From b8925e34531c6065a35ce7d7bde45a703dbf95d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20M=C3=A5rtensson?=
Date: Thu, 24 Nov 2022 11:25:51 +0100
Subject: [PATCH] Set securityContext on injected initContainer
---
 pkg/instrumentation/sdk.go | 13 +++++++++++++
 tests/e2e/instrumentation-dotnet/01-assert.yaml | 4 ++++
 .../e2e/instrumentation-dotnet/01-install-app.yaml | 4 ++++
 .../instrumentation-java-other-ns/03-assert.yaml | 4 ++++
 .../03-install-app.yaml | 4 ++++
 tests/e2e/instrumentation-java/01-assert.yaml | 4 ++++
 tests/e2e/instrumentation-java/01-install-app.yaml | 4 ++++
 tests/e2e/instrumentation-nodejs/01-assert.yaml | 4 ++++
 .../e2e/instrumentation-nodejs/01-install-app.yaml | 4 ++++
 tests/e2e/instrumentation-python/01-assert.yaml | 4 ++++
 .../e2e/instrumentation-python/01-install-app.yaml | 4 ++++
 11 files changed, 53 insertions(+)
diff --git a/pkg/instrumentation/sdk.go b/pkg/instrumentation/sdk.go
index b126427d75..308e33c42d 100644
--- a/pkg/instrumentation/sdk.go
+++ b/pkg/instrumentation/sdk.go
@@ -118,6 +118,19 @@ func (i *sdkInjector) inject(ctx context.Context, insts languageInstrumentations
 pod = i.injectCommonEnvVar(otelinst, pod, index)
 pod = i.injectCommonSDKConfig(ctx, otelinst, ns, pod, index)
 }
+
+ pod = i.setInitContainerSecurityContext(pod, pod.Spec.Containers[index].SecurityContext)
+
+ return pod
+}
+
+func (i *sdkInjector) setInitContainerSecurityContext(pod corev1.Pod, securityContext *corev1.SecurityContext) corev1.Pod {
+ for i, initContainer := range pod.Spec.InitContainers {
+ if initContainer.Name == initContainerName {
+ pod.Spec.InitContainers[i].SecurityContext = securityContext
+ }
+ }
+ return pod
 }
diff --git a/tests/e2e/instrumentation-dotnet/01-assert.yaml b/tests/e2e/instrumentation-dotnet/01-assert.yaml
index a5946f895d..d511fed0f2 100644
--- a/tests/e2e/instrumentation-dotnet/01-assert.yaml
+++ b/tests/e2e/instrumentation-dotnet/01-assert.yaml
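Review bot: `setInitContainerSecurityContext` stores the instrumented container's `*corev1.SecurityContext` pointer on the init container as-is, so after `inject` returns the two containers share one struct and any later in-place edit to either (another injector, a caller of `inject`) silently changes both; pass a copy, `pod = i.setInitContainerSecurityContext(pod, pod.Spec.Containers[index].SecurityContext.DeepCopy())` (the generated `DeepCopy` returns nil for a nil receiver, so the no-context case behaves as now). Mirroring the whole context also hands the init container every setting of the app container, including `privileged`, `runAsUser` or `seLinuxOptions` values it presumably does not need, which is wider than the `allowPrivilegeEscalation`/`capabilities` hardening the e2e manifests assert — either copy only those fields or state the intent on the helper, e.g. `// setInitContainerSecurityContext copies the given security context onto the init container named initContainerName; every field is mirrored, not only the hardening ones.` In the helper, `for i, initContainer := range` shadows the receiver `i` and copies each element only to read its name; `for idx := range pod.Spec.InitContainers { if pod.Spec.InitContainers[idx].Name == initContainerName {` avoids both. `inject` begins outside the hunk.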
@@ -50,5 +50,9 @@ spec:
 - name: otc-container
 initContainers:
 - name: opentelemetry-auto-instrumentation
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
 status:
 phase: Running
diff --git a/tests/e2e/instrumentation-dotnet/01-install-app.yaml b/tests/e2e/instrumentation-dotnet/01-install-app.yaml
index 8591d40284..e7cce1a5e3 100644
--- a/tests/e2e/instrumentation-dotnet/01-install-app.yaml
+++ b/tests/e2e/instrumentation-dotnet/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
 containers:
 - name: myapp
 image: docker.io/avadhutp123/aspnetapp@sha256:d2e8d3415f6f12efae0369aa0a9777a58583841fb133f33e10a73adb9fb392da # source code of the application: https://github.com/dotnet/dotnet-docker/tree/main/samples/aspnetapp
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-java-other-ns/03-assert.yaml b/tests/e2e/instrumentation-java-other-ns/03-assert.yaml
index fc4dd75353..d7fd949a39 100644
--- a/tests/e2e/instrumentation-java-other-ns/03-assert.yaml
+++ b/tests/e2e/instrumentation-java-other-ns/03-assert.yaml
@@ -44,5 +44,9 @@ spec:
 - name: otc-container
 initContainers:
 - name: opentelemetry-auto-instrumentation
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
 status:
 phase: Running
diff --git a/tests/e2e/instrumentation-java-other-ns/03-install-app.yaml b/tests/e2e/instrumentation-java-other-ns/03-install-app.yaml
index f566eb4c02..7674e6e61d 100644
--- a/tests/e2e/instrumentation-java-other-ns/03-install-app.yaml
+++ b/tests/e2e/instrumentation-java-other-ns/03-install-app.yaml
@@ -22,3 +22,7 @@ spec:
 containers:
 - name: myapp
 image: ghcr.io/pavolloffay/spring-petclinic:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-java/01-assert.yaml b/tests/e2e/instrumentation-java/01-assert.yaml
index d3505b046c..4e684c8196 100644
--- a/tests/e2e/instrumentation-java/01-assert.yaml
+++ b/tests/e2e/instrumentation-java/01-assert.yaml
@@ -44,5 +44,9 @@ spec:
 - name: otc-container
 initContainers:
 - name: opentelemetry-auto-instrumentation
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
 status:
 phase: Running
diff --git a/tests/e2e/instrumentation-java/01-install-app.yaml b/tests/e2e/instrumentation-java/01-install-app.yaml
index 093bb8b4c1..a68255bf8f 100644
--- a/tests/e2e/instrumentation-java/01-install-app.yaml
+++ b/tests/e2e/instrumentation-java/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
 containers:
 - name: myapp
 image: ghcr.io/pavolloffay/spring-petclinic:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-nodejs/01-assert.yaml b/tests/e2e/instrumentation-nodejs/01-assert.yaml
index 3190895a59..d9ddbe279a 100644
--- a/tests/e2e/instrumentation-nodejs/01-assert.yaml
+++ b/tests/e2e/instrumentation-nodejs/01-assert.yaml
@@ -40,5 +40,9 @@ spec:
 - name: otc-container
 initContainers:
 - name: opentelemetry-auto-instrumentation
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
 status:
 phase: Running
diff --git a/tests/e2e/instrumentation-nodejs/01-install-app.yaml b/tests/e2e/instrumentation-nodejs/01-install-app.yaml
index 1a1a298883..1234d661f0 100644
--- a/tests/e2e/instrumentation-nodejs/01-install-app.yaml
+++ b/tests/e2e/instrumentation-nodejs/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
 containers:
 - name: myapp
 image: ghcr.io/anuraaga/express-hello-world:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
diff --git a/tests/e2e/instrumentation-python/01-assert.yaml b/tests/e2e/instrumentation-python/01-assert.yaml
index 4b7c122ae0..ad93843fbe 100644
--- a/tests/e2e/instrumentation-python/01-assert.yaml
+++ b/tests/e2e/instrumentation-python/01-assert.yaml
@@ -46,5 +46,9 @@ spec:
 - name: otc-container
 initContainers:
 - name: opentelemetry-auto-instrumentation
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
 status:
 phase: Running
diff --git a/tests/e2e/instrumentation-python/01-install-app.yaml b/tests/e2e/instrumentation-python/01-install-app.yaml
index e8e9e0f940..70648d61e5 100644
--- a/tests/e2e/instrumentation-python/01-install-app.yaml
+++ b/tests/e2e/instrumentation-python/01-install-app.yaml
@@ -22,3 +22,7 @@ spec:
 containers:
 - name: myapp
 image: ghcr.io/anuraaga/flask-hello-world:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]