From 991f7bf689cd1ad0762c94edb145e7b93feb43d6 Mon Sep 17 00:00:00 2001
From: Michel Thebeau
Date: Wed, 1 Sep 2021 19:01:40 -0400
Subject: [PATCH] run admission webhooks as non-root

The webhooks will not run as root with pod security policies enabled. The error reported is "container has runAsNonRoot and image will run as root".

Use the same securityContext as Portieris chart; run as 'portieris' service account (Values.securityContext.runAsUser)

Fix subsequent jobs that fail with the absent securityContext, permissions necessary to run those jobs. Add the 'patch' verb to customresourcedefinitions for portieris service account.

Depends-On: I4682765efddc217e792b37c659ae5833379bf054
Closes-Bug: 1895722
Change-Id: I8b5206cb6fadd029e6597e3da2b85857133ea95e
Signed-off-by: Michel Thebeau
---
 portieris-helm/centos/portieris-helm.spec | 2 +
 ...4-run-admission-webhooks-as-non-root.patch | 105 ++++++++++++++++++
 2 files changed, 107 insertions(+)
 create mode 100644 portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch

diff --git a/portieris-helm/centos/portieris-helm.spec b/portieris-helm/centos/portieris-helm.spec
index ca5b06b..79e2e53 100644
--- a/portieris-helm/centos/portieris-helm.spec
+++ b/portieris-helm/centos/portieris-helm.spec
@@ -29,6 +29,7 @@ BuildArch: noarch
 Patch01: 0001-Squash-required-portieris-fixes.patch
 Patch02: 0002-add-image-pull-secrets-to-images.patch
 Patch03: 0003-add-toggle-to-reinstall-the-admission-webhook.patch
+Patch04: 0004-run-admission-webhooks-as-non-root.patch
 
 BuildRequires: helm
 BuildRequires: chartmuseum
@@ -41,6 +42,7 @@ StarlingX portieris charts
 %patch01 -p1
 %patch02 -p1
 %patch03 -p1
+%patch04 -p1
 
 %build
 # Host a server for the charts
diff --git a/portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch b/portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch
new file mode 100644
index 0000000..7275d54
--- /dev/null
+++ b/portieris-helm/files/0004-run-admission-webhooks-as-non-root.patch
@@ -0,0 +1,105 @@
+From 8a6d884de01c2ce8ad9f68284b69a0ae2e5dea2a Mon Sep 17 00:00:00 2001
+From: Michel Thebeau
+Date: Wed, 1 Sep 2021 18:54:44 -0400
+Subject: [PATCH 4/4] run admission webhooks as non-root
+
+With pod security policies enabled the webhooks will not run as root,
+with "Error: container has runAsNonRoot and image will run as root".
+
+Copy the securityContext from portieris chart, run as 'portieris'
+service account.
+
+Fix subsequent jobs that fail with the absent securityContext,
+permissions. Add patch verb to customresourcedefinitions for portieris
+service add account.
+
+Signed-off-by: Michel Thebeau
+---
+ .../admission-webhooks/create-admission-webhooks.yaml | 3 +++
+ .../admission-webhooks/delete-admission-webhooks.yaml | 3 +++
+ helm/portieris/templates/clusterrole.yaml | 4 ++--
+ helm/portieris/templates/crd-creation/create-crds.yaml | 4 +++-
+ helm/portieris/templates/crd-creation/delete-crds.yaml | 4 +++-
+ .../templates/crd-creation/validate-crd-creation.yaml | 4 +++-
+ 6 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+index 7773413..cbe0eb7 100644
+--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
++++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
+@@ -44,3 +44,6 @@ spec:
+ configMap:
+ name: admission-webhooks
+ restartPolicy: OnFailure
++ securityContext:
++ runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
+index ce34927..dd8c259 100644
+--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
++++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
+@@ -40,3 +40,6 @@ spec:
+ configMap:
+ name: admission-webhooks
+ restartPolicy: OnFailure
++ securityContext:
++ runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml
+index 67c5912..13b4cb4 100644
+--- a/helm/portieris/templates/clusterrole.yaml
++++ b/helm/portieris/templates/clusterrole.yaml
+@@ -16,10 +16,10 @@ rules:
+ verbs: ["get", "watch", "list", "create", "patch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+- verbs: ["get", "create", "delete"]
++ verbs: ["get", "create", "delete", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+- verbs: ["get", "create", "delete"]
++ verbs: ["get", "create", "delete", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets", "serviceaccounts"]
+ verbs: ["get"]
+diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
+index 3ac36f6..13b0ca2 100644
+--- a/helm/portieris/templates/crd-creation/create-crds.yaml
++++ b/helm/portieris/templates/crd-creation/create-crds.yaml
+@@ -39,4 +39,6 @@ spec:
+ configMap:
+ name: image-policy-crds
+ restartPolicy: OnFailure
+-
+\ No newline at end of file
++ securityContext:
++ runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
+index 9080511..783fe23 100644
+--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
++++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
+@@ -40,4 +40,6 @@ spec:
+ configMap:
+ name: image-policy-crds
+ restartPolicy: OnFailure
+-
++ securityContext:
++ runAsUser: {{ .Values.securityContext.runAsUser }}
++
+diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
+index 5c68466..d3075da 100644
+--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
++++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
+@@ -33,4 +33,6 @@ spec:
+ - imagepolicies.securityenforcement.admission.cloud.ibm.com
+ - clusterimagepolicies.securityenforcement.admission.cloud.ibm.com
+ restartPolicy: OnFailure
+-
+\ No newline at end of file
++ securityContext:
++ runAsUser: {{ .Values.securityContext.runAsUser }}
++
+-- 
+2.29.2
+
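Review bot: Each added securityContext (create/delete-admission-webhooks, create/delete-crds, validate-crd-creation) sets only `runAsUser`, so an unset `.Values.securityContext.runAsUser` renders to `runAsUser:` (null) and the job is back on the image's default user with no render-time signal. Pair it with `runAsNonRoot: true` so the kubelet rejects a root UID whatever the value holds, and consider `runAsUser: {{ required "securityContext.runAsUser must be set" .Values.securityContext.runAsUser }}` so a missing value fails at `helm template` rather than at pod start. The clusterrole hunk also grants `patch` on validatingwebhookconfigurations and mutatingwebhookconfigurations, while both commit messages describe only the customresourcedefinitions verb; patch on the admission webhook configurations lets the portieris service account alter the policy-enforcement hooks themselves, so either document why the webhook jobs need it or limit the new verb to CRDs as described. The trailing `++` blank line appended to each template is harmless but will trip yamllint's empty-lines rule.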