[Bugfix] Pass SecurityContext Pod Settings for SELinux and Seccomp (#1643)

CHANGELOG.md

@@ -22,6 +22,7 @@
 - (Bugfix) Use Rendered Spec in case of scheduling compare
 - (Feature) Parametrize Scheduling Graceful Duration
 - (Bugfix) Change Accepted Spec Propagation
+- (Bugfix) Pass SecurityContext Pod Settings for SELinux and Seccomp
 
 ## [1.2.39](https://github.com/arangodb/kube-arangodb/tree/1.2.39) (2024-03-11)
 - (Feature) Extract Scheduler API

pkg/apis/deployment/v1/server_group_security_context_spec.go

@@ -116,6 +116,15 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 	}
 
+	if s != nil {
+		if psc == nil {
+			psc = &core.PodSecurityContext{}
+		}
+
+		psc.SeccompProfile = s.SeccompProfile.DeepCopy()
+		psc.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+	}
+
 	if s != nil && len(s.Sysctls) > 0 {
 		var sysctls []core.Sysctl
 		for k, v := range s.Sysctls {

pkg/apis/deployment/v1/server_group_security_context_spec_test.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -101,6 +101,28 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 				},
 			},
 		},
+		"pass seccompProfile opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+		},
+		"pass seLinuxOptions opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+		},
 	}
 
 	for testName, testCase := range testCases {
@@ -225,6 +247,34 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 				RunAsUser:              util.NewType[int64](3001),
 			},
 		},
+		"pass seccompProfile opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+			secured: false,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+		},
+		"pass seLinuxOptions opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+			secured: false,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+		},
 	}
 
 	for testName, testCase := range tests {

pkg/apis/deployment/v2alpha1/server_group_security_context_spec.go

@@ -116,6 +116,15 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
 		}
 	}
 
+	if s != nil {
+		if psc == nil {
+			psc = &core.PodSecurityContext{}
+		}
+
+		psc.SeccompProfile = s.SeccompProfile.DeepCopy()
+		psc.SELinuxOptions = s.SELinuxOptions.DeepCopy()
+	}
+
 	if s != nil && len(s.Sysctls) > 0 {
 		var sysctls []core.Sysctl
 		for k, v := range s.Sysctls {

pkg/apis/deployment/v2alpha1/server_group_security_context_spec_test.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -101,6 +101,28 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
 				},
 			},
 		},
+		"pass seccompProfile opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+		},
+		"pass seLinuxOptions opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+		},
 	}
 
 	for testName, testCase := range testCases {
@@ -225,6 +247,34 @@ func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
 				RunAsUser:              util.NewType[int64](3001),
 			},
 		},
+		"pass seccompProfile opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+			secured: false,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+				SeccompProfile: &core.SeccompProfile{
+					Type: core.SeccompProfileTypeRuntimeDefault,
+				},
+			},
+		},
+		"pass seLinuxOptions opts": {
+			sc: &ServerGroupSpecSecurityContext{
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+			secured: false,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+				SELinuxOptions: &core.SELinuxOptions{Type: "test"},
+			},
+		},
 	}
 
 	for testName, testCase := range tests {