Feature: pod security admission

[feloy]

What does this PR do?:

This PR adds the possibility to get a patched PodTemplate based on a Pod Security Admission policy, so the Pod can be accepted by the Pod Security Admission controller.

Prior to being able to do this, some refactoring has been done:

• updating the k8s dependencies to latest version, to be able to use the latest version of k8s.io/pod-security-admission
• update to go 1.19, to be able to use the latest k8s dependencies
• A new method GetPodTemplateSpec has been added, that will handle the Pod Security patching and the container/pod overrides in an atomic way (instead of making them in different places), to be used instead of GetContainers/GetInitContainers
• GetDeployment now accepts a podSecurityTemplate instead of containers, initContainers and volumes (these 3 values are now marked as deprecated)

Which issue(s) this PR fixes:

redhat-developer/odo#6339

PR acceptance criteria:

Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened.

• Open new test/doc issues under the devfile/api repo
• Check each criteria if:
• There is a separate tracking issue. Add the issue link under the criteria
  or
• test/doc updates are made as part of this PR
• If unchecked, explain why it's not needed

• Unit/Functional tests

• QE Integration test

• Documentation

• Client Impact

• Gosec scans

How to test changes / Special notes to the reviewer:

[codecov]

Codecov Report

Patch coverage: 67.42% and project coverage change: +0.65 🎉

Comparison is base (4f0ff68) 59.67% compared to head (2239fa9) 60.33%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #165      +/-   ##
==========================================
+ Coverage   59.67%   60.33%   +0.65%     
==========================================
  Files          36       37       +1     
  Lines        4226     4369     +143     
==========================================
+ Hits         2522     2636     +114     
- Misses       1557     1571      +14     
- Partials      147      162      +15     

Impacted Files	Coverage Δ
pkg/devfile/parser/data/v2/header.go	100.00% <ø> (ø)
pkg/devfile/parser/data/v2/projects.go	94.73% <ø> (ø)
pkg/devfile/parser/parse.go	59.01% <ø> (+5.14%)	⬆️
pkg/devfile/parser/sourceAttribute.go	85.91% <ø> (ø)
pkg/util/util.go	38.69% <ø> (ø)
pkg/devfile/generator/policy.go	64.10% <64.10%> (ø)
pkg/devfile/generator/generators.go	63.09% <69.47%> (-2.14%)	⬇️
pkg/devfile/generator/utils.go	90.90% <100.00%> (+0.28%)	⬆️
... and 1 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[elsony]

To maintain backward compatibility, we need to keep the old functions and create new ones to provide the new function

[rm3l]

I guess we also need to update the Go version in codecov.yml? I can see that this workflow is not triggered on PRs, but only upon a push on main, which makes me think that this may no longer pass on main once this PR is merged.

[rm3l]

Also, wondering if we should not update the version in go.mod to reflect this? This way, all calls to the setup-go action could simply use the version declared in go.mod (see https://github.com/actions/setup-go#getting-go-version-from-the-gomod-file). But I am not sure about the implications on consumers of the library if the Go version in go.mod is updated. This might be a different issue, that said..

[rm3l]

To me (and per https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container), security settings at the Container level override settings made at the Pod level when there is an overlap. So I think, we don't need to set the value as true to containers only if they are not specified at the container level.
So we should still visit all containers and set the field to true, no?

[feloy]

To me (and per https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container), security settings at the Container level override settings made at the Pod level when there is an overlap. So I think, we don't need to set the value as true to containers only if they are not specified at the container level.

I agree up to here.

So we should still visit all containers and set the field to true, no?

By design, we know the field at container level will never be set (because they could be set only from the library, and they are not). For this reason, we only need to set it at pod level.

[rm3l]

Similar point here: I think we should visit all containers and set the field too..

To me (and per https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container), security settings at the Container level override settings made at the Pod level when there is an overlap. So I think, we don't need to set the value to containers only if they are not specified at the container level.
So we should still visit all containers and set the field, no?

[openshift-ci]

@rm3l: changing LGTM is restricted to collaborators

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rm3l]

LGTM - thanks!

[openshift-ci]

@rm3l: changing LGTM is restricted to collaborators

In response to this:

LGTM - thanks!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[yangcao77]

the GetContainers and GetInitContainers are being called by this new function introduced. which means the two functions are still in use, and need to be updated upon any changes to GetContainers/GetInitContainers behaviors. why mark the two functions as deprecated?

[feloy]

IMO, the GetContainers/GetInitContainers could be removed later from the library interface, by renaming them as getContainers/getInitContainers

[yangcao77]

dup with

library/pkg/devfile/generator/generators.go

Lines 209 to 212 in 5985a28

	deploySpecParams = deploymentSpecParams{
	PodTemplateSpec: *podTemplateSpec,
	PodSelectorLabels: deployParams.PodSelectorLabels,
	Replicas: deployParams.Replicas,

, can be move out side of the if-else block?

[yangcao77]

you do not need to introduce a new function for this purpose.
should use

library/pkg/devfile/parser/data/v2/components.go

Line 28 in 5985a28

func (d *DevfileV2) GetComponents(options common.DevfileOptions) ([]v1.Component, error) {

, and set DevfileOptions.FilterByName = <the containerName>

[feloy]

Are you sure? getContainerByName finds a specific container from the containers passed as parameter, but the method you mentions would find a component from the Devfile.

[feloy]

Thanks @yangcao77 for you review

[yangcao77]

thanks for making this change, generally looks good to me

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feloy, rm3l, yangcao77

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [yangcao77]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment