Prometheus Security Context (#973)

* Prometheus Security Context Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com> * Missing files Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
2021-08-23 21:06:32 -07:00
parent 0ae0338a8f
commit 8c82124a57
5 changed files with 288 additions and 3 deletions
--- a/operatorapi/embedded_spec.go
+++ b/operatorapi/embedded_spec.go
@@ -2611,6 +2611,10 @@ func init() {
        "image": {
          "type": "string"
        },
+        "securityContext": {
+          "type": "object",
+          "$ref": "#/definitions/securityContext"
+        },
        "storageClass": {
          "type": "string",
          "default": ""
@@ -2680,6 +2684,32 @@ func init() {
        }
      }
    },
+    "securityContext": {
+      "type": "object",
+      "required": [
+        "runAsUser",
+        "runAsGroup",
+        "runAsNonRoot",
+        "fsGroup"
+      ],
+      "properties": {
+        "fsGroup": {
+          "type": "integer",
+          "format": "int64"
+        },
+        "runAsGroup": {
+          "type": "integer",
+          "format": "int64"
+        },
+        "runAsNonRoot": {
+          "type": "boolean"
+        },
+        "runAsUser": {
+          "type": "integer",
+          "format": "int64"
+        }
+      }
+    },
    "subscriptionValidateRequest": {
      "type": "object",
      "properties": {
@@ -6143,6 +6173,10 @@ func init() {
        "image": {
          "type": "string"
        },
+        "securityContext": {
+          "type": "object",
+          "$ref": "#/definitions/securityContext"
+        },
        "storageClass": {
          "type": "string",
          "default": ""
@@ -6212,6 +6246,32 @@ func init() {
        }
      }
    },
+    "securityContext": {
+      "type": "object",
+      "required": [
+        "runAsUser",
+        "runAsGroup",
+        "runAsNonRoot",
+        "fsGroup"
+      ],
+      "properties": {
+        "fsGroup": {
+          "type": "integer",
+          "format": "int64"
+        },
+        "runAsGroup": {
+          "type": "integer",
+          "format": "int64"
+        },
+        "runAsNonRoot": {
+          "type": "boolean"
+        },
+        "runAsUser": {
+          "type": "integer",
+          "format": "int64"
+        }
+      }
+    },
    "subscriptionValidateRequest": {
      "type": "object",
      "properties": {
--- a/operatorapi/operator_tenants.go
+++ b/operatorapi/operator_tenants.go
@@ -395,11 +395,11 @@ func getTenantCreds(ctx context.Context, client K8sClientI, tenant *miniov2.Tena
 }

 func getTenant(ctx context.Context, operatorClient OperatorClientI, namespace, tenantName string) (*miniov2.Tenant, error) {
-	minInst, err := operatorClient.TenantGet(ctx, namespace, tenantName, metav1.GetOptions{})
+	tenant, err := operatorClient.TenantGet(ctx, namespace, tenantName, metav1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
-	return minInst, nil
+	return tenant, nil
 }

 func isPrometheusEnabled(annotations map[string]string) bool {
@@ -1309,6 +1309,16 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
 	if prometheusImage != "" {
 		minInst.Spec.Prometheus.Image = prometheusImage
 	}
+	// if security context for prometheus is present, configure it.
+	if tenantReq.PrometheusConfiguration != nil && tenantReq.PrometheusConfiguration.SecurityContext != nil {
+		sc := tenantReq.PrometheusConfiguration.SecurityContext
+		minInst.Spec.Prometheus.SecurityContext = &corev1.PodSecurityContext{
+			RunAsUser:    sc.RunAsUser,
+			RunAsGroup:   sc.RunAsGroup,
+			RunAsNonRoot: sc.RunAsNonRoot,
+			FSGroup:      sc.FsGroup,
+		}
+	}

 	// expose services
 	minInst.Spec.ExposeServices = &miniov2.ExposeServices{