Set securityContext on injected initContainer (open-telemetry#1273)

Co-authored-by: Jacob Aronoff <jaronoff97@users.noreply.github.com>
ItielOlenick · Aug 4, 2023 · 8ef62e2 · 8ef62e2
1 parent 85eba16
commit 8ef62e2
Show file tree

Hide file tree

Showing 12 changed files with 69 additions and 0 deletions.
diff --git a/.chloggen/initcontainer-securitycontext.yaml b/.chloggen/initcontainer-securitycontext.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action)
+component: operator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Set securityContext on injected initContainer based on existing containers.
+
+# One or more tracking issues related to the change
+issues: [1084, 1058]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/pkg/instrumentation/sdk.go b/pkg/instrumentation/sdk.go
@@ -149,6 +149,19 @@ func (i *sdkInjector) inject(ctx context.Context, insts languageInstrumentations
 		pod = i.injectCommonEnvVar(otelinst, pod, index)
 		pod = i.injectCommonSDKConfig(ctx, otelinst, ns, pod, index, index)
 	}
+
+	pod = i.setInitContainerSecurityContext(pod, pod.Spec.Containers[index].SecurityContext)
+
+	return pod
+}
+
+func (i *sdkInjector) setInitContainerSecurityContext(pod corev1.Pod, securityContext *corev1.SecurityContext) corev1.Pod {
+	for i, initContainer := range pod.Spec.InitContainers {
+		if initContainer.Name == initContainerName {
+			pod.Spec.InitContainers[i].SecurityContext = securityContext
+		}
+	}
+
 	return pod
 }
 

diff --git a/tests/e2e/instrumentation-dotnet/01-assert.yaml b/tests/e2e/instrumentation-dotnet/01-assert.yaml
@@ -50,6 +50,10 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
     resources:
       limits:
         cpu: "500m"

diff --git a/tests/e2e/instrumentation-dotnet/01-install-app.yaml b/tests/e2e/instrumentation-dotnet/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: docker.io/avadhutp123/aspnetapp@sha256:d2e8d3415f6f12efae0369aa0a9777a58583841fb133f33e10a73adb9fb392da  # source code of the application: https://github.com/dotnet/dotnet-docker/tree/main/samples/aspnetapp
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-java-other-ns/03-assert.yaml b/tests/e2e/instrumentation-java-other-ns/03-assert.yaml
@@ -44,5 +44,9 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
 status:
   phase: Running
diff --git a/tests/e2e/instrumentation-java-other-ns/03-install-app.yaml b/tests/e2e/instrumentation-java-other-ns/03-install-app.yaml
@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/pavolloffay/spring-petclinic:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-java/01-assert.yaml b/tests/e2e/instrumentation-java/01-assert.yaml
@@ -44,6 +44,10 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
     resources:
       limits:
         cpu: "500m"

diff --git a/tests/e2e/instrumentation-java/01-install-app.yaml b/tests/e2e/instrumentation-java/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/pavolloffay/spring-petclinic:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-nodejs/01-assert.yaml b/tests/e2e/instrumentation-nodejs/01-assert.yaml
@@ -42,6 +42,10 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
     resources:
       limits:
         cpu: "500m"

diff --git a/tests/e2e/instrumentation-nodejs/01-install-app.yaml b/tests/e2e/instrumentation-nodejs/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/anuraaga/express-hello-world:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-python/01-assert.yaml b/tests/e2e/instrumentation-python/01-assert.yaml
@@ -46,6 +46,10 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
     resources:
       limits:
         cpu: "500m"

diff --git a/tests/e2e/instrumentation-python/01-install-app.yaml b/tests/e2e/instrumentation-python/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/anuraaga/flask-hello-world:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]