Che Operator Security Context Defined Posture Parameters

[ArvinB]

What does this PR do?

It fully declares the securityContext under operator Pod

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#19737

How to test this PR?

Tested on OpenShift 4.7.8 using Wazi Developer for Workspaces 1.2.5 (based on Red Hat CodeReady Workspaces 2.7 (Che 7.26)).

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Custom resource definition file is up to date
• Nightly OLM bundle is up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[nickboldt]

Seems OK, but I don't know the ramifications of this change. Do we also need to set new defaults in che.properties or in user docs / guides?

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ArvinB, nickboldt

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ArvinB]

@ArvinB: The following test failed, say /retest to rerun all failed tests:
Test name Commit Details Rerun command
ci/prow/v7-devworkspace-happy-path 5d21736 link /test v7-devworkspace-happy-path

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

It would seem that most PRs are failing to pass the happy-path test suite. Perhaps a /retest might work?

[tolusha]

Changes in operator.yaml are pretty safe because they reflect their default values
But setting runAsNonRoot and allowPrivilegeEscalation might have side effects.

I assume that the target platform of this changes is OpenShift and deployment method is olm.
So, I propose the following:

1. Remove runAsNonRoot and allowPrivilegeEscalation from operator.yaml
2. Revert all other changes in csv files.
3. If we need something specifically for OpenShift then let's update OpenShift csv file like here [1]
4. Launch olm/update-resources.sh to generate csv files.

[1] https://github.com/eclipse-che/che-operator/blob/main/olm/update-resources.sh#L192-L221

[ArvinB]

@tolusha I completed your recommendation.

I assume running:

Launch olm/update-resources.sh to generate csv files.

...is for testing purposes only? I was able to successfully generate the csv files, but I did not deliver them into this PR?

Thanks.

[tolusha]

@ArvinB

.is for testing purposes only? I was able to successfully generate the csv files, but I did not deliver them into this PR?

pls add them to the PR.

[ArvinB]

@tolusha Update the PR thank you.

[ArvinB]

/retest

[ArvinB]

@tolusha Good to merge?

[tolusha]

@ArvinB
I've run the PR checks.

[tolusha]

We can ignore minikube tests for now, they are known problem.
Regarding resources and bundle-version checks. It turned out that fields with default values doesn't appear in CSV file.
My bad, we need those changes [1]. Once you add them pls run olm/update-resources.sh and commit changes. Thank you.

[1] 416f78b#diff-82b7ba34bc00ed0fcaa5f46c8eea16961909f41152e2477c016195ac74b66729R227-R229

[ArvinB]

We can ignore minikube tests for now, they are known problem.
Regarding resources and bundle-version checks. It turned out that fields with default values doesn't appear in CSV file.
My bad, we need those changes [1]. Once you add them pls run olm/update-resources.sh and commit changes. Thank you.

[1] 416f78b#diff-82b7ba34bc00ed0fcaa5f46c8eea16961909f41152e2477c016195ac74b66729R227-R229

Changes made @tolusha
Thank you!

[tolusha]

bundle-version version check failed.
Pls run olm/update-resources.sh one more time and commit changes (it will increase nightly bundle version from 174 to 175).
Thank you.

[ArvinB]

@tolusha Done. However, I get a conflict after pushing in your requested changes. Any suggestions?

[tolusha]

No problem. Resolve conflicts by taking your changes.

[ArvinB]

/retest

[tolusha]

/test v7-devworkspace-happy-path

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ArvinB, nickboldt, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tolusha]

/test v7-devworkspace-happy-path