update pod securitycontext and upgrade operator sdk version (#262)

Signed-off-by: Zhiwei Yin <zyin@redhat.com>
open-cluster-management-io · Sep 4, 2023 · 8b4abc7 · 8b4abc7
1 parent ac142e6
commit 8b4abc7
Show file tree

Hide file tree

Showing 10 changed files with 456 additions and 138 deletions.
diff --git a/Makefile b/Makefile
@@ -13,15 +13,15 @@ include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
 )
 
 OPERATOR_SDK?=$(PERMANENT_TMP_GOPATH)/bin/operator-sdk
-OPERATOR_SDK_VERSION?=v1.1.0
+OPERATOR_SDK_VERSION?=v1.28.0
 operatorsdk_gen_dir:=$(dir $(OPERATOR_SDK))
 # CSV_VERSION is used to generate new CSV manifests
 CSV_VERSION?=0.12.0
 
-OPERATOR_SDK_ARCHOS:=x86_64-linux-gnu
+OPERATOR_SDK_ARCHOS:=linux_amd64
 ifeq ($(GOHOSTOS),darwin)
 	ifeq ($(GOHOSTARCH),amd64)
-		OPERATOR_SDK_ARCHOS:=x86_64-apple-darwin
+		OPERATOR_SDK_ARCHOS:=darwin_amd64
 	endif
 endif
 
@@ -57,12 +57,12 @@ patch-crd: ensure-yaml-patch
 update: patch-crd copy-crd update-csv
 
 update-csv: ensure-operator-sdk
-	cd deploy/cluster-manager && ../../$(OPERATOR_SDK) generate bundle --manifests --deploy-dir config/ --crds-dir config/crds/ --output-dir olm-catalog/cluster-manager/ --version $(CSV_VERSION)
-	cd deploy/klusterlet && ../../$(OPERATOR_SDK) generate bundle --manifests --deploy-dir config/ --crds-dir config/crds/ --output-dir olm-catalog/klusterlet/ --version=$(CSV_VERSION)
+	cd deploy/cluster-manager && ../../$(OPERATOR_SDK) generate bundle --version $(CSV_VERSION) --package cluster-manager --input-dir config --output-dir olm-catalog/cluster-manager
+	cd deploy/klusterlet && ../../$(OPERATOR_SDK) generate bundle --version $(CSV_VERSION) --package klusterlet --input-dir config --output-dir olm-catalog/klusterlet
 
-	# delete useless serviceaccounts in manifests although they are copied from config by operator-sdk.
-	rm ./deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager_v1_serviceaccount.yaml
-	rm ./deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet_v1_serviceaccount.yaml
+	# delete bundle.Dockerfile since we do not use it to build image.
+	rm ./deploy/cluster-manager/bundle.Dockerfile
+	rm ./deploy/klusterlet/bundle.Dockerfile
 
 verify-crds: patch-crd
 	bash -x hack/verify-crds.sh
@@ -93,7 +93,7 @@ ensure-operator-sdk:
 ifeq "" "$(wildcard $(OPERATOR_SDK))"
 	$(info Installing operator-sdk into '$(OPERATOR_SDK)')
 	mkdir -p '$(operatorsdk_gen_dir)'
-	curl -s -f -L https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk-$(OPERATOR_SDK_VERSION)-$(OPERATOR_SDK_ARCHOS) -o '$(OPERATOR_SDK)'
+	curl -s -f -L https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OPERATOR_SDK_ARCHOS) -o '$(OPERATOR_SDK)'
 	chmod +x '$(OPERATOR_SDK)';
 else
 	$(info Using existing operator-sdk from "$(OPERATOR_SDK)")

