Add probes and security context patches (#464)

* Add securitycontext and probes patches

* Check in csv

* Fix dev.sh bundle push path

* Fix Subscription

* Fix dev.sh formatting

* Add +x to dev.sh

Author: smcclem

bundle/manifests/runtime-component.clusterserviceversion.yaml

@@ -410,6 +410,77 @@ spec:
         path: networkPolicy.fromLabels
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Hide liveness probe's Exec field
+        displayName: Livness Probe's Exec
+        path: probes.liveness.exec
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Hide liveness probe's TCP Socket field
+        displayName: Livness Probe's Exec
+        path: probes.liveness.tcpSocket
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Hide readiness probe's Exec field
+        displayName: Readiness Probe's Exec
+        path: probes.readiness.exec
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Hide readiness probe's TCP Socket field
+        displayName: Readiness Probe's TCP Socket
+        path: probes.readiness.tcpSocket
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Hide startup probe's Exec field
+        displayName: Startup Probe's Exec
+        path: probes.startup.exec
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - description: Hide startup probe's TCP Socket field
+        displayName: Startup Probe's Exec
+        path: probes.startup.tcpSocket
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: Type
+        path: securityContext.seccompProfile.type
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:select:RuntimeDefault
+        - urn:alm:descriptor:com.tectonic.ui:select:Localhost
+        - urn:alm:descriptor:com.tectonic.ui:select:Unconfined
+      - displayName: Localhost Profile
+        path: securityContext.seccompProfile.localhostProfile
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:securityContext.seccompProfile.type:Localhost
+      - displayName: Read-Only Root Filesystem
+        path: securityContext.readOnlyRootFilesystem
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Run as Non-Root
+        path: securityContext.runAsNonRoot
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Privileged
+        path: securityContext.privileged
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: Allow Privilege Escalation
+        path: securityContext.allowPrivilegeEscalation
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: GMSA Credential Spec Name
+        path: securityContext.windowsOptions.gmsaCredentialSpecName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - displayName: GMSA Credential Spec
+        path: securityContext.windowsOptions.gmsaCredentialSpec
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - displayName: Host Process
+        path: securityContext.windowsOptions.hostProcess
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - displayName: SE Linux Options
+        path: securityContext.seLinuxOptions
       statusDescriptors:
       - displayName: Service Binding
         path: binding

config/manifests/kustomization.yaml

@@ -13,6 +13,16 @@ patches:
     kind: ClusterServiceVersion
     name: runtime-component.v0.0.0
     namespace: placeholder
+- path: probesPatch.yaml
+  target:
+    kind: ClusterServiceVersion
+    name: runtime-component.v0.0.0
+    namespace: placeholder
+- path: securityContextPatch.yaml
+  target:
+    kind: ClusterServiceVersion
+    name: runtime-component.v0.0.0
+    namespace: placeholder
 
 # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.

config/manifests/probesPatch.yaml

@@ -0,0 +1,48 @@
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    description: Hide liveness probe's Exec field
+    displayName: Livness Probe's Exec
+    path: probes.liveness.exec
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:hidden
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    description: Hide liveness probe's TCP Socket field
+    displayName: Livness Probe's Exec
+    path: probes.liveness.tcpSocket
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:hidden
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    description: Hide readiness probe's Exec field
+    displayName: Readiness Probe's Exec
+    path: probes.readiness.exec
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:hidden
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    description: Hide readiness probe's TCP Socket field
+    displayName: Readiness Probe's TCP Socket
+    path: probes.readiness.tcpSocket
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:hidden
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    description: Hide startup probe's Exec field
+    displayName: Startup Probe's Exec
+    path: probes.startup.exec
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:hidden
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    description: Hide startup probe's TCP Socket field
+    displayName: Startup Probe's Exec
+    path: probes.startup.tcpSocket
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:hidden

config/manifests/securityContextPatch.yaml

@@ -0,0 +1,71 @@
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: Type
+    path: securityContext.seccompProfile.type
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:select:RuntimeDefault
+      - urn:alm:descriptor:com.tectonic.ui:select:Localhost
+      - urn:alm:descriptor:com.tectonic.ui:select:Unconfined
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: Localhost Profile
+    path: securityContext.seccompProfile.localhostProfile
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:text
+      - urn:alm:descriptor:com.tectonic.ui:fieldDependency:securityContext.seccompProfile.type:Localhost
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: Read-Only Root Filesystem
+    path: securityContext.readOnlyRootFilesystem
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: Run as Non-Root
+    path: securityContext.runAsNonRoot
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: Privileged
+    path: securityContext.privileged
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: Allow Privilege Escalation
+    path: securityContext.allowPrivilegeEscalation
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: GMSA Credential Spec Name
+    path: securityContext.windowsOptions.gmsaCredentialSpecName
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:text
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: GMSA Credential Spec
+    path: securityContext.windowsOptions.gmsaCredentialSpec
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:text
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: Host Process
+    path: securityContext.windowsOptions.hostProcess
+    x-descriptors:
+      - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+- op: add
+  path: /spec/customresourcedefinitions/owned/0/specDescriptors/-
+  value:
+    displayName: SE Linux Options
+    path: securityContext.seLinuxOptions