
Cherry-pick commits from #1576 & #1565 & #1606 to 7.58.x #1608

Merged
merged 3 commits into from
Jan 30, 2023

Conversation

@AObuchow (Contributor) commented Jan 28, 2023

What does this PR do?

Backport of commits relevant to solving https://issues.redhat.com/browse/CRW-3400 and https://issues.redhat.com/browse/CRW-3894 in 7.58.x.

Contains the commit for configuring the container security context used in DWO: c313ecc.
Note: I modified the commit to not include the changes from #1565. This PR can be reworked to include those changes (which require DWO 0.18.0) if desired.

Also contains the commit for setting AllowPrivilegeEscalation to true: 3d07ff7

Screenshot/screencast of this PR

n/a

What issues does this PR fix or reference?

Fixes eclipse-che/che#21770 & eclipse-che/che#21959 in 7.58.x

How to test this PR?

First start up an OpenShift cluster.

Install DWO 0.17.0 (0.17.1)

I've created the following catalog source, which can be applied with oc apply -f:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: devworkspace-operator-catalog
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/aobuchow/devworkspace-operator-index@sha256:c6a5d9d727212de4332b1c79aec2b1f50e67ed4cc98defe1bb19c4ff97dee695
  publisher: Red Hat
  displayName: DevWorkspace Operator Catalog
  updateStrategy:
    registryPoll:
      interval: 5m

Then go to OperatorHub and install DWO 0.17.1 from the DevWorkspace Operator catalog

Install Che using the Operator Image from this PR

  1. Check out the branch from this PR
  2. make gen-chectl-tmpl TEMPLATES=/tmp/operator-resources
  3. Deploy che: chectl server:deploy -p openshift --templates /tmp/operator-resources --che-operator-image=quay.io/aobuchow/che-operator:latest (or build your own image of Che Operator on your quay repo)

Patch Che-Server deployment in Che Cluster CRD

This is a temporary workaround until eclipse-che/che#21958 gets resolved.
Change the image of Che-Server used for Che to an earlier version, e.g. 7.58.0: kubectl edit checluster eclipse-che -n eclipse-che

  components:
    cheServer:
      debug: false
+      deployment:
+        containers:
+          - image: 'quay.io/eclipse/che-server:7.58.0'

Enable container build capabilities in Che Cluster CR

kubectl edit checluster eclipse-che -n eclipse-che:

  devEnvironments:
    startTimeoutSeconds: 300
    secondsOfRunBeforeIdling: -1
    maxNumberOfWorkspacesPerUser: -1
+    disableContainerBuildCapabilities: false

Start a workspace (with the latest UDI)

I've forked the Che-Website repo to use the latest UDI image, as the older one wasn't working with podman build.
The forked repo link is: https://github.com/AObuchow/che-website

Now ensure that the workspace deployment's pod has the container-build SCC annotation:

metadata:
  generateName: workspacec65af80e7611435a-b674746b7-
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.217.0.94"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.217.0.94"
          ],
          "default": true,
          "dns": {}
      }]
+    openshift.io/scc: container-build

Also ensure that the container security context is correct:

      securityContext:
        capabilities:
          add:
            - SETGID
            - SETUID
          drop:
            - KILL
            - MKNOD
        runAsUser: 1000680000
        runAsNonRoot: true
        allowPrivilegeEscalation: true

Build a container from the workspace:

  1. Open a new terminal from within Che Code
  2. git clone https://github.com/scriptcamp/podman.git
  3. cd podman/nginx-image
  4. podman build -t scriptcamp/nginx .
  5. Select docker.io/library/nginx:alpine
  6. The container build should be successful and have an output similar to the following:
STEP 1/2: FROM nginx:alpine
✔ docker.io/library/nginx:alpine
Trying to pull docker.io/library/nginx:alpine...
Getting image source signatures
Copying blob 83e90619bc2e done  
Copying blob 10eb2ce358fa done  
Copying blob d52adec6f48b done  
Copying blob 8921db27df28 done  
Copying blob a1be370d6a52 done  
Copying blob 689b9959905b done  
Copying blob c7a81ce22aac done  
Copying config c433c51bbd done  
Writing manifest to image destination
Storing signatures
STEP 2/2: COPY index.html /usr/share/nginx/html/index.html
COMMIT scriptcamp/nginx
--> b783ac21a4d
Successfully tagged localhost/scriptcamp/nginx:latest
b783ac21a4d1285e2ca7834ea300f6e42ea1930e5aef2c425fd1f178d6b292e1

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.
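The pod state the test steps above ask a reviewer to verify (the container-build SCC annotation plus the container security context) can be checked mechanically rather than by eye. The following is an added example, not code from this PR or from the che-operator project: it takes a Pod object in the shape `kubectl get pod <name> -o json` returns and reports every deviation from the expected container-build profile. The two embedded pods are constructed samples, and the function and constant names are assumptions of this example.

```python
import json

# Values the PR's test steps say a workspace pod must show once
# container build capabilities are enabled in the CheCluster CR.
EXPECTED_SCC = "container-build"
EXPECTED_CAP_ADD = {"SETGID", "SETUID"}
EXPECTED_CAP_DROP = {"KILL", "MKNOD"}


def check_workspace_pod(pod: dict) -> list:
    """Compare a Pod object (as returned by `kubectl get pod -o json`) with the
    container-build profile and return a list of human-readable findings.
    An empty list means the pod matches the profile."""
    findings = []
    annotations = pod.get("metadata", {}).get("annotations") or {}
    scc = annotations.get("openshift.io/scc")
    if scc != EXPECTED_SCC:
        findings.append(f"pod admitted under SCC {scc!r}, expected {EXPECTED_SCC!r}")

    # runAsUser / runAsNonRoot may be inherited from the pod-level securityContext.
    pod_sc = pod.get("spec", {}).get("securityContext") or {}

    for container in pod.get("spec", {}).get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = set(caps.get("add") or [])
        dropped = set(caps.get("drop") or [])

        if added != EXPECTED_CAP_ADD:
            findings.append(
                f"{name}: capabilities.add is {sorted(added)}, expected {sorted(EXPECTED_CAP_ADD)}")
        # Dropping ALL implies KILL and MKNOD are dropped as well.
        if "ALL" not in dropped and not EXPECTED_CAP_DROP <= dropped:
            findings.append(
                f"{name}: capabilities.drop {sorted(dropped)} does not cover {sorted(EXPECTED_CAP_DROP)}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if not sc.get("runAsUser", pod_sc.get("runAsUser")):
            findings.append(f"{name}: runAsUser is unset or 0")
        # Podman inside the container needs privilege escalation; without it the
        # `podman build` step from the test instructions fails.
        if sc.get("allowPrivilegeEscalation") is not True:
            findings.append(f"{name}: allowPrivilegeEscalation must be true")
    return findings


# Constructed sample: a workspace pod that matches the expected profile.
GOOD_POD = json.loads("""{
  "metadata": {"generateName": "workspaceexample-",
               "annotations": {"openshift.io/scc": "container-build"}},
  "spec": {"containers": [{"name": "tools", "securityContext": {
      "capabilities": {"add": ["SETGID", "SETUID"], "drop": ["KILL", "MKNOD"]},
      "runAsUser": 1000680000, "runAsNonRoot": true,
      "allowPrivilegeEscalation": true}}]}
}""")

# Constructed sample: container build not enabled, pod fell back to the
# default restricted SCC with escalation disabled.
BAD_POD = json.loads("""{
  "metadata": {"generateName": "workspaceexample-",
               "annotations": {"openshift.io/scc": "restricted-v2"}},
  "spec": {"securityContext": {"runAsNonRoot": true},
           "containers": [{"name": "tools", "securityContext": {
      "capabilities": {"drop": ["ALL"]},
      "runAsUser": 1000680000, "allowPrivilegeEscalation": false}}]}
}""")


if __name__ == "__main__":
    for label, pod in (("good pod", GOOD_POD), ("bad pod", BAD_POD)):
        print(f"{label}: {check_workspace_pod(pod) or 'matches container-build profile'}")
```

To run it against a live workspace, pipe `kubectl get pod <workspace-pod> -n <user-namespace> -o json` into `json.load` and pass the result to `check_workspace_pod`; a non-empty list is a reason to re-check the `disableContainerBuildCapabilities` setting and the DWO version before approving.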

AObuchow and others added 2 commits January 26, 2023 15:18
Fix eclipse-che/che#21770

Signed-off-by: Andrew Obuchowicz <aobuchow@redhat.com>
…eclipse-che#1596)

* Set SCC allowPrivilegeEscalation to true when container build enabled

Running Podman inside a container in OpenShift requires the pod to have
allowPrivilegeEscalation: true in its security context.

* Fix tests

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
openshift-ci bot commented Jan 28, 2023

Hi @AObuchow. Thanks for your PR.

I'm waiting for a eclipse-che member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ibuziuk (Member) commented Jan 30, 2023

/ok-to-test

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha tolusha changed the title Cherry-pick commits from #1576 & #1565 to 7.58.x Cherry-pick commits from #1576 & #1565 & #1606 to 7.58.x Jan 30, 2023
@tolusha (Contributor) commented Jan 30, 2023

Updated PR to include #1606 as well

openshift-ci bot commented Jan 30, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AObuchow, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@nickboldt nickboldt merged commit ad19924 into eclipse-che:7.58.x Jan 30, 2023
@che-bot che-bot added this to the 7.58 milestone Jan 30, 2023
@devstudio-release

Build 3.4 :: operator_3.4/5: Console, Changes, Git Data

@devstudio-release
Build 3.4 :: operator-bundle_3.4/25: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: copyIIBsToQuay/756: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: push-latest-container-to-quay_3.4/83: SUCCESS

Copied: devspaces-rhel8-operator; /job/DS_CI/job/update-digests_3.4 triggered;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

@devstudio-release

Build 3.4 :: copyIIBsToQuay/757: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: push-latest-container-to-quay_3.4/82: SUCCESS

Copied: devspaces-operator-bundle; bundle-generated updated;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

@devstudio-release

Build 3.4 :: sync-to-downstream_3.4/83: SUCCESS

Build container: devspaces-operator synced; /DS_CI/get-sources-rhpkg-container-build_3.4/84 triggered;

@devstudio-release

Build 3.4 :: operator_3.4/5: SUCCESS

Upstream sync done; /DS_CI/sync-to-downstream_3.4/83 triggered

@devstudio-release

Build 3.4 :: sync-to-downstream_3.4/84: SUCCESS

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.4/85 triggered; /job/DS_CI/job/dsc_3.4 triggered;

@devstudio-release

Build 3.4 :: operator-bundle_3.4/25: SUCCESS

Upstream sync done; /DS_CI/sync-to-downstream_3.4/84 triggered

@devstudio-release

Build 3.4 :: dsc_3.4/20: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: update-digests_3.4/195: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: update-digests_3.4/195: UNSTABLE

No new images detected: nothing to do!

@devstudio-release

Build 3.4 :: dsc_3.4/20: SUCCESS

3.4.0 CI

@devstudio-release

Build 3.4 :: copyIIBsToQuay/756: SUCCESS

3.4
arches = x86_64, s390x, ppc64le;
  * LATEST DS OPERATOR BUNDLE = registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.4-169 (https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags)
  * LATEST DWO OPERATOR BUNDLE = registry-proxy.engineering.redhat.com/rh-osbs/devworkspace-operator-bundle:0.18-2 (https://quay.io/repository/devworkspace/devworkspace-operator-bundle?tab=tags)
+ s390x-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-410106-s390x
  + quay.io/devspaces/iib:3.4-v4.12-s390x
  + quay.io/devspaces/iib:latest-v4.12-s390x
  + quay.io/devspaces/iib:3.4-v4.11-422030-410097-s390x
  + quay.io/devspaces/iib:3.4-v4.11-s390x
  + quay.io/devspaces/iib:latest-v4.11-s390x
  + quay.io/devspaces/iib:3.4-v4.10-422025-410093-s390x
  + quay.io/devspaces/iib:3.4-v4.10-s390x
  + quay.io/devspaces/iib:latest-v4.10-s390x
+ x86_64-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-410106-x86_64
  + quay.io/devspaces/iib:3.4-v4.12-x86_64
  + quay.io/devspaces/iib:latest-v4.12-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-422030-410097-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-x86_64
  + quay.io/devspaces/iib:latest-v4.11-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-422025-410093-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-x86_64
  + quay.io/devspaces/iib:latest-v4.10-x86_64
+ ppc64le-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-410106-ppc64le
  + quay.io/devspaces/iib:3.4-v4.12-ppc64le
  + quay.io/devspaces/iib:latest-v4.12-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-422030-410097-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-ppc64le
  + quay.io/devspaces/iib:latest-v4.11-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-422025-410093-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-ppc64le
  + quay.io/devspaces/iib:latest-v4.10-ppc64le

@devstudio-release

Build 3.4 :: operator-bundle_3.4/26: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: copyIIBsToQuay/792: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: push-latest-container-to-quay_3.4/84: SUCCESS

Copied: devspaces-operator-bundle; bundle-generated updated;
/job/DS_CI/job/Releng/job/copyIIBsToQuay triggered for OCP v4.12 v4.11 v4.10

@devstudio-release

Build 3.4 :: sync-to-downstream_3.4/85: SUCCESS

Build container: devspaces-operator-bundle synced; /DS_CI/get-sources-rhpkg-container-build_3.4/86 triggered; /job/DS_CI/job/dsc_3.4 triggered;

@devstudio-release

Build 3.4 :: operator-bundle_3.4/26: SUCCESS

Upstream sync done; /DS_CI/sync-to-downstream_3.4/85 triggered

@devstudio-release

Build 3.4 :: dsc_3.4/21: Console, Changes, Git Data

@devstudio-release

Build 3.4 :: copyIIBsToQuay/792: SUCCESS

3.4
arches = x86_64, s390x, ppc64le;
  * LATEST DS OPERATOR BUNDLE = registry-proxy.engineering.redhat.com/rh-osbs/devspaces-operator-bundle:3.4-170 (https://quay.io/repository/devspaces/devspaces-operator-bundle?tab=tags)
  * LATEST DWO OPERATOR BUNDLE = registry-proxy.engineering.redhat.com/rh-osbs/devworkspace-operator-bundle:??? (https://quay.io/repository/devworkspace/devworkspace-operator-bundle?tab=tags)
+ x86_64-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-x86_64
  + quay.io/devspaces/iib:3.4-v4.12-x86_64
  + quay.io/devspaces/iib:3.4-v4.12-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-422030-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-x86_64
  + quay.io/devspaces/iib:3.4-v4.11-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-422025-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-x86_64
  + quay.io/devspaces/iib:3.4-v4.10-x86_64
+ s390x-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-s390x
  + quay.io/devspaces/iib:3.4-v4.12-s390x
  + quay.io/devspaces/iib:3.4-v4.12-s390x
  + quay.io/devspaces/iib:3.4-v4.11-422030-s390x
  + quay.io/devspaces/iib:3.4-v4.11-s390x
  + quay.io/devspaces/iib:3.4-v4.11-s390x
  + quay.io/devspaces/iib:3.4-v4.10-422025-s390x
  + quay.io/devspaces/iib:3.4-v4.10-s390x
  + quay.io/devspaces/iib:3.4-v4.10-s390x
+ ppc64le-rhel8 IIB(s) copied:
  + quay.io/devspaces/iib:3.4-v4.12-422039-ppc64le
  + quay.io/devspaces/iib:3.4-v4.12-ppc64le
  + quay.io/devspaces/iib:3.4-v4.12-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-422030-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-ppc64le
  + quay.io/devspaces/iib:3.4-v4.11-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-422025-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-ppc64le
  + quay.io/devspaces/iib:3.4-v4.10-ppc64le

@devstudio-release

Build 3.4 :: dsc_3.4/21: SUCCESS

3.4.0 CI
