Merge pull request #175 from booxter/non-root-ovsdb

Run ovn ovsdb-servers as anyuid
openstack-k8s-operators · Dec 12, 2023 · e88353b · e88353b
2 parents 461bbc8 + 8736a3b
commit e88353b
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 79 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -218,6 +218,14 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - anyuid
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - security.openshift.io
   resourceNames:

diff --git a/controllers/ovndbcluster_controller.go b/controllers/ovndbcluster_controller.go
@@ -91,7 +91,7 @@ func (r *OVNDBClusterReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
 // service account permissions that are needed to grant permission to the above
-// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use
+// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
 
 // Reconcile - OVN DBCluster
@@ -254,7 +254,7 @@ func (r *OVNDBClusterReconciler) reconcileNormal(ctx context.Context, instance *
 	rbacRules := []rbacv1.PolicyRule{
 		{
 			APIGroups:     []string{"security.openshift.io"},
-			ResourceNames: []string{"anyuid", "privileged"},
+			ResourceNames: []string{"anyuid"},
 			Resources:     []string{"securitycontextconstraints"},
 			Verbs:         []string{"use"},
 		},
@@ -621,15 +621,6 @@ func (r *OVNDBClusterReconciler) generateServiceConfigMaps(
 			Labels:        cmLabels,
 			ConfigOptions: templateParameters,
 		},
-		// ConfigMap
-		{
-			Name:          fmt.Sprintf("%s-config-data", instance.Name),
-			Namespace:     instance.Namespace,
-			Type:          util.TemplateTypeConfig,
-			InstanceType:  instance.Kind,
-			Labels:        cmLabels,
-			ConfigOptions: templateParameters,
-		},
 	}
 	return configmap.EnsureConfigMaps(ctx, h, instance, cms, envVars)
 }

diff --git a/pkg/ovndbcluster/statefulset.go b/pkg/ovndbcluster/statefulset.go
@@ -27,7 +27,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/container-scripts/setup.sh"
 
 	// PvcSuffixEtcOvn -
 	PvcSuffixEtcOvn = "-etc-ovn"
@@ -40,8 +40,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	runAsUser := int64(0)
-
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
 		TimeoutSeconds:      5,
@@ -111,7 +109,6 @@ func StatefulSet(
 		serviceName = ServiceNameSB
 	}
 	envVars := map[string]env.Setter{}
-	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 	envVars["CONFIG_HASH"] = env.SetValue(configHash)
 	// TODO: Make confs customizable
 	envVars["OVN_RUNDIR"] = env.SetValue("/tmp")
@@ -136,13 +133,10 @@ func StatefulSet(
 					ServiceAccountName: instance.RbacResourceName(),
 					Containers: []corev1.Container{
 						{
-							Name:    serviceName,
-							Command: cmd,
-							Args:    args,
-							Image:   instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
+							Name:                     serviceName,
+							Command:                  cmd,
+							Args:                     args,
+							Image:                    instance.Spec.ContainerImage,
 							Env:                      env.MergeEnvs([]corev1.EnvVar{}, envVars),
 							VolumeMounts:             GetDBClusterVolumeMounts(instance.Name + PvcSuffixEtcOvn),
 							Resources:                instance.Spec.Resources,

diff --git a/pkg/ovndbcluster/volumes.go b/pkg/ovndbcluster/volumes.go
@@ -6,26 +6,9 @@ import corev1 "k8s.io/api/core/v1"
 // TODO: merge to GetVolumes when other controllers also switched to current config
 // mechanism.
 func GetDBClusterVolumes(name string) []corev1.Volume {
-	var config0640AccessMode int32 = 0640
 	var scriptsVolumeDefaultMode int32 = 0755
 
 	return []corev1.Volume{
-		{
-			Name: "etc-machine-id",
-			VolumeSource: corev1.VolumeSource{
-				HostPath: &corev1.HostPathVolumeSource{
-					Path: "/etc/machine-id",
-				},
-			},
-		},
-		{
-			Name: "etc-localtime",
-			VolumeSource: corev1.VolumeSource{
-				HostPath: &corev1.HostPathVolumeSource{
-					Path: "/etc/localtime",
-				},
-			},
-		},
 		{
 			Name: "scripts",
 			VolumeSource: corev1.VolumeSource{
@@ -37,50 +20,18 @@ func GetDBClusterVolumes(name string) []corev1.Volume {
 				},
 			},
 		},
-		{
-			Name: "config-data",
-			VolumeSource: corev1.VolumeSource{
-				ConfigMap: &corev1.ConfigMapVolumeSource{
-					DefaultMode: &config0640AccessMode,
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: name + "-config-data",
-					},
-				},
-			},
-		},
 	}
 
 }
 
 // GetDBClusterVolumeMounts - OVN DBCluster VolumeMounts
 func GetDBClusterVolumeMounts(name string) []corev1.VolumeMount {
 	return []corev1.VolumeMount{
-		{
-			Name:      "etc-machine-id",
-			MountPath: "/etc/machine-id",
-			ReadOnly:  true,
-		},
-		{
-			Name:      "etc-localtime",
-			MountPath: "/etc/localtime",
-			ReadOnly:  true,
-		},
 		{
 			Name:      "scripts",
 			MountPath: "/usr/local/bin/container-scripts",
 			ReadOnly:  true,
 		},
-		{
-			Name:      "config-data",
-			MountPath: "/var/lib/config-data",
-			ReadOnly:  false,
-		},
-		{
-			Name:      "config-data",
-			MountPath: "/var/lib/kolla/config_files/config.json",
-			SubPath:   "ovn-dbcluster.json",
-			ReadOnly:  true,
-		},
 		{
 			Name:      name,
 			MountPath: "/etc/ovn",

diff --git a/templates/ovndbcluster/config/ovn-dbcluster.json b/templates/ovndbcluster/config/ovn-dbcluster.json
diff --git a/tests/functional/ovndbcluster_controller_test.go b/tests/functional/ovndbcluster_controller_test.go
@@ -72,10 +72,9 @@ var _ = Describe("OVNDBCluster controller", func() {
 				}
 				th.AssertConfigMapDoesNotExist(cm)
 			},
-			Entry("config-data CM", "config-data"),
 			Entry("scripts CM", "scripts"),
 		)
-		DescribeTable("should eventually create the config maps with OwnerReferences set",
+		DescribeTable("should eventually create the config map with OwnerReferences set",
 			func(cmName string) {
 				cm := types.NamespacedName{
 					Namespace: OVNDBClusterName.Namespace,
@@ -89,7 +88,6 @@ var _ = Describe("OVNDBCluster controller", func() {
 				Expect(th.GetConfigMap(cm).ObjectMeta.OwnerReferences[0].Name).To(Equal(OVNDBClusterName.Name))
 				Expect(th.GetConfigMap(cm).ObjectMeta.OwnerReferences[0].Kind).To(Equal("OVNDBCluster"))
 			},
-			Entry("config-data CM", "config-data"),
 			Entry("scripts CM", "scripts"),
 		)
 

diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -182,7 +182,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   annotations:
-    openshift.io/scc: privileged
+    openshift.io/scc: anyuid
   labels:
     service: ovsdbserver-nb
   name: ovsdbserver-nb-0
@@ -191,7 +191,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   annotations:
-    openshift.io/scc: privileged
+    openshift.io/scc: anyuid
   labels:
     service: ovsdbserver-sb
   name: ovsdbserver-sb-0