From 39ab8b1e3678ac7821e1853949c4144b0844fe40 Mon Sep 17 00:00:00 2001
From: Connor Rogers
Date: Thu, 17 Jun 2021 15:27:11 +0100
Subject: [PATCH] Use RabbitMQ user for init container instead of root (#731)
---
 internal/resource/statefulset.go | 19 ++-----------------
 internal/resource/statefulset_test.go | 19 +++----------------
 2 files changed, 5 insertions(+), 33 deletions(-)
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
index b6813bb10..489a4266a 100644
--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -540,23 +540,8 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 Name: "setup-container",
 Image: builder.Instance.Spec.Image,
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: pointer.Int64Ptr(0),
- Capabilities: &corev1.Capabilities{
- // drop default set from Docker except for CHOWN, FOWNER, and DAC_OVERRIDE
- Drop: []corev1.Capability{
- "FSETID",
- "KILL",
- "SETGID",
- "SETUID",
- "SETPCAP",
- "NET_BIND_SERVICE",
- "NET_RAW",
- "SYS_CHROOT",
- "MKNOD",
- "AUDIT_WRITE",
- "SETFCAP",
- },
- },
+ RunAsGroup: &rabbitmqGID,
+ RunAsUser: &rabbitmqUID,
 },
 Command: []string{
 "sh", "-c", "cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
index ca8d1039f..7e19ca952 100644
--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
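Review bot: With the root user gone, the new SecurityContext in the setup-container hunk no longer restricts capabilities or privilege escalation at all — the commit deletes the `Drop` list rather than tightening it, and nothing asks the runtime to enforce the non-root intent. Since the container now runs as `rabbitmqUID`, the bounding set can be dropped wholesale and the intent made explicit with `RunAsNonRoot: pointer.BoolPtr(true),` `AllowPrivilegeEscalation: pointer.BoolPtr(false),` `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},`. If `rabbitmqGID`/`rabbitmqUID` are package-level variables, as the bare `&` suggests, every StatefulSet the builder produces shares one pointer to them, so a caller that writes through `SecurityContext.RunAsUser` would change it for all of them; copying into locals (`uid, gid := rabbitmqUID, rabbitmqGID`) before taking the address avoids that. The `cp` into `/var/lib/rabbitmq` now runs as this non-root UID, so that volume presumably gets an `fsGroup` or matching ownership elsewhere in the pod spec — worth confirming, since the hunk does not show it. podTemplateSpec starts before this hunk and continues past it.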
@@ -1217,26 +1217,13 @@ var _ = Describe("StatefulSet", func() {
 initContainers := statefulSet.Spec.Template.Spec.InitContainers
 Expect(initContainers).To(HaveLen(1))
+ rmqGID, rmqUID := int64(999), int64(999)
 initContainer := extractContainer(initContainers, "setup-container")
 Expect(initContainer).To(MatchFields(IgnoreExtras, Fields{
 "Image": Equal("rabbitmq-image-from-cr"),
 "SecurityContext": PointTo(MatchFields(IgnoreExtras, Fields{
- "Capabilities": PointTo(MatchAllFields(Fields{
- "Drop": ConsistOf([]corev1.Capability{
- "FSETID",
- "KILL",
- "SETGID",
- "SETUID",
- "SETPCAP",
- "NET_BIND_SERVICE",
- "NET_RAW",
- "SYS_CHROOT",
- "MKNOD",
- "AUDIT_WRITE",
- "SETFCAP",
- }),
- "Add": BeEmpty(),
- })),
+ "RunAsUser": Equal(&rmqUID),
+ "RunAsGroup": Equal(&rmqGID),
 })),
 "Command": ConsistOf(
 "sh", "-c", "cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie "+