From a326b089572392fe8d5e0e47b7ffe810a23ef58d Mon Sep 17 00:00:00 2001
From: Alona Paz
Date: Wed, 11 Jan 2023 13:56:57 +0200
Subject: [PATCH] [ksd] Parameterize "runAsNonRoot" in the yaml (#1499)

* [ksd] paramererize "RunAsNonRoot" and "runAsUser" in the yaml

It is needed since on openshift the SCC is responsible to put it back with RunAsUser from the valid range.

Signed-off-by: Alona Paz

* [ksd] run secondarydns bump script

Signed-off-by: Alona Paz

Signed-off-by: Alona Paz
---
 data/kube-secondary-dns/secondarydns.yaml | 4 ++--
 hack/components/bump-kube-secondary-dns.sh | 2 ++
 pkg/network/kube_secondary_dns_controller.go | 7 +++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/data/kube-secondary-dns/secondarydns.yaml b/data/kube-secondary-dns/secondarydns.yaml
index 6c1e5d915..87f5dbc5b 100644
--- a/data/kube-secondary-dns/secondarydns.yaml
+++ b/data/kube-secondary-dns/secondarydns.yaml
@@ -76,8 +76,8 @@ spec:
 spec:
 serviceAccountName: secondary
 securityContext:
- runAsUser: 1000
- runAsNonRoot: true
+ runAsUser: {{ .RunAsUser }}
+ runAsNonRoot: {{ .RunAsNonRoot }}
 seccompProfile:
 type: "RuntimeDefault"
 containers:
diff --git a/hack/components/bump-kube-secondary-dns.sh b/hack/components/bump-kube-secondary-dns.sh
index 6d6d1500f..2c9e45154 100755
--- a/hack/components/bump-kube-secondary-dns.sh
+++ b/hack/components/bump-kube-secondary-dns.sh
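Review bot: Once `runAsNonRoot: {{ .RunAsNonRoot }}` renders as `null` on clusters with an SCC, the manifest itself no longer asserts that the pod runs unprivileged; that guarantee moves entirely to whichever SCC ends up admitting the `secondary` service account. The commit message says the SCC only has to supply `runAsUser` from the namespace range, so `runAsNonRoot: true` could presumably stay fixed in the template and only `runAsUser` be parameterized — worth confirming against the restricted SCC's behaviour before dropping both. In either case a comment above the two keys, e.g. `# runAsUser (and runAsNonRoot) are rendered as null when an SCC is available so the SCC can assign a UID from the namespace range`, would explain the `null` to the next reader of the rendered manifest.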
@@ -26,6 +26,8 @@ function __parametize_by_object() {
 ./Deployment_secondary-dns.yaml)
 yaml-utils::update_param ${f} metadata.namespace '{{ .Namespace }}'
 yaml-utils::update_param ${f} spec.template.spec.containers[0].image '{{ .CoreDNSImage }}'
+ yaml-utils::update_param ${f} spec.template.spec.securityContext.runAsNonRoot '{{ .RunAsNonRoot }}'
+ yaml-utils::update_param ${f} spec.template.spec.securityContext.runAsUser '{{ .RunAsUser }}'
 yaml-utils::update_param ${f} spec.template.spec.containers[1].image '{{ .KubeSecondaryDNSImage }}'
 yaml-utils::set_param ${f} spec.template.spec.containers[0].imagePullPolicy '{{ .ImagePullPolicy }}'
 yaml-utils::set_param ${f} spec.template.spec.containers[1].imagePullPolicy '{{ .ImagePullPolicy }}'
diff --git a/pkg/network/kube_secondary_dns_controller.go b/pkg/network/kube_secondary_dns_controller.go
index dd329d7f9..3a86bbf98 100644
--- a/pkg/network/kube_secondary_dns_controller.go
+++ b/pkg/network/kube_secondary_dns_controller.go
@@ -26,6 +26,13 @@ func renderKubeSecondaryDNS(conf *cnao.NetworkAddonsConfigSpec, manifestDir stri
 data.Data["NameServerIp"] = conf.KubeSecondaryDNS.NameServerIP
 data.Data["KubeSecondaryDNSImage"] = os.Getenv("KUBE_SECONDARY_DNS_IMAGE")
 data.Data["CoreDNSImage"] = os.Getenv("CORE_DNS_IMAGE")
+ if clusterInfo.SCCAvailable {
+ data.Data["RunAsNonRoot"] = "null"
+ data.Data["RunAsUser"] = "null"
+ } else {
+ data.Data["RunAsNonRoot"] = "true"
+ data.Data["RunAsUser"] = "1000"
+ }
 objs, err := render.RenderDir(filepath.Join(manifestDir, "kube-secondary-dns"), &data)
 if err != nil {
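Review bot: The two new `yaml-utils::update_param` lines for `securityContext` are inserted between the `containers[0].image` and `containers[1].image` substitutions, which splits the pair of image updates. Moving them after the `containers[1].image` line (or before the `containers[0].image` line) keeps the related substitutions adjacent and makes the securityContext parameterization easy to spot when the template is next regenerated. `__parametize_by_object` starts before the hunk.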
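Review bot: The literals `"null"`, `"true"` and `"1000"` are emitted as raw template text, so they only do the right thing because the yaml placeholders are unquoted; nothing in the new `if` block says so. A comment above the branch, e.g. `// On OpenShift the SCC assigns runAsUser from the namespace UID range, so leave both fields unset (rendered as YAML null); elsewhere pin a non-root UID explicitly`, would record both the dependency on the template and the reason the security fields are dropped. Since `"1000"` is now the only place the non-SCC UID is defined, a named constant next to the other defaults would be clearer than a bare literal. `clusterInfo` is not among the visible parameters of `renderKubeSecondaryDNS`, so it is presumably package-level state; the function continues outside the hunk.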