Support restricted PSA for worker pods

cluster-sync/clean.sh

@@ -16,10 +16,6 @@ OPERATOR_MANIFEST=./_out/manifests/release/cdi-operator.yaml
 LABELS=("operator.cdi.kubevirt.io" "cdi.kubevirt.io" "prometheus.cdi.kubevirt.io")
 NAMESPACES=(default kube-system cdi)
 
-set +e
-_kubectl patch cdi ${CR_NAME} --type=json -p '[{ "op": "remove", "path": "/metadata/finalizers" }]'
-set -e
-
 _kubectl get ot --all-namespaces -o=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,FINALIZERS:.metadata.finalizers --no-headers | grep objectTransfer | while read p; do
     arr=($p)
     name="${arr[0]}"
@@ -52,10 +48,14 @@ if [ -f "${OPERATOR_CR_MANIFEST}" ]; then
 	echo "Cleaning CR object ..."
     if _kubectl get crd cdis.cdi.kubevirt.io ; then
         _kubectl delete --ignore-not-found -f "${OPERATOR_CR_MANIFEST}"
-        _kubectl wait cdis.cdi.kubevirt.io/${CR_NAME} --for=delete | echo "this is fine"
+        _kubectl wait cdis.cdi.kubevirt.io/${CR_NAME} --for=delete --timeout=30s | echo "this is fine"
     fi
 fi
 
+set +e
+_kubectl patch cdi ${CR_NAME} --type=json -p '[{ "op": "remove", "path": "/metadata/finalizers" }]'
+set -e
+
 if [ "${CDI_CLEAN}" == "all" ] && [ -f "${OPERATOR_MANIFEST}" ]; then
 	echo "Deleting operator ..."
     _kubectl delete --ignore-not-found -f "${OPERATOR_MANIFEST}"

cmd/cdi-cloner/BUILD.bazel

@@ -52,5 +52,6 @@ container_image(
         ":cdi-cloner",
         ":cloner_startup.sh",
     ],
+    user = "1001",
     visibility = ["//visibility:public"],
 )

cmd/cdi-cloner/clone-source.go

@@ -146,12 +146,38 @@ func validateMount() {
 }
 
 func newTarReader(preallocation bool) (io.ReadCloser, error) {
-	args := "cv"
+	excludeMap := map[string]struct{}{
+		"lost+found": struct{}{},
+	}
+
+	args := []string{"/usr/bin/tar", "cv"}
 	if !preallocation {
 		// -S is used to handle sparse files. It can only be used when preallocation is not requested
-		args = "S" + args
+		args = append(args, "-S")
 	}
-	cmd := exec.Command("/usr/bin/tar", args, ".")
+
+	files, err := os.ReadDir(mountPoint)
+	if err != nil {
+		return nil, err
+	}
+
+	var tarFiles []string
+	for _, f := range files {
+		if _, ok := excludeMap[f.Name()]; ok {
+			continue
+		}
+		tarFiles = append(tarFiles, f.Name())
+	}
+
+	if len(tarFiles) > 0 {
+		args = append(args, tarFiles...)
+	} else {
+		args = append(args, "--files-from", "/dev/null")
+	}
+
+	klog.Infof("Executing %+v", args)
+
+	cmd := exec.Command(args[0], args[1:]...)
 	cmd.Dir = mountPoint
 
 	stdout, err := cmd.StdoutPipe()

cmd/cdi-importer/BUILD.bazel

@@ -49,6 +49,7 @@ container_image(
         "//tools/cdi-image-size-detection",
         "//tools/cdi-source-update-poller",
     ],
+    user = "1001",
     visibility = ["//visibility:public"],
 )
 

cmd/cdi-uploadserver/BUILD.bazel

@@ -39,6 +39,7 @@ container_image(
         "-alsologtostderr",
     ],
     files = [":cdi-uploadserver"],
+    user = "1001",
     visibility = ["//visibility:public"],
 )
 

pkg/controller/clone-controller.go

@@ -23,7 +23,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -573,7 +572,7 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image,
 		}
 	}
 
-	preallocationRequested, _ := targetPvc.Annotations[AnnPreallocationRequested]
+	preallocationRequested := targetPvc.Annotations[AnnPreallocationRequested]
 
