diff --git a/api/bases/ovn.openstack.org_ovnnorthds.yaml b/api/bases/ovn.openstack.org_ovnnorthds.yaml index 82d0c301..55a534e6 100644 --- a/api/bases/ovn.openstack.org_ovnnorthds.yaml +++ b/api/bases/ovn.openstack.org_ovnnorthds.yaml @@ -181,11 +181,6 @@ spec: - type type: object type: array - hash: - additionalProperties: - type: string - description: Map of hashes to track e.g. job status - type: object networkAttachments: additionalProperties: items: diff --git a/api/v1beta1/ovnnorthd_types.go b/api/v1beta1/ovnnorthd_types.go index e57125fa..970fab81 100644 --- a/api/v1beta1/ovnnorthd_types.go +++ b/api/v1beta1/ovnnorthd_types.go @@ -81,9 +81,6 @@ type OVNNorthdStatus struct { // ReadyCount of OVN Northd instances ReadyCount int32 `json:"readyCount,omitempty"` - // Map of hashes to track e.g. job status - Hash map[string]string `json:"hash,omitempty"` - // Conditions Conditions condition.Conditions `json:"conditions,omitempty" optional:"true"` diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 999d5fac..f4154f98 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -459,13 +459,6 @@ func (in *OVNNorthdSpec) DeepCopy() *OVNNorthdSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OVNNorthdStatus) DeepCopyInto(out *OVNNorthdStatus) { *out = *in - if in.Hash != nil { - in, out := &in.Hash, &out.Hash - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions *out = make(condition.Conditions, len(*in)) diff --git a/config/crd/bases/ovn.openstack.org_ovnnorthds.yaml b/config/crd/bases/ovn.openstack.org_ovnnorthds.yaml index 82d0c301..55a534e6 100644 --- a/config/crd/bases/ovn.openstack.org_ovnnorthds.yaml +++ b/config/crd/bases/ovn.openstack.org_ovnnorthds.yaml 
@@ -181,11 +181,6 @@ spec: - type type: object type: array - hash: - additionalProperties: - type: string - description: Map of hashes to track e.g. job status - type: object networkAttachments: additionalProperties: items: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 83eef7da..7b032616 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -218,6 +218,14 @@ rules: - list - update - watch +- apiGroups: + - security.openshift.io + resourceNames: + - anyuid + resources: + - securitycontextconstraints + verbs: + - use - apiGroups: - security.openshift.io resourceNames: diff --git a/controllers/ovnnorthd_controller.go b/controllers/ovnnorthd_controller.go index d06da219..a706ec08 100644 --- a/controllers/ovnnorthd_controller.go +++ b/controllers/ovnnorthd_controller.go @@ -33,14 +33,10 @@ import ( "github.com/go-logr/logr" "github.com/openstack-k8s-operators/lib-common/modules/common" "github.com/openstack-k8s-operators/lib-common/modules/common/condition" - "github.com/openstack-k8s-operators/lib-common/modules/common/configmap" "github.com/openstack-k8s-operators/lib-common/modules/common/deployment" - "github.com/openstack-k8s-operators/lib-common/modules/common/env" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" - "github.com/openstack-k8s-operators/lib-common/modules/common/labels" nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment" common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac" - "github.com/openstack-k8s-operators/lib-common/modules/common/util" "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1" ovnv1 "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1" "github.com/openstack-k8s-operators/ovn-operator/pkg/ovnnorthd" 
@@ -87,7 +83,7 @@ func (r *OVNNorthdReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update // service account permissions that are needed to grant permission to the above -// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use +// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch // Reconcile - OVN Northd @@ -116,7 +112,6 @@ func (r *OVNNorthdReconciler) Reconcile(ctx context.Context, req ctrl.Request) ( // initialize conditions used later as Status=Unknown cl := condition.CreateList( condition.UnknownCondition(condition.InputReadyCondition, condition.InitReason, condition.InputReadyInitMessage), - condition.UnknownCondition(condition.ServiceConfigReadyCondition, condition.InitReason, condition.ServiceConfigReadyInitMessage), condition.UnknownCondition(condition.NetworkAttachmentsReadyCondition, condition.InitReason, condition.NetworkAttachmentsReadyInitMessage), condition.UnknownCondition(condition.DeploymentReadyCondition, condition.InitReason, condition.DeploymentReadyInitMessage), condition.UnknownCondition(condition.ServiceAccountReadyCondition, condition.InitReason, condition.ServiceAccountReadyInitMessage), @@ -131,9 +126,6 @@ func (r *OVNNorthdReconciler) Reconcile(ctx context.Context, req ctrl.Request) ( return ctrl.Result{}, err } } - if instance.Status.Hash == nil { - instance.Status.Hash = map[string]string{} - } if instance.Status.NetworkAttachments == nil { instance.Status.NetworkAttachments = map[string][]string{} } 
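Review bot: The kubebuilder marker in the first hunk here still requests `anyuid`, although the container added by this commit runs as a fixed non-root UID with all capabilities dropped and privilege escalation disabled. Dropping `privileged` is a clear reduction, but `anyuid` also permits UID 0, which this workload no longer needs. If the target clusters ship a non-root SCC (OpenShift's `nonroot` or `nonroot-v2`, to be confirmed against the supported versions), `resourceNames=nonroot-v2` would match the pod's actual requirements more tightly. The same value appears in the `rbacRules` literal in reconcileNormal (hunk `@@ -251,7 +237,7`) and in the generated `config/rbac/role.yaml`, so all three would change together. If `anyuid` has to stay, a comment above the marker such as `// anyuid is required because <reason>` would record why.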
@@ -214,9 +206,6 @@ func (r *OVNNorthdReconciler) reconcileUpdate(ctx context.Context, instance *ovn Log.Info("Reconciling Service update") - // TODO: should have minor update tasks if required - // - delete dbsync hash from status to rerun it? - Log.Info("Reconciled Service update successfully") return ctrl.Result{}, nil } @@ -226,9 +215,6 @@ func (r *OVNNorthdReconciler) reconcileUpgrade(ctx context.Context, instance *ov Log.Info("Reconciling Service upgrade") - // TODO: should have major version upgrade tasks - // -delete dbsync hash from status to rerun it? - Log.Info("Reconciled Service upgrade successfully") return ctrl.Result{}, nil } @@ -251,7 +237,7 @@ func (r *OVNNorthdReconciler) reconcileNormal(ctx context.Context, instance *ovn rbacRules := []rbacv1.PolicyRule{ { APIGroups: []string{"security.openshift.io"}, - ResourceNames: []string{"anyuid", "privileged"}, + ResourceNames: []string{"anyuid"}, Resources: []string{"securitycontextconstraints"}, Verbs: []string{"use"}, }, 
@@ -268,50 +254,8 @@ func (r *OVNNorthdReconciler) reconcileNormal(ctx context.Context, instance *ovn return rbacResult, nil } - // ConfigMap - configMapVars := make(map[string]env.Setter) - instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage) - // - // Create ConfigMaps required as input for the Service and calculate an overall hash of hashes - // - - // - // create Configmap required for northd input - // - %-scripts configmap holding scripts to e.g. bootstrap the service - // - %-config configmap holding minimal northd config required to get the service up, user can add additional files to be added to the service - // - parameters which has passwords gets added from the OpenStack secret via the init container - // - err = r.generateServiceConfigMaps(ctx, helper, instance, &configMapVars) - if err != nil { - instance.Status.Conditions.Set(condition.FalseCondition( - condition.ServiceConfigReadyCondition, - condition.ErrorReason, - condition.SeverityWarning, - condition.ServiceConfigReadyErrorMessage, - err.Error())) - return ctrl.Result{}, err - } - - // - // create hash over all the different input resources to identify if any those changed - // and a restart/recreate is required. - // - inputHash, err := r.createHashOfInputHashes(ctx, instance, configMapVars) - if err != nil { - instance.Status.Conditions.Set(condition.FalseCondition( - condition.ServiceConfigReadyCondition, - condition.ErrorReason, - condition.SeverityWarning, - condition.ServiceConfigReadyErrorMessage, - err.Error())) - return ctrl.Result{}, err - } - // Create ConfigMaps and Secrets - end - - instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage) - // // TODO check when/if Init, Update, or Upgrade should/could be skipped // 
@@ -369,9 +313,18 @@ func (r *OVNNorthdReconciler) reconcileNormal(ctx context.Context, instance *ovn return ctrlResult, nil } + nbEndpoint, err := getInternalEndpoint(ctx, helper, instance, v1beta1.NBDBType) + if err != nil { + return ctrlResult, err + } + sbEndpoint, err := getInternalEndpoint(ctx, helper, instance, v1beta1.SBDBType) + if err != nil { + return ctrlResult, err + } + // Define a new Deployment object depl := deployment.NewDeployment( - ovnnorthd.Deployment(instance, inputHash, serviceLabels, serviceAnnotations), + ovnnorthd.Deployment(instance, serviceLabels, serviceAnnotations, nbEndpoint, sbEndpoint), time.Duration(5)*time.Second, ) 
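Review bot: Both new `getInternalEndpoint` error paths return without recording anything in `instance.Status.Conditions`, so a missing or not-yet-ready OVNDBCluster is visible only in the operator log. The removed `generateServiceConfigMaps` path set `ServiceConfigReadyCondition` to False with `err.Error()` in this situation, and this commit also removes that condition from the init list. Setting a False condition before returning (for example on `condition.DeploymentReadyCondition` via `condition.FalseCondition(...)`, as the deleted block did) would keep the failure observable on the CR. The error returns can also be `return ctrl.Result{}, err`, since the result is ignored when an error is returned. reconcileNormal starts and ends outside this hunk, so whether a later step already sets such a condition is not visible here.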
@@ -441,65 +394,3 @@ func getInternalEndpoint( } return internalEndpoint, nil } - -// generateServiceConfigMaps - create create configmaps which hold scripts and service configuration -// TODO add DefaultConfigOverwrite -func (r *OVNNorthdReconciler) generateServiceConfigMaps( - ctx context.Context, - h *helper.Helper, - instance *ovnv1.OVNNorthd, - envVars *map[string]env.Setter, -) error { - nbEndpoint, err := getInternalEndpoint(ctx, h, instance, v1beta1.NBDBType) - if err != nil { - return err - } - sbEndpoint, err := getInternalEndpoint(ctx, h, instance, v1beta1.SBDBType) - if err != nil { - return err - } - - // Create/update configmaps from templates - templateParameters := make(map[string]interface{}) - templateParameters["NBConnection"] = nbEndpoint - templateParameters["SBConnection"] = sbEndpoint - templateParameters["OVN_LOG_LEVEL"] = instance.Spec.LogLevel - - cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(ovnnorthd.ServiceName), map[string]string{}) - cms := []util.Template{ - // ConfigMap - { - Name: fmt.Sprintf("%s-config-data", instance.Name), - Namespace: instance.Namespace, - Type: util.TemplateTypeConfig, - InstanceType: instance.Kind, - Labels: cmLabels, - ConfigOptions: templateParameters, - }, - } - return configmap.EnsureConfigMaps(ctx, h, instance, cms, envVars) -} - -// createHashOfInputHashes - creates a hash of hashes which gets added to the resources which requires a restart -// if any of the input resources change, like configs, passwords, ... 
-func (r *OVNNorthdReconciler) createHashOfInputHashes( - ctx context.Context, - instance *ovnv1.OVNNorthd, - envVars map[string]env.Setter, -) (string, error) { - Log := r.GetLogger(ctx) - - mergedMapVars := env.MergeEnvs([]corev1.EnvVar{}, envVars) - hash, err := util.ObjectHash(mergedMapVars) - if err != nil { - return hash, err - } - if hashMap, changed := util.SetHash(instance.Status.Hash, common.InputHashName, hash); changed { - instance.Status.Hash = hashMap - if err := r.Client.Status().Update(ctx, instance); err != nil { - return hash, err - } - Log.Info(fmt.Sprintf("Input maps hash %s - %s", common.InputHashName, hash)) - } - return hash, nil -} diff --git a/pkg/ovnnorthd/const.go b/pkg/ovnnorthd/const.go index 5062c547..af968101 100644 --- a/pkg/ovnnorthd/const.go +++ b/pkg/ovnnorthd/const.go @@ -3,4 +3,8 @@ package ovnnorthd const ( // ServiceName - ServiceName = "ovn-northd" + + // openvswitch:openvswitch + OVSUid int64 = 997 + OVSGid int64 = 995 ) diff --git a/pkg/ovnnorthd/deployment.go b/pkg/ovnnorthd/deployment.go index 57de6d51..8488395d 100644 --- a/pkg/ovnnorthd/deployment.go +++ b/pkg/ovnnorthd/deployment.go @@ -13,6 +13,8 @@ limitations under the License. package ovnnorthd import ( + "fmt" + "github.com/openstack-k8s-operators/lib-common/modules/common" "github.com/openstack-k8s-operators/lib-common/modules/common/affinity" "github.com/openstack-k8s-operators/lib-common/modules/common/env" @@ -25,17 +27,17 @@ import ( const ( // ServiceCommand - - ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start" + ServiceCommand = "/usr/bin/ovn-northd" ) // Deployment func func Deployment( instance *ovnv1.OVNNorthd, - configHash string, labels map[string]string, annotations map[string]string, + nbEndpoint string, + sbEndpoint string, ) *appsv1.Deployment { - runAsUser := int64(0) livenessProbe := &corev1.Probe{ // TODO might need tuning 
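Review bot: In the `pkg/ovnnorthd/const.go` hunk, `OVSUid` and `OVSGid` pin the pod's identity to numeric IDs that must match the `openvswitch` account baked into the container image, and the only hint is the comment `// openvswitch:openvswitch`. Because the security context added in this commit sets `RunAsNonRoot` together with these IDs, an image whose account uses different numbers would start the process under a UID that owns none of the OVN files. Each exported constant should get its own doc comment that names the dependency, e.g. `// OVSUid is the UID of the openvswitch user in the ovn-northd container image; keep in sync with the image.` and the equivalent for `OVSGid`. Since `Spec.ContainerImage` is user-settable, this coupling is also worth stating in the CRD field description.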
@@ -49,13 +51,21 @@ func Deployment( PeriodSeconds: 5, InitialDelaySeconds: 5, } - - noopCmd := []string{ - "/bin/true", + cmd := ServiceCommand + args := []string{ + "-vfile:off", + fmt.Sprintf("-vconsole:%s", instance.Spec.LogLevel), + fmt.Sprintf("--ovnnb-db=%s", nbEndpoint), + fmt.Sprintf("--ovnsb-db=%s", sbEndpoint), } - args := []string{"-c"} + if instance.Spec.Debug.Service { - args = append(args, common.DebugCommand) + cmd = "/bin/sleep" + args = []string{"infinity"} + + noopCmd := []string{ + "/bin/true", + } livenessProbe.Exec = &corev1.ExecAction{ Command: noopCmd, } @@ -64,7 +74,6 @@ func Deployment( Command: noopCmd, } } else { - args = append(args, ServiceCommand) // // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ // @@ -77,8 +86,6 @@ func Deployment( } envVars := map[string]env.Setter{} - envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS") - envVars["CONFIG_HASH"] = env.SetValue(configHash) // TODO: Make confs customizable envVars["OVN_RUNDIR"] = env.SetValue("/tmp") @@ -101,17 +108,12 @@ func Deployment( ServiceAccountName: instance.RbacResourceName(), Containers: []corev1.Container{ { - Name: ServiceName, - Command: []string{ - "/bin/bash", - }, - Args: args, - Image: instance.Spec.ContainerImage, - SecurityContext: &corev1.SecurityContext{ - RunAsUser: &runAsUser, - }, + Name: ServiceName, + Command: []string{cmd}, + Args: args, + Image: instance.Spec.ContainerImage, + SecurityContext: getOVNNorthdSecurityContext(), Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: GetNorthdVolumeMounts(), Resources: instance.Spec.Resources, ReadinessProbe: readinessProbe, LivenessProbe: livenessProbe, @@ -122,7 +124,6 @@ func Deployment( }, }, } - deployment.Spec.Template.Spec.Volumes = GetNorthdVolumes(instance.Name) // If possible two pods of the same service should not // run on the same worker node. If this is not possible // the get still created on the same worker node. 
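Review bot: The argument list built in the `@@ -49,13 +51,21` hunk drops `--no-chdir` and `--pidfile=/run/ovn-northd.pid`, both of which the deleted `ovn-northd.json` template passed to the daemon. The liveness and readiness probe commands are outside this hunk, so please confirm they do not rely on the pidfile or on a control socket located through it. If they do, a bare `"--pidfile"` entry in `args` would place the file under `OVN_RUNDIR` (set to `/tmp` further down), which the non-root UID should be able to write. Separately, `instance.Spec.LogLevel` is interpolated into `-vconsole:%s` without a fallback, so an empty value yields `-vconsole:`. If the CRD does not already enforce a default or enum, add a guard such as `if level == "" { level = "info" }` before building `args`.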
diff --git a/pkg/ovnnorthd/scc.go b/pkg/ovnnorthd/scc.go new file mode 100644 index 00000000..825c558b --- /dev/null +++ b/pkg/ovnnorthd/scc.go @@ -0,0 +1,22 @@ +package ovnnorthd + +import corev1 "k8s.io/api/core/v1" + +func getOVNNorthdSecurityContext() *corev1.SecurityContext { + falseVal := false + trueVal := true + runAsUser := int64(OVSUid) + runAsGroup := int64(OVSGid) + + return &corev1.SecurityContext{ + RunAsUser: &runAsUser, + RunAsGroup: &runAsGroup, + RunAsNonRoot: &trueVal, + AllowPrivilegeEscalation: &falseVal, + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + } +} diff --git a/pkg/ovnnorthd/volumes.go b/pkg/ovnnorthd/volumes.go deleted file mode 100644 index cc37f684..00000000 --- a/pkg/ovnnorthd/volumes.go +++ /dev/null 
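Review bot: `getOVNNorthdSecurityContext` in the new `scc.go` has no doc comment, yet it encodes the security posture of the pod: a fixed non-root UID/GID, no privilege escalation, and all capabilities dropped. It also leaves `SeccompProfile` and `ReadOnlyRootFilesystem` unset; that may be deliberate (the granted SCC might not admit a seccomp profile, and `OVN_RUNDIR` is `/tmp`), but a reader cannot tell. I would add a comment along the lines of `// getOVNNorthdSecurityContext returns the container security context for ovn-northd: runs as the image's openvswitch user, non-root, no privilege escalation, all capabilities dropped.` followed by one line on why the seccomp and read-only-rootfs settings are omitted. As a style point, `int64(OVSUid)` and `int64(OVSGid)` are redundant conversions because the constants are already declared `int64`; `runAsUser := OVSUid` is enough.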
@@ -1,69 +0,0 @@ -package ovnnorthd - -import corev1 "k8s.io/api/core/v1" - -// GetNorthdVolumes - -// TODO: merge to GetVolumes when other controllers also switched to current config -// mechanism. -func GetNorthdVolumes(name string) []corev1.Volume { - var config0640AccessMode int32 = 0640 - - return []corev1.Volume{ - { - Name: "etc-machine-id", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/etc/machine-id", - }, - }, - }, - { - Name: "etc-localtime", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/etc/localtime", - }, - }, - }, - { - Name: "config-data", - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - DefaultMode: &config0640AccessMode, - LocalObjectReference: corev1.LocalObjectReference{ - Name: name + "-config-data", - }, - }, - }, - }, - } - -} - -// GetNorthdVolumeMounts - OVN Northd VolumeMounts -func GetNorthdVolumeMounts() []corev1.VolumeMount { - return []corev1.VolumeMount{ - { - Name: "etc-machine-id", - MountPath: "/etc/machine-id", - ReadOnly: true, - }, - { - Name: "etc-localtime", - MountPath: "/etc/localtime", - ReadOnly: true, - }, - { - Name: "config-data", - MountPath: "/var/lib/config-data", - ReadOnly: false, - }, - { - Name: "config-data", - MountPath: "/var/lib/kolla/config_files/config.json", - SubPath: "ovn-northd.json", - ReadOnly: true, - }, - } - -} diff --git a/templates/ovnnorthd/config/ovn-northd.json b/templates/ovnnorthd/config/ovn-northd.json deleted file mode 100644 index 87818f0d..00000000 --- a/templates/ovnnorthd/config/ovn-northd.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "command": "/usr/bin/ovn-northd --no-chdir -vconsole:{{ .OVN_LOG_LEVEL }} -vfile:off --pidfile=/run/ovn-northd.pid --ovnnb-db={{ .NBConnection }} --ovnsb-db={{ .SBConnection }}" -} diff --git a/tests/functional/ovnnorthd_controller_test.go b/tests/functional/ovnnorthd_controller_test.go index 116e128c..ebd32201 100644 
--- a/tests/functional/ovnnorthd_controller_test.go +++ b/tests/functional/ovnnorthd_controller_test.go @@ -19,7 +19,6 @@ package functional_test import ( "encoding/json" "fmt" - "strings" "github.com/google/uuid" networkv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1" @@ -50,7 +49,6 @@ var _ = Describe("OVNNorthd controller", func() { It("should have the Status fields initialized", func() { OVNNorthd := GetOVNNorthd(OVNNorthdName) - Expect(OVNNorthd.Status.Hash).To(BeEmpty()) Expect(OVNNorthd.Status.ReadyCount).To(Equal(int32(0))) }) @@ -62,12 +60,6 @@ var _ = Describe("OVNNorthd controller", func() { }, timeout, interval).Should(ContainElement("OVNNorthd")) }) - It("should not create a config map", func() { - Eventually(func() []corev1.ConfigMap { - return th.ListConfigMaps(fmt.Sprintf("%s-%s", OVNNorthdName.Name, "config-data")).Items - }, timeout, interval).Should(BeEmpty()) - }) - It("should be in input ready condition", func() { th.ExpectCondition( OVNNorthdName, 
@@ -77,66 +69,21 @@ var _ = Describe("OVNNorthd controller", func() { ) }) - When("OVNDBCluster instance is not available", func() { - It("should not create a config map", func() { - Eventually(func() []corev1.ConfigMap { - return th.ListConfigMaps(fmt.Sprintf("%s-%s", OVNNorthdName.Name, "config-data")).Items - }, timeout, interval).Should(BeEmpty()) - }) - It("should not set ServiceConfigReadyCondition condition", func() { - th.ExpectCondition( - OVNNorthdName, - ConditionGetterFunc(OVNNorthdConditionGetter), - condition.ServiceConfigReadyCondition, - corev1.ConditionFalse, - ) - }) - }) - When("OVNDBCluster instances are available", func() { - It("should create a ConfigMap for ovn-northd.json with the ovn connection config option set based on the OVNDBCluster", func() { + It("should create a Deployment with the ovn connection CLI args set based on the OVNDBCluster", func() { dbs := CreateOVNDBClusters(namespace) DeferCleanup(DeleteOVNDBClusters, dbs) - configataCM := types.NamespacedName{ - Namespace: OVNNorthdName.Namespace, - Name: fmt.Sprintf("%s-%s", OVNNorthdName.Name, "config-data"), - } - Eventually(func() corev1.ConfigMap { - return *th.GetConfigMap(configataCM) - }, timeout, interval).ShouldNot(BeNil()) - for _, db := range dbs { - ovndb := GetOVNDBCluster(db) - Expect(th.GetConfigMap(configataCM).Data["ovn-northd.json"]).Should( - ContainSubstring("ovn%s-db=%s", strings.ToLower(string(ovndb.Spec.DBType)), ovndb.Status.DBAddress)) + deplName := types.NamespacedName{ + Namespace: namespace, + Name: "ovn-northd", } - - th.ExpectCondition( - OVNNorthdName, - ConditionGetterFunc(OVNNorthdConditionGetter), - condition.ServiceConfigReadyCondition, - corev1.ConditionTrue, - ) - }) - }) - - When("OVNNorthd CR is deleted", func() { - It("removes the Config MAP", func() { - DeferCleanup(DeleteOVNDBClusters, CreateOVNDBClusters(namespace)) - configataCM := types.NamespacedName{ - Namespace: OVNNorthdName.Namespace, - Name: fmt.Sprintf("%s-%s", OVNNorthdName.Name, 
"config-data"), - } - - Eventually(func() corev1.ConfigMap { - return *th.GetConfigMap(configataCM) - }, timeout, interval).ShouldNot(BeNil()) - - th.DeleteInstance(GetOVNNorthd(OVNNorthdName)) - - Eventually(func() []corev1.ConfigMap { - return th.ListConfigMaps(configataCM.Name).Items - }, timeout, interval).Should(BeEmpty()) + depl := th.GetDeployment(deplName) + Expect(depl.Spec.Template.Spec.Containers[0].Args).To(Equal([]string{ + "-vfile:off", "-vconsole:info", + "--ovnnb-db=tcp:10.1.1.1:6641", + "--ovnsb-db=tcp:10.1.1.1:6642", + })) }) }) @@ -166,7 +113,8 @@ var _ = Describe("OVNNorthd controller", func() { Equal([]string{"/bin/true"})) Expect(depl.Spec.Template.Spec.Containers[0].ReadinessProbe.Exec.Command).To( Equal([]string{"/bin/true"})) - Expect(depl.Spec.Template.Spec.Containers[0].Args[1]).Should(ContainSubstring("sleep infinity")) + Expect(depl.Spec.Template.Spec.Containers[0].Command[0]).Should(ContainSubstring("/bin/sleep")) + Expect(depl.Spec.Template.Spec.Containers[0].Args[0]).Should(ContainSubstring("infinity")) }) }) diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml index b4322b24..2f41c47f 100644 --- a/tests/kuttl/common/assert_sample_deployment.yaml +++ b/tests/kuttl/common/assert_sample_deployment.yaml @@ -127,11 +127,8 @@ spec: topologyKey: kubernetes.io/hostname weight: 1 containers: - - args: - - -c - - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start - command: - - /bin/bash + - command: + - /usr/bin/ovn-northd imagePullPolicy: IfNotPresent livenessProbe: exec: @@ -144,7 +141,10 @@ spec: successThreshold: 1 timeoutSeconds: 5 securityContext: - runAsUser: 0 + allowPrivilegeEscalation: false + runAsGroup: 995 + runAsNonRoot: true + runAsUser: 997 name: ovn-northd readinessProbe: exec: @@ -176,7 +176,7 @@ apiVersion: v1 kind: Pod metadata: annotations: - openshift.io/scc: privileged + openshift.io/scc: anyuid labels: service: ovn-northd ---
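Review bot: The rewritten test in the `@@ -77,66 +69,21` hunk asserts only `Containers[0].Args`, so the functional suite never checks the container `SecurityContext`, which is the security-relevant part of this commit. A regression back to root or to retained capabilities would pass these tests. The kuttl assert later in this diff does check `runAsUser`, `runAsGroup`, `runAsNonRoot` and `allowPrivilegeEscalation`, but it does not assert the capabilities drop. Adding expectations such as `Expect(*c.SecurityContext.RunAsNonRoot).To(BeTrue())` and `Expect(c.SecurityContext.Capabilities.Drop).To(ContainElement(corev1.Capability("ALL")))` on the fetched Deployment would cover that. The removed "OVNDBCluster instance is not available" case also has no replacement, so nothing now tests that no Deployment is created while the DB endpoints are missing.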