add user number in kube-state-metrics (stolostron#1474)

Signed-off-by: Thibault Mange <[email protected]>

operators/endpointmetrics/controllers/observabilityendpoint/observabilityaddon_controller.go

@@ -242,7 +242,7 @@ func (r *ObservabilityAddonReconciler) Reconcile(ctx context.Context, req ctrl.R
 	} else {
 		// Render the prometheus templates
 		renderer := rendererutil.NewRenderer()
-		toDeploy, err := rendering.Render(renderer, r.Client, hubInfo)
+		toDeploy, err := rendering.Render(ctx, renderer, r.Client, hubInfo)
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to render prometheus templates: %w", err)
 		}

operators/endpointmetrics/pkg/microshift/microshift.go

@@ -0,0 +1,34 @@
+// Copyright (c) Red Hat, Inc.
+// Copyright Contributors to the Open Cluster Management project
+// Licensed under the Apache License 2.0
+
+package microshift
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// IsMicroshiftCluster checks if the cluster is a microshift cluster.
+// It verifies the existence of the configmap microshift-version in namespace kube-public.
+// If the configmap exists, it returns the version of the microshift cluster.
+// If the configmap does not exist, it returns an empty string.
+func IsMicroshiftCluster(ctx context.Context, client client.Client) (string, error) {
+	res := &corev1.ConfigMap{}
+	err := client.Get(ctx, types.NamespacedName{
+		Name:      "microshift-version",
+		Namespace: "kube-public",
+	}, res)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return "", nil
+		}
+		return "", err
+	}
+
+	return res.Data["version"], nil
+}

operators/endpointmetrics/pkg/rendering/renderer.go

@@ -21,6 +21,7 @@ import (
 	runtimeclient "sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/stolostron/multicluster-observability-operator/operators/endpointmetrics/pkg/microshift"
 	"github.com/stolostron/multicluster-observability-operator/operators/endpointmetrics/pkg/rendering/templates"
 	operatorconfig "github.com/stolostron/multicluster-observability-operator/operators/pkg/config"
 	rendererutil "github.com/stolostron/multicluster-observability-operator/operators/pkg/rendering"
@@ -55,6 +56,7 @@ var (
 var Images = map[string]string{}
 
 func Render(
+	ctx context.Context,
 	r *rendererutil.Renderer,
 	c runtimeclient.Client,
 	hubInfo *operatorconfig.HubInfo,
@@ -102,6 +104,23 @@ func Render(
 				{Name: os.Getenv(operatorconfig.PullSecret)},
 			}
 
+			// Add user number to ensure non root user
+			// Do nothing on microshift as it is restricted by the restricted SCC
+			microshiftVersion, err := microshift.IsMicroshiftCluster(ctx, c)
+			if err != nil {
+				return nil, err
+			}
+			userNumber := int64(65534)
+			if microshiftVersion == "" {
+				for _, container := range spec.Containers {
+					if container.SecurityContext == nil {
+						container.SecurityContext = &corev1.SecurityContext{}
+					}
+					container.SecurityContext.RunAsUser = &userNumber
+					container.SecurityContext.RunAsGroup = &userNumber
+				}
+			}
+
 			unstructuredObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
 			if err != nil {
 				return nil, err
@@ -206,7 +225,7 @@ func Render(
 			}
 
 			// replace the disabled metrics
-			disabledMetricsSt, err := getDisabledMetrics(c)
+			disabledMetricsSt, err := getDisabledMetrics(ctx, c)
 			if err != nil {
 				return nil, err
 			}
@@ -280,9 +299,9 @@ func resourcePriority(resource *unstructured.Unstructured) int {
 	}
 }
 
-func getDisabledMetrics(c runtimeclient.Client) (string, error) {
+func getDisabledMetrics(ctx context.Context, c runtimeclient.Client) (string, error) {
 	cm := &corev1.ConfigMap{}
-	err := c.Get(context.TODO(), types.NamespacedName{Name: operatorconfig.AllowlistConfigMapName,
+	err := c.Get(ctx, types.NamespacedName{Name: operatorconfig.AllowlistConfigMapName,
 		Namespace: namespace}, cm)
 	if err != nil {
 		return "", err

operators/endpointmetrics/pkg/rendering/renderer_test.go

@@ -5,6 +5,7 @@
 package rendering
 
 import (
+	"context"
 	"os"
 	"path"
 	"testing"
@@ -51,7 +52,7 @@ func TestRender(t *testing.T) {
 	}
 	c := fake.NewClientBuilder().WithRuntimeObjects([]runtime.Object{getAllowlistCM()}...).Build()
 
-	objs, err := Render(renderer, c, hubInfo)
+	objs, err := Render(context.Background(), renderer, c, hubInfo)
 	if err != nil {
 		t.Fatalf("failed to render endpoint templates: %v", err)
 	}