Merge pull request #9518 from rook/mergify/bp/release-1.8/pr-9512

core: run discover daemonset as root uid (backport #9512)
rook · Jan 4, 2022 · a5f8e42 · a5f8e42
2 parents 295df75 + 78c2965
commit a5f8e42
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/pkg/operator/discover/discover.go b/pkg/operator/discover/discover.go
@@ -30,6 +30,7 @@ import (
 	cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 	"github.com/rook/rook/pkg/clusterd"
 	discoverDaemon "github.com/rook/rook/pkg/daemon/discover"
+	"github.com/rook/rook/pkg/operator/ceph/controller"
 	k8sutil "github.com/rook/rook/pkg/operator/k8sutil"
 	"github.com/rook/rook/pkg/util/sys"
 
@@ -79,7 +80,6 @@ func (d *Discover) Start(ctx context.Context, namespace, discoverImage, security
 }
 
 func (d *Discover) createDiscoverDaemonSet(ctx context.Context, namespace, discoverImage, securityAccount string, useCephVolume bool) error {
-	privileged := true
 	discovery_parameters := []string{"discover",
 		"--discover-interval", getEnvVar(discoverIntervalEnv, defaultDiscoverInterval)}
 	if useCephVolume {
@@ -108,12 +108,10 @@ func (d *Discover) createDiscoverDaemonSet(ctx context.Context, namespace, disco
 					ServiceAccountName: securityAccount,
 					Containers: []v1.Container{
 						{
-							Name:  discoverDaemonsetName,
-							Image: discoverImage,
-							Args:  discovery_parameters,
-							SecurityContext: &v1.SecurityContext{
-								Privileged: &privileged,
-							},
+							Name:            discoverDaemonsetName,
+							Image:           discoverImage,
+							Args:            discovery_parameters,
+							SecurityContext: controller.PrivilegedContext(true),
 							VolumeMounts: []v1.VolumeMount{
 								{
 									Name:      "dev",

diff --git a/pkg/operator/discover/discover_test.go b/pkg/operator/discover/discover_test.go
@@ -79,6 +79,7 @@ func TestStartDiscoveryDaemonset(t *testing.T) {
 	assert.Equal(t, "mysa", agentDS.Spec.Template.Spec.ServiceAccountName)
 	assert.Equal(t, "my-priority-class", agentDS.Spec.Template.Spec.PriorityClassName)
 	assert.True(t, *agentDS.Spec.Template.Spec.Containers[0].SecurityContext.Privileged)
+	assert.Equal(t, int64(0), *agentDS.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser)
 	volumes := agentDS.Spec.Template.Spec.Volumes
 	assert.Equal(t, 3, len(volumes))
 	volumeMounts := agentDS.Spec.Template.Spec.Containers[0].VolumeMounts