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -592,15 +591,6 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image,
 			},
 		},
 		Spec: corev1.PodSpec{
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsUser: &[]int64{0}[0],
-				SELinuxOptions: &corev1.SELinuxOptions{
-					User:  "system_u",
-					Role:  "system_r",
-					Type:  "spc_t",
-					Level: "s0",
-				},
-			},
 			Containers: []corev1.Container{
 				{
 					Name:            common.ClonerSourcePodName,
@@ -653,14 +643,6 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image,
 							Protocol:      corev1.ProtocolTCP,
 						},
 					},
-					SecurityContext: &corev1.SecurityContext{
-						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{
-								"ALL",
-							},
-						},
-						AllowPrivilegeEscalation: pointer.BoolPtr(false),
-					},
 				},
 			},
 			RestartPolicy: corev1.RestartPolicyOnFailure,
@@ -670,7 +652,6 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image,
 					VolumeSource: corev1.VolumeSource{
 						PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
 							ClaimName: sourcePvcName,
-							ReadOnly:  true,
 						},
 					},
 				},
@@ -733,6 +714,7 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image,
 			{
 				Name:      DataVolName,
 				MountPath: common.ClonerMountPath,
+				ReadOnly:  true,
 			},
 		}
 		addVars = []corev1.EnvVar{
@@ -749,6 +731,7 @@ func MakeCloneSourcePodSpec(sourceVolumeMode corev1.PersistentVolumeMode, image,
 
 	pod.Spec.Containers[0].Env = append(pod.Spec.Containers[0].Env, addVars...)
 	SetPodPvcAnnotations(pod, targetPvc)
+	SetRestrictedSecurityContext(&pod.Spec)
 	return pod
 }
 

pkg/controller/clone-controller_test.go

@@ -840,9 +840,6 @@ func createSourcePod(pvc *corev1.PersistentVolumeClaim, pvcUID string) *corev1.P
 			},
 		},
 		Spec: corev1.PodSpec{
-			SecurityContext: &corev1.PodSecurityContext{
-				RunAsUser: &[]int64{0}[0],
-			},
 			Containers: []corev1.Container{
 				{
 					Name:            common.ClonerSourcePodName,
@@ -929,9 +926,6 @@ func createSourcePod(pvc *corev1.PersistentVolumeClaim, pvcUID string) *corev1.P
 				Value: common.WriteBlockPath,
 			},
 		}
-		pod.Spec.SecurityContext = &corev1.PodSecurityContext{
-			RunAsUser: &[]int64{0}[0],
-		}
 	} else {
 		pod.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
 			{

pkg/controller/dataimportcron-controller.go

@@ -41,7 +41,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/event"
@@ -752,14 +751,6 @@ func (r *DataImportCronReconciler) newCronJob(cron *cdiv1.DataImportCron) (*batc
 		return nil, err
 	}
 	container := corev1.Container{
-		SecurityContext: &corev1.SecurityContext{
-			Capabilities: &corev1.Capabilities{
-				Drop: []corev1.Capability{
-					"ALL",
-				},
-			},
-			AllowPrivilegeEscalation: pointer.BoolPtr(false),
-		},
 		Name:  "cdi-source-update-poller",
 		Image: r.image,
 		Command: []string{
@@ -873,6 +864,7 @@ func (r *DataImportCronReconciler) newCronJob(cron *cdiv1.DataImportCron) (*batc
 	if err := sdk.SetLastAppliedConfiguration(cronJob, AnnLastAppliedConfig); err != nil {
 		return nil, err
 	}
+	SetRestrictedSecurityContext(&cronJob.Spec.JobTemplate.Spec.Template.Spec)
 	return cronJob, nil
 }
 

pkg/controller/datavolume-controller.go

@@ -47,7 +47,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -1630,14 +1629,6 @@ func (r *DatavolumeReconciler) createExpansionPod(pvc *corev1.PersistentVolumeCl
 					ImagePullPolicy: corev1.PullPolicy(r.pullPolicy),
 					Command:         []string{"/bin/bash"},
 					Args:            []string{"-c", "echo", "'hello cdi'"},
-					SecurityContext: &corev1.SecurityContext{
-						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{
-								"ALL",
-							},
-						},
-						AllowPrivilegeEscalation: pointer.BoolPtr(false),
-					},
 				},
 			},
 			RestartPolicy: corev1.RestartPolicyOnFailure,
@@ -1677,6 +1668,8 @@ func (r *DatavolumeReconciler) createExpansionPod(pvc *corev1.PersistentVolumeCl
 		return nil, err
 	}
 
+	SetRestrictedSecurityContext(&pod.Spec)
+
 	if err := r.client.Create(context.TODO(), pod); err != nil {
 		if !k8serrors.IsAlreadyExists(err) {
 			return nil, err
@@ -3149,6 +3142,8 @@ func (r *DatavolumeReconciler) makeSizeDetectionPodSpec(
 		},
 	}
 
