Merge branch 'owls-13226-readonlyfilesys-wko' into 'release/4.2'

Add readonly root file system support for operator and webhook pods.

See merge request weblogic-cloud/weblogic-kubernetes-operator!5005

Author: rjeberhard

kubernetes/charts/weblogic-operator/templates/_operator-dep.tpl

@@ -52,6 +52,16 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      initContainers:
+      - name:  "copy-container"
+        image: {{ .image | quote }}
+        imagePullPolicy: "IfNotPresent"
+        command: ["/bin/sh", "-c", "cp /deployment/* /deployment_copy && cp /probes/* /probes_copy"]
+        volumeMounts:
+        - name: "deployment-volume"
+          mountPath: "/deployment_copy"
+        - name: "probes-volume"
+          mountPath: "/probes_copy"
       containers:
       - name: "weblogic-operator"
         image: {{ .image | quote }}
@@ -129,6 +139,7 @@ spec:
           runAsUser: {{ .runAsUser | default 1000 }}
           {{- end }}
           runAsNonRoot: true
+          readOnlyRootFilesystem: true
           privileged: false
           allowPrivilegeEscalation: false
           capabilities:
@@ -141,6 +152,12 @@ spec:
         - name: "weblogic-operator-secrets-volume"
           mountPath: "/deployment/secrets"
           readOnly: true
+        - name: "deployment-volume"
+          mountPath: "/deployment"
+        - name: "log-volume"
+          mountPath: "/logs"
+        - name: "probes-volume"
+          mountPath: "/probes"
         {{- if and .elkIntegrationEnabled .operatorLogPVC }}
             {{- fail "Error: elkIntegrationEnabled and opeatorLogPVC cannot be set at the same time."}}
         {{- else if .elkIntegrationEnabled }}
@@ -201,6 +218,12 @@ spec:
       - name: "weblogic-operator-secrets-volume"
         secret:
           secretName: "weblogic-operator-secrets"
+      - name: "deployment-volume"
+        emptyDir: {}
+      - name: "log-volume"
+        emptyDir: {}
+      - name: "probes-volume"
+        emptyDir: {}
       {{- if .elkIntegrationEnabled }}
       - name: "log-dir"
         emptyDir:
@@ -229,6 +252,7 @@ spec:
         persistentVolumeClaim:
          claimName: {{ .operatorLogPVC }}
       {{- end }}
+
 {{- end }}
 ---
   {{ $chartVersion := .Chart.Version }}
@@ -311,6 +335,16 @@ spec:
           tolerations:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          initContainers:
+          - name:  "copy-container"
+            image: {{ .image | quote }}
+            imagePullPolicy: "IfNotPresent"
+            command: ["/bin/sh", "-c", "cp /deployment/* /deployment_copy && cp /probes/* /probes_copy"]
+            volumeMounts:
+            - name: "deployment-volume"
+              mountPath: "/deployment_copy"
+            - name: "probes-volume"
+              mountPath: "/probes_copy"
           containers:
           - name: "weblogic-operator-webhook"
             image: {{ .image | quote }}
@@ -374,6 +408,7 @@ spec:
               runAsNonRoot: true
               privileged: false
               allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
               capabilities:
                 drop: ["ALL"]
             volumeMounts:
@@ -382,6 +417,12 @@ spec:
             - name: "weblogic-webhook-secrets-volume"
               mountPath: "/deployment/secrets"
               readOnly: true
+            - name: "deployment-volume"
+              mountPath: "/deployment"
+            - name: "log-volume"
+              mountPath: "/logs"
+            - name: "probes-volume"
+              mountPath: "/probes"
             {{- if and .elkIntegrationEnabled .operatorLogPVC }}
                 {{- fail "Error: elkIntegrationEnabled and opeatorLogPVC cannot be set at the same time."}}
             {{- else if .elkIntegrationEnabled }}
@@ -437,6 +478,12 @@ spec:
           - name: "weblogic-webhook-secrets-volume"
             secret:
               secretName: "weblogic-webhook-secrets"
+          - name: "deployment-volume"
+            emptyDir: {}
+          - name: "log-volume"
+            emptyDir: {}
+          - name: "probes-volume"
+            emptyDir: {}
           {{- if .elkIntegrationEnabled }}
           - name: "log-dir"
             emptyDir:

kubernetes/charts/weblogic-operator/values.yaml

@@ -288,3 +288,4 @@ clusterSizePaddingValidationEnabled: true
 
 # operatorLogMount specifies the operator logging volumeMount.  The operator will mount this path with the operatorLogPVC
 #operatorLogMount:
+

kubernetes/src/test/java/oracle/kubernetes/operator/create/CreateOperatorGeneratedFilesTestBase.java

