From 9e982bbc41f1fca2fe7458d3722705b44bc18ac2 Mon Sep 17 00:00:00 2001 From: N Balachandran Date: Thu, 30 Dec 2021 17:38:23 +0530 Subject: [PATCH 1/3] feat: add scc resource manager Bundle manifests cannot include SCCs.The SCCs required by the topolvm-node and vgmanager have to be created post the operator installation by the LVM operator. Signed-off-by: N Balachandran --- controllers/lvmcluster_controller.go | 52 +++++++- controllers/scc.go | 180 +++++++++++++++++++++++++++ go.mod | 2 + go.sum | 22 ++++ main.go | 7 +- 5 files changed, 257 insertions(+), 6 deletions(-) create mode 100644 controllers/scc.go
diff --git a/controllers/lvmcluster_controller.go b/controllers/lvmcluster_controller.go
index d550bea32..36bdf007e 100644
--- a/controllers/lvmcluster_controller.go
+++ b/controllers/lvmcluster_controller.go
@@ -21,8 +21,10 @@ import (
 "fmt"
 "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "github.com/go-logr/logr"
+ secv1client "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1"
 lvmv1alpha1 "github.com/red-hat-storage/lvm-operator/api/v1alpha1"
 "k8s.io/apimachinery/pkg/runtime"
 ctrl "sigs.k8s.io/controller-runtime"
@@ -36,19 +38,31 @@ var lvmClusterFinalizer = "lvmcluster.topolvm.io"
 const (
 ControllerName = "lvmcluster-controller"
+
+ openshiftSCCPrivilegedName = "privileged"
+)
+
+type ClusterType string
+
+const (
+ ClusterTypeOCP ClusterType = "openshift"
+ ClusterTypeOther ClusterType = "other"
 )
 // LVMClusterReconciler reconciles a LVMCluster object
 type LVMClusterReconciler struct {
 client.Client
- Scheme *runtime.Scheme
- Log logr.Logger
+ Scheme *runtime.Scheme
+ Log logr.Logger
+ ClusterType ClusterType
+ SecurityClient secv1client.SecurityV1Interface
 }
 //+kubebuilder:rbac:groups=lvm.topolvm.io,resources=lvmclusters,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=lvm.topolvm.io,resources=lvmclusters/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=lvm.topolvm.io,resources=lvmclusters/finalizers,verbs=update
+//+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;create;update;delete
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -74,7 +88,11 @@ func (r *LVMClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 // Error reading the object - requeue the request.
 return ctrl.Result{}, err
 }
-
+ err = r.checkIfOpenshift(ctx)
+ if err != nil {
+ r.Log.Error(err, "failed to check cluster type")
+ return ctrl.Result{}, err
+ }
 result, reconcileError := r.reconcile(ctx, lvmCluster)
 // Apply status changes
@@ -100,6 +118,7 @@ func (r *LVMClusterReconciler) reconcile(ctx context.Context, instance *lvmv1alp
 resourceList := []resourceManager{
 &csiDriver{},
 &topolvmController{},
+ &openshiftSccs{},
 &topolvmNode{},
 &vgManager{},
 &topolvmStorageClass{},
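Review bot: The new kubebuilder marker in the first hunk grants `update` on securitycontextconstraints, but nothing in this series calls Update (scc.go's ensureCreated deliberately leaves an existing SCC untouched), so the operator's ClusterRole is wider than the code needs; the identical verb list is repeated in config/rbac/role.yaml in the second patch. Either drop `update` from both until drift in the two managed SCCs is actually reconciled, or add that reconciliation so the verb is earned. If the marker generator in use supports `resourceNames`, `get` and `delete` could additionally be scoped to `privileged`, `odf-lvm-topolvm-node` and `odf-lvm-vgmanager` (create cannot be name-scoped), which limits what a compromised operator service account can do to other SCCs. Note also that the new `ClusterType` field is written from Reconcile without synchronization; that is fine at the default of one concurrent reconcile but becomes a data race if MaxConcurrentReconciles is raised, so a short comment stating that assumption would help.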
@@ -179,3 +198,30 @@ type resourceManager interface {
 // status that changes only when the operands change.
 updateStatus(*LVMClusterReconciler, context.Context, *lvmv1alpha1.LVMCluster) error
 }
+
+// checkIfOpenshift checks to see if the operator is running on an OCP cluster.
+// It does this by querying for the "privileged" SCC which exists on all OCP clusters.
+func (r *LVMClusterReconciler) checkIfOpenshift(ctx context.Context) error {
+ if r.ClusterType == "" {
+ // cluster type has not been determined yet
+ // Check if the privileged SCC exists on the cluster (this is one of the default SCCs)
+ _, err := r.SecurityClient.SecurityContextConstraints().Get(ctx, openshiftSCCPrivilegedName, metav1.GetOptions{})
+ if err != nil {
+ if errors.IsNotFound(err) {
+ // Not an Openshift cluster
+ r.ClusterType = ClusterTypeOther
+ } else {
+ // Something went wrong
+ r.Log.Error(err, "failed to get SCC", "Name", openshiftSCCPrivilegedName)
+ return err
+ }
+ } else {
+ r.ClusterType = ClusterTypeOCP
+ }
+ }
+ return nil
+}
+
+func IsOpenshift(r *LVMClusterReconciler) bool {
+ return r.ClusterType == ClusterTypeOCP
+}
diff --git a/controllers/scc.go b/controllers/scc.go
new file mode 100644
index 000000000..bb6fdf32c
--- /dev/null
+++ b/controllers/scc.go
@@ -0,0 +1,180 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+ "fmt"
+
+ secv1 "github.com/openshift/api/security/v1"
+ lvmv1alpha1 "github.com/red-hat-storage/lvm-operator/api/v1alpha1"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+ sccName = "topolvm-scc"
+)
+
+type openshiftSccs struct{}
+
+// openshiftSccs unit satisfies resourceManager interface
+var _ resourceManager = openshiftSccs{}
+
+func (c openshiftSccs) getName() string {
+ return sccName
+}
+
+func (c openshiftSccs) ensureCreated(r *LVMClusterReconciler, ctx context.Context, lvmCluster *lvmv1alpha1.LVMCluster) error {
+ if !IsOpenshift(r) {
+ r.Log.Info("not creating SCCs as this is not an Openshift cluster")
+ return nil
+ }
+ sccs := getAllSCCs(lvmCluster.Namespace)
+ for _, scc := range sccs {
+ _, err := r.SecurityClient.SecurityContextConstraints().Get(ctx, scc.Name, metav1.GetOptions{})
+ if err != nil && errors.IsNotFound(err) {
+ r.Log.Info("creating SecurityContextConstraint", "SecurityContextConstraint", scc.Name)
+ _, err := r.SecurityClient.SecurityContextConstraints().Create(ctx, scc, metav1.CreateOptions{})
+ if err != nil {
+ return fmt.Errorf("failed to create SCC %q: %v", scc.Name, err)
+ }
+ } else if err == nil {
+ // Don't update the SCC
+ r.Log.Info("already exists", "SecurityContextConstraint", scc.Name)
+ } else {
+ r.Log.Error(err, "Something went wrong when checking for SecurityContextConstraint", "SecurityContextConstraint", scc.Name)
+ return fmt.Errorf("something went wrong when checking for SCC %q: %v", scc.Name, err)
+ }
+ }
+
+ return nil
+}
+
+func (c openshiftSccs) ensureDeleted(r *LVMClusterReconciler, ctx context.Context, lvmCluster *lvmv1alpha1.LVMCluster) error {
+ if IsOpenshift(r) {
+ var err error
+ sccs := getAllSCCs(lvmCluster.Namespace)
+ for _, scc := range sccs {
+ err = r.SecurityClient.SecurityContextConstraints().Delete(ctx, scc.Name, metav1.DeleteOptions{})
+ if err != nil {
+ if errors.IsNotFound(err) {
+ r.Log.Info("SecurityContextConstraint is already deleted", "SecurityContextConstraint", scc.Name)
+ return nil
+ } else {
+ r.Log.Error(err, "failed to delete SecurityContextConstraint", "SecurityContextConstraint", scc.Name)
+ }
+ }
+ }
+ }
+ return nil
+}
+
+func (c openshiftSccs) updateStatus(r *LVMClusterReconciler, ctx context.Context, lvmCluster *lvmv1alpha1.LVMCluster) error {
+ // intentionally empty
+ return nil
+}
+
+func getAllSCCs(namespace string) []*secv1.SecurityContextConstraints {
+ return []*secv1.SecurityContextConstraints{
+ newTopolvmNodeScc(namespace),
+ newVGManagerScc(namespace),
+ }
+}
+
+func newTopolvmNodeScc(namespace string) *secv1.SecurityContextConstraints {
+ scc := &secv1.SecurityContextConstraints{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "security.openshift.io/v1",
+ Kind: "SecurityContextConstraints",
+ },
+ }
+ scc.Name = "odf-lvm-topolvm-node"
+ scc.AllowPrivilegedContainer = true
+ scc.AllowHostNetwork = false
+ scc.AllowHostDirVolumePlugin = true
+ scc.AllowHostPorts = false
+ scc.AllowHostPID = true
+ scc.AllowHostIPC = false
+ scc.ReadOnlyRootFilesystem = false
+ scc.RequiredDropCapabilities = []corev1.Capability{}
+ scc.RunAsUser = secv1.RunAsUserStrategyOptions{
+ Type: secv1.RunAsUserStrategyRunAsAny,
+ }
+ scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{
+ Type: secv1.SELinuxStrategyRunAsAny,
+ }
+ scc.FSGroup = secv1.FSGroupStrategyOptions{
+ Type: secv1.FSGroupStrategyRunAsAny,
+ }
+ scc.SupplementalGroups = secv1.SupplementalGroupsStrategyOptions{
+ Type: secv1.SupplementalGroupsStrategyRunAsAny,
+ }
+ scc.Volumes = []secv1.FSType{
+ secv1.FSTypeConfigMap,
+ secv1.FSTypeEmptyDir,
+ secv1.FSTypeHostPath,
+ secv1.FSTypeSecret,
+ }
+ scc.Users = []string{
+ fmt.Sprintf("system:serviceaccount:%s:%s", namespace, TopolvmNodeServiceAccount),
+ }
+
+ return scc
+}
+
+func newVGManagerScc(namespace string) *secv1.SecurityContextConstraints {
+ scc := &secv1.SecurityContextConstraints{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "security.openshift.io/v1",
+ Kind: "SecurityContextConstraints",
+ },
+ }
+ scc.Name = "odf-lvm-vgmanager"
+ scc.AllowPrivilegedContainer = true
+ scc.AllowHostNetwork = false
+ scc.AllowHostDirVolumePlugin = true
+ scc.AllowHostPorts = false
+ scc.AllowHostPID = true
+ scc.AllowHostIPC = true
+ scc.ReadOnlyRootFilesystem = false
+ scc.RequiredDropCapabilities = []corev1.Capability{}
+ scc.RunAsUser = secv1.RunAsUserStrategyOptions{
+ Type: secv1.RunAsUserStrategyRunAsAny,
+ }
+ scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{
+ Type: secv1.SELinuxStrategyMustRunAs,
+ }
+ scc.FSGroup = secv1.FSGroupStrategyOptions{
+ Type: secv1.FSGroupStrategyMustRunAs,
+ }
+ scc.SupplementalGroups = secv1.SupplementalGroupsStrategyOptions{
+ Type: secv1.SupplementalGroupsStrategyRunAsAny,
+ }
+ scc.Volumes = []secv1.FSType{
+ secv1.FSTypeConfigMap,
+ secv1.FSTypeEmptyDir,
+ secv1.FSTypeHostPath,
+ secv1.FSTypeSecret,
+ }
+ scc.Users = []string{
+ fmt.Sprintf("system:serviceaccount:%s:%s", namespace, VGManagerServiceAccount),
+ }
+
+ return scc
+}
diff --git a/go.mod b/go.mod
index 84c99835d..613087fea 100644
--- a/go.mod
+++ b/go.mod
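Review bot: `ensureDeleted` returns nil as soon as one SCC is already gone, so when `odf-lvm-topolvm-node` is missing the loop never reaches `odf-lvm-vgmanager`, and any other Delete error is only logged before the function still returns nil, letting the caller (presumably the finalizer path) proceed with SCCs left behind on the cluster. The NotFound case should `continue` and other errors should be returned, as sketched below; using `%w` instead of `%v` in the Errorf calls here and in ensureCreated would also keep `errors.IsNotFound` usable by callers. Separately, `newVGManagerScc` sets `AllowHostIPC = true` while the node SCC and the deleted topolvm_node_scc.yaml keep it false, and neither constructor carries the `kubernetes.io/description` annotation the old manifest had; a one-line comment on why vgmanager needs host IPC, or dropping it if it does not, would make these privileges reviewable. Since ensureCreated never updates an existing SCC, a later manual edit that widens either SCC is never reverted by the operator, which is worth a comment next to the "Don't update the SCC" branch.
```go
func (c openshiftSccs) ensureDeleted(r *LVMClusterReconciler, ctx context.Context, lvmCluster *lvmv1alpha1.LVMCluster) error {
	if !IsOpenshift(r) {
		return nil
	}
	for _, scc := range getAllSCCs(lvmCluster.Namespace) {
		err := r.SecurityClient.SecurityContextConstraints().Delete(ctx, scc.Name, metav1.DeleteOptions{})
		switch {
		case err == nil:
			continue
		case errors.IsNotFound(err):
			// Already gone; keep going so the remaining SCCs are still removed.
			r.Log.Info("SecurityContextConstraint is already deleted", "SecurityContextConstraint", scc.Name)
			continue
		default:
			return fmt.Errorf("failed to delete SCC %q: %w", scc.Name, err)
		}
	}
	return nil
}
```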
@@ -7,6 +7,8 @@ require ( github.com/google/go-cmp v0.5.6 github.com/onsi/ginkgo v1.16.4 github.com/onsi/gomega v1.15.0 + github.com/openshift/api v0.0.0-20211028023115-7224b732cc14 + github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 github.com/topolvm/topolvm v0.10.3 gotest.tools/v3 v3.0.3 k8s.io/api v0.22.2 diff --git a/go.sum b/go.sum index f5d6e019a..64119678e 100644 --- a/go.sum +++ b/go.sum @@ -132,6 +132,11 @@ github.com/cybozu-go/netutil v1.2.0 h1:UBO0+hB43zd5mIXRfD195eBMHvgWlHP2mYuQ2F5Yx github.com/cybozu-go/netutil v1.2.0/go.mod h1:Wx92iF1dPrtuSzLUMEidtrKTFiDWpLcsYvbQ1lHSmxY= github.com/cybozu-go/well v1.10.0 h1:UuZO0Dxa5xf/4vBbNOH325Y+h04IsHGn6qpV6b6NYqY= github.com/cybozu-go/well v1.10.0/go.mod h1:OQdjEXQpbG+kSgEF3t3IYUx5y1R4qeBGvzL4gmi61qE= +github.com/dave/dst v0.26.2/go.mod h1:UMDJuIRPfyUCC78eFuB+SV/WI8oDeyFDvM/JR6NI3IU= +github.com/dave/gopackages v0.0.0-20170318123100-46e7023ec56e/go.mod h1:i00+b/gKdIDIxuLDFob7ustLAVqhsZRk2qVZrArELGQ= +github.com/dave/jennifer v1.2.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg= +github.com/dave/kerr v0.0.0-20170318121727-bc25dd6abe8e/go.mod h1:qZqlPyPvfsDJt+3wHJ1EvSXDuVjFTK0j2p/ca+gtsb8= +github.com/dave/rebecca v0.9.1/go.mod h1:N6XYdMD/OKw3lkF3ywh8Z6wPGuwNFDNtWYEMFWEmXBA= github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -256,6 +261,7 @@ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/pprof v0.0.0-20181127221834-b4f47329b966/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -411,6 +417,12 @@ github.com/onsi/gomega v1.10.4/go.mod h1:g/HbgYopi++010VEqkFgJHKC09uJiW9UkXvMUuK github.com/onsi/gomega v1.14.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU= github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= +github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= +github.com/openshift/api v0.0.0-20211028023115-7224b732cc14 h1:kVSPSHkiepEIqFSVpDye5b8a8nu5tHsbmyLyeFHtLh4= +github.com/openshift/api v0.0.0-20211028023115-7224b732cc14/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= +github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= +github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 h1:iKVU5Tga76kiCWpq9giPi0TfI/gZcFoYb7/x+1SkgwM= +github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= 
@@ -461,6 +473,7 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= @@ -560,6 +573,7 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.19.0 h1:mZQZefskPPCMIBCSEH0v2/iUqqLrYtaeqwD6FUGUnFE= go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= +golang.org/x/arch v0.0.0-20180920145803-b19384d3c130/go.mod h1:cYlCBUl1MsqxdiKgmc4uh7TxZfWSFLOGSRR090WDxt8= golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 
@@ -685,6 +699,7 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180903190138-2b024373dcd9/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -808,6 +823,7 @@ golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjs golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 
@@ -963,6 +979,7 @@ gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= 
@@ -989,15 +1006,19 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY= k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw= k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8= k8s.io/apiextensions-apiserver v0.22.2 h1:zK7qI8Ery7j2CaN23UCFaC1hj7dMiI87n01+nKuewd4= k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA= +k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk= k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI= +k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk= k8s.io/client-go v0.22.2 h1:DaSQgs02aCC1QcwUdkKZWOeaVsQjYvWv8ZazcZ6JcHc= k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U= +k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= k8s.io/component-base v0.22.2 h1:vNIvE0AIrLhjX8drH0BgCNJcR4QZxMXcJzBsDplDx9M= k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug= 
@@ -1015,6 +1036,7 @@ k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= k8s.io/mount-utils v0.22.2/go.mod h1:dHl6c2P60T5LHUnZxVslyly9EDCMzvhtISO5aY+Z4sk= +k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g= k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/main.go b/main.go index be6a4d310..a9d4f8aec 100644 --- a/main.go +++ b/main.go @@ -32,6 +32,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + secv1client "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" lvmv1alpha1 "github.com/red-hat-storage/lvm-operator/api/v1alpha1" "github.com/red-hat-storage/lvm-operator/controllers" //+kubebuilder:scaffold:imports @@ -45,7 +46,6 @@ var ( func init() { utilruntime.Must(clientgoscheme.AddToScheme(scheme)) - utilruntime.Must(lvmv1alpha1.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme } @@ -88,8 +88,9 @@ func main() { } if err = (&controllers.LVMClusterReconciler{ - Client: mgr.GetClient(), - Scheme: mgr.GetScheme(), + Client: mgr.GetClient(), + Scheme: mgr.GetScheme(), + SecurityClient: secv1client.NewForConfigOrDie(mgr.GetConfig()), }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "LVMCluster") os.Exit(1) From 948104b7443da746e7af8499d14e4087a4973365 Mon Sep 17 00:00:00 2001 
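Review bot: The reconciler literal in the last hunk sets SecurityClient but still leaves `Log` unset, whereas suite_test.go in the third patch populates it; the new code in checkIfOpenshift and scc.go calls `r.Log.Error` and `r.Log.Info` on every path, so unless SetupWithManager or other code outside this diff assigns Log, a zero-value logr.Logger is invoked at runtime, and with a logr v0.x release where Logger is still an interface that is a nil-pointer panic on the first reconcile of an OpenShift cluster. Adding `Log: ctrl.Log.WithName("controllers").WithName("LvmCluster"),` next to SecurityClient, mirroring the test suite, closes that gap; alternatively the controller could take its logger from `ctrl.LoggerFrom(ctx)` and drop the field. The single `-` line in the init() hunk reads as a dropped blank line, but if it is instead the `lvmv1alpha1.AddToScheme` registration being removed, the manager can no longer watch LVMCluster and that needs a second look.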
From: N Balachandran Date: Thu, 30 Dec 2021 17:39:24 +0530 Subject: [PATCH 2/3] feat: updates the rbacs for sccs This commit removes the topolvm-node and vgmanager specific scc related rbacs from config/ and includes the changes required for the lvm controller to create the required SCCs programatically. Signed-off-by: N Balachandran --- config/rbac/kustomization.yaml | 5 ---- config/rbac/role.yaml | 9 ++++++ config/rbac/topolvm_node_scc.yaml | 29 ------------------- config/rbac/topolvm_node_scc_role.yaml | 13 --------- .../rbac/topolvm_node_scc_role_bindings.yaml | 12 -------- config/rbac/vg_manager_role.yaml | 8 ----- 6 files changed, 9 insertions(+), 67 deletions(-) delete mode 100644 config/rbac/topolvm_node_scc.yaml delete mode 100644 config/rbac/topolvm_node_scc_role.yaml delete mode 100644 config/rbac/topolvm_node_scc_role_bindings.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 538517c20..3f85e52f4 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -17,10 +17,6 @@ resources:
 - topolvm_node_service_account.yaml
 - topolvm_node_role.yaml
 - topolvm_node_role_bindings.yaml
-# topolvm-node scc
-- topolvm_node_scc.yaml
-- topolvm_node_scc_role.yaml
-- topolvm_node_scc_role_bindings.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
@@ -31,4 +27,3 @@ resources:
 - vg_manager_role.yaml
 - vg_manager_role_binding.yaml
 - vg_manager_service_account.yaml
-- vg_manager_scc.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 5a5328a40..0802d9dca 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -55,6 +55,15 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - create
+ - delete
+ - get
+ - update
 - apiGroups:
 - storage.k8s.io
 resources:
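Review bot: The second kustomization hunk drops `vg_manager_scc.yaml` from the resource list, but unlike the three topolvm_node_scc* files this series never deletes that file (it is absent from the diffstat), leaving an unreferenced SCC manifest in config/rbac that later readers may assume is still applied. Delete it alongside the others, or add a comment in the kustomization saying why it stays. It is also worth stating in the commit message that removing these manifests does not remove the `topolvm-node` SCC or the `topolvm-node-scc` ClusterRole and ClusterRoleBinding from clusters that were installed from the old config, and that the operator now creates differently named SCCs (`odf-lvm-topolvm-node`, `odf-lvm-vgmanager`), so upgraded clusters keep the stale objects unless something else cleans them up.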
diff --git a/config/rbac/topolvm_node_scc.yaml b/config/rbac/topolvm_node_scc.yaml
deleted file mode 100644
index 1131a37b6..000000000
--- a/config/rbac/topolvm_node_scc.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-kind: SecurityContextConstraints
-apiVersion: security.openshift.io/v1
-metadata:
- name: topolvm-node
- annotations:
- kubernetes.io/description: 'topolvm-node allows access to host
- features and the ability to run as any user, any group, any fsGroup, and with
- any SELinux context. Use this SCC only for topolvm node daemonset'
-allowHostDirVolumePlugin: true # Needed for volumes
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: true # lvmd needs to see pid 1
-allowHostPorts: false
-allowPrivilegeEscalation: true # topolvm node uses privileged containers
-allowPrivilegedContainer: true
-readOnlyRootFilesystem: false
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: RunAsAny
-fsGroup:
- type: RunAsAny
-supplementalGroups:
- type: RunAsAny
-volumes:
- - 'configMap'
- - 'emptyDir'
- - 'secret'
- - 'hostPath'
diff --git a/config/rbac/topolvm_node_scc_role.yaml b/config/rbac/topolvm_node_scc_role.yaml
deleted file mode 100644
index 1e7b1ce9f..000000000
--- a/config/rbac/topolvm_node_scc_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: topolvm-node-scc
-rules:
-- apiGroups:
- - security.openshift.io
- resources:
- - securitycontextconstraints
- verbs:
- - use
- resourceNames:
- - topolvm-node
diff --git a/config/rbac/topolvm_node_scc_role_bindings.yaml b/config/rbac/topolvm_node_scc_role_bindings.yaml
deleted file mode 100644
index 2bebc03cd..000000000
--- a/config/rbac/topolvm_node_scc_role_bindings.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: topolvm-node-scc
-subjects:
- - kind: ServiceAccount
- name: topolvm-node
- namespace: system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: topolvm-node-scc
diff --git a/config/rbac/vg_manager_role.yaml b/config/rbac/vg_manager_role.yaml
index a9e2b1539..f876cb844 100644
--- a/config/rbac/vg_manager_role.yaml
+++ b/config/rbac/vg_manager_role.yaml
@@ -33,11 +33,3 @@ rules:
 - get
 - patch
 - update
-- apiGroups:
- security.openshift.io
- resourceNames:
- - vg-manager
- resources:
- - securitycontextconstraints
- verbs:
- - use
From 967f03f3f0520a18744182994e897a0929b9c28f Mon Sep 17 00:00:00 2001 From: N Balachandran Date: Thu, 30 Dec 2021 17:40:15 +0530 Subject: [PATCH 3/3] tests: updates env tests Updated the env tests with scc changes. Signed-off-by: N Balachandran --- controllers/suite_test.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/controllers/suite_test.go b/controllers/suite_test.go
index 4b5eac62d..5c5449009 100644
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -33,6 +33,7 @@ import (
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
+ secv1client "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1"
 lvmv1alpha1 "github.com/red-hat-storage/lvm-operator/api/v1alpha1"
 //+kubebuilder:scaffold:imports
 )
@@ -96,9 +97,10 @@ var _ = BeforeSuite(func() {
 Expect(k8sClient.Create(ctx, testNamespace)).Should(Succeed())
 err = (&LVMClusterReconciler{
- Client: k8sManager.GetClient(),
- Scheme: k8sManager.GetScheme(),
- Log: ctrl.Log.WithName("controllers").WithName("LvmCluster"),
+ Client: k8sManager.GetClient(),
+ Scheme: k8sManager.GetScheme(),
+ SecurityClient: secv1client.NewForConfigOrDie(k8sManager.GetConfig()),
+ Log: ctrl.Log.WithName("controllers").WithName("LvmCluster"),
 }).SetupWithManager(k8sManager)
 Expect(err).ToNot(HaveOccurred())
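Review bot: Wiring SecurityClient into the envtest reconciler makes the suite compile, but envtest serves only the CRDs it is given, so unless an SCC definition is loaded (none is added in this series) `checkIfOpenshift` will get NotFound, cache ClusterTypeOther, and the new create/delete code in scc.go is never executed by these tests despite the commit title. A targeted unit test built on the fake clientset that ships with the generated security client, asserting that ensureCreated creates both SCCs with the expected `system:serviceaccount:<namespace>:<sa>` entry in `Users` and that ensureDeleted removes both even when the first is already gone, would cover the path that actually matters. The enclosing BeforeSuite function continues outside the hunk.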