Can not disable generation of securityContext in grafana deployment #987

Open
AlexanderThaller opened this issue Apr 3, 2023 · 9 comments
Labels
triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@AlexanderThaller

Describe the bug
We want to completely remove the securityContext entry from the grafana deployment to make it work within our OpenShift environment. But we don't seem to be able to completely disable the generation of that section.

Version
v5.0.0-rc1

To Reproduce
Create a Grafana instance with the following definition:

apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: test-no-security-context
spec:
  deployment:
    spec:
      template:
        spec:
          securityContext: {}
          containers:
            - name: grafana
              securityContext: {}

Which creates the following deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2023-04-03T11:54:44Z"
  generation: 1
  name: test-no-security-context-deployment
  namespace: grafana-operator
  ownerReferences:
  - apiVersion: grafana.integreatly.org/v1beta1
    kind: Grafana
    name: test-no-security-context
    uid: c6d7c4d3-6417-4862-ab34-a1641e38b135
  resourceVersion: "5940916"
  uid: 37c273f2-9df3-4d09-988a-37090cbda454
spec:
  progressDeadlineSeconds: 601
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: test-no-security-context
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: test-no-security-context
      name: test-no-security-context-deployment
    spec:
      containers:
      - args:
        - -config=/etc/grafana/grafana.ini
        env:
        - name: PLUGINS_HASH
          valueFrom:
            configMapKeyRef:
              key: PLUGINS_HASH
              name: test-no-security-context-plugins
              optional: true
        - name: CONFIG_HASH
          value: 98e8da23b51963ae3b3569c19ffdc1ec060852dfde6dab68bfb63d46751b4b08
        - name: GF_INSTALL_PLUGINS
        - name: GF_SECURITY_ADMIN_USER
          valueFrom:
            secretKeyRef:
              key: GF_SECURITY_ADMIN_USER
              name: test-no-security-context-admin-credentials
        - name: GF_SECURITY_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              key: GF_SECURITY_ADMIN_PASSWORD
              name: test-no-security-context-admin-credentials
        image: docker.io/grafana/grafana:9.1.6
        imagePullPolicy: IfNotPresent
        name: grafana
        ports:
        - containerPort: 3000
          name: grafana-http
          protocol: TCP
        readinessProbe:
          failureThreshold: 1
          httpGet:
            path: /api/health
            port: 3000
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 3
        resources:
          limits:
            cpu: 500m
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/grafana/
          name: test-no-security-context-ini
        - mountPath: /var/lib/grafana
          name: grafana-data
        - mountPath: /var/log/grafana
          name: grafana-logs
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: test-no-security-context-sa
      serviceAccountName: test-no-security-context-sa
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          name: test-no-security-context-ini
        name: test-no-security-context-ini
      - emptyDir: {}
        name: grafana-logs
      - emptyDir: {}
        name: grafana-data
status:
  conditions:
  - lastTransitionTime: "2023-04-03T11:54:44Z"
    lastUpdateTime: "2023-04-03T11:54:44Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2023-04-03T11:54:44Z"
    lastUpdateTime: "2023-04-03T11:54:44Z"
    message: ReplicaSet "test-no-security-context-deployment-7f95c96b44" is progressing.
    reason: ReplicaSetUpdated
    status: "True"
    type: Progressing
  observedGeneration: 1
  replicas: 1
  unavailableReplicas: 1
  updatedReplicas: 1

Expected behavior
We would expect that none of those entries appear in the deployment file.

Suspect component/Location where the bug might be occurring
unknown

Runtime (please complete the following information):

  • Environment: OpenShift version: 4.12.8
@AlexanderThaller AlexanderThaller added bug Something isn't working needs triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 3, 2023
@NissesSenap
Collaborator

The problem might be that you are sending securityContext: {}, what happens if you try to overwrite the values that you don't need specifically?
Of course, it shouldn't be needed, but it could be a good workaround.

@AlexanderThaller
Author

AlexanderThaller commented Apr 3, 2023

We tried setting the following:

      securityContext:
        seccompProfile: {}

Which also led to the default values being set.

We also tried to override the following:

          type: RuntimeDefault

Using an empty value for that is kinda impossible as we can not use Localhost or Unconfined instead of RuntimeDefault and setting anything else will lead to an error like this:

  Last Message:  Deployment.apps "test-no-security-context-deployment" is invalid: [spec.template.spec.containers[0].securityContext.seccompProfile.type: Unsupported value: "BlaBla": supported values: "Localhost", "RuntimeDefault", "Unconfined", spec.template.spec.securityContext.seccompProfile.type: Unsupported value: "BlaBla": supported values: "Localhost", "RuntimeDefault", "Unconfined"]

Likewise, when we try to use an empty string for type: we get the following:

  Last Message:  Deployment.apps "test-no-security-context-deployment" is invalid: [spec.template.spec.containers[0].securityContext.seccompProfile.type: Required value: type is required when seccompProfile is set, spec.template.spec.securityContext.seccompProfile.type: Required value: type is required when seccompProfile is set]

@weisdd
Collaborator

weisdd commented Apr 8, 2023

@AlexanderThaller could you elaborate more why both Unconfined or RuntimeDefault are incompatible with your setup?

@AlexanderThaller
Author

AlexanderThaller commented Apr 11, 2023

@weisdd I discussed this with @NissesSenap on Slack.

The issue is that setting a seccomp profile is disallowed in the cluster grafana-operator is supposed to run in. Defining any kind of seccomp profile Unconfined or RuntimeDefault or Localhost leads to an error similar to this one cert-manager/cert-manager#5516.

I hope that makes sense.

I will try to write a pull request to add a setting to disable the generation of seccomp profiles if that's ok with you.

@weisdd
Collaborator

weisdd commented Apr 11, 2023

@AlexanderThaller Sure, feel free to raise a PR.
In the worst case, I think it should be OK if we simply remove the default setting here: https://github.com/grafana-operator/grafana-operator/blob/461a0cf6e0f51ede15aeef0de5a4980015606633/controllers/reconcilers/grafana/deployment_reconciler.go#L295

@NissesSenap
Collaborator

It would be nice if we can keep the default settings, I really do enjoy best practices when it comes to security.
And if you for some reason don't want it you should need to opt out. Just like if you disable TLS verification when doing https.
But adapting the function to support removing the defaults should be possible.
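
The behaviour discussed in this thread, as an added example that is not part of the issue or of grafana-operator's own code: a deep merge of operator defaults with the user's `securityContext` treats unset fields as "keep the default", which is why `securityContext: {}` and `seccompProfile: {}` both come back as RuntimeDefault, and the API-server validation rules quoted above rule out "patching the type away" as an escape hatch. The `mergeWithOptOut` function is a hypothetical sketch of the explicit opt-out proposed here; the struct types are simplified stand-ins for the corev1 types, not the real ones.

```go
package main

import (
	"errors"
	"fmt"
)

// SeccompProfile and PodSecurityContext are simplified stand-ins for the
// corev1 types; only the fields this issue is about are modelled.
type SeccompProfile struct {
	Type string
}

type PodSecurityContext struct {
	SeccompProfile *SeccompProfile
	RunAsNonRoot   *bool
}

// defaultPodSecurityContext is the operator-style hardening default seen in
// the rendered deployment: a RuntimeDefault seccomp profile on the pod.
func defaultPodSecurityContext() *PodSecurityContext {
	return &PodSecurityContext{SeccompProfile: &SeccompProfile{Type: "RuntimeDefault"}}
}

// mergeDefaults overlays the user-supplied context onto the defaults the way
// a deep merge treats unset (nil or zero) fields: an unset field keeps the
// default. So `securityContext: {}` and `seccompProfile: {}` both keep
// RuntimeDefault; only a non-empty type replaces it.
func mergeDefaults(override *PodSecurityContext) *PodSecurityContext {
	result := defaultPodSecurityContext()
	if override == nil {
		return result
	}
	if override.SeccompProfile != nil && override.SeccompProfile.Type != "" {
		result.SeccompProfile = &SeccompProfile{Type: override.SeccompProfile.Type}
	}
	if override.RunAsNonRoot != nil {
		v := *override.RunAsNonRoot
		result.RunAsNonRoot = &v
	}
	return result
}

// mergeWithOptOut is a hypothetical variant with the explicit opt-out the
// issue proposes (not an existing operator setting). When skipDefaults is
// true the user's context is taken as-is, so an empty one yields no
// securityContext at all; the hardened default stays the default otherwise.
func mergeWithOptOut(override *PodSecurityContext, skipDefaults bool) *PodSecurityContext {
	if !skipDefaults {
		return mergeDefaults(override)
	}
	if override == nil || (override.SeccompProfile == nil && override.RunAsNonRoot == nil) {
		return nil
	}
	return override
}

var supportedSeccompTypes = map[string]bool{
	"Localhost": true, "RuntimeDefault": true, "Unconfined": true,
}

// validateSeccomp reproduces the two API-server rules quoted in the thread:
// an empty type is rejected once seccompProfile is set, and anything other
// than the three supported values is rejected as unsupported.
func validateSeccomp(ctx *PodSecurityContext) error {
	if ctx == nil || ctx.SeccompProfile == nil {
		return nil
	}
	t := ctx.SeccompProfile.Type
	if t == "" {
		return errors.New("seccompProfile.type: Required value: type is required when seccompProfile is set")
	}
	if !supportedSeccompTypes[t] {
		return fmt.Errorf("seccompProfile.type: Unsupported value: %q: supported values: \"Localhost\", \"RuntimeDefault\", \"Unconfined\"", t)
	}
	return nil
}

// seccompType reports the effective seccomp profile type, or "" when the
// pod carries no securityContext / seccompProfile.
func seccompType(ctx *PodSecurityContext) string {
	if ctx == nil || ctx.SeccompProfile == nil {
		return ""
	}
	return ctx.SeccompProfile.Type
}

func main() {
	empty := &PodSecurityContext{}
	fmt.Println("merge {} ->", seccompType(mergeDefaults(empty)))
	fmt.Println("opt-out {} -> no securityContext:", mergeWithOptOut(empty, true) == nil)
	bogus := &PodSecurityContext{SeccompProfile: &SeccompProfile{Type: "BlaBla"}}
	fmt.Println("BlaBla ->", validateSeccomp(bogus))
}
```

The point of keeping the merge and the opt-out separate is the one made in the comment above: the hardened seccomp default should survive every "forgot to set it" path, and only a deliberate, named setting should be able to remove it.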

@NissesSenap NissesSenap added triage/accepted Indicates an issue or PR is ready to be actively worked on. v5 and removed needs triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 22, 2023
@NissesSenap
Collaborator

@AlexanderThaller did you have a chance to look into this?

@AlexanderThaller
Author

Not yet, sorry, pretty busy at the moment @NissesSenap

@nkaijala-elisa

nkaijala-elisa commented Dec 7, 2023

Just dropping by to let you know that I'm experiencing the same problem.

An absolutely demo-purposes-only workaround is to manually edit the operator-managed deployment to have securityContext: {}.

@theSuess theSuess removed the v5 label Jan 13, 2025
@theSuess theSuess changed the title [Bug] Can not disable generation of securityContext in grafana deployment Can not disable generation of securityContext in grafana deployment Feb 19, 2025
@theSuess theSuess removed the bug Something isn't working label Feb 19, 2025