@@ -13,6 +13,7 @@
 import io.kubernetes.client.openapi.models.V1Container;
 import io.kubernetes.client.openapi.models.V1Deployment;
 import io.kubernetes.client.openapi.models.V1DeploymentStrategy;
+import io.kubernetes.client.openapi.models.V1EmptyDirVolumeSource;
 import io.kubernetes.client.openapi.models.V1EnvVarSource;
 import io.kubernetes.client.openapi.models.V1ExecAction;
 import io.kubernetes.client.openapi.models.V1LabelSelector;
@@ -222,6 +223,20 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
                                 .serviceAccountName(getInputs().getServiceAccount())
                                 .securityContext(new V1PodSecurityContext().seccompProfile(
                                     new V1SeccompProfile().type("RuntimeDefault")))
+                                .addInitContainersItem(
+                                    newContainer()
+                                        .name("copy-container")
+                                        .image(getInputs().getWeblogicOperatorImage())
+                                        .imagePullPolicy("IfNotPresent")
+                                        .addCommandItem("/bin/sh")
+                                        .addCommandItem("-c")
+                                        .addCommandItem(
+                                            "cp /deployment/* /deployment_copy && cp /probes/* /probes_copy")
+                                        .addVolumeMountsItem(
+                                            newVolumeMount().name("deployment-volume").mountPath("/deployment_copy"))
+                                        .addVolumeMountsItem(
+                                            newVolumeMount().name("probes-volume").mountPath("/probes_copy"))
+                                )
                                 .addContainersItem(
                                     newContainer()
                                         .name("weblogic-operator")
@@ -280,6 +295,7 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
                                         .securityContext(
                                             new V1SecurityContext().runAsUser(1000L)
                                                 .runAsNonRoot(true)
+                                                .readOnlyRootFilesystem(true)
                                                 .privileged(false).allowPrivilegeEscalation(false)
                                                 .capabilities(new V1Capabilities().addDropItem("ALL")))
                                         .addVolumeMountsItem(
@@ -294,7 +310,19 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
                                             newVolumeMount()
                                                 .name("weblogic-operator-secrets-volume")
                                                 .mountPath("/deployment/secrets")
-                                                .readOnly(true)))
+                                                .readOnly(true))
+                                        .addVolumeMountsItem(
+                                            newVolumeMount()
+                                                .name("deployment-volume")
+                                                .mountPath("/deployment"))
+                                        .addVolumeMountsItem(
+                                            newVolumeMount()
+                                                .name("log-volume")
+                                                .mountPath("/logs"))
+                                        .addVolumeMountsItem(
+                                            newVolumeMount()
+                                                .name("probes-volume")
+                                                .mountPath("/probes")))
                                 .addVolumesItem(
                                     newVolume()
                                         .name("weblogic-operator-cm-volume")
@@ -313,7 +341,20 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
                                         .name("weblogic-operator-secrets-volume")
                                         .secret(
                                             newSecretVolumeSource()
-                                                .secretName("weblogic-operator-secrets"))))));
+                                                .secretName("weblogic-operator-secrets")))
+                                .addVolumesItem(
+                                    newVolume()
+                                        .name("deployment-volume")
+                                        .emptyDir(new V1EmptyDirVolumeSource()))
+                                .addVolumesItem(
+                                    newVolume()
+                                        .name("log-volume")
+                                        .emptyDir(new V1EmptyDirVolumeSource()))
+                                .addVolumesItem(
+                                    newVolume()
+                                        .name("probes-volume")
+                                        .emptyDir(new V1EmptyDirVolumeSource()))
+                        )));
   }
 
   void expectProbes(V1Container container) {