+	SetRestrictedSecurityContext(&pod.Spec)
+
 	return pod
 }
 
@@ -3185,14 +3180,6 @@ func (r *DatavolumeReconciler) makeSizeDetectionContainerSpec(volName string) *c
 				Name:      volName,
 			},
 		},
-		SecurityContext: &corev1.SecurityContext{
-			Capabilities: &corev1.Capabilities{
-				Drop: []corev1.Capability{
-					"ALL",
-				},
-			},
-			AllowPrivilegeEscalation: pointer.BoolPtr(false),
-		},
 	}
 
 	// Get and assign container's default resource requirements

pkg/controller/import-controller.go

@@ -19,7 +19,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -943,7 +942,7 @@ func createImporterPod(log logr.Logger, client client.Client, args *importerPodA
 // makeNodeImporterPodSpec creates and returns the node docker cache based importer pod spec based on the passed-in importImage and pvc.
 func makeNodeImporterPodSpec(args *importerPodArgs) *corev1.Pod {
 	// importer pod name contains the pvc name
-	podName, _ := args.pvc.Annotations[AnnImportPod]
+	podName := args.pvc.Annotations[AnnImportPod]
 
 	volumes := []corev1.Volume{
 		{
@@ -995,14 +994,6 @@ func makeNodeImporterPodSpec(args *importerPodArgs) *corev1.Pod {
 							Name:      "shared-volume",
 						},
 					},
-					SecurityContext: &corev1.SecurityContext{
-						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{
-								"ALL",
-							},
-						},
-						AllowPrivilegeEscalation: pointer.BoolPtr(false),
-					},
 				},
 			},
 			Containers: []corev1.Container{
@@ -1018,14 +1009,6 @@ func makeNodeImporterPodSpec(args *importerPodArgs) *corev1.Pod {
 							Name:      "shared-volume",
 						},
 					},
-					SecurityContext: &corev1.SecurityContext{
-						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{
-								"ALL",
-							},
-						},
-						AllowPrivilegeEscalation: pointer.BoolPtr(false),
-					},
 				},
 			},
 			RestartPolicy:     corev1.RestartPolicyOnFailure,
@@ -1072,13 +1055,15 @@ func makeNodeImporterPodSpec(args *importerPodArgs) *corev1.Pod {
 		Name:      "shared-volume",
 	})
 
+	SetRestrictedSecurityContext(&pod.Spec)
+
 	return pod
 }
 
 // makeImporterPodSpec creates and return the importer pod spec based on the passed-in endpoint, secret and pvc.
 func makeImporterPodSpec(args *importerPodArgs) *corev1.Pod {
 	// importer pod name contains the pvc name
-	podName, _ := args.pvc.Annotations[AnnImportPod]
+	podName := args.pvc.Annotations[AnnImportPod]
 
 	blockOwnerDeletion := true
 	isController := true
@@ -1230,6 +1215,8 @@ func makeImporterPodSpec(args *importerPodArgs) *corev1.Pod {
 		pod.Spec.Volumes = append(pod.Spec.Volumes, vol)
 	}
 
+	SetRestrictedSecurityContext(&pod.Spec)
+
 	return pod
 }
 
@@ -1247,23 +1234,12 @@ func setImporterPodCommons(pod *corev1.Pod, podEnvVar *importPodEnvVar, pvc *cor
 
 	if getVolumeMode(pvc) == corev1.PersistentVolumeBlock {
 		pod.Spec.Containers[0].VolumeDevices = addVolumeDevices()
-		pod.Spec.SecurityContext = &corev1.PodSecurityContext{
-			RunAsUser: &[]int64{0}[0],
-		}
 	} else {
 		pod.Spec.Containers[0].VolumeMounts = addImportVolumeMounts()
 	}
 
 	pod.Spec.Containers[0].Env = makeImportEnv(podEnvVar, ownerUID)
 
-	if podEnvVar.contentType == string(cdiv1.DataVolumeKubeVirt) {
-		// Set the fsGroup on the security context to the QemuSubGid
-		if pod.Spec.SecurityContext == nil {
-			pod.Spec.SecurityContext = &corev1.PodSecurityContext{}
-		}
-		fsGroup := common.QemuSubGid
-		pod.Spec.SecurityContext.FSGroup = &fsGroup
-	}
 	SetPodPvcAnnotations(pod, pvc)
 }
 
@@ -1280,14 +1256,6 @@ func makeImporterContainerSpec(image, verbose, pullPolicy string) *corev1.Contai
 				Protocol:      corev1.ProtocolTCP,
 			},
 		},
-		SecurityContext: &corev1.SecurityContext{
-			Capabilities: &corev1.Capabilities{
-				Drop: []corev1.Capability{
-					"ALL",
-				},
-			},
-			AllowPrivilegeEscalation: pointer.BoolPtr(false),
-		},
 	}
 }