ansible/helm: add ssc to not allow root previleges

Signed-off-by: Camila Macedo <cmacedo@redhat.com>

changelog/fragments/ansible-helm-ssc.yaml

@@ -0,0 +1,44 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      (ansible/v1)(helm/v1) Add SecurityContext to now allow root privileges.
+
+    # kind is one of:
+    # - addition
+    # - change
+    # - deprecation
+    # - removal
+    # - bugfix
+    kind: "addition"
+
+    # Is this a breaking change?
+    breaking: false
+
+    # NOTE: ONLY USE `pull_request_override` WHEN ADDING THIS
+    # FILE FOR A PREVIOUSLY MERGED PULL_REQUEST!
+    #
+    # The generator auto-detects the PR number from the commit
+    # message in which this file was originally added.
+    #
+    # What is the pull request number (without the "#")?
+    # pull_request_override: 0
+
+
+    # Migration can be defined to automatically add a section to
+    # the migration guide. This is required for breaking changes.
+    migration:
+      header: (ansible/v1)(helm/v1) **(Optional)** Add SecurityContext to now allow root privileges.
+      body: >
+        In the `config/manager` add the following security context:
+        ```yaml
+        spec:
+          securityContext:
+            runAsNonRoot: true
+        ...
+        containers:
+        - command:
+          ...
+          securityContext:
+            allowPrivilegeEscalation: false
+        ```

internal/plugins/ansible/v1/scaffolds/internal/templates/config/manager/manager.go

@@ -69,26 +69,32 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
-        - name: manager
-          args:
-            - "--enable-leader-election"
-            - "--leader-election-id={{ .ProjectName }}"
-          env:
-            - name: ANSIBLE_GATHERING
-              value: explicit
-          image: {{ .Image }}
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 6789
-            initialDelaySeconds: 15
-            periodSeconds: 20
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 10
+      - command:
+        - /manager
+        args:
+        - "--enable-leader-election"
+        - "--leader-election-id={{ .ProjectName }}"
+        name: manager
+        env:
+        - name: ANSIBLE_GATHERING
+          value: explicit
+        image: {{ .Image }}
+        securityContext:
+          allowPrivilegeEscalation: false
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 6789
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 6789
+          initialDelaySeconds: 5
+          periodSeconds: 10
       terminationGracePeriodSeconds: 10
 `

internal/plugins/helm/v1/scaffolds/internal/templates/config/manager/manager.go

@@ -69,12 +69,18 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
-      - image: {{ .Image }}
+      - command:
+        - /manager
         args:
         - "--enable-leader-election"
         - "--leader-election-id={{ .ProjectName }}"
         name: manager
+        image: {{ .Image }}
+        securityContext:
+          allowPrivilegeEscalation: false
         livenessProbe:
           httpGet:
             path: /healthz

testdata/ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml

@@ -120,6 +120,8 @@ spec:
                 - --metrics-addr=127.0.0.1:8080
                 - --enable-leader-election
                 - --leader-election-id=memcached-operator
+                command:
+                - /manager
                 env:
                 - name: ANSIBLE_GATHERING
                   value: explicit
@@ -138,6 +140,10 @@ spec:
                   initialDelaySeconds: 5
                   periodSeconds: 10
                 resources: {}
+                securityContext:
+                  allowPrivilegeEscalation: false
+              securityContext:
+                runAsNonRoot: true
               terminationGracePeriodSeconds: 10
       permissions:
       - rules:

testdata/ansible/memcached-operator/config/manager/manager.yaml

@@ -22,25 +22,31 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
-        - name: manager
-          args:
-            - "--enable-leader-election"
-            - "--leader-election-id=memcached-operator"
-          env:
-            - name: ANSIBLE_GATHERING
-              value: explicit
-          image: controller:latest
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 6789
-            initialDelaySeconds: 15
-            periodSeconds: 20
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 10
+      - command:
+        - /manager
+        args:
+        - "--enable-leader-election"
+        - "--leader-election-id=memcached-operator"
+        name: manager
+        env:
+        - name: ANSIBLE_GATHERING
+          value: explicit
+        image: controller:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 6789
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 6789
+          initialDelaySeconds: 5
+          periodSeconds: 10
       terminationGracePeriodSeconds: 10

testdata/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml

@@ -208,6 +208,8 @@ spec:
                 - --metrics-addr=127.0.0.1:8080
                 - --enable-leader-election
                 - --leader-election-id=memcached-operator
+                command:
+                - /manager
                 image: quay.io/example/memcached-operator:v0.0.1
                 livenessProbe:
                   httpGet:
@@ -229,6 +231,10 @@ spec:
                   requests:
                     cpu: 100m
                     memory: 60Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+              securityContext:
+                runAsNonRoot: true
               terminationGracePeriodSeconds: 10
       permissions:
       - rules:

testdata/helm/memcached-operator/config/manager/manager.yaml

@@ -22,12 +22,18 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
-      - image: controller:latest
+      - command:
+        - /manager
         args:
         - "--enable-leader-election"
         - "--leader-election-id=memcached-operator"
         name: manager
+        image: controller:latest
+        securityContext:
+          allowPrivilegeEscalation: false
         livenessProbe:
           httpGet:
             path: /healthz