From 1e95042496e83cb3c578b5486032274cd05119b0 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev
Date: Mon, 23 Oct 2023 18:35:15 +0300
Subject: [PATCH] Fix creation of ova provider in restricted namespaces.

Currently migration to restricted namespaces is working but the provider creation is failing since the ova-server pod doesn't have proper security configuration to run on such namespaces, this fix adds the missing parts.

Signed-off-by: Bella Khizgiyaev
---
 pkg/controller/provider/ova-setup.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/controller/provider/ova-setup.go b/pkg/controller/provider/ova-setup.go
index 776b8cdf8..3ee358ffd 100644
--- a/pkg/controller/provider/ova-setup.go
+++ b/pkg/controller/provider/ova-setup.go
@@ -193,6 +193,8 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
 ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
+ allowPrivilegeEscalation := false
+ nonRoot := true

 return core.PodSpec{
 Containers: []core.Container{
@@ -206,6 +208,13 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 MountPath: mountPath,
 },
 },
+ SecurityContext: &core.SecurityContext{
+ AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+ RunAsNonRoot: &nonRoot,
+ Capabilities: &core.Capabilities{
+ Drop: []core.Capability{"ALL"},
+ },
+ },
 },
 },
 Volumes: []core.Volume{
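Review bot: The container SecurityContext added in the second hunk still omits a seccomp profile, which the restricted Pod Security Standard requires (type RuntimeDefault or Localhost) in addition to the three fields set here, so a namespace enforcing `restricted` through Pod Security Admission would still reject this pod unless something else injects the profile (an OpenShift SCC may do so, but that cannot be confirmed from this hunk). Add `SeccompProfile: &core.SeccompProfile{Type: core.SeccompProfileTypeRuntimeDefault},` next to `Capabilities`, or set it once on the PodSpec's pod-level SecurityContext. Separately, `RunAsNonRoot: true` is enforced by the kubelet at container start: if the ova-server image does not declare a non-root USER, the container fails with a runAsNonRoot error rather than an admission error, so either confirm the image's user or set `RunAsUser` explicitly. makeOvaProviderPodSpec begins before and continues past both hunks.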