From 0b70ab32c2c49b9f274e94291436da0a971da9c0 Mon Sep 17 00:00:00 2001 From: Scott Exton Date: Tue, 18 Apr 2023 11:00:47 +1000 Subject: [PATCH] We no longer need to run as the '1000' user. --- README.md | 2 +- src/api/v1/ibmsecurityverifydirectory_types.go | 2 +- .../ibmsecurityverifydirectory_create.go | 16 ++-------------- .../ibmsecurityverifydirectory_proxy.go | 8 +------- src/test/env/proxy-configmap.yaml | 5 ++++- src/test/env/server-configmap.yaml | 1 - src/utils/names.go | 1 - 7 files changed, 9 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index c389fa0..37e31ab 100644 --- a/README.md +++ b/README.md 
@@ -304,7 +304,7 @@ The `IBMSecurityVerifyDirectory` custom resource definition contains the followi |spec.pods.envFrom[]|A list of sources to populate environment variables in the container. Further information can be found at [https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/]().| |No |spec.pods.env[]|A list of environment variables to be added to the pods. Further information can be found at [https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/]().| |No |spec.pods.serviceAccountName|The Kubernetes account which the pods will run as.|default|No -|spec.pods.securityContext|The security context which will be used by the running pods. Further information can be found at [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](). Note that the `runAsUser` field will always be set to `1000`. In an OpenShift environment it is critical that the service account which the pod is set to run as has the security context restraints set so that the `1000` UID is permitted. | |No +|spec.pods.securityContext|The security context which will be used by the running pods. Further information can be found at [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](). The 10.0.0.0 version of IBM Security Verify Directory had a requirement that the container runs as the `1000` user. This can be achieved by setting the `runAsUser` field to `1000`. In later versions the `runAsUser` field can be set to any UID. | |No Please note that if a modification of the LDAP schema is required, using LDAP modification operations, a PVC will also need to be specified for the proxy. In addition to this, the number of proxy replicas should be scaled back to 1 while the LDAP schema modifications take place. The number of proxy replicas can then be scaled back up again after the LDAP schema modifications have been completed. 
diff --git a/src/api/v1/ibmsecurityverifydirectory_types.go b/src/api/v1/ibmsecurityverifydirectory_types.go index 2c0403c..9c1c261 100644 --- a/src/api/v1/ibmsecurityverifydirectory_types.go +++ b/src/api/v1/ibmsecurityverifydirectory_types.go @@ -138,7 +138,7 @@ type IBMSecurityVerifyDirectoryPods struct { // with. // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ // +optional - SecurityContext corev1.PodSecurityContext `json:"securityContext,omitempty" protobuf:"bytes,15,opt,name=securityContext"` + SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty" protobuf:"bytes,15,opt,name=securityContext"` } // IBMSecurityVerifyDirectorySpec defines the desired state of diff --git a/src/controllers/ibmsecurityverifydirectory_create.go b/src/controllers/ibmsecurityverifydirectory_create.go index aa5e855..c0480b4 100644 --- a/src/controllers/ibmsecurityverifydirectory_create.go +++ b/src/controllers/ibmsecurityverifydirectory_create.go @@ -361,12 +361,6 @@ func (r *IBMSecurityVerifyDirectoryReconciler) seedReplica( }, ) - /* - * We always need to run as the '1000' user. - */ - - h.directory.Spec.Pods.SecurityContext.RunAsUser = &utils.RunAsUser - /* * Create the job. */ @@ -390,7 +384,7 @@ func (r *IBMSecurityVerifyDirectoryReconciler) seedReplica( Volumes: volumes, ImagePullSecrets: h.directory.Spec.Pods.Image.ImagePullSecrets, ServiceAccountName: h.directory.Spec.Pods.ServiceAccountName, - SecurityContext: &h.directory.Spec.Pods.SecurityContext, + SecurityContext: h.directory.Spec.Pods.SecurityContext, RestartPolicy: corev1.RestartPolicyNever, Containers: []corev1.Container{{ Env: env, @@ -601,12 +595,6 @@ func (r *IBMSecurityVerifyDirectoryReconciler) deployReplica( }, ) - /* - * We always need to run as the '1000' user. - */ - - h.directory.Spec.Pods.SecurityContext.RunAsUser = &utils.RunAsUser - /* * The liveness, and readiness probe definitions. */ 
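Review bot: The doc comment on `SecurityContext` (it begins above this hunk) should now state what an absent value means, because switching the field to `*corev1.PodSecurityContext` makes `omitempty` and `+optional` take effect for the first time while the same commit stops injecting `runAsUser: 1000`. I would add, above the `// More info:` line, `// Optional. When omitted no pod-level security context is set, so the containers run as whatever user the image (or a container-level context) specifies; the 10.0.0.0 image requires runAsUser 1000 (see README).` The version caveat is taken from the README change in this commit, so keeping the two in step matters. Without it, anyone reading the generated CRD will not learn that the operator no longer pins the UID.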
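Review bot: `SecurityContext: h.directory.Spec.Pods.SecurityContext` in seedReplica drops the only non-root guarantee the operator had: the field is `+optional`, so a CR that omits `spec.pods.securityContext` now produces a Job whose pod spec has no security context at all and runs as whatever user the image declares, whereas before this commit the pod was always pinned to UID 1000. Since the stated goal is to let the UID be chosen rather than to allow root, I would apply a floor only when the CR sets neither `runAsUser` nor `runAsNonRoot`, and take a copy so the pod spec never aliases the reconciled CR object. Be aware that with `RunAsNonRoot` the kubelet refuses to start a container whose image `USER` is non-numeric, so confirm the directory image declares a numeric user before relying on it. seedReplica starts and ends outside this hunk, and the same pattern is repeated in deployReplica and createProxyDeployment.
```go
// … unchanged: env and volume setup …
sc := h.directory.Spec.Pods.SecurityContext.DeepCopy() // nil-safe: generated DeepCopy returns nil for nil
if sc == nil {
	sc = &corev1.PodSecurityContext{}
}
if sc.RunAsUser == nil && sc.RunAsNonRoot == nil {
	// Preserve the pre-existing non-root guarantee unless the CR picks a UID.
	runAsNonRoot := true
	sc.RunAsNonRoot = &runAsNonRoot
}
// … unchanged: job definition down to the pod spec …
SecurityContext: sc,
```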
@@ -646,7 +634,7 @@ func (r *IBMSecurityVerifyDirectoryReconciler) deployReplica( Volumes: volumes, ImagePullSecrets: h.directory.Spec.Pods.Image.ImagePullSecrets, ServiceAccountName: h.directory.Spec.Pods.ServiceAccountName, - SecurityContext: &h.directory.Spec.Pods.SecurityContext, + SecurityContext: h.directory.Spec.Pods.SecurityContext, Hostname: podName, Containers: []corev1.Container{{ Env: env, diff --git a/src/controllers/ibmsecurityverifydirectory_proxy.go b/src/controllers/ibmsecurityverifydirectory_proxy.go index c6f1bb4..6772cbf 100644 --- a/src/controllers/ibmsecurityverifydirectory_proxy.go +++ b/src/controllers/ibmsecurityverifydirectory_proxy.go @@ -628,12 +628,6 @@ func (r *IBMSecurityVerifyDirectoryReconciler) createProxyDeployment( "app.kubernetes.io/cr-name": name, } - /* - * We always need to run as the '1000' user. - */ - - h.directory.Spec.Pods.SecurityContext.RunAsUser = &utils.RunAsUser - /* * Finalise the deployment definition. */ @@ -663,7 +657,7 @@ func (r *IBMSecurityVerifyDirectoryReconciler) createProxyDeployment( Volumes: volumes, ImagePullSecrets: h.directory.Spec.Pods.Image.ImagePullSecrets, ServiceAccountName: h.directory.Spec.Pods.ServiceAccountName, - SecurityContext: &h.directory.Spec.Pods.SecurityContext, + SecurityContext: h.directory.Spec.Pods.SecurityContext, Hostname: name, Containers: []corev1.Container{{ Env: env, diff --git a/src/test/env/proxy-configmap.yaml b/src/test/env/proxy-configmap.yaml index cde669a..711ffdf 100644 --- a/src/test/env/proxy-configmap.yaml +++ b/src/test/env/proxy-configmap.yaml @@ -8,12 +8,15 @@ apiVersion: v1 kind: ConfigMap metadata: name: isvd-proxy-config - namespace: default data: config.yaml: | general: id: isvd-proxy + ports: + ldap: 9389 + ldaps: 9636 + json-logging: false license: diff --git a/src/test/env/server-configmap.yaml b/src/test/env/server-configmap.yaml index 766367a..527f919 100644 --- a/src/test/env/server-configmap.yaml +++ b/src/test/env/server-configmap.yaml 
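Review bot: `SecurityContext: h.directory.Spec.Pods.SecurityContext` in deployReplica stores the CR's own `*corev1.PodSecurityContext` inside the generated pod spec, so the pod object and the reconciled custom resource now share one struct; any later mutation of the pod's context (client defaulting, a follow-up tweak in this function) would write into the CR as well, which is the same aliasing problem the removed `RunAsUser` assignment had in the other direction. A copy is one line and nil-safe, because the generated `DeepCopy` returns nil for a nil receiver: `SecurityContext: h.directory.Spec.Pods.SecurityContext.DeepCopy(),`. Note that a nil value here also means the replica pod carries no pod-level context at all where it was previously pinned to UID 1000, so if a non-root floor is wanted this is the place to apply it. deployReplica starts and ends outside this hunk.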
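Review bot: createProxyDeployment is the third site in this commit that passes `h.directory.Spec.Pods.SecurityContext` straight into a pod spec (after seedReplica and deployReplica), so whatever policy is chosen for a nil or root-capable context has to be repeated and kept identical in three places. I would put it behind one helper, e.g. `func PodSecurityContext(in *corev1.PodSecurityContext) *corev1.PodSecurityContext` in utils next to where `RunAsUser` used to live, returning a `DeepCopy` of the input with any defaults applied, and write `SecurityContext: utils.PodSecurityContext(h.directory.Spec.Pods.SecurityContext),` here. That keeps the proxy deployment, whose replica count the README says is scaled independently of the directory pods, from drifting from the replicas if one site is later hardened and the others are not. The function starts and ends outside this hunk.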
@@ -8,7 +8,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: isvd-server-config - namespace: default data: config.yaml: | general: diff --git a/src/utils/names.go b/src/utils/names.go index ab0898e..dbd4a5e 100644 --- a/src/utils/names.go +++ b/src/utils/names.go @@ -24,7 +24,6 @@ import ( const PVCLabel = "app.kubernetes.io/pvc-name" var ProxyCMKey = "config.yaml" -var RunAsUser int64 = 1000 /*****************************************************************************/