From dd67b866dcadd909a8b2d3cf355301f50b0c3eb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Mon, 3 Jan 2022 12:35:19 +0100
Subject: [PATCH] core: run discover daemonset as root uid
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

So that the tool inside the container has the permission to run correctly, e.g: sgdisk.

Clsoes: https://github.com/rook/rook/issues/9493
Signed-off-by: Sébastien Han
---
 pkg/operator/discover/discover.go      | 12 +++++-------
 pkg/operator/discover/discover_test.go |  1 +
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/pkg/operator/discover/discover.go b/pkg/operator/discover/discover.go
index 028e15a25282..da5c6c1738db 100644
--- a/pkg/operator/discover/discover.go
+++ b/pkg/operator/discover/discover.go
@@ -30,6 +30,7 @@ import (
 	cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 	"github.com/rook/rook/pkg/clusterd"
 	discoverDaemon "github.com/rook/rook/pkg/daemon/discover"
+	"github.com/rook/rook/pkg/operator/ceph/controller"
 	k8sutil "github.com/rook/rook/pkg/operator/k8sutil"
 	"github.com/rook/rook/pkg/util/sys"
 
@@ -79,7 +80,6 @@ func (d *Discover) Start(ctx context.Context, namespace, discoverImage, security
 }
 
 func (d *Discover) createDiscoverDaemonSet(ctx context.Context, namespace, discoverImage, securityAccount string, useCephVolume bool) error {
-	privileged := true
 	discovery_parameters := []string{"discover", "--discover-interval", getEnvVar(discoverIntervalEnv, defaultDiscoverInterval)}
 
 	if useCephVolume {
@@ -108,12 +108,10 @@ func (d *Discover) createDiscoverDaemonSet(ctx context.Context, namespace, disco
 	ServiceAccountName: securityAccount,
 	Containers: []v1.Container{
 		{
-			Name: discoverDaemonsetName,
-			Image: discoverImage,
-			Args: discovery_parameters,
-			SecurityContext: &v1.SecurityContext{
-				Privileged: &privileged,
-			},
+			Name: discoverDaemonsetName,
+			Image: discoverImage,
+			Args: discovery_parameters,
+			SecurityContext: controller.PrivilegedContext(true),
 			VolumeMounts: []v1.VolumeMount{
 				{
 					Name: "dev",
diff --git a/pkg/operator/discover/discover_test.go b/pkg/operator/discover/discover_test.go
index 994575f95da7..2b42bf18cf0d 100644
--- a/pkg/operator/discover/discover_test.go
+++ b/pkg/operator/discover/discover_test.go
@@ -79,6 +79,7 @@ func TestStartDiscoveryDaemonset(t *testing.T) {
 	assert.Equal(t, "mysa", agentDS.Spec.Template.Spec.ServiceAccountName)
 	assert.Equal(t, "my-priority-class", agentDS.Spec.Template.Spec.PriorityClassName)
 	assert.True(t, *agentDS.Spec.Template.Spec.Containers[0].SecurityContext.Privileged)
+	assert.Equal(t, int64(0), *agentDS.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser)
 	volumes := agentDS.Spec.Template.Spec.Volumes
 	assert.Equal(t, 3, len(volumes))
 	volumeMounts := agentDS.Spec.Template.Spec.Containers[0].VolumeMounts
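Review bot: The new line `SecurityContext: controller.PrivilegedContext(true),` hides what security context the discover container actually receives; the RunAsUser 0 that the commit title promises is asserted only in discover_test.go and is not visible in discover.go, because PrivilegedContext is defined outside this patch and its bool argument is unnamed at the call site. A comment above the field would keep the widened context and its reason next to the code, e.g. `// PrivilegedContext(true) presumably runs the container privileged and as uid 0, which tools such as sgdisk need (rook/rook#9493).` Since the container is now both privileged and root, the comment should also make clear that this is an operator-side decision so a later change to the helper is not made blindly. createDiscoverDaemonSet starts and ends outside this hunk.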