From d27b512c7878884c3b0bb85540f9b9221b0424f9 Mon Sep 17 00:00:00 2001
From: Mario Macias
Date: Mon, 9 May 2022 15:41:41 +0200
Subject: [PATCH] NETOBSERV-308: fix vanilla kubernetes deployment
---
 Makefile | 2 ++
 config/rbac/role.yaml | 2 ++
 controllers/ebpf/agent_controller.go | 5 +++--
 controllers/flowcollector_controller.go | 2 +-
 controllers/flowcollector_controller_console_test.go | 6 +++---
 controllers/flowcollector_controller_ebpf_test.go | 2 ++
 controllers/flowcollector_controller_test.go | 11 ++++++-----
 go.mod | 1 +
 pkg/helper/testhelpers.go | 4 ----
 vendor/modules.txt | 1 +
 10 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/Makefile b/Makefile
index c750e05a0..a204b7cd5 100644
--- a/Makefile
+++ b/Makefile
@@ -63,11 +63,13 @@ GOBIN=$(shell go env GOBIN)
 endif
 # Image building tool (docker / podman)
+ifndef OCI_BIN
 ifeq (,$(shell which podman 2>/dev/null))
 OCI_BIN=docker
 else
 OCI_BIN=podman
 endif
+endif
 DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 620445721..c64a72f1f 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -137,6 +137,8 @@ rules:
 - create
 - delete
 - get
+ - list
+ - watch
 - apiGroups:
 - security.openshift.io
 resources:
diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go
index bfa24027e..31dd8e22d 100644
--- a/controllers/ebpf/agent_controller.go
+++ b/controllers/ebpf/agent_controller.go
@@ -13,6 +13,7 @@ import (
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/utils/pointer"
 "sigs.k8s.io/controller-runtime/pkg/log"
 flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1"
@@ -129,7 +130,6 @@ func (c *AgentController) desired(coll *flowsv1alpha1.FlowCollector) *v1.DaemonS
 if coll == nil || coll.Spec.Agent != flowsv1alpha1.AgentEBPF {
 return nil
 }
- trueVal := true
 version := helper.ExtractVersion(coll.Spec.EBPF.Image)
 return &v1.DaemonSet{
 ObjectMeta: metav1.ObjectMeta{
@@ -159,7 +159,8 @@ func (c *AgentController) desired(coll *flowsv1alpha1.FlowCollector) *v1.DaemonS
 Resources: coll.Spec.EBPF.Resources,
 // TODO: other parameters when NETOBSERV-201 is implemented
 SecurityContext: &corev1.SecurityContext{
- Privileged: &trueVal,
+ Privileged: pointer.Bool(true),
+ RunAsUser: pointer.Int64(0),
 },
 Env: c.envConfig(coll),
 }},
diff --git a/controllers/flowcollector_controller.go b/controllers/flowcollector_controller.go
index f08326401..7036a7c6c 100644
--- a/controllers/flowcollector_controller.go
+++ b/controllers/flowcollector_controller.go
@@ -52,7 +52,7 @@ func NewFlowCollectorReconciler(client client.Client, scheme *runtime.Scheme) *F
 //+kubebuilder:rbac:groups=apps,resources=deployments;daemonsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=namespaces;services;serviceaccounts;configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;create;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;create;delete;watch;list
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;create;delete;update;watch
 //+kubebuilder:rbac:groups=console.openshift.io,resources=consoleplugins,verbs=get;create;delete;update;patch;list
 //+kubebuilder:rbac:groups=operator.openshift.io,resources=consoles,verbs=get;update;list;update;watch
diff --git a/controllers/flowcollector_controller_console_test.go b/controllers/flowcollector_controller_console_test.go
index 9422e47ab..ca55b7e2e 100644
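Review bot: The `SecurityContext` literal in `desired` (controllers/ebpf/agent_controller.go, second hunk) now hard-codes both `Privileged: pointer.Bool(true)` and `RunAsUser: pointer.Int64(0)`, and nothing next to it says why root is required on top of privileged mode. Namespaces that enforce the Pod Security Standards `baseline` or `restricted` profile reject privileged containers, so on vanilla Kubernetes the DaemonSet will presumably only be admitted in a namespace that allows the `privileged` profile; that deployment requirement is worth recording at the field. I would add `// agent runs as root and privileged to load eBPF programs; the target namespace must admit privileged pods` above `SecurityContext:`, and track replacing `Privileged` with a minimal `Capabilities.Add` list as a follow-up. `desired` starts and ends outside this hunk, so any pod-level security context is not visible here.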
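Review bot: The widened marker in controllers/flowcollector_controller.go gives the operator `list` and `watch` on every ClusterRole in the cluster, and nothing next to it records why the reconciler needs that. It is presumably for the controller cache that backs reads of the ClusterRoles the operator creates; a plain comment above the marker, for example `// list/watch on clusterroles is required by the controller cache for operator-owned ClusterRoles`, would keep the grant auditable. The verb order also differs from the neighbouring markers, so `verbs=get;list;watch;create;delete` would keep the block uniform. The config/rbac/role.yaml hunk looks generated from this marker and needs no separate change.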
--- a/controllers/flowcollector_controller_console_test.go
+++ b/controllers/flowcollector_controller_console_test.go
@@ -11,10 +11,10 @@ import (
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/utils/pointer"
 flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1"
 . "github.com/netobserv/network-observability-operator/controllers/controllerstest"
- "github.com/netobserv/network-observability-operator/pkg/helper"
 )
 // Because the simulated Kube server doesn't manage automatic resource cleanup like an actual Kube would do,
@@ -78,7 +78,7 @@ func flowCollectorConsolePluginSpecs() {
 Image: "testimg:latest",
 Register: true,
 HPA: &flowsv1alpha1.FlowCollectorHPA{
- MinReplicas: helper.Int32Ptr(1),
+ MinReplicas: pointer.Int32(1),
 MaxReplicas: 1,
 Metrics: []ascv2.MetricSpec{{
 Type: ascv2.ResourceMetricSourceType,
@@ -86,7 +86,7 @@ func flowCollectorConsolePluginSpecs() {
 Name: v1.ResourceCPU,
 Target: ascv2.MetricTarget{
 Type: ascv2.UtilizationMetricType,
- AverageUtilization: helper.Int32Ptr(90),
+ AverageUtilization: pointer.Int32(90),
 },
 },
 }},
diff --git a/controllers/flowcollector_controller_ebpf_test.go b/controllers/flowcollector_controller_ebpf_test.go
index 0ee0173f8..b1e8052f5 100644
--- a/controllers/flowcollector_controller_ebpf_test.go
+++ b/controllers/flowcollector_controller_ebpf_test.go
@@ -81,6 +81,8 @@ func flowCollectorEBPFSpecs() {
 Expect(len(spec.Containers)).To(Equal(1))
 Expect(spec.Containers[0].SecurityContext.Privileged).To(Not(BeNil()))
 Expect(*spec.Containers[0].SecurityContext.Privileged).To(BeTrue())
+ Expect(spec.Containers[0].SecurityContext.RunAsUser).To(Not(BeNil()))
+ Expect(*spec.Containers[0].SecurityContext.RunAsUser).To(Equal(int64(0)))
 Expect(spec.Containers[0].Env).To(ContainElements(
 v1.EnvVar{Name: "CACHE_ACTIVE_TIMEOUT", Value: "15s"},
 v1.EnvVar{Name: "CACHE_MAX_FLOWS", Value: "100"},
diff --git a/controllers/flowcollector_controller_test.go b/controllers/flowcollector_controller_test.go
index 0f0456abd..ebfbb84a8 100644
--- a/controllers/flowcollector_controller_test.go
+++ b/controllers/flowcollector_controller_test.go
@@ -12,6 +12,7 @@ import (
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/utils/pointer"
 flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1"
 "github.com/netobserv/network-observability-operator/controllers/constants"
@@ -84,7 +85,7 @@ func flowCollectorControllerSpecs() {
 LogLevel: "error",
 Image: "testimg:latest",
 HPA: &flowsv1alpha1.FlowCollectorHPA{
- MinReplicas: helper.Int32Ptr(1),
+ MinReplicas: pointer.Int32(1),
 MaxReplicas: 1,
 Metrics: []ascv2.MetricSpec{{
 Type: ascv2.ResourceMetricSourceType,
@@ -92,7 +93,7 @@ func flowCollectorControllerSpecs() {
 Name: v1.ResourceCPU,
 Target: ascv2.MetricTarget{
 Type: ascv2.UtilizationMetricType,
- AverageUtilization: helper.Int32Ptr(90),
+ AverageUtilization: pointer.Int32(90),
 },
 },
 }},
@@ -107,7 +108,7 @@ func flowCollectorControllerSpecs() {
 ImagePullPolicy: "Never",
 Image: "testimg:latest",
 HPA: &flowsv1alpha1.FlowCollectorHPA{
- MinReplicas: helper.Int32Ptr(1),
+ MinReplicas: pointer.Int32(1),
 MaxReplicas: 1,
 Metrics: []ascv2.MetricSpec{{
 Type: ascv2.ResourceMetricSourceType,
@@ -115,7 +116,7 @@ func flowCollectorControllerSpecs() {
 Name: v1.ResourceCPU,
 Target: ascv2.MetricTarget{
 Type: ascv2.UtilizationMetricType,
- AverageUtilization: helper.Int32Ptr(90),
+ AverageUtilization: pointer.Int32(90),
 },
 },
 }},
@@ -258,7 +259,7 @@ func flowCollectorControllerSpecs() {
 // update FlowCollector and verify that HPA spec also changed
 fc := flowsv1alpha1.FlowCollector{}
 Expect(k8sClient.Get(ctx, crKey, &fc)).To(Succeed())
- fc.Spec.FlowlogsPipeline.HPA.MinReplicas = helper.Int32Ptr(2)
+ fc.Spec.FlowlogsPipeline.HPA.MinReplicas = pointer.Int32(2)
 fc.Spec.FlowlogsPipeline.HPA.MaxReplicas = 2
 Expect(k8sClient.Update(ctx, &fc)).To(Succeed())
diff --git a/go.mod b/go.mod
index febfb2389..22b6caf17 100644
--- a/go.mod
+++ b/go.mod
@@ -13,5 +13,6 @@ require (
 k8s.io/apimachinery v0.23.5
 k8s.io/client-go v0.23.5
 k8s.io/kube-aggregator v0.23.5
+ k8s.io/utils v0.0.0-20211116205334-6203023598ed
 sigs.k8s.io/controller-runtime v0.11.0
 )
diff --git a/pkg/helper/testhelpers.go b/pkg/helper/testhelpers.go
index 462ac8104..3e30ace12 100644
--- a/pkg/helper/testhelpers.go
+++ b/pkg/helper/testhelpers.go
@@ -17,7 +17,3 @@ func (am AsyncJSON) String() string {
 }
 return string(bytes)
 }
-
-func Int32Ptr(v int32) *int32 {
- return &v
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d155cd6ef..702299a90 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -488,6 +488,7 @@ k8s.io/kube-aggregator/pkg/apis/apiregistration/v1
 k8s.io/kube-openapi/pkg/schemaconv
 k8s.io/kube-openapi/pkg/util/proto
 # k8s.io/utils v0.0.0-20211116205334-6203023598ed
+## explicit
 k8s.io/utils/buffer
 k8s.io/utils/clock
 k8s.io/utils/clock/testing