From e00b92df83d8add5a9626f8eea79313816d4f317 Mon Sep 17 00:00:00 2001
From: Jiri Mencak <jmencak@users.noreply.github.com>
Date: Tue, 11 Jun 2024 11:40:57 +0200
Subject: [PATCH] Stop exposing the entire host filesystem

With the principle of least privilege in mind, stop exposing the
entirety of the host filesystem.
---
 assets/tuned/manifests/ds-tuned.yaml    | 10 +++++-----
 test/e2e/basic/metrics_cert_rotation.go |  5 ++---
 test/e2e/basic/sysctl_d_override.go     |  8 +++-----
 test/e2e/core/cluster_version.go        |  9 ++-------
 4 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/assets/tuned/manifests/ds-tuned.yaml b/assets/tuned/manifests/ds-tuned.yaml
index 13bb57e5e0..ca74cace9d 100644
--- a/assets/tuned/manifests/ds-tuned.yaml
+++ b/assets/tuned/manifests/ds-tuned.yaml
@@ -71,8 +71,8 @@ spec:
           name: var-lib-kubelet
           mountPropagation: HostToContainer
           readOnly: true
-        - mountPath: /host
-          name: host
+        - mountPath: /host/var/lib
+          name: host-var-lib
           mountPropagation: HostToContainer
         env:
           - name: WATCH_NAMESPACE
@@ -132,10 +132,10 @@ spec:
           path: /var/lib/kubelet
           type: Directory
         name: var-lib-kubelet
-      - name: host
-        hostPath:
-          path: /
+      - hostPath:
+          path: /var/lib
           type: Directory
+        name: host-var-lib
       dnsPolicy: ClusterFirst
       nodeSelector:
         kubernetes.io/os: linux
diff --git a/test/e2e/basic/metrics_cert_rotation.go b/test/e2e/basic/metrics_cert_rotation.go
index e38c4af1a8..e7ac4dd749 100644
--- a/test/e2e/basic/metrics_cert_rotation.go
+++ b/test/e2e/basic/metrics_cert_rotation.go
@@ -59,9 +59,8 @@ var _ = ginkgo.Describe("[basic][metrics] Node Tuning Operator certificate rotat
 				secretCertContents := string(tlsSecret.Data["tls.crt"])
 
 				operatorPodIP := operatorPod.Status.PodIP
-				// We need chroot because host may be using system libraries incompatible with the container
-				// image system libraries.  Alternatively, use container-shipped openssl.
-				opensslCmd := "/usr/sbin/chroot /host /usr/bin/openssl s_client -connect " + operatorPodIP + ":60000 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'"
+				// Use container-shipped openssl.
+				opensslCmd := "/usr/bin/openssl s_client -connect " + operatorPodIP + ":60000 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'"
 
 				serverCertContents, err := util.ExecCmdInPod(tunedPod, "/bin/bash", "-c", opensslCmd)
 				gomega.Expect(err).NotTo(gomega.HaveOccurred())
diff --git a/test/e2e/basic/sysctl_d_override.go b/test/e2e/basic/sysctl_d_override.go
index 67bcc78aa3..8bfaa8a6e8 100644
--- a/test/e2e/basic/sysctl_d_override.go
+++ b/test/e2e/basic/sysctl_d_override.go
@@ -38,9 +38,7 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 
 			if node != nil {
 				util.ExecAndLogCommand("oc", "label", "node", "--overwrite", node.Name, nodeLabelSysctlOverride+"-")
-			}
-			if pod != nil {
-				util.ExecAndLogCommand("oc", "exec", "-n", ntoconfig.WatchNamespace(), pod.Name, "--", "rm", sysctlFile)
+				util.ExecAndLogCommand("oc", "debug", fmt.Sprintf("no/%s", node.Name), "--", "rm", sysctlFile)
 			}
 			util.ExecAndLogCommand("oc", "delete", "-n", ntoconfig.WatchNamespace(), "-f", profileSysctlOverride)
 		})
@@ -72,7 +70,7 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By(fmt.Sprintf("writing %s override file on the host with %s=%s", sysctlFile, sysctlVar, sysctlValSet))
-			_, _, err = util.ExecAndLogCommand("oc", "exec", "-n", ntoconfig.WatchNamespace(), pod.Name, "--", "sh", "-c",
+			_, _, err = util.ExecAndLogCommand("oc", "debug", fmt.Sprintf("no/%s", node.Name), "--", "sh", "-c",
 				fmt.Sprintf("echo %s=%s > %s; sync %s", sysctlVar, sysctlValSet, sysctlFile, sysctlFile))
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
@@ -118,7 +116,7 @@ var _ = ginkgo.Describe("[basic][sysctl_d_override] Node Tuning Operator /etc/sy
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By(fmt.Sprintf("removing %s override file on the host", sysctlFile))
-			_, _, err = util.ExecAndLogCommand("oc", "exec", "-n", ntoconfig.WatchNamespace(), pod.Name, "--", "rm", sysctlFile)
+			_, _, err = util.ExecAndLogCommand("oc", "debug", fmt.Sprintf("no/%s", node.Name), "--", "rm", sysctlFile)
 			gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 			ginkgo.By(fmt.Sprintf("deleting Pod %s", pod.Name))
diff --git a/test/e2e/core/cluster_version.go b/test/e2e/core/cluster_version.go
index 7f9b550392..ba9add0897 100644
--- a/test/e2e/core/cluster_version.go
+++ b/test/e2e/core/cluster_version.go
@@ -17,7 +17,7 @@ var _ = ginkgo.Describe("[core][cluster_version] Node Tuning Operator host, cont
 		node *coreapi.Node
 	)
 
-	ginkgo.It("host, container OS and cluster version retrievable", func() {
+	ginkgo.It("container OS and cluster version retrievable", func() {
 		ginkgo.By("getting a list of worker nodes")
 		nodes, err := util.GetNodesByRole(cs, "worker")
 		gomega.Expect(err).NotTo(gomega.HaveOccurred())
@@ -28,13 +28,8 @@ var _ = ginkgo.Describe("[core][cluster_version] Node Tuning Operator host, cont
 		pod, err := util.GetTunedForNode(cs, node)
 		gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
-		ginkgo.By(fmt.Sprintf("getting the host OS version on node %s", node.Name))
-		out, err := util.ExecCmdInPod(pod, "cat", "/host/etc/os-release")
-		gomega.Expect(err).NotTo(gomega.HaveOccurred())
-		util.Logf("%s", out)
-
 		ginkgo.By("getting the TuneD container OS version")
-		out, err = util.ExecCmdInPod(pod, "cat", "/etc/os-release")
+		out, err := util.ExecCmdInPod(pod, "cat", "/etc/os-release")
 		gomega.Expect(err).NotTo(gomega.HaveOccurred())
 		util.Logf("%s", out)