[ksd] Parameterize "runAsNonRoot" in the yaml (#1499)

* [ksd] paramererize "RunAsNonRoot" and "runAsUser" in the yaml It is needed since on openshift the SCC is responsible to put it back with RunAsUser from the valid range. Signed-off-by: Alona Paz <alkaplan@redhat.com> * [ksd] run secondarydns bump script Signed-off-by: Alona Paz <alkaplan@redhat.com> Signed-off-by: Alona Paz <alkaplan@redhat.com>
kubevirt · Jan 11, 2023 · a326b08 · a326b08
1 parent 7867ecb
commit a326b08
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/data/kube-secondary-dns/secondarydns.yaml b/data/kube-secondary-dns/secondarydns.yaml
@@ -76,8 +76,8 @@ spec:
     spec:
       serviceAccountName: secondary
       securityContext:
-        runAsUser: 1000
-        runAsNonRoot: true
+        runAsUser: {{ .RunAsUser }}
+        runAsNonRoot: {{ .RunAsNonRoot }}
         seccompProfile:
           type: "RuntimeDefault"
       containers:

diff --git a/hack/components/bump-kube-secondary-dns.sh b/hack/components/bump-kube-secondary-dns.sh
@@ -26,6 +26,8 @@ function __parametize_by_object() {
       ./Deployment_secondary-dns.yaml)
         yaml-utils::update_param ${f} metadata.namespace '{{ .Namespace }}'
         yaml-utils::update_param ${f} spec.template.spec.containers[0].image '{{ .CoreDNSImage }}'
+        yaml-utils::update_param ${f} spec.template.spec.securityContext.runAsNonRoot '{{ .RunAsNonRoot }}'
+        yaml-utils::update_param ${f} spec.template.spec.securityContext.runAsUser '{{ .RunAsUser }}'
         yaml-utils::update_param ${f} spec.template.spec.containers[1].image '{{ .KubeSecondaryDNSImage }}'
         yaml-utils::set_param ${f} spec.template.spec.containers[0].imagePullPolicy '{{ .ImagePullPolicy }}'
         yaml-utils::set_param ${f} spec.template.spec.containers[1].imagePullPolicy '{{ .ImagePullPolicy }}'

diff --git a/pkg/network/kube_secondary_dns_controller.go b/pkg/network/kube_secondary_dns_controller.go
@@ -26,6 +26,13 @@ func renderKubeSecondaryDNS(conf *cnao.NetworkAddonsConfigSpec, manifestDir stri
 	data.Data["NameServerIp"] = conf.KubeSecondaryDNS.NameServerIP
 	data.Data["KubeSecondaryDNSImage"] = os.Getenv("KUBE_SECONDARY_DNS_IMAGE")
 	data.Data["CoreDNSImage"] = os.Getenv("CORE_DNS_IMAGE")
+	if clusterInfo.SCCAvailable {
+		data.Data["RunAsNonRoot"] = "null"
+		data.Data["RunAsUser"] = "null"
+	} else {
+		data.Data["RunAsNonRoot"] = "true"
+		data.Data["RunAsUser"] = "1000"
+	}
 
 	objs, err := render.RenderDir(filepath.Join(manifestDir, "kube-secondary-dns"), &data)
 	if err != nil {