Changed trident-controller-scc priority from 10 to null and added SCC…

… yaml generation
NetApp · Mar 27, 2024 · 9e0bc85 · 9e0bc85
1 parent 6d71d32
commit 9e0bc85
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 3 deletions.
diff --git a/cli/cmd/install.go b/cli/cmd/install.go
@@ -56,16 +56,19 @@ const (
 	ControllerServiceAccountFilename     = "trident-controller-serviceaccount.yaml"
 	ControllerPodSecurityPolicyFilename  = "trident-controller-podsecuritypolicy.yaml"
 	ControllerClusterRoleBindingFilename = "trident-controller-clusterrolebinding.yaml"
+	ControllerSCCFilename                = "trident-controller-scc.yaml"
 
 	NodeLinuxRoleFilename              = "trident-node-linux-role.yaml"
 	NodeLinuxRoleBindingFilename       = "trident-node-linux-rolebinding.yaml"
 	NodeLinuxServiceAccountFilename    = "trident-node-linux-serviceaccount.yaml"
 	NodeLinuxPodSecurityPolicyFilename = "trident-node-linux-podsecuritypolicy.yaml"
+	NodeLinuxSCCFilename               = "trident-node-linux-scc.yaml"
 
 	NodeWindowsRoleFilename              = "trident-node-windows-role.yaml"
 	NodeWindowsRoleBindingFilename       = "trident-node-windows-rolebinding.yaml"
 	NodeWindowsServiceAccountFilename    = "trident-node-windows-serviceaccount.yaml"
 	NodeWindowsPodSecurityPolicyFilename = "trident-node-windows-podsecuritypolicy.yaml"
+	NodeWindowsSCCFilename               = "trident-node-windows-scc.yaml"
 
 	CRDsFilename             = "trident-crds.yaml"
 	DaemonSetFilename        = "trident-daemonset.yaml"
@@ -150,6 +153,9 @@ var (
 	nodeLinuxPodSecurityPolicyPath   string
 	nodeWindowsPodSecurityPolicyPath string
 	resourceQuotaPath                string
+	controllerSCCPath                string
+	nodeLinuxSCCPath                 string
+	nodeWindowsSCCPath               string
 	setupYAMLPaths                   []string
 
 	appLabel      string
@@ -536,6 +542,13 @@ func prepareYAMLFilePaths() error {
 			nodeWindowsPodSecurityPolicyPath)
 	}
 
+	if client.Flavor() == k8sclient.FlavorOpenShift {
+		controllerSCCPath = path.Join(setupPath, ControllerSCCFilename)
+		nodeLinuxSCCPath = path.Join(setupPath, NodeLinuxSCCFilename)
+		nodeWindowsSCCPath = path.Join(setupPath, NodeWindowsSCCFilename)
+		setupYAMLPaths = append(setupYAMLPaths, controllerSCCPath, nodeLinuxSCCPath, nodeWindowsSCCPath)
+	}
+
 	return nil
 }
 
@@ -721,6 +734,23 @@ func prepareYAMLFiles() error {
 		}
 	}
 
+	// If OpenShift, generate corresponding SCCs
+	if client.Flavor() == k8sclient.FlavorOpenShift {
+		// Creating trident controller security context constraint (SCC)
+		controllerSCCYAML := k8sclient.GetOpenShiftSCCYAML(getControllerRBACResourceName(), getControllerRBACResourceName(), TridentPodNamespace, labels, nil,
+			isLinuxNodeSCCUser(getControllerRBACResourceName()))
+		if err = writeFile(controllerSCCPath, controllerSCCYAML); err != nil {
+			return fmt.Errorf("could not write controller SCC YAML file; %v", err)
+		}
+
+		// Creating trident node security context constraint (SCC)
+		nodeLinuxSCCYAML := k8sclient.GetOpenShiftSCCYAML(getNodeRBACResourceName(false), getNodeRBACResourceName(false), TridentPodNamespace, daemonSetlabels, nil,
+			isLinuxNodeSCCUser(getNodeRBACResourceName(false)))
+		if err = writeFile(nodeLinuxSCCPath, nodeLinuxSCCYAML); err != nil {
+			return fmt.Errorf("could not write node linux SCC YAML file; %v", err)
+		}
+	}
+
 	if windows {
 		daemonArgs = &k8sclient.DaemonsetYAMLArguments{
 			DaemonsetName:        getDaemonSetName(true),
@@ -775,6 +805,14 @@ func prepareYAMLFiles() error {
 				return fmt.Errorf("could not write node windows pod security policy YAML file; %v", err)
 			}
 		}
+
+		if client.Flavor() == k8sclient.FlavorOpenShift {
+			nodeWindowsSCCYAML := k8sclient.GetOpenShiftSCCYAML(getNodeRBACResourceName(true), getNodeRBACResourceName(true), TridentPodNamespace, daemonSetlabels, nil,
+				isLinuxNodeSCCUser(getNodeRBACResourceName(true)))
+			if err = writeFile(nodeWindowsSCCPath, nodeWindowsSCCYAML); err != nil {
+				return fmt.Errorf("could not write node windows SCC YAML file; %v", err)
+			}
+		}
 	}
 
 	return nil

diff --git a/cli/k8s_client/yaml_factory.go b/cli/k8s_client/yaml_factory.go
@@ -548,6 +548,8 @@ spec:
       labels:
         app: {LABEL_APP}
         {LABEL_IDENTITY}
+      annotations:
+        openshift.io/required-scc: {SERVICE_ACCOUNT}
     spec:
       serviceAccount: {SERVICE_ACCOUNT}
       containers:
@@ -913,6 +915,8 @@ spec:
     metadata:
       labels:
         app: {LABEL_APP}
+      annotations:
+        openshift.io/required-scc: {SERVICE_ACCOUNT}
     spec:
       serviceAccount: {SERVICE_ACCOUNT}
       hostNetwork: true
@@ -1115,6 +1119,8 @@ spec:
     metadata:
       labels:
         app: {LABEL_APP}
+      annotations:
+        openshift.io/required-scc: {SERVICE_ACCOUNT}
     spec:
       securityContext:
         windowsOptions:
@@ -1482,7 +1488,7 @@ defaultAddCapabilities: null
 fsGroup:
   type: RunAsAny
 groups: []
-priority: 10
+priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
 - MKNOD

diff --git a/cli/k8s_client/yaml_factory_test.go b/cli/k8s_client/yaml_factory_test.go
@@ -1135,7 +1135,6 @@ func TestGetOpenShiftSCCYAML_UnprivilegedUser(t *testing.T) {
 	namespace := "trident"
 	labels := map[string]string{"app": "controller.trident.netapp.io"}
 	crdDetails := map[string]string{"kind": "ReplicaSet"}
-	priority := int32(10)
 
 	expected := scc.SecurityContextConstraints{
 		TypeMeta: metav1.TypeMeta{
@@ -1168,7 +1167,7 @@ func TestGetOpenShiftSCCYAML_UnprivilegedUser(t *testing.T) {
 			Type: "RunAsAny",
 		},
 		Groups:                   []string{},
-		Priority:                 &priority,
+		Priority:                 nil,
 		ReadOnlyRootFilesystem:   false,
 		RequiredDropCapabilities: []v1.Capability{"MKNOD"},
 		RunAsUser: scc.RunAsUserStrategyOptions{