#221 Generate SecurityContext and fix + add tests

cloudogu · Dec 13, 2024 · 7d98b21 · 7d98b21
1 parent a469400
commit 7d98b21
Show file tree

Hide file tree

Showing 13 changed files with 826 additions and 88 deletions.
diff --git a/controllers/dogu_controller_test.go b/controllers/dogu_controller_test.go
@@ -557,7 +557,7 @@ func Test_buildResourceDiff(t *testing.T) {
 		{
 			name: "upgrade-diff",
 			args: args{objOld: oldDoguResource, objNew: newDoguResource},
-			want: "  &v2.Dogu{\n  \tTypeMeta:   {},\n  \tObjectMeta: {},\n  \tSpec: v2.DoguSpec{\n  \t\tName:        \"ns/dogu\",\n- \t\tVersion:     \"1.2.3-4\",\n+ \t\tVersion:     \"1.2.3-5\",\n  \t\tResources:   {},\n  \t\tSupportMode: false,\n  \t\t... // 3 identical fields\n  \t},\n  \tStatus: {},\n  }\n",
+			want: "  &v2.Dogu{\n  \tTypeMeta:   {},\n  \tObjectMeta: {},\n  \tSpec: v2.DoguSpec{\n  \t\tName:      \"ns/dogu\",\n- \t\tVersion:   \"1.2.3-4\",\n+ \t\tVersion:   \"1.2.3-5\",\n  \t\tResources: {},\n  \t\tSecurity:  {},\n  \t\t... // 4 identical fields\n  \t},\n  \tStatus: {},\n  }\n",
 		},
 		{
 			name: "delete-diff",

diff --git a/controllers/resource/interfaces.go b/controllers/resource/interfaces.go
@@ -35,7 +35,7 @@ type doguConfigGetter interface {
 }
 
 type securityContextGenerator interface {
-	Generate(ctx context.Context, dogu *cesappcore.Dogu, doguResource *k8sv2.Dogu) (*v1.PodSecurityContext, *v1.SecurityContext)
+	Generate(dogu *cesappcore.Dogu, doguResource *k8sv2.Dogu) (*v1.PodSecurityContext, *v1.SecurityContext)
 }
 
 // ResourceUpserter includes functionality to generate and create all the necessary K8s resources for a given dogu.

diff --git a/controllers/resource/mock_securityContextGenerator_test.go b/controllers/resource/mock_securityContextGenerator_test.go
diff --git a/controllers/resource/podSpecBuilder.go b/controllers/resource/podSpecBuilder.go
@@ -26,6 +26,8 @@ type podSpecBuilder struct {
 	specContainerVolumeMounts    []corev1.VolumeMount
 	specContainerEnvVars         []corev1.EnvVar
 	specContainerResourcesReq    corev1.ResourceRequirements
+	specPodSecurityContext       *corev1.PodSecurityContext
+	specContainerSecurityContext *corev1.SecurityContext
 }
 
 func newPodSpecBuilder(doguResource *k8sv2.Dogu, dogu *core.Dogu) *podSpecBuilder {
@@ -143,6 +145,13 @@ func (p *podSpecBuilder) serviceAccount() *podSpecBuilder {
 	return p
 }
 
+func (p *podSpecBuilder) securityContext(podSecurityContext *corev1.PodSecurityContext, containerSecurityContext *corev1.SecurityContext) *podSpecBuilder {
+	p.specPodSecurityContext = podSecurityContext
+	p.specContainerSecurityContext = containerSecurityContext
+
+	return p
+}
+
 func (p *podSpecBuilder) build() *corev1.PodTemplateSpec {
 	result := &corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
@@ -156,6 +165,7 @@ func (p *podSpecBuilder) build() *corev1.PodTemplateSpec {
 			EnableServiceLinks: &p.specEnableServiceLinks,
 			ServiceAccountName: p.specServiceAccountName,
 			InitContainers:     p.specInitContainers,
+			SecurityContext:    p.specPodSecurityContext,
 			Containers: []corev1.Container{{
 				Name:            p.theDoguResource.Name,
 				Image:           p.theDogu.Image + ":" + p.theDogu.Version,
@@ -167,6 +177,7 @@ func (p *podSpecBuilder) build() *corev1.PodTemplateSpec {
 				VolumeMounts:    p.specContainerVolumeMounts,
 				Env:             p.specContainerEnvVars,
 				Resources:       p.specContainerResourcesReq,
+				SecurityContext: p.specContainerSecurityContext,
 			}},
 		},
 	}

