From 1524f2b0434a3b6fc57881e6cb53e29f0cb5b1b7 Mon Sep 17 00:00:00 2001
From: Arik Hadas
Date: Tue, 5 Mar 2024 19:02:08 +0200
Subject: [PATCH] fix VDDK validation on k8s

Signed-off-by: Arik Hadas
---
 .../controller/deployment-controller.yml.j2 | 6 ++++++
 pkg/controller/plan/validation.go | 19 ++++++++++++-------
 pkg/settings/settings.go | 4 ++++
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/operator/roles/forkliftcontroller/templates/controller/deployment-controller.yml.j2 b/operator/roles/forkliftcontroller/templates/controller/deployment-controller.yml.j2
index c9fedfcfe..9ad0a79de 100644
--- a/operator/roles/forkliftcontroller/templates/controller/deployment-controller.yml.j2
+++ b/operator/roles/forkliftcontroller/templates/controller/deployment-controller.yml.j2
@@ -49,6 +49,12 @@ spec:
 {% if k8s_cluster|bool %}
 - name: API_TLS_CA
 value: /var/run/secrets/{{ inventory_tls_secret_name }}/ca.crt
+{% endif %}
+ - name: OpenShift
+{% if k8s_cluster|bool %}
+ value: false
+{% else %}
+ value: true
 {% endif %}
 {% if controller_log_level is defined and controller_log_level is number %}
 - name: LOG_LEVEL
diff --git a/pkg/controller/plan/validation.go b/pkg/controller/plan/validation.go
index af4ffb41e..7fdc249f9 100644
--- a/pkg/controller/plan/validation.go
+++ b/pkg/controller/plan/validation.go
@@ -883,6 +883,15 @@ func createVddkCheckJob(plan *api.Plan, labels map[string]string, el9 bool, vddk
 },
 },
 }
+ psc := &core.PodSecurityContext{
+ SeccompProfile: &core.SeccompProfile{
+ Type: core.SeccompProfileTypeRuntimeDefault,
+ },
+ }
+ if !Settings.OpenShift {
+ psc.RunAsNonRoot = ptr.To(true)
+ psc.RunAsUser = ptr.To(qemuUser)
+ }
 return &batchv1.Job{
 ObjectMeta: meta.ObjectMeta{
 GenerateName: fmt.Sprintf("vddk-validator-%s", plan.Name),
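Review bot: The added `value: false` and `value: true` lines are unquoted, so after rendering they are YAML booleans, while the Kubernetes `EnvVar.value` field only accepts a string; the API server rejects the deployment with a type error rather than setting the variable. Quote both literals, `value: "false"` and `value: "true"`, so they reach the API as strings like the `API_TLS_CA` path above them. The new variable name `OpenShift` also departs from the upper-case convention of the neighbouring `API_TLS_CA` and `LOG_LEVEL` entries; if it is renamed, the `OpenShift` constant in pkg/settings/settings.go must change with it, since the two are matched by exact string.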
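Review bot: The `if !Settings.OpenShift` branch has no comment saying why RunAsNonRoot and RunAsUser are pinned only off OpenShift, and because Load() in pkg/settings/settings.go defaults the flag to false, a controller started without the new env var (an older operator template, a manual deployment) silently takes this branch on OpenShift as well and pins the validator pod to `qemuUser`, which presumably conflicts with the UID range the SCC assigns there. At minimum the intent should be recorded above the `if`: `// Off OpenShift no SCC assigns a UID, so pin the validator to qemuUser and forbid root; on OpenShift leave both unset and let the SCC decide. Settings.OpenShift defaults to false (see settings.Load).` createVddkCheckJob begins before this hunk and its body continues in the next one.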
@@ -900,13 +909,9 @@ func createVddkCheckJob(plan *api.Plan, labels map[string]string, el9 bool, vddk
 Completions: ptr.To[int32](1),
 Template: core.PodTemplateSpec{
 Spec: core.PodSpec{
- SecurityContext: &core.PodSecurityContext{
- SeccompProfile: &core.SeccompProfile{
- Type: core.SeccompProfileTypeRuntimeDefault,
- },
- },
- RestartPolicy: core.RestartPolicyOnFailure,
- InitContainers: initContainers,
+ SecurityContext: psc,
+ RestartPolicy: core.RestartPolicyOnFailure,
+ InitContainers: initContainers,
 Containers: []core.Container{
 {
 Name: "validator",
diff --git a/pkg/settings/settings.go b/pkg/settings/settings.go
index 83b8baac7..2bbecbfc0 100644
--- a/pkg/settings/settings.go
+++ b/pkg/settings/settings.go
@@ -11,6 +11,8 @@ import (
 // Global
 var Settings = ControllerSettings{}

+const OpenShift = "OpenShift"
+
 // Settings
 type ControllerSettings struct {
 // Roles.
@@ -29,6 +31,7 @@ type ControllerSettings struct {
 Profiler
 // Feature gates.
 Features
+ OpenShift bool
 }

 // Load settings.
@@ -65,6 +68,7 @@ func (r *ControllerSettings) Load() error {
 if err != nil {
 return err
 }
+ r.OpenShift = getEnvBool(OpenShift, false)
 return nil
 }
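Review bot: The exported `const OpenShift = "OpenShift"` has no doc comment and carries the same name as the new `OpenShift bool` field one hunk below, so at the call `getEnvBool(OpenShift, false)` a reader cannot tell that the constant is the environment variable's name rather than the setting itself; add `// OpenShift is the name of the environment variable that reports whether the controller runs on OpenShift.` above it. The struct field should get a comment in the style of its neighbours (`// Feature gates.`), for example `// OpenShift is true when the controller runs on OpenShift; Load reads it from the OpenShift env var, defaulting to false.` The exact-string coupling between this constant and the `name:` entry in deployment-controller.yml.j2 is worth naming in that comment, since a rename on either side breaks the lookup silently.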