

Change default SecurityContext to none (#1832)
* Change default SecurityContext to none

* Fix unit test
dsimansk authored Jul 26, 2023
1 parent 3a7d8c1 commit 4621b10
Showing 14 changed files with 13 additions and 40 deletions.
2 changes: 1 addition & 1 deletion docs/cmd/kn_container_add.md
Expand Up @@ -47,7 +47,7 @@ kn container add NAME
--pull-policy string Image pull policy. Valid values (case insensitive): Always | Never | IfNotPresent
--pull-secret string Image pull secret to set. An empty argument ("") clears the pull secret. The referenced secret must exist in the service's namespace.
--request strings The resource requirement requests for this Service. For example, 'cpu=100m,memory=256Mi'. You can use this flag multiple times. To unset a resource request, append "-" to the resource name, e.g. '--request cpu-'.
--security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict")
--security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none")
--service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace.
--user int The user ID to run the container (e.g., 1001).
```
2 changes: 1 addition & 1 deletion docs/cmd/kn_service_apply.md
Expand Up @@ -73,7 +73,7 @@ kn service apply s0 --filename my-svc.yml
--scale-target int Recommendation for what metric value the PodAutoscaler should attempt to maintain. Use with --scale-metric flag to configure the metric name for which the target value should be maintained. Default metric name is concurrency. The flag defaults to --concurrency-limit when given.
--scale-utilization int Percentage of concurrent requests utilization before scaling up. (default 70)
--scale-window string Duration to look back for making auto-scaling decisions. The service is scaled to zero if no request was received in during that time. (eg: 10s)
--security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict")
--security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none")
--service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace.
--timeout int Duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (default 300)
--user int The user ID to run the container (e.g., 1001).
2 changes: 1 addition & 1 deletion docs/cmd/kn_service_create.md
Expand Up @@ -98,7 +98,7 @@ kn service create NAME --image IMAGE
--scale-target int Recommendation for what metric value the PodAutoscaler should attempt to maintain. Use with --scale-metric flag to configure the metric name for which the target value should be maintained. Default metric name is concurrency. The flag defaults to --concurrency-limit when given.
--scale-utilization int Percentage of concurrent requests utilization before scaling up. (default 70)
--scale-window string Duration to look back for making auto-scaling decisions. The service is scaled to zero if no request was received in during that time. (eg: 10s)
--security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict")
--security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none")
--service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace.
--tag strings Set tag (format: --tag revisionRef=tagName) where revisionRef can be a revision or '@latest' string representing latest ready revision. This flag can be specified multiple times.
--target string Work on local directory instead of a remote cluster (experimental)
2 changes: 1 addition & 1 deletion docs/cmd/kn_service_update.md
Expand Up @@ -85,7 +85,7 @@ kn service update NAME
--scale-target int Recommendation for what metric value the PodAutoscaler should attempt to maintain. Use with --scale-metric flag to configure the metric name for which the target value should be maintained. Default metric name is concurrency. The flag defaults to --concurrency-limit when given.
--scale-utilization int Percentage of concurrent requests utilization before scaling up. (default 70)
--scale-window string Duration to look back for making auto-scaling decisions. The service is scaled to zero if no request was received in during that time. (eg: 10s)
--security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict")
--security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none")
--service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace.
--tag strings Set tag (format: --tag revisionRef=tagName) where revisionRef can be a revision or '@latest' string representing latest ready revision. This flag can be specified multiple times.
--target string Work on local directory instead of a remote cluster (experimental)
2 changes: 1 addition & 1 deletion docs/cmd/kn_source_container_create.md
Expand Up @@ -37,7 +37,7 @@ kn source container create NAME --image IMAGE --sink SINK
--pull-policy string Image pull policy. Valid values (case insensitive): Always | Never | IfNotPresent
--pull-secret string Image pull secret to set. An empty argument ("") clears the pull secret. The referenced secret must exist in the service's namespace.
--request strings The resource requirement requests for this Service. For example, 'cpu=100m,memory=256Mi'. You can use this flag multiple times. To unset a resource request, append "-" to the resource name, e.g. '--request cpu-'.
--security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict")
--security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none")
--service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace.
-s, --sink string Addressable sink for events. You can specify a broker, channel, Knative service or URI. Examples: '--sink broker:nest' for a broker 'nest', '--sink channel:pipe' for a channel 'pipe', '--sink ksvc:mysvc:mynamespace' for a Knative service 'mysvc' in another namespace 'mynamespace', '--sink https://event.receiver.uri' for an HTTP URI, '--sink ksvc:receiver' or simply '--sink receiver' for a Knative service 'receiver' in the current namespace. '--sink special.eventing.dev/v1alpha1/channels:pipe' for GroupVersionResource of v1alpha1 'pipe'. If a prefix is not provided, it is considered as a Knative service in the current namespace.
--user int The user ID to run the container (e.g., 1001).
2 changes: 1 addition & 1 deletion docs/cmd/kn_source_container_update.md
Expand Up @@ -37,7 +37,7 @@ kn source container update NAME --image IMAGE
--pull-policy string Image pull policy. Valid values (case insensitive): Always | Never | IfNotPresent
--pull-secret string Image pull secret to set. An empty argument ("") clears the pull secret. The referenced secret must exist in the service's namespace.
--request strings The resource requirement requests for this Service. For example, 'cpu=100m,memory=256Mi'. You can use this flag multiple times. To unset a resource request, append "-" to the resource name, e.g. '--request cpu-'.
--security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict")
--security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none")
--service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace.
-s, --sink string Addressable sink for events. You can specify a broker, channel, Knative service or URI. Examples: '--sink broker:nest' for a broker 'nest', '--sink channel:pipe' for a channel 'pipe', '--sink ksvc:mysvc:mynamespace' for a Knative service 'mysvc' in another namespace 'mynamespace', '--sink https://event.receiver.uri' for an HTTP URI, '--sink ksvc:receiver' or simply '--sink receiver' for a Knative service 'receiver' in the current namespace. '--sink special.eventing.dev/v1alpha1/channels:pipe' for GroupVersionResource of v1alpha1 'pipe'. If a prefix is not provided, it is considered as a Knative service in the current namespace.
--user int The user ID to run the container (e.g., 1001).
2 changes: 0 additions & 2 deletions lib/test/service.go
Expand Up @@ -259,7 +259,6 @@ func BuildServiceWithOptions(name string, so ...servingtest.ServiceOption) *serv
APIVersion: "serving.knative.dev/v1",
}
svc.Spec.Template.Spec.Containers[0].Resources = corev1.ResourceRequirements{}
svc.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{}
return svc
}

Expand Down Expand Up @@ -302,7 +301,6 @@ func BuildRevision(name string, options ...servingtest.RevisionOption) *servingv
rev.ObjectMeta.UID = ""
rev.ObjectMeta.Generation = int64(0)
rev.Spec.PodSpec.Containers[0].Resources = corev1.ResourceRequirements{}
rev.Spec.PodSpec.Containers[0].SecurityContext = &corev1.SecurityContext{}
return rev
}

3 changes: 0 additions & 3 deletions pkg/kn/commands/service/create_mock_test.go
Expand Up @@ -18,8 +18,6 @@ import (
"testing"
"time"

"knative.dev/client/pkg/kn/flags"

"knative.dev/serving/pkg/apis/autoscaling"

"gotest.tools/v3/assert"
Expand Down Expand Up @@ -479,7 +477,6 @@ func getService(name string) *servingv1.Service {
Limits: corev1.ResourceList{},
Requests: corev1.ResourceList{},
},
SecurityContext: flags.DefaultStrictSecCon(),
}}

return service
3 changes: 0 additions & 3 deletions pkg/kn/commands/source/container/container_test.go
Expand Up @@ -20,8 +20,6 @@ import (
"bytes"
"strings"

"knative.dev/client/pkg/kn/flags"

corev1 "k8s.io/api/core/v1"
"k8s.io/client-go/tools/clientcmd"
v1 "knative.dev/eventing/pkg/apis/sources/v1"
Expand Down Expand Up @@ -94,7 +92,6 @@ func createContainerSource(name, image string, sink duckv1.Destination, ceo map[
Limits: corev1.ResourceList{},
Requests: corev1.ResourceList{},
},
SecurityContext: flags.DefaultStrictSecCon(),
}}}).
Sink(sink).
Build()
7 changes: 2 additions & 5 deletions pkg/kn/flags/podspec.go
Expand Up @@ -237,7 +237,8 @@ func (p *PodSpecFlags) AddFlags(flagset *pflag.FlagSet) []string {
flagset.Int64VarP(&p.User, "user", "", 0, "The user ID to run the container (e.g., 1001).")
flagNames = append(flagNames, "user")

flagset.StringVar(&p.SecurityContext, "security-context", "strict", "Security Context definition to be added the service. Accepted values: strict | none.")
flagset.StringVar(&p.SecurityContext, "security-context", "none", "Predefined security context for the service. Accepted values: 'none' for no security context "+
"and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation.")
flagNames = append(flagNames, "security-context")

return flagNames
Expand Down Expand Up @@ -415,10 +416,6 @@ func (p *PodSpecFlags) ResolvePodSpec(podSpec *corev1.PodSpec, flags *pflag.Flag
if err := UpdateSecurityContext(podSpec, p.SecurityContext); err != nil {
return err
}
} else {
if err := UpdateSecurityContext(podSpec, ""); err != nil {
return err
}
}

return nil
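Review bot: The new flag help at the top of this section says `'none' for no security context` but does not tell the operator what that now implies: with the `else` branch below removed, a service created without `--security-context` gets no SecurityContext from kn at all, so any hardening is left to cluster-side admission policy. I would make that explicit in the help string, e.g. `"Predefined security context for the service. Accepted values: 'none' leaves the container security context unset (hardening is then up to cluster policy), 'strict' drops all capabilities, runs as non-root and disallows privilege escalation."`, so that the default is a conscious choice rather than a silent regression for users upgrading from the previous `strict` default. Note also that `ResolvePodSpec` starts and ends outside the hunk, so I cannot see whether `--user` is applied before or after `UpdateSecurityContext`; if it runs before, `--security-context=none` (which now sets the context to nil) would discard the `RunAsUser` it set — worth a test either way.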
7 changes: 1 addition & 6 deletions pkg/kn/flags/podspec_helper.go
Expand Up @@ -386,15 +386,10 @@ func UpdateSecurityContext(spec *corev1.PodSpec, securityContext string) error {
switch strings.ToLower(securityContext) {
case "none":
// Blank any Security Context defined
container.SecurityContext = &corev1.SecurityContext{}
container.SecurityContext = nil
case "strict":
// Add or update Security Context to default strict
container.SecurityContext = DefaultStrictSecCon()
case "":
// Add default strict SC flag is not used, hence empty value
if container.SecurityContext == nil {
container.SecurityContext = DefaultStrictSecCon()
}
//TODO(dsimansk): add parsing of SC options from the flag value
default:
return fmt.Errorf("invalid --security-context %s. Valid arguments: strict | none", securityContext)
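Review bot: `case "none"` now assigns `container.SecurityContext = nil`, which throws away every field on the struct, not just the strict preset; the comment above it should say so, since `RunAsUser` from `--user` presumably lives in the same struct (the enclosing loop and `UpdateSecurityContext`'s header are outside the hunk, so I cannot confirm ordering): `// Blank any Security Context defined; this also drops fields set by other flags such as --user`. Separately, with the `case ""` arm deleted an empty value now reaches the `default` arm, and the error formats the raw value with `%s`, which prints nothing for `""`; use `%q` so the rejected input is visible: `return fmt.Errorf("invalid --security-context %q. Valid arguments: strict | none", securityContext)`.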
11 changes: 1 addition & 10 deletions pkg/kn/flags/podspec_helper_test.go
Expand Up @@ -1506,16 +1506,7 @@ func TestUpdateSecurityContext(t *testing.T) {
{
name: "none",
expected: &corev1.PodSpec{
Containers: []corev1.Container{{
SecurityContext: &corev1.SecurityContext{}}},
},
expectedError: nil,
},
{
name: "",
expected: &corev1.PodSpec{
Containers: []corev1.Container{
{SecurityContext: DefaultStrictSecCon()}},
Containers: []corev1.Container{{}},
},
expectedError: nil,
},
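Review bot: Removing the `""` table entry leaves the new behaviour for an empty value untested: `UpdateSecurityContext` no longer has a `case ""` arm, so `""` now falls through to the `default` error, but nothing in `TestUpdateSecurityContext` pins that. Keep a case named `""` whose `expectedError` is the `invalid --security-context` error the helper returns (and `expected` set to whatever the table uses for the error path — the rest of the table is outside the hunk, so I cannot see the convention), otherwise a later change that silently accepts an empty value would go unnoticed.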
4 changes: 1 addition & 3 deletions pkg/kn/flags/podspec_test.go
Expand Up @@ -44,7 +44,7 @@ func TestPodSpecFlags(t *testing.T) {
Volume: []string{},
Arg: []string{},
Command: []string{},
SecurityContext: "strict",
SecurityContext: "none",
}
flags := &PodSpecFlags{}
testCmd := &cobra.Command{
Expand Down Expand Up @@ -223,7 +223,6 @@ containers:
Limits: corev1.ResourceList{},
Requests: corev1.ResourceList{},
},
SecurityContext: DefaultStrictSecCon(),
},
{
Name: "foo",
Expand Down Expand Up @@ -398,7 +397,6 @@ func TestPodSpecResolveWithEnvFile(t *testing.T) {
Limits: corev1.ResourceList{},
Requests: corev1.ResourceList{},
},
SecurityContext: DefaultStrictSecCon(),
},
},
}
4 changes: 2 additions & 2 deletions test/e2e/service_export_test.go
Expand Up @@ -53,7 +53,7 @@ func TestServiceExport(t *testing.T) {
defer r.DumpIfFailed()

t.Log("create service with byo revision")
serviceCreateWithOptions(r, "hello", "--revision-name", "rev1", "--security-context=none")
serviceCreateWithOptions(r, "hello", "--revision-name", "rev1")

userImage := pkgtest.ImagePath("helloworld")
if strings.Contains(userImage, "@") {
Expand Down Expand Up @@ -233,7 +233,7 @@ func TestServiceExport(t *testing.T) {
), "--with-revisions", "--mode", "export", "-o", "yaml")

t.Log("create and export service 'foo' and verify that serviceUID and configurationUID labels are absent")
serviceCreateWithOptions(r, "foo", "--security-context=none")
serviceCreateWithOptions(r, "foo")
output := serviceExportOutput(r, "foo", "-o", "json")
actSvc := servingv1.Service{}
err = json.Unmarshal([]byte(output), &actSvc)