diff --git a/controllers/resource/resource_generator.go b/controllers/resource/resource_generator.go
@@ -53,19 +53,27 @@ const (
 // resourceGenerator generate k8s resources for a given dogu. All resources will be referenced with the dogu resource
 // as controller
 type resourceGenerator struct {
-	scheme                *runtime.Scheme
-	requirementsGenerator requirementsGenerator
-	hostAliasGenerator    hostAliasGenerator
-	additionalImages      map[string]string
+	scheme                   *runtime.Scheme
+	requirementsGenerator    requirementsGenerator
+	hostAliasGenerator       hostAliasGenerator
+	securityContextGenerator securityContextGenerator
+	additionalImages         map[string]string
 }
 
 // NewResourceGenerator creates a new generator for k8s resources
-func NewResourceGenerator(scheme *runtime.Scheme, requirementsGenerator requirementsGenerator, hostAliasGenerator hostAliasGenerator, additionalImages map[string]string) *resourceGenerator {
+func NewResourceGenerator(
+	scheme *runtime.Scheme,
+	requirementsGenerator requirementsGenerator,
+	hostAliasGenerator hostAliasGenerator,
+	securityContextGenerator securityContextGenerator,
+	additionalImages map[string]string,
+) *resourceGenerator {
 	return &resourceGenerator{
-		scheme:                scheme,
-		requirementsGenerator: requirementsGenerator,
-		hostAliasGenerator:    hostAliasGenerator,
-		additionalImages:      additionalImages,
+		scheme:                   scheme,
+		requirementsGenerator:    requirementsGenerator,
+		hostAliasGenerator:       hostAliasGenerator,
+		securityContextGenerator: securityContextGenerator,
+		additionalImages:         additionalImages,
 	}
 }
 
@@ -89,17 +97,6 @@ func (r *resourceGenerator) CreateDoguDeployment(ctx context.Context, doguResour
 
 	deployment.Spec = buildDeploymentSpec(doguResource.GetDoguNameLabel(), podTemplate)
 
-	fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch
-
-	if len(dogu.Volumes) > 0 {
-		group, _ := strconv.Atoi(dogu.Volumes[0].Group)
-		gid := int64(group)
-		deployment.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
-			FSGroup:             &gid,
-			FSGroupChangePolicy: &fsGroupChangePolicy,
-		}
-	}
-
 	err = ctrl.SetControllerReference(doguResource, deployment, r.scheme)
 	if err != nil {
 		return nil, wrapControllerReferenceError(err)
@@ -143,6 +140,8 @@ func (r *resourceGenerator) GetPodTemplate(ctx context.Context, doguResource *k8
 		return nil, err
 	}
 
+	podSecurityContext, containerSecurityContext := r.securityContextGenerator.Generate(dogu, doguResource)
+
 	podTemplate := newPodSpecBuilder(doguResource, dogu).
 		labels(GetAppLabel().Add(doguResource.GetPodLabels())).
 		hostAliases(hostAliases).
@@ -158,6 +157,7 @@ func (r *resourceGenerator) GetPodTemplate(ctx context.Context, doguResource *k8
 		containerEnvVars(envVars).
 		containerResourceRequirements(resourceRequirements).
 		serviceAccount().
+		securityContext(podSecurityContext, containerSecurityContext).
 		build()
 
 	return podTemplate, nil
@@ -197,9 +197,22 @@ func getChownInitContainer(dogu *core.Dogu, doguResource *k8sv2.Dogu, chownInitI
 		commands = append(commands, chownCommand)
 	}
 
+	runAsNonRoot := false
+	readOnlyRootFilesystem := false
 	return &corev1.Container{
-		Name:         chownInitContainerName,
-		Image:        chownInitImage,
+		Name:  chownInitContainerName,
+		Image: chownInitImage,
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+				Add:  []corev1.Capability{"CHOWN"},
+			},
+			RunAsNonRoot:           &runAsNonRoot,
+			ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+			SELinuxOptions:         &corev1.SELinuxOptions{},
+			SeccompProfile:         &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined},
+			AppArmorProfile:        &corev1.AppArmorProfile{Type: corev1.AppArmorProfileTypeUnconfined},
+		},
 		Command:      []string{"sh", "-c", strings.Join(commands, " && ")},
 		VolumeMounts: createDoguVolumeMounts(doguResource, dogu),
 	}, nil