diff --git a/deploy/cluster-manager/PROJECT b/deploy/cluster-manager/PROJECT
@@ -1,2 +1,4 @@
+version: "3"
+layout:
+- go.kubebuilder.io/v3
 projectName: cluster-manager
-version: 2
diff --git a/...-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml b/...-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
@@ -59,10 +59,10 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2023-05-24T20:00:31Z"
+    createdAt: "2023-09-04T03:11:35Z"
     description: Manages the installation and upgrade of the ClusterManager.
-    operators.operatorframework.io/builder: operator-sdk-v1.1.0
-    operators.operatorframework.io/project_layout: go
+    operators.operatorframework.io/builder: operator-sdk-v1.28.0
+    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/open-cluster-management-io/registration-operator
     support: Red Hat, Inc.
   name: cluster-manager.v0.12.0
@@ -71,7 +71,8 @@ spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
-    - description: ClusterManager defines the configurations of controllers running hub that govern registration and work distribution for attached Klusterlets
+    - description: ClusterManager defines the configurations of controllers running
+        hub that govern registration and work distribution for attached Klusterlets
       displayName: ClusterManager
       kind: ClusterManager
       name: clustermanagers.operator.open-cluster-management.io
@@ -499,7 +500,9 @@ spec:
           - get
         serviceAccountName: cluster-manager
       deployments:
-      - name: cluster-manager
+      - label:
+          app: cluster-manager
+        name: cluster-manager
         spec:
           replicas: 3
           selector:

diff --git a/...atalog/cluster-manager/manifests/operator.open-cluster-management.io_clustermanagers.yaml b/...atalog/cluster-manager/manifests/operator.open-cluster-management.io_clustermanagers.yaml
diff --git a/deploy/cluster-manager/olm-catalog/cluster-manager/metadata/annotations.yaml b/deploy/cluster-manager/olm-catalog/cluster-manager/metadata/annotations.yaml
@@ -1,7 +1,10 @@
 annotations:
-    operators.operatorframework.io.bundle.channel.default.v1: stable
-    operators.operatorframework.io.bundle.channels.v1: stable
-    operators.operatorframework.io.bundle.manifests.v1: manifests/
-    operators.operatorframework.io.bundle.mediatype.v1: registry+v1
-    operators.operatorframework.io.bundle.metadata.v1: metadata/
-    operators.operatorframework.io.bundle.package.v1: cluster-manager
+  # Core bundle annotations.
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: cluster-manager
+  operators.operatorframework.io.bundle.channels.v1: alpha
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0
+  operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+  operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
diff --git a/deploy/klusterlet/PROJECT b/deploy/klusterlet/PROJECT
@@ -1,2 +1,4 @@
+version: "3"
+layout:
+- go.kubebuilder.io/v3
 projectName: klusterlet
-version: 2
diff --git a/deploy/klusterlet/config/operator/operator.yaml b/deploy/klusterlet/config/operator/operator.yaml
@@ -39,12 +39,20 @@ spec:
                   values:
                   - klusterlet
       serviceAccountName: klusterlet
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: klusterlet
         image: quay.io/open-cluster-management/registration-operator:latest
         args:
           - "/registration-operator"
           - "klusterlet"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml b/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml
@@ -39,10 +39,10 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2023-05-24T20:00:31Z"
+    createdAt: "2023-09-04T03:11:35Z"
     description: Manages the installation and upgrade of the Klusterlet.
-    operators.operatorframework.io/builder: operator-sdk-v1.1.0
-    operators.operatorframework.io/project_layout: go
+    operators.operatorframework.io/builder: operator-sdk-v1.28.0
+    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/open-cluster-management-io/registration-operator
     support: Red Hat, Inc.
   name: klusterlet.v0.12.0
@@ -51,7 +51,8 @@ spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
     owned:
-    - description: Klusterlet defines the configurations of agents running on the managed cluster
+    - description: Klusterlet defines the configurations of agents running on the
+        managed cluster
       displayName: Klusterlet
       kind: Klusterlet
       name: klusterlets.operator.open-cluster-management.io
@@ -237,7 +238,9 @@ spec:
           - patch
         serviceAccountName: klusterlet
       deployments:
-      - name: klusterlet
+      - label:
+          app: klusterlet
+        name: klusterlet
         spec:
           replicas: 3
           selector:
@@ -295,6 +298,14 @@ spec:
                   requests:
                     cpu: 100m
                     memory: 128Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                    - ALL
+                  privileged: false
+              securityContext:
+                runAsNonRoot: true
               serviceAccountName: klusterlet
     strategy: deployment
   installModes: