
+	runasGroup := int64(1338)
+
+	otelcol := v1alpha1.OpenTelemetryCollector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-instance",
+		},
+		Spec: v1alpha1.OpenTelemetryCollectorSpec{
+			PodSecurityContext: &v1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				RunAsGroup:   &runasGroup,
+			},
+		},
+	}
+
+	cfg := config.New()
+
+	d := DaemonSet(cfg, logger, otelcol)
+
+	assert.Equal(t, &runAsNonRoot, d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
+	assert.Equal(t, &runAsUser, d.Spec.Template.Spec.SecurityContext.RunAsUser)
+	assert.Equal(t, &runasGroup, d.Spec.Template.Spec.SecurityContext.RunAsGroup)
+}

pkg/collector/deployment.go

@@ -54,6 +54,7 @@ func Deployment(cfg config.Config, logger logr.Logger, otelcol v1alpha1.OpenTele
 					Containers:         []corev1.Container{Container(cfg, logger, otelcol)},
 					Volumes:            Volumes(cfg, otelcol),
 					Tolerations:        otelcol.Spec.Tolerations,
+					SecurityContext:    otelcol.Spec.PodSecurityContext,
 				},
 			},
 		},

pkg/collector/deployment_test.go

@@ -86,3 +86,30 @@ func TestDeploymentPodAnnotations(t *testing.T) {
 	assert.Equal(t, "my-instance-collector", d.Name)
 	assert.Equal(t, testPodAnnotationValues, d.Spec.Template.Annotations)
 }
+
+func TestDeploymenttPodSecurityContext(t *testing.T) {
+	runAsNonRoot := true
+	runAsUser := int64(1337)
+	runasGroup := int64(1338)
+
+	otelcol := v1alpha1.OpenTelemetryCollector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-instance",
+		},
+		Spec: v1alpha1.OpenTelemetryCollectorSpec{
+			PodSecurityContext: &v1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				RunAsGroup:   &runasGroup,
+			},
+		},
+	}
+
+	cfg := config.New()
+
+	d := Deployment(cfg, logger, otelcol)
+
+	assert.Equal(t, &runAsNonRoot, d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
+	assert.Equal(t, &runAsUser, d.Spec.Template.Spec.SecurityContext.RunAsUser)
+	assert.Equal(t, &runasGroup, d.Spec.Template.Spec.SecurityContext.RunAsGroup)
+}

pkg/collector/statefulset.go

@@ -54,6 +54,7 @@ func StatefulSet(cfg config.Config, logger logr.Logger, otelcol v1alpha1.OpenTel
 					Containers:         []corev1.Container{Container(cfg, logger, otelcol)},
 					Volumes:            Volumes(cfg, otelcol),
 					Tolerations:        otelcol.Spec.Tolerations,
+					SecurityContext:    otelcol.Spec.PodSecurityContext,
 				},
 			},
 			Replicas:             otelcol.Spec.Replicas,

pkg/collector/statefulset_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -144,3 +145,30 @@ func TestStatefulSetPodAnnotations(t *testing.T) {
 	assert.Equal(t, "my-instance-collector", ss.Name)
 	assert.Equal(t, testPodAnnotationValues, ss.Spec.Template.Annotations)
 }
+
+func TestStatefulSetPodSecurityContext(t *testing.T) {
+	runAsNonRoot := true
+	runAsUser := int64(1337)
+	runasGroup := int64(1338)
+
+	otelcol := v1alpha1.OpenTelemetryCollector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "my-instance",
+		},
+		Spec: v1alpha1.OpenTelemetryCollectorSpec{
+			PodSecurityContext: &v1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				RunAsGroup:   &runasGroup,
+			},
+		},
+	}
+
+	cfg := config.New()
+
+	d := StatefulSet(cfg, logger, otelcol)
+
+	assert.Equal(t, &runAsNonRoot, d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
+	assert.Equal(t, &runAsUser, d.Spec.Template.Spec.SecurityContext.RunAsUser)
+	assert.Equal(t, &runasGroup, d.Spec.Template.Spec.SecurityContext.RunAsGroup)
+}