UD-1521: Add fsgroup for persistent volume

Signed-off-by: Kevin Conner <[email protected]>

Makefile

@@ -1,5 +1,5 @@
 # Image URL to use all building/pushing image targets
-IMG ?= controller:latest
+IMG ?= operator:latest
 WORKER_IMG ?= worker:latest
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.

charts/zora/README.md

@@ -124,6 +124,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
 | scan.plugins.trivy.insecure | bool | `false` | Allow insecure server connections for Trivy |
 | scan.plugins.trivy.persistence.enabled | bool | `true` | Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim |
+| scan.plugins.trivy.persistence.fsGroup | int | `0` | Specifies the fsGroup to use when mounting the persistent volume |
 | scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) |
 | scan.plugins.trivy.persistence.storageClass | string | `""` | [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class |
 | scan.plugins.trivy.persistence.storageRequest | string | `"1Gi"` | Persistence storage size |

charts/zora/templates/operator/deployment.yaml

@@ -104,6 +104,7 @@ spec:
             - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding
             - --cronjob-serviceaccount-name=zora-plugins
             - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-cache{{- end }}
+            - --trivy-db-fsgroup={{ .Values.scan.plugins.trivy.persistence.fsGroup }}
 {{- if .Values.scan.plugins.annotations}}
             - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }}
 {{- end }}

charts/zora/templates/plugins/trivy-job.yaml

@@ -21,6 +21,8 @@ spec:
   ttlSecondsAfterFinished: 0
   template:
     spec:
+      securityContext:
+        fsGroup: 0
       volumes:
         - name: trivy-db
           persistentVolumeClaim:
@@ -52,7 +54,7 @@ spec:
                 --download-java-db-only \
                 {{- end }}
                 --download-db-only \
-              && chgrp -R 0 /tmp/trivy-cache/* && chmod -R g+rwX /tmp/trivy-cache/*
+              && chgrp -R {{ .Values.scan.plugins.trivy.persistence.fsGroup }} /tmp/trivy-cache/* && chmod -R g+rwX /tmp/trivy-cache/*
           env:
             - name: SSL_CERT_DIR
               value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/"

charts/zora/values.yaml

@@ -238,6 +238,8 @@ scan:
       persistence:
         # -- Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim
         enabled: true
+        # -- Specifies the fsGroup to use when mounting the persistent volume
+        fsGroup: 0
         # -- [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
         accessMode: ReadWriteOnce
         # -- [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class

cmd/main.go

@@ -81,6 +81,7 @@ func main() {
 	var checksConfigMapName string
 	var kubexnsImage string
 	var trivyPVC string
+	var trivyFSGroup int64
 	var updateCRDs bool
 	var injectConversion bool
 	var caPath string
@@ -110,6 +111,7 @@ func main() {
 	flag.StringVar(&checksConfigMapName, "checks-configmap-name", "zora-custom-checks", "Name of custom checks ConfigMap")
 	flag.StringVar(&kubexnsImage, "kubexns-image", "ghcr.io/undistro/kubexns:latest", "kubexns image")
 	flag.StringVar(&trivyPVC, "trivy-db-pvc", "", "PersistentVolumeClaim name for Trivy DB")
+	flag.Int64Var(&trivyFSGroup, "trivy-db-fsgroup", 0, "PersistentVolumeClaim FSGroup for Trivy DB")
 	flag.BoolVar(&updateCRDs, "update-crds", false,
 		"If set to true, operator will update Zora CRDs if needed")
 	flag.BoolVar(&injectConversion, "inject-conversion", false,
@@ -217,6 +219,7 @@ func main() {
 		OnDelete:                onClusterScanDelete,
 		KubexnsImage:            kubexnsImage,
 		TrivyPVC:                trivyPVC,
+		TrivyFSGroup:            &trivyFSGroup,
 		ChecksConfigMap:         fmt.Sprintf("%s/%s", checksConfigMapNamespace, checksConfigMapName),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ClusterScan")

internal/controller/zora/clusterscan_controller.go

@@ -64,6 +64,7 @@ type ClusterScanReconciler struct {
 	KubexnsImage            string
 	ChecksConfigMap         string
 	TrivyPVC                string
+	TrivyFSGroup            *int64
 	Annotations             map[string]string
 	OnUpdate                saas.ClusterScanHook
 	OnDelete                saas.ClusterScanHook
@@ -219,6 +220,7 @@ func (r *ClusterScanReconciler) reconcile(ctx context.Context, clusterscan *v1al
 			KubexnsImage:       r.KubexnsImage,
 			ChecksConfigMap:    r.ChecksConfigMap,
 			TrivyPVC:           r.TrivyPVC,
+			TrivyFSGroup:       r.TrivyFSGroup,
 			ClusterUID:         cluster.UID,
 		}
 

pkg/plugins/cronjob.go

@@ -97,6 +97,7 @@ type CronJobMutator struct {
 	KubexnsImage       string
 	ChecksConfigMap    string
 	TrivyPVC           string
+	TrivyFSGroup       *int64
 	ClusterUID         types.UID
 }
 
@@ -151,6 +152,11 @@ func (r *CronJobMutator) Mutate() error {
 				PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ClaimName: r.TrivyPVC},
 			},
 		})
+		if r.TrivyFSGroup != nil {
+			r.Existing.Spec.JobTemplate.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+				FSGroup: r.TrivyFSGroup,
+			}
+		}
 	}
 
 	if pointer.BoolDeref(r.Plugin.Spec.MountCustomChecksVolume, false) {