OCPBUGS-1666: Expose flag to enable/disable PodSecurity

[jmrodri]

Description of the change:

Added --security-context-config flag to enable seccompprofile. It defaults to enabled to support k8s 1.25. You can disable it with --security-context-config=legacy

Signed-off-by: jesus m. rodriguez jesusr@redhat.com

Motivation for the change:
In k8s 1.25 PodSecurityAdmission is enabled. https://kubernetes.io/blog/2022/08/04/upcoming-changes-in-kubernetes-1-25/#podsecuritypolicy-removal

Fixes a few issues found downstream but affect upstream as well:

• https://issues.redhat.com/browse/OSDK-2481
• https://issues.redhat.com/browse/OCPBUGS-1666

Checklist

If the pull request includes user-facing changes, extra documentation is required:

• Add a new changelog fragment in changelog/fragments (see changelog/fragments/00-template.yaml)
• Add or update relevant sections of the docs website in website/content/en/docs

[jmrodri]

Fixes a few issues upstream and downstream:

[jmrodri]

If you pass in an unsupported option you get the help message:

$ operator-sdk run bundle quay.io/olmqe/upgradeindex-bundle:v0.1 --index-image quay.io/olmqe/largefbcindexwithupgradefbc:v4.11 --timeout 5m --security-context-config=fake -n jesusr
Error: invalid argument "fake" for "--security-context-config" flag: must be one of "legacy", or "restricted"
Usage:
  operator-sdk run bundle <bundle-image> [flags]

Flags:
      --ca-secret-name string                     Name of a generic secret containing a PEM root certificate file required to pull bundle images. This secret *must* be in the namespace that this command is configured to run in, and the file *must* be encoded under the key "cert.pem"
  -h, --help                                      help for bundle
      --index-image string                        index image in which to inject bundle (default "quay.io/operator-framework/opm:latest")
      --install-mode InstallModeValue             install mode
      --kubeconfig string                         Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string                          If present, namespace scope for this CLI request
      --pull-secret-name string                   Name of image pull secret ("type: kubernetes.io/dockerconfigjson") required to pull bundle images. This secret *must* be both in the namespace and an imagePullSecret of the service account that this command is configured to run in
      --security-context-config SecurityContext   specifies the security context to use for the catalog pod
      --service-account string                    Service account name to bind registry objects to. If unset, the default service account is used. This value does not override the operator's service account
      --skip-tls                                  skip authentication of image registry TLS certificate when pulling a bundle image in-cluster
      --skip-tls-verify                           skip TLS certificate verification for container image registries while pulling bundles
      --timeout duration                          Duration to wait for the command to complete before failing (default 2m0s)
      --use-http                                  use plain HTTP for container image registries while pulling bundles

Global Flags:
      --plugins strings   plugin keys to be used for this subcommand execution
      --verbose           Enable verbose logging

FATA[0000] invalid argument "fake" for "--security-context-config" flag: must be one of "legacy", or "restricted" 

[jmrodri]

When restricted is enabled, the pod will have the seccompProfile set on it.

$ operator-sdk run bundle quay.io/olmqe/upgradeindex-bundle:v0.1 --index-image quay.io/olmqe/largefbcindexwithupgradefbc:v4.11 --timeout 5m --security-context-config=restricted -n jesusr

$ k get pod quay-io-olmqe-upgradeindex-bundle-v0-1 -o yaml -n jesusr | grep -i seccompProfile -A5 -B1
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:

[jmrodri]

if legacy is enabled then no seccompprofile is added to the Pod.

$ operator-sdk run bundle quay.io/olmqe/upgradeindex-bundle:v0.1 --index-image quay.io/olmqe/largefbcindexwithupgradefbc:v4.11 --timeout 5m --security-context-config=legacy -n jesusr

$ k get pod quay-io-olmqe-upgradeindex-bundle-v0-1 -o yaml -n jesusr | grep -i seccompProfile -A5 -B1

[everettraven]

Just a teeny nit on the changelog. Also need to run make generate to update the CLI docs with the latest changes.

[everettraven]

/lgtm

[jmrodri]

/cherry-pick v1.24.x

[openshift-cherrypick-robot]

@jmrodri: new pull request created: #6080

Details

In response to this:

/cherry-pick v1.24.x

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.