From a01921012dba53e033387666a5e585e75eae4874 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 2 Nov 2020 16:33:46 -0500
Subject: [PATCH] kubecertagent: explicitly run as root

We need root here because the files that this pod reads are most likely restricted to root access.

Signed-off-by: Andrew Keesler
---
 .../controller/kubecertagent/kubecertagent.go | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/internal/controller/kubecertagent/kubecertagent.go b/internal/controller/kubecertagent/kubecertagent.go
index d29eabec..e08d1dea 100644
--- a/internal/controller/kubecertagent/kubecertagent.go
+++ b/internal/controller/kubecertagent/kubecertagent.go
@@ -157,6 +157,9 @@ func newAgentPod(
 	agentPod.Annotations[controllerManagerNameAnnotationKey] = controllerManagerPod.Name
 	agentPod.Annotations[controllerManagerUIDAnnotationKey] = string(controllerManagerPod.UID)
 
+	// We need to run the agent pod as root since the file permissions on the cluster keypair usually
+	// restricts access to only root.
+	rootID := int64(0)
 	agentPod.Spec.Containers[0].VolumeMounts = controllerManagerPod.Spec.Containers[0].VolumeMounts
 	agentPod.Spec.Volumes = controllerManagerPod.Spec.Volumes
 	agentPod.Spec.RestartPolicy = corev1.RestartPolicyNever
@@ -164,6 +167,10 @@ func newAgentPod(
 	agentPod.Spec.AutomountServiceAccountToken = boolPtr(false)
 	agentPod.Spec.NodeName = controllerManagerPod.Spec.NodeName
 	agentPod.Spec.Tolerations = controllerManagerPod.Spec.Tolerations
+	agentPod.Spec.SecurityContext = &corev1.PodSecurityContext{
+		RunAsUser:  &rootID,
+		RunAsGroup: &rootID,
+	}
 
 	return agentPod
 }
@@ -177,6 +184,11 @@ func isAgentPodUpToDate(actualAgentPod, expectedAgentPod *corev1.Pod) bool {
 			break
 		}
 	}
+
+	if actualAgentPod.Spec.SecurityContext == nil {
+		return false
+	}
+
 	return requiredLabelsAllPresentWithCorrectValues &&
 		equality.Semantic.DeepEqual(
 			actualAgentPod.Spec.Containers[0].VolumeMounts,
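Review bot: The `PodSecurityContext` set in the second hunk of newAgentPod grants uid/gid 0 but leaves the container's own SecurityContext as the template provides it, so while the agent mounts the controller-manager's volumes it also inherits whatever that template allows for privilege escalation, capabilities and a writable root filesystem. Reading root-owned key material needs the uid, not those extras, so the container context could be pinned down in the same place; if the keypair is owned by a non-root user with mode 0600, keep CAP_DAC_READ_SEARCH instead of dropping everything, and since whether `template` already sets a container SecurityContext is outside the hunk, the assignment should merge rather than blindly overwrite. Separately, `rootID := int64(0)` is declared in this hunk several lines before its only use in the next one; moving it next to the literal keeps the explanatory comment and the value together. newAgentPod's signature and the start of its body are outside both hunks.
```go
	// … unchanged: PodSecurityContext with RunAsUser/RunAsGroup …
	// Root is only needed to read the keypair; keep the container otherwise unprivileged.
	agentPod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		ReadOnlyRootFilesystem:   boolPtr(true),
		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
	}
	// … unchanged: return agentPod …
```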
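Review bot: The nil guard added before the `return` in isAgentPodUpToDate only protects `actualAgentPod.Spec.SecurityContext`, yet the last hunk also dereferences `expectedAgentPod.Spec.SecurityContext.RunAsUser`, so an expected pod without a SecurityContext panics instead of yielding false; today newAgentPod always sets one, but the check depends on that coupling. Comparing the whole struct with `equality.Semantic.DeepEqual(actualAgentPod.Spec.SecurityContext, expectedAgentPod.Spec.SecurityContext)` handles nil on either side and also notices other PodSecurityContext fields drifting on a pod that runs as root, which the two per-field comparisons miss. That is only safe if the API server does not default further PodSecurityContext fields on the live pod, which is worth confirming before folding this guard and the two comparisons in the last hunk into one. isAgentPodUpToDate starts outside this hunk and continues into the last one.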
@@ -217,6 +229,14 @@ func isAgentPodUpToDate(actualAgentPod, expectedAgentPod *corev1.Pod) bool {
 		equality.Semantic.DeepEqual(
 			actualAgentPod.Spec.Tolerations,
 			expectedAgentPod.Spec.Tolerations,
+		) &&
+		equality.Semantic.DeepEqual(
+			actualAgentPod.Spec.SecurityContext.RunAsUser,
+			expectedAgentPod.Spec.SecurityContext.RunAsUser,
+		) &&
+		equality.Semantic.DeepEqual(
+			actualAgentPod.Spec.SecurityContext.RunAsGroup,
+			expectedAgentPod.Spec.SecurityContext.RunAsGroup,
 		)
 }
 