Added configuration for the sidecar agent's securityContext

Signed-off-by: chgl <chgl@users.noreply.github.com>

deploy/crds/jaegertracing.io_jaegers_crd.yaml

@@ -662,6 +662,56 @@ spec:
                   type: object
                 serviceAccount:
                   type: string
+                sidecarSecurityContext:
+                  properties:
+                    allowPrivilegeEscalation:
+                      type: boolean
+                    capabilities:
+                      properties:
+                        add:
+                          items:
+                            type: string
+                          type: array
+                        drop:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    privileged:
+                      type: boolean
+                    procMount:
+                      type: string
+                    readOnlyRootFilesystem:
+                      type: boolean
+                    runAsGroup:
+                      format: int64
+                      type: integer
+                    runAsNonRoot:
+                      type: boolean
+                    runAsUser:
+                      format: int64
+                      type: integer
+                    seLinuxOptions:
+                      properties:
+                        level:
+                          type: string
+                        role:
+                          type: string
+                        type:
+                          type: string
+                        user:
+                          type: string
+                      type: object
+                    windowsOptions:
+                      properties:
+                        gmsaCredentialSpec:
+                          type: string
+                        gmsaCredentialSpecName:
+                          type: string
+                        runAsUserName:
+                          type: string
+                      type: object
+                  type: object
                 strategy:
                   type: string
                 tolerations:

pkg/apis/jaegertracing/v1/jaeger_types.go

@@ -383,6 +383,9 @@ type JaegerAgentSpec struct {
 
 	// +optional
 	Config FreeForm `json:"config,omitempty"`
+
+	// +optional
+	SidecarSecurityContext *v1.SecurityContext `json:"sidecarSecurityContext,omitempty"`
 }
 
 // JaegerStorageSpec defines the common storage options to be used for the query and collector

pkg/inject/sidecar.go

@@ -274,8 +274,9 @@ func container(jaeger *v1.Jaeger, dep *appsv1.Deployment) corev1.Container {
 				Name:          "admin-http",
 			},
 		},
-		Resources:    commonSpec.Resources,
-		VolumeMounts: volumesAndMountsSpec.VolumeMounts,
+		Resources:       commonSpec.Resources,
+		SecurityContext: jaeger.Spec.Agent.SidecarSecurityContext,
+		VolumeMounts:    volumesAndMountsSpec.VolumeMounts,
 	}
 }
 

pkg/inject/sidecar_test.go

@@ -850,3 +850,16 @@ func TestInjectSidecarOnOpenShift(t *testing.T) {
 	assert.Len(t, dep.Spec.Template.Spec.Containers[1].VolumeMounts, 2)
 	assert.Len(t, dep.Spec.Template.Spec.Volumes, 2)
 }
+
+func TestSidecarWithSecurityContext(t *testing.T) {
+	var user, group int64 = 111, 222
+	expectedSecurityContext := &corev1.SecurityContext{RunAsUser: &user, RunAsGroup: &group}
+
+	jaeger := v1.NewJaeger(types.NamespacedName{Name: "TestSidecarWithSecurityContext"})
+	jaeger.Spec.Agent.SidecarSecurityContext = expectedSecurityContext
+
+	dep := dep(map[string]string{}, map[string]string{})
+	dep = Sidecar(jaeger, dep)
+	assert.Len(t, dep.Spec.Template.Spec.Containers, 2)
+	assert.Equal(t, dep.Spec.Template.Spec.Containers[1].SecurityContext, expectedSecurityContext)
+}