This is an automated email from the ASF dual-hosted git repository.
squakez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/main by this push:
new ddabc6201 feat(trait): default security as non root
ddabc6201 is described below
commit ddabc62013307fa2aa429b54cce4f2f93f878b17
Author: Pasquale Congiusti <[email protected]>
AuthorDate: Sat Jun 6 09:06:41 2026 +0200
feat(trait): default security as non root
Closes #5462
---
docs/modules/ROOT/partials/apis/camel-k-crds.adoc | 4 +--
docs/modules/traits/pages/security-context.adoc | 4 +--
helm/camel-k/crds/camel-k-crds.yaml | 32 +++++++++++-----------
pkg/apis/camel/v1/trait/security_context.go | 4 +--
pkg/builder/image.go | 3 +-
pkg/builder/jib.go | 4 ++-
.../camel.apache.org_integrationplatforms.yaml | 8 +++---
.../camel.apache.org_integrationprofiles.yaml | 8 +++---
.../crd/bases/camel.apache.org_integrations.yaml | 8 +++---
.../config/crd/bases/camel.apache.org_pipes.yaml | 8 +++---
pkg/trait/container_test.go | 4 +--
pkg/trait/security_context.go | 9 +++---
pkg/trait/security_context_test.go | 7 +++--
pkg/util/defaults/defaults_support.go | 2 ++
pkg/util/jib/configuration.go | 1 +
15 files changed, 56 insertions(+), 50 deletions(-)
diff --git a/docs/modules/ROOT/partials/apis/camel-k-crds.adoc
b/docs/modules/ROOT/partials/apis/camel-k-crds.adoc
index b6d710201..64b41593e 100644
--- a/docs/modules/ROOT/partials/apis/camel-k-crds.adoc
+++ b/docs/modules/ROOT/partials/apis/camel-k-crds.adoc
@@ -9501,14 +9501,14 @@ int64
|
-Security Context RunAsUser configuration (default none): this value is
automatically retrieved in Openshift clusters when not explicitly set.
+Security Context RunAsUser configuration (default user 1000): this value is
automatically retrieved in Openshift clusters when not explicitly set.
|`runAsNonRoot` +
bool
|
-Security Context RunAsNonRoot configuration (default false).
+Security Context RunAsNonRoot configuration (default true).
|`seccompProfileType` +
*https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.36/#seccompprofiletype-v1-core[Kubernetes
core/v1.SeccompProfileType]*
diff --git a/docs/modules/traits/pages/security-context.adoc
b/docs/modules/traits/pages/security-context.adoc
index f24436897..3f18842a2 100644
--- a/docs/modules/traits/pages/security-context.adoc
+++ b/docs/modules/traits/pages/security-context.adoc
@@ -31,11 +31,11 @@ The following configuration options are available:
| security-context.runAsUser
| int64
-| Security Context RunAsUser configuration (default none): this value is
automatically retrieved in Openshift clusters when not explicitly set.
+| Security Context RunAsUser configuration (default user 1000): this value is
automatically retrieved in Openshift clusters when not explicitly set.
| security-context.runAsNonRoot
| bool
-| Security Context RunAsNonRoot configuration (default false).
+| Security Context RunAsNonRoot configuration (default true).
| security-context.seccompProfileType
| SeccompProfileType
diff --git a/helm/camel-k/crds/camel-k-crds.yaml
b/helm/camel-k/crds/camel-k-crds.yaml
index ad761c78d..82c0661ab 100644
--- a/helm/camel-k/crds/camel-k-crds.yaml
+++ b/helm/camel-k/crds/camel-k-crds.yaml
@@ -5700,11 +5700,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -8230,11 +8230,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -10654,11 +10654,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -13064,11 +13064,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -22330,11 +22330,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -24701,11 +24701,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -35335,11 +35335,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration
- (default false).
+ (default true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser
configuration
- (default none): this value is automatically
retrieved
+ (default user 1000): this value is automatically
retrieved
in Openshift clusters when not explicitly set.'
format: int64
type: integer
@@ -37623,11 +37623,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
diff --git a/pkg/apis/camel/v1/trait/security_context.go
b/pkg/apis/camel/v1/trait/security_context.go
index 01b79bcbf..fad3cac6e 100644
--- a/pkg/apis/camel/v1/trait/security_context.go
+++ b/pkg/apis/camel/v1/trait/security_context.go
@@ -27,9 +27,9 @@ import corev1 "k8s.io/api/core/v1"
type SecurityContextTrait struct {
PlatformBaseTrait `json:",inline" property:",squash"`
- // Security Context RunAsUser configuration (default none): this value
is automatically retrieved in Openshift clusters when not explicitly set.
+ // Security Context RunAsUser configuration (default user 1000): this
value is automatically retrieved in Openshift clusters when not explicitly set.
RunAsUser *int64 `json:"runAsUser,omitempty" property:"run-as-user"`
- // Security Context RunAsNonRoot configuration (default false).
+ // Security Context RunAsNonRoot configuration (default true).
RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"
property:"run-as-non-root"`
// Security Context SeccompProfileType configuration (default
RuntimeDefault).
// +kubebuilder:validation:Enum=Unconfined;RuntimeDefault
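Review bot: The updated RunAsUser comment states the new default but not its consequence: on non-OpenShift clusters the pod now carries an explicit runAsUser, which takes precedence over whatever USER a custom base image declares, whereas the previous nil default left that decision to the image. Suggest extending the field comment with `// On non-OpenShift clusters this default is written to the pod security context and overrides the image's USER; set it explicitly when a custom base image is built for a different UID.` The trait page and the CRD descriptions in this commit carry the same sentence and appear to be generated from this comment, so they would pick the clarification up too.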
diff --git a/pkg/builder/image.go b/pkg/builder/image.go
index 5995a0231..3c82aeaed 100644
--- a/pkg/builder/image.go
+++ b/pkg/builder/image.go
@@ -21,6 +21,7 @@ import (
"os"
"path"
"path/filepath"
+ "strconv"
"strings"
"github.com/apache/camel-k/v2/pkg/util/io"
@@ -115,7 +116,7 @@ func jvmDockerfile(ctx *builderContext) error {
dockerfile := []byte(`
FROM ` + ctx.BaseImage + `
ADD . ` + DeploymentDir + `
- USER 1000
+ USER ` + strconv.FormatInt(defaults.DefaultPodRunAsUser, 10) + `
`)
err := os.WriteFile(filepath.Join(ctx.Path, ContextDir, "Dockerfile"),
dockerfile, io.FilePerm400)
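Review bot: `USER ` with a bare numeric UID sets only the user; with no group given, Dockerfile semantics leave the primary group as root (0) unless the base image defines that UID, so the group this process ends up with is decided by `ctx.BaseImage`, not by this line. DeploymentDir is also populated by `ADD` before the USER switch and therefore stays root-owned, which is only fine as long as the runtime never writes there. Worth stating both assumptions next to the new line: `// keep in sync with the pod-level runAsUser default; no group is set here, so it comes from the base image's definition of this UID (root group if undefined)`. jvmDockerfile's body continues outside the hunk.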
diff --git a/pkg/builder/jib.go b/pkg/builder/jib.go
index 340731391..e41fa9ca0 100644
--- a/pkg/builder/jib.go
+++ b/pkg/builder/jib.go
@@ -23,11 +23,13 @@ import (
"os"
"os/exec"
"path/filepath"
+ "strconv"
"strings"
v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1"
"github.com/apache/camel-k/v2/pkg/client"
"github.com/apache/camel-k/v2/pkg/util"
+ "github.com/apache/camel-k/v2/pkg/util/defaults"
"github.com/apache/camel-k/v2/pkg/util/jib"
"github.com/apache/camel-k/v2/pkg/util/log"
"github.com/apache/camel-k/v2/pkg/util/maven"
@@ -149,7 +151,7 @@ func buildJibMavenArgs(mavenDir, image, baseImage string,
insecureRegistry bool,
mavenArgs = append(mavenArgs, jib.JibMavenToImageParam+image)
mavenArgs = append(mavenArgs, jib.JibMavenFromImageParam+baseImage)
mavenArgs = append(mavenArgs,
jib.JibMavenBaseImageCache+mavenDir+"/jib")
- mavenArgs = append(mavenArgs, "-Djib.container.user=1000")
+ mavenArgs = append(mavenArgs,
jib.JibMavenContainerUser+strconv.FormatInt(defaults.DefaultPodRunAsUser, 10))
if imagePlatforms != nil {
platforms := strings.Join(imagePlatforms, ",")
diff --git
a/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml
b/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml
index 1ec9afa42..516c9b10b 100644
--- a/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml
+++ b/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml
@@ -2399,11 +2399,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -4929,11 +4929,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
diff --git
a/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml
b/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml
index 6dff2fcd2..fb5282e45 100644
--- a/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml
+++ b/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml
@@ -2257,11 +2257,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -4667,11 +4667,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
diff --git a/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml
b/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml
index b52aac2b6..8fe4faefc 100644
--- a/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml
+++ b/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml
@@ -9102,11 +9102,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
@@ -11473,11 +11473,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
diff --git a/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml
b/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml
index cad0e7697..56c8166d3 100644
--- a/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml
+++ b/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml
@@ -9162,11 +9162,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration
- (default false).
+ (default true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser
configuration
- (default none): this value is automatically
retrieved
+ (default user 1000): this value is automatically
retrieved
in Openshift clusters when not explicitly set.'
format: int64
type: integer
@@ -11450,11 +11450,11 @@ spec:
type: boolean
runAsNonRoot:
description: Security Context RunAsNonRoot
configuration (default
- false).
+ true).
type: boolean
runAsUser:
description: 'Security Context RunAsUser configuration
(default
- none): this value is automatically retrieved in
Openshift
+ user 1000): this value is automatically retrieved in
Openshift
clusters when not explicitly set.'
format: int64
type: integer
diff --git a/pkg/trait/container_test.go b/pkg/trait/container_test.go
index 4cfcf7493..7a5465ced 100644
--- a/pkg/trait/container_test.go
+++ b/pkg/trait/container_test.go
@@ -520,7 +520,7 @@ func TestUserSecurityContext(t *testing.T) {
environment.Integration.Spec.Traits = v1.Traits{
Container: &traitv1.ContainerTrait{
RunAsNonRoot: ptr.To(false),
- RunAsUser: ptr.To(int64(1000)),
+ RunAsUser: ptr.To(int64(1001)),
SeccompProfileType: "Unconfined",
AllowPrivilegeEscalation: ptr.To(true),
CapabilitiesDrop: []corev1.Capability{"DROP"},
@@ -543,7 +543,7 @@ func TestUserSecurityContext(t *testing.T) {
assert.NotNil(t, d)
assert.Len(t, d.Spec.Template.Spec.Containers, 1)
assert.Equal(t, ptr.To(false),
d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot)
- assert.Equal(t, ptr.To(int64(1000)),
d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser)
+ assert.Equal(t, ptr.To(int64(1001)),
d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser)
assert.Equal(t, corev1.SeccompProfileTypeUnconfined,
d.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile.Type)
assert.Equal(t, ptr.To(true),
d.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation)
assert.Equal(t, []corev1.Capability{"DROP"},
d.Spec.Template.Spec.Containers[0].SecurityContext.Capabilities.Drop)
diff --git a/pkg/trait/security_context.go b/pkg/trait/security_context.go
index e45236977..7b6f8d351 100644
--- a/pkg/trait/security_context.go
+++ b/pkg/trait/security_context.go
@@ -24,6 +24,7 @@ import (
v1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1"
traitv1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1/trait"
+ "github.com/apache/camel-k/v2/pkg/util/defaults"
"github.com/apache/camel-k/v2/pkg/util/openshift"
)
@@ -31,7 +32,7 @@ const (
securityContextTraitID = "security-context"
securityContextTraitOder = 1600
- defaultPodRunAsNonRoot = false
+ defaultPodRunAsNonRoot = true
defaultPodSeccompProfileType = corev1.SeccompProfileTypeRuntimeDefault
)
@@ -95,9 +96,7 @@ func (t *securityContextTrait) setSecurityContext(e
*Environment, podSpec *corev
return err
}
- t.RunAsUser = runAsUser
-
- sc.RunAsUser = t.RunAsUser
+ sc.RunAsUser = runAsUser
podSpec.SecurityContext = &sc
return nil
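Review bot: Dropping `t.RunAsUser = runAsUser` means the trait instance no longer records the user that was actually applied, so anything that reads t.RunAsUser after setSecurityContext has run (another trait, status reporting) now sees nil whenever the value was resolved rather than configured. If nothing consumes it this is a welcome removal of hidden mutation, but it is a behavioural change the commit message does not mention, so either confirm there are no readers or keep the write-back. setSecurityContext starts before this hunk, so I cannot see whether an explicitly configured RunAsUser is handled on an earlier path.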
@@ -114,7 +113,7 @@ func (t *securityContextTrait) getUser(e *Environment)
(*int64, error) {
return nil, err
}
if !isOpenShift {
- return nil, nil
+ return new(defaults.DefaultPodRunAsUser), nil
}
runAsUser, err := openshift.GetOpenshiftUser(e.Ctx, e.Client,
e.Integration.Namespace)
diff --git a/pkg/trait/security_context_test.go
b/pkg/trait/security_context_test.go
index 440236554..bc3331d06 100644
--- a/pkg/trait/security_context_test.go
+++ b/pkg/trait/security_context_test.go
@@ -32,6 +32,7 @@ import (
traitv1 "github.com/apache/camel-k/v2/pkg/apis/camel/v1/trait"
"github.com/apache/camel-k/v2/pkg/internal"
"github.com/apache/camel-k/v2/pkg/util/camel"
+ "github.com/apache/camel-k/v2/pkg/util/defaults"
"github.com/apache/camel-k/v2/pkg/util/kubernetes"
)
@@ -66,7 +67,7 @@ func TestDefaultPodKubernetesSecurityContext(t *testing.T) {
assert.NotNil(t, d)
assert.Equal(t, ptr.To(defaultPodRunAsNonRoot),
d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
- assert.Nil(t, d.Spec.Template.Spec.SecurityContext.RunAsUser)
+ assert.Equal(t, defaults.DefaultPodRunAsUser,
*d.Spec.Template.Spec.SecurityContext.RunAsUser)
assert.Equal(t, corev1.SeccompProfileTypeRuntimeDefault,
d.Spec.Template.Spec.SecurityContext.SeccompProfile.Type)
}
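Review bot: The new assertion dereferences `d.Spec.Template.Spec.SecurityContext.RunAsUser` unconditionally, so a regression that leaves it nil (the pre-change behaviour) fails with a nil-pointer panic instead of a readable assertion failure. Comparing pointers the way the RunAsNonRoot line just above does keeps the failure message useful: `assert.Equal(t, ptr.To(defaults.DefaultPodRunAsUser), d.Spec.Template.Spec.SecurityContext.RunAsUser)`.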
@@ -123,7 +124,7 @@ func TestUserPodSecurityContext(t *testing.T) {
environment.Integration.Spec.Traits = v1.Traits{
SecurityContext: &traitv1.SecurityContextTrait{
RunAsNonRoot: ptr.To(false),
- RunAsUser: ptr.To(int64(1000)),
+ RunAsUser: ptr.To(int64(1001)),
SeccompProfileType: "Unconfined",
},
}
@@ -142,7 +143,7 @@ func TestUserPodSecurityContext(t *testing.T) {
assert.NotNil(t, d)
assert.Equal(t, ptr.To(false),
d.Spec.Template.Spec.SecurityContext.RunAsNonRoot)
- assert.Equal(t, ptr.To(int64(1000)),
d.Spec.Template.Spec.SecurityContext.RunAsUser)
+ assert.Equal(t, ptr.To(int64(1001)),
d.Spec.Template.Spec.SecurityContext.RunAsUser)
assert.Equal(t, corev1.SeccompProfileTypeUnconfined,
d.Spec.Template.Spec.SecurityContext.SeccompProfile.Type)
}
diff --git a/pkg/util/defaults/defaults_support.go
b/pkg/util/defaults/defaults_support.go
index e0b18d5d3..a7885355b 100644
--- a/pkg/util/defaults/defaults_support.go
+++ b/pkg/util/defaults/defaults_support.go
@@ -24,6 +24,8 @@ import (
"github.com/apache/camel-k/v2/pkg/util/log"
)
+const DefaultPodRunAsUser = int64(1000)
+
func BaseImage() string {
return envOrDefault(baseImage, "KAMEL_BASE_IMAGE", "RELATED_IMAGE_BASE")
}
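Review bot: DefaultPodRunAsUser is exported without a doc comment, and it is now the single value behind the Dockerfile USER, the jib container user and the non-OpenShift pod runAsUser default, so the coupling deserves to be stated where the constant lives. Suggest `// DefaultPodRunAsUser is the UID the integration image is built to run as (Dockerfile USER and jib.container.user) and the pod-level runAsUser applied on non-OpenShift clusters when the security-context trait does not set one; these uses must stay in sync.`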
diff --git a/pkg/util/jib/configuration.go b/pkg/util/jib/configuration.go
index f90239aef..9c18a1cbf 100644
--- a/pkg/util/jib/configuration.go
+++ b/pkg/util/jib/configuration.go
@@ -26,6 +26,7 @@ import (
const JibMavenGoal = "jib:build"
const JibMavenToImageParam = "-Djib.to.image="
const JibMavenFromImageParam = "-Djib.from.image="
+const JibMavenContainerUser = "-Djib.container.user="
const JibMavenFromPlatforms = "-Djib.from.platforms="
const JibMavenBaseImageCache = "-Djib.baseImageCache="
const JibMavenInsecureRegistries = "-Djib.allowInsecureRegistries="