controllers: create SCCs on Openshift #52
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
main.go
Outdated
| Scheme: mgr.GetScheme(), | ||
| Client: mgr.GetClient(), | ||
| Scheme: mgr.GetScheme(), | ||
| IsOpenshift: true, |
There was a problem hiding this comment.
- any possibility to avoid this, since secv1 is just another api, if there's any possibility to check the availability of that api and set this option?
There was a problem hiding this comment.
Openshift requires that this api be used for security.
There was a problem hiding this comment.
- I meant it differently, yes OCP uses this api for security, my ask here is, can this not be hardcoded and set the value based on api availability?
| @@ -0,0 +1,169 @@ | |||
| /* | |||
There was a problem hiding this comment.
- please add this as one of resource unit, just reminding
| limitations under the License. | ||
| */ | ||
|
|
||
| package controllers |
There was a problem hiding this comment.
can you try below once?
diff --git a/controllers/scc.go b/controllers/scc.go
index a987590..f0a9d62 100644
--- a/controllers/scc.go
+++ b/controllers/scc.go
@@ -45,17 +45,17 @@ func (c openshiftSccs) ensureCreated(r *LVMClusterReconciler, ctx context.Contex
sccs := getAllSCCs(lvmCluster.Namespace)
for _, scc := range sccs {
- found, err := r.SecurityClient.SecurityContextConstraints().Get(scc.Name, metav1.GetOptions{})
+ found, err := r.SecurityClient.SecurityContextConstraints().Get(ctx, scc.Name, metav1.GetOptions{})
if err != nil && errors.IsNotFound(err) {
r.Log.Info("Creating SecurityContextConstraint.", "SecurityContextConstraint", scc.Name)
- _, err := r.SecurityClient.SecurityContextConstraints().Create(scc)
+ _, err := r.SecurityClient.SecurityContextConstraints().Create(ctx, scc, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("unable to create SCC %+v: %v", scc, err)
}
} else if err == nil {
scc.ObjectMeta = found.ObjectMeta
r.Log.Info("Updating SecurityContextConstraint.", "SecurityContextConstraint", scc.Name)
- _, err := r.SecurityClient.SecurityContextConstraints().Update(scc)
+ _, err := r.SecurityClient.SecurityContextConstraints().Update(ctx, scc, metav1.UpdateOptions{})
if err != nil {
r.Log.Error(err, "Unable to update SecurityContextConstraint.", "SecurityContextConstraint", scc.Name)
return fmt.Errorf("unable to update SCC %+v: %v", scc, err)There was a problem hiding this comment.
That was what I had originally but that did not match the v3.9 signatures
There was a problem hiding this comment.
It does work with the updated packages .
go.mod
Outdated
| @@ -7,6 +7,8 @@ require ( | |||
| github.com/google/go-cmp v0.5.6 | |||
| github.com/onsi/ginkgo v1.16.4 | |||
| github.com/onsi/gomega v1.15.0 | |||
| github.com/openshift/api v3.9.0+incompatible | |||
There was a problem hiding this comment.
can you try with below?
diff --git a/go.mod b/go.mod
index ddfee36..613087f 100644
--- a/go.mod
+++ b/go.mod
@@ -7,8 +7,8 @@ require (
github.com/google/go-cmp v0.5.6
github.com/onsi/ginkgo v1.16.4
github.com/onsi/gomega v1.15.0
- github.com/openshift/api v3.9.0+incompatible
- github.com/openshift/client-go v3.9.0+incompatible
+ github.com/openshift/api v0.0.0-20211028023115-7224b732cc14
+ github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7
github.com/topolvm/topolvm v0.10.3
gotest.tools/v3 v3.0.3
k8s.io/api v0.22.2- above is the result of
-> go get github.com/openshift/[email protected]
-> go get github.com/openshift/[email protected]
There was a problem hiding this comment.
That works. Thanks.
controllers/scc.go
Outdated
|
|
||
| func (c openshiftSccs) ensureCreated(r *LVMClusterReconciler, ctx context.Context, lvmCluster *lvmv1alpha1.LVMCluster) error { | ||
| if r.IsOpenshift == true { | ||
|
|
controllers/scc.go
Outdated
| r.Log.Info("Updating SecurityContextConstraint.", "SecurityContextConstraint", scc.Name) | ||
| _, err := r.SecurityClient.SecurityContextConstraints().Update(scc) | ||
| if err != nil { | ||
| r.Log.Error(err, "Unable to update SecurityContextConstraint.", "SecurityContextConstraint", scc.Name) |
There was a problem hiding this comment.
| r.Log.Error(err, "Unable to update SecurityContextConstraint.", "SecurityContextConstraint", scc.Name) | |
| r.Log.Error(err, "failed to update SecurityContextConstraint.", "SecurityContextConstraint", scc.Name) |
just to be consistent with other error messages.
