Drop all capabilities and add the required ones

ansd · ansd · commit a32578bb3f69 · 2020-09-09T08:42:58.000+02:00
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
@@ -497,11 +497,8 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 					SecurityContext: &corev1.SecurityContext{
 						RunAsUser: pointer.Int64Ptr(0),
 						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{
-								// Remove default capabilities allowed by Docker except for CHOWN and FOWNER
-								"SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID",
-								"KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
-							},
+							Drop: []corev1.Capability{"ALL"},
+							Add:  []corev1.Capability{"CHOWN", "FOWNER"},
 						},
 					},
 					Command: []string{
@@ -626,8 +623,8 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 							Exec: &corev1.ExecAction{
 								Command: []string{"/bin/bash", "-c",
 									fmt.Sprintf("if [ ! -z \"$(cat /etc/pod-info/%s)\" ]; then exit 0; fi;", DeletionMarker) +
-									fmt.Sprintf(" rabbitmq-upgrade await_online_quorum_plus_one -t %d;"+
-										" rabbitmq-upgrade await_online_synchronized_mirror -t %d", defaultGracePeriodTimeoutSeconds, defaultGracePeriodTimeoutSeconds),
+										fmt.Sprintf(" rabbitmq-upgrade await_online_quorum_plus_one -t %d;"+
+											" rabbitmq-upgrade await_online_synchronized_mirror -t %d", defaultGracePeriodTimeoutSeconds, defaultGracePeriodTimeoutSeconds),
 								},
 							},
 						},
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
@@ -13,6 +13,7 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/ginkgo/extensions/table"
 	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega/gstruct"
 	rabbitmqv1beta1 "github.com/rabbitmq/cluster-operator/api/v1beta1"
 	"github.com/rabbitmq/cluster-operator/internal/resource"
 	appsv1 "k8s.io/api/apps/v1"
@@ -943,56 +944,56 @@ var _ = Describe("StatefulSet", func() {
 			initContainers := statefulSet.Spec.Template.Spec.InitContainers
 			Expect(initContainers).To(HaveLen(1))
 
-			container := extractContainer(initContainers, "copy-config")
-			Expect(container.Command).To(ConsistOf(
-				"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf "+
-					"&& chown 999:999 /etc/rabbitmq/rabbitmq.conf "+
-					"&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; "+
-					"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config "+
-					"&& chown 999:999 /etc/rabbitmq/advanced.config ; "+
-					"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf "+
-					"&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; "+
-					"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie "+
-					"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie "+
-					"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; "+
-					"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins "+
-					"&& chown 999:999 /etc/rabbitmq/enabled_plugins ; "+
-					"chgrp 999 /var/lib/rabbitmq/mnesia/",
-			))
-
-			Expect(container.VolumeMounts).To(ConsistOf(
-				corev1.VolumeMount{
-					Name:      "server-conf",
-					MountPath: "/tmp/rabbitmq/",
-				},
-				corev1.VolumeMount{
-					Name:      "plugins-conf",
-					MountPath: "/tmp/rabbitmq-plugins/",
-				},
-
-				corev1.VolumeMount{
-					Name:      "rabbitmq-etc",
-					MountPath: "/etc/rabbitmq/",
-				},
-				corev1.VolumeMount{
-					Name:      "rabbitmq-erlang-cookie",
-					MountPath: "/var/lib/rabbitmq/",
-				},
-				corev1.VolumeMount{
-					Name:      "erlang-cookie-secret",
-					MountPath: "/tmp/erlang-cookie-secret/",
-				},
-				corev1.VolumeMount{
-					Name:      "persistence",
-					MountPath: "/var/lib/rabbitmq/mnesia/",
-				},
-			))
-
-			Expect(container.Image).To(Equal("rabbitmq-image-from-cr"))
-			Expect(container.SecurityContext.RunAsUser).To(Equal(pointer.Int64Ptr(0)))
-			Expect(container.SecurityContext.Capabilities.Drop).To(ConsistOf([]corev1.Capability{
-				"SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FSETID",
-				"KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP",
+			initContainer := extractContainer(initContainers, "copy-config")
+			Expect(initContainer).To(MatchFields(IgnoreExtras, Fields{
+				"Image": Equal("rabbitmq-image-from-cr"),
+				"SecurityContext": PointTo(MatchFields(IgnoreExtras, Fields{
+					"Capabilities": PointTo(MatchAllFields(Fields{
+						"Drop": ConsistOf([]corev1.Capability{"ALL"}),
+						"Add":  ConsistOf([]corev1.Capability{"CHOWN", "FOWNER"}),
+					})),
+				})),
+				"Command": ConsistOf(
+					"sh", "-c", "cp /tmp/rabbitmq/rabbitmq.conf /etc/rabbitmq/rabbitmq.conf "+
+						"&& chown 999:999 /etc/rabbitmq/rabbitmq.conf "+
+						"&& echo '' >> /etc/rabbitmq/rabbitmq.conf ; "+
+						"cp /tmp/rabbitmq/advanced.config /etc/rabbitmq/advanced.config "+
+						"&& chown 999:999 /etc/rabbitmq/advanced.config ; "+
+						"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf "+
+						"&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; "+
+						"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie "+
+						"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie "+
+						"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; "+
+						"cp /tmp/rabbitmq-plugins/enabled_plugins /etc/rabbitmq/enabled_plugins "+
+						"&& chown 999:999 /etc/rabbitmq/enabled_plugins ; "+
+						"chgrp 999 /var/lib/rabbitmq/mnesia/",
+				),
+				"VolumeMounts": ConsistOf(
+					corev1.VolumeMount{
+						Name:      "server-conf",
+						MountPath: "/tmp/rabbitmq/",
+					},
+					corev1.VolumeMount{
+						Name:      "plugins-conf",
+						MountPath: "/tmp/rabbitmq-plugins/",
+					},
+					corev1.VolumeMount{
+						Name:      "rabbitmq-etc",
+						MountPath: "/etc/rabbitmq/",
+					},
+					corev1.VolumeMount{
+						Name:      "rabbitmq-erlang-cookie",
+						MountPath: "/var/lib/rabbitmq/",
+					},
+					corev1.VolumeMount{
+						Name:      "erlang-cookie-secret",
+						MountPath: "/tmp/erlang-cookie-secret/",
+					},
+					corev1.VolumeMount{
+						Name:      "persistence",
+						MountPath: "/var/lib/rabbitmq/mnesia/",
+					},
+				),
 			}))
 		})
 
diff --git a/system_tests/system_tests.go b/system_tests/system_tests.go
@@ -23,7 +23,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const statefulSetSuffix   = "server"
+const statefulSetSuffix = "server"
 
 var _ = Describe("Operator", func() {
 	var (

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ import (`
`23`	`23`	`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
`24`	`24`	`)`
`25`	`25`
`26`		`-const statefulSetSuffix = "server"`
	`26`	`+const statefulSetSuffix = "server"`
`27`	`27`
`28`	`28`	`var _ = Describe("Operator", func() {`
`29`	`29`	`var (`