controllers/scc.go
Outdated
| _, err := r.SecurityClient.SecurityContextConstraints().Update(scc) | ||
| if err != nil { | ||
| r.Log.Error(err, "Unable to update SecurityContextConstraint.", "SecurityContextConstraint", scc.Name) | ||
| return fmt.Errorf("unable to update SCC %+v: %v", scc, err) |
There was a problem hiding this comment.
| return fmt.Errorf("unable to update SCC %+v: %v", scc, err) | |
| return fmt.Errorf("failed to update SCC %q: %v", scc.Name, err) |
controllers/scc.go
Outdated
| } | ||
| } else { | ||
| r.Log.Error(err, "Something went wrong when checking for SecurityContextConstraint.", "SecurityContextConstraint", scc.Name) | ||
| return fmt.Errorf("something went wrong when checking for SCC %+v: %v", scc, err) |
There was a problem hiding this comment.
| return fmt.Errorf("something went wrong when checking for SCC %+v: %v", scc, err) | |
| return fmt.Errorf("something went wrong when checking for SCC %q: %v", scc.Name, err) |
controllers/scc.go
Outdated
| } | ||
|
|
||
| func (c openshiftSccs) updateStatus(r *LVMClusterReconciler, ctx context.Context, lvmCluster *lvmv1alpha1.LVMCluster) error { | ||
| // intentionally empty as there'll be no status field on CSIDriver resource |
There was a problem hiding this comment.
need to update this comment for SCC.
nbalacha
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/unhold |
openshift-ci
bot
removed
the
do-not-merge/hold
|
Cannot create SCCs using the ENV tests so skipping that for now. |
config/rbac/kustomization.yaml
Outdated
| #- topolvm_node_scc.yaml | ||
| #- topolvm_node_scc_role.yaml | ||
| #- topolvm_node_scc_role_bindings.yaml |
There was a problem hiding this comment.
as the files are deleted, better remove these lines rather than commenting them?
| Kind: "SecurityContextConstraints", | ||
| }, | ||
| } | ||
| scc.Name = "odf-lvm-topolvm-node" |
There was a problem hiding this comment.
is the prefix odf intentional here?
There was a problem hiding this comment.
Yes. SCCs will be created only on Openshift so Odf is fine.
| Kind: "SecurityContextConstraints", | ||
| }, | ||
| } | ||
| scc.Name = "odf-lvm-vgmanager" |
controllers/lvmcluster_controller.go
Outdated
| // It does this by querying for the "privileged" SCC which exists on all OCP clusters. | ||
| func (r *LVMClusterReconciler) checkIfOpenshift(ctx context.Context) error { | ||
| if r.ClusterType == "" { | ||
| //has not been determined yet |
There was a problem hiding this comment.
| //has not been determined yet | |
| // has not been determined yet |
controllers/scc.go
Outdated
| return fmt.Errorf("failed to create SCC %q: %v", scc.Name, err) | ||
| } | ||
| } else if err == nil { | ||
| //Don't update the SCC |
There was a problem hiding this comment.
| //Don't update the SCC | |
| // Don't update the SCC |
|
|
||
| const ( | ||
| ClusterTypeOCP ClusterType = "openshift" | ||
| ClusterTypeOther ClusterType = "other" |
There was a problem hiding this comment.
do we really need other option here? I think only ClusterTypeOCP should do the job.
There was a problem hiding this comment.
other looks a bit ambiguous as well
There was a problem hiding this comment.
It is set to a value to indicate that the check has been performed and a result has been received.
controllers/lvmcluster_controller.go
Outdated
|
|
||
| err = r.checkIfOpenshift(ctx) | ||
| if err != nil { | ||
| //Ignore the error for now |
There was a problem hiding this comment.
| //Ignore the error for now | |
| // Ignore the error for now |
There was a problem hiding this comment.
why ignore the error? error should be propagated if we can't detect the platform, IMO.
There was a problem hiding this comment.
For non-Openshift clusters it should still work so take a chance and go ahead?
Bundle manifests cannot include SCCs.The SCCs required by the topolvm-node and vgmanager have to be created post the operator installation by the LVM operator. Signed-off-by: N Balachandran <[email protected]>
This commit removes the topolvm-node and vgmanager specific scc related rbacs from config/ and includes the changes required for the lvm controller to create the required SCCs programatically. Signed-off-by: N Balachandran <[email protected]>
Updated the env tests with scc changes. Signed-off-by: N Balachandran <[email protected]>
|
/approve |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: leelavg, nbalacha, sp98 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Create SCCs for topolvm-node and vgmanager on openshift.
Signed-off-by: N Balachandran [email protected]