From 9e0bc85a417fbcbe428a8561d67c3cc22e0b6753 Mon Sep 17 00:00:00 2001
From: shashank-netapp <108022276+shashank-netapp@users.noreply.github.com>
Date: Wed, 27 Mar 2024 18:51:14 +0530
Subject: [PATCH] Changed trident-controller-scc priority from 10 to null and added SCC yaml generation

---
 cli/cmd/install.go | 38 +++++++++++++++++++++++++++++
 cli/k8s_client/yaml_factory.go | 8 +++++-
 cli/k8s_client/yaml_factory_test.go | 3 +--
 3 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/cli/cmd/install.go b/cli/cmd/install.go
index b680ac4ad..2c4b74f18 100644
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -56,16 +56,19 @@ const (
 ControllerServiceAccountFilename = "trident-controller-serviceaccount.yaml"
 ControllerPodSecurityPolicyFilename = "trident-controller-podsecuritypolicy.yaml"
 ControllerClusterRoleBindingFilename = "trident-controller-clusterrolebinding.yaml"
+ ControllerSCCFilename = "trident-controller-scc.yaml"
 NodeLinuxRoleFilename = "trident-node-linux-role.yaml"
 NodeLinuxRoleBindingFilename = "trident-node-linux-rolebinding.yaml"
 NodeLinuxServiceAccountFilename = "trident-node-linux-serviceaccount.yaml"
 NodeLinuxPodSecurityPolicyFilename = "trident-node-linux-podsecuritypolicy.yaml"
+ NodeLinuxSCCFilename = "trident-node-linux-scc.yaml"
 NodeWindowsRoleFilename = "trident-node-windows-role.yaml"
 NodeWindowsRoleBindingFilename = "trident-node-windows-rolebinding.yaml"
 NodeWindowsServiceAccountFilename = "trident-node-windows-serviceaccount.yaml"
 NodeWindowsPodSecurityPolicyFilename = "trident-node-windows-podsecuritypolicy.yaml"
+ NodeWindowsSCCFilename = "trident-node-windows-scc.yaml"
 CRDsFilename = "trident-crds.yaml"
 DaemonSetFilename = "trident-daemonset.yaml"
@@ -150,6 +153,9 @@ var (
 nodeLinuxPodSecurityPolicyPath string
 nodeWindowsPodSecurityPolicyPath string
 resourceQuotaPath string
+ controllerSCCPath string
+ nodeLinuxSCCPath string
+ nodeWindowsSCCPath string
 setupYAMLPaths []string
 appLabel string
@@ -536,6 +542,13 @@ func prepareYAMLFilePaths() error {
 nodeWindowsPodSecurityPolicyPath)
 }
+ if client.Flavor() == k8sclient.FlavorOpenShift {
+ controllerSCCPath = path.Join(setupPath, ControllerSCCFilename)
+ nodeLinuxSCCPath = path.Join(setupPath, NodeLinuxSCCFilename)
+ nodeWindowsSCCPath = path.Join(setupPath, NodeWindowsSCCFilename)
+ setupYAMLPaths = append(setupYAMLPaths, controllerSCCPath, nodeLinuxSCCPath, nodeWindowsSCCPath)
+ }
+
 return nil
 }
@@ -721,6 +734,23 @@ func prepareYAMLFiles() error {
 }
 }
+ // If OpenShift, generate corresponding SCCs
+ if client.Flavor() == k8sclient.FlavorOpenShift {
+ // Creating trident controller security context constraint (SCC)
+ controllerSCCYAML := k8sclient.GetOpenShiftSCCYAML(getControllerRBACResourceName(), getControllerRBACResourceName(), TridentPodNamespace, labels, nil,
+ isLinuxNodeSCCUser(getControllerRBACResourceName()))
+ if err = writeFile(controllerSCCPath, controllerSCCYAML); err != nil {
+ return fmt.Errorf("could not write controller SCC YAML file; %v", err)
+ }
+
+ // Creating trident node security context constraint (SCC)
+ nodeLinuxSCCYAML := k8sclient.GetOpenShiftSCCYAML(getNodeRBACResourceName(false), getNodeRBACResourceName(false), TridentPodNamespace, daemonSetlabels, nil,
+ isLinuxNodeSCCUser(getNodeRBACResourceName(false)))
+ if err = writeFile(nodeLinuxSCCPath, nodeLinuxSCCYAML); err != nil {
+ return fmt.Errorf("could not write node linux SCC YAML file; %v", err)
+ }
+ }
+
 if windows {
 daemonArgs = &k8sclient.DaemonsetYAMLArguments{
 DaemonsetName: getDaemonSetName(true),
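Review bot: `nodeWindowsSCCPath` is appended to `setupYAMLPaths` for every OpenShift install, yet the file it names is only written inside the `if windows {` block of prepareYAMLFiles (the -775 hunk), so a Linux-only install ends up with a listed path that is never created. The block just above, ending in `nodeWindowsPodSecurityPolicyPath)`, appears to guard its own append with a condition that lies outside the hunk; the Windows SCC path should probably be appended under that same condition, e.g. `if windows { setupYAMLPaths = append(setupYAMLPaths, nodeWindowsSCCPath) }`, assuming `windows` is in scope here. Whether a dangling entry is harmful depends on how setupYAMLPaths is consumed, which this hunk does not show. The remainder of prepareYAMLFilePaths is outside the hunk.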
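Review bot: The two `GetOpenShiftSCCYAML` calls here (and the third in the -775 hunk) pass the same name twice, a bare `nil`, and a boolean whose meaning is only visible through the helper name `isLinuxNodeSCCUser`, so a reader cannot tell which argument is the SCC name, which is the service account, or what the final flag selects. The name duplication is not incidental: the pod templates' new `openshift.io/required-scc: {SERVICE_ACCOUNT}` annotation (yaml_factory.go) resolves only if the SCC is named exactly the service-account name, and that coupling deserves a comment at the point where the name is chosen. Since the three blocks differ only in name, labels, output path and error wording, a small helper removes the triplication and gives the coupling one home; the final flag presumably picks the privileged variant only for the Linux node name, as the helper name and the UnprivilegedUser test suggest, so that assumption is marked for confirmation below. prepareYAMLFiles begins before and continues after this hunk.
```go
// writeOpenShiftSCC renders the SCC that the given service account is bound to and
// writes it to outPath. The SCC is deliberately named after the service account:
// the pod templates' openshift.io/required-scc annotation uses {SERVICE_ACCOUNT}
// to select it, so the two names must stay equal.
func writeOpenShiftSCC(name string, labels map[string]string, outPath, what string) error {
	// isLinuxNodeSCCUser decides which SCC variant is rendered; only the Linux node
	// name is expected to select the privileged one — TODO confirm against the helper.
	sccYAML := k8sclient.GetOpenShiftSCCYAML(name, name, TridentPodNamespace, labels, nil, isLinuxNodeSCCUser(name))
	if err := writeFile(outPath, sccYAML); err != nil {
		return fmt.Errorf("could not write %s SCC YAML file; %v", what, err)
	}
	return nil
}

// … unchanged: earlier part of prepareYAMLFiles …
if client.Flavor() == k8sclient.FlavorOpenShift {
	if err = writeOpenShiftSCC(getControllerRBACResourceName(), labels, controllerSCCPath, "controller"); err != nil {
		return err
	}
	if err = writeOpenShiftSCC(getNodeRBACResourceName(false), daemonSetlabels, nodeLinuxSCCPath, "node linux"); err != nil {
		return err
	}
}
```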
@@ -775,6 +805,14 @@ func prepareYAMLFiles() error {
 return fmt.Errorf("could not write node windows pod security policy YAML file; %v", err)
 }
 }
+
+ if client.Flavor() == k8sclient.FlavorOpenShift {
+ nodeWindowsSCCYAML := k8sclient.GetOpenShiftSCCYAML(getNodeRBACResourceName(true), getNodeRBACResourceName(true), TridentPodNamespace, daemonSetlabels, nil,
+ isLinuxNodeSCCUser(getNodeRBACResourceName(true)))
+ if err = writeFile(nodeWindowsSCCPath, nodeWindowsSCCYAML); err != nil {
+ return fmt.Errorf("could not write node windows SCC YAML file; %v", err)
+ }
+ }
 }
 return nil
diff --git a/cli/k8s_client/yaml_factory.go b/cli/k8s_client/yaml_factory.go
index 408adab5f..8651b6ea8 100644
--- a/cli/k8s_client/yaml_factory.go
+++ b/cli/k8s_client/yaml_factory.go
@@ -548,6 +548,8 @@ spec:
 labels:
 app: {LABEL_APP}
 {LABEL_IDENTITY}
+ annotations:
+ openshift.io/required-scc: {SERVICE_ACCOUNT}
 spec:
 serviceAccount: {SERVICE_ACCOUNT}
 containers:
@@ -913,6 +915,8 @@ spec:
 metadata:
 labels:
 app: {LABEL_APP}
+ annotations:
+ openshift.io/required-scc: {SERVICE_ACCOUNT}
 spec:
 serviceAccount: {SERVICE_ACCOUNT}
 hostNetwork: true
@@ -1115,6 +1119,8 @@ spec:
 metadata:
 labels:
 app: {LABEL_APP}
+ annotations:
+ openshift.io/required-scc: {SERVICE_ACCOUNT}
 spec:
 securityContext:
 windowsOptions:
@@ -1482,7 +1488,7 @@ defaultAddCapabilities: null
 fsGroup:
 type: RunAsAny
 groups: []
-priority: 10
+priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
 - MKNOD
diff --git a/cli/k8s_client/yaml_factory_test.go b/cli/k8s_client/yaml_factory_test.go
index 8578ef2d5..a0d0ee55d 100644
--- a/cli/k8s_client/yaml_factory_test.go
+++ b/cli/k8s_client/yaml_factory_test.go
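Review bot: `isLinuxNodeSCCUser(getNodeRBACResourceName(true))` hands the Windows node name to a helper whose name says it recognises the Linux node user, so the Windows SCC is presumably rendered with whatever variant the helper's false result produces; if that is deliberate, say so beside the call, e.g. `// Windows nodes never take the Linux-node SCC variant; isLinuxNodeSCCUser is expected to be false here`, and if not, the flag needs a Windows-aware decision. The block is otherwise a copy of the controller and Linux-node blocks in the -721 hunk and would fold into the same helper. prepareYAMLFiles begins before this hunk.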
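Review bot: The `openshift.io/required-scc` annotation added here and in the -913 and -1115 hunks only resolves if the SCC the installer generates is named exactly the service-account name, and nothing in the templates records that coupling with install.go, where GetOpenShiftSCCYAML is handed the same name for both the SCC and the service account. A YAML comment beside the annotation, `# must equal the name of the SCC generated by the installer (the service-account name); admission rejects the pod otherwise`, would keep the two from drifting. As I read the annotation's semantics, admission now requires this specific SCC rather than choosing the best available match, which is what makes dropping `priority` in the -1482 hunk safe; on a cluster whose admission plugin does not know the annotation it is inert metadata and the usual SCC ordering applies, so that fallback is worth a sentence in the same comment. The enclosing template strings start and end outside these hunks.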
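Review bot: With `priority: null` this SCC no longer outranks the built-in SCCs, so, as I understand SCC ordering, a service account granted several SCCs lands on it only when it is the most restrictive match or when the pod carries the `openshift.io/required-scc` annotation introduced in the -548, -913 and -1115 hunks; that intent is not stated in the template. A comment above the field, `# priority intentionally unset: pods select this SCC through openshift.io/required-scc, not by ranking`, would explain the change to the next reader and to anyone applying the generated YAML by hand. Workloads that reach this SCC through its users or groups lists but lack the annotation would be the ones whose admission changes, and whether any exist cannot be judged from the hunk.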
@@ -1135,7 +1135,6 @@ func TestGetOpenShiftSCCYAML_UnprivilegedUser(t *testing.T) {
 namespace := "trident"
 labels := map[string]string{"app": "controller.trident.netapp.io"}
 crdDetails := map[string]string{"kind": "ReplicaSet"}
- priority := int32(10)
 expected := scc.SecurityContextConstraints{
 TypeMeta: metav1.TypeMeta{
@@ -1168,7 +1167,7 @@ func TestGetOpenShiftSCCYAML_UnprivilegedUser(t *testing.T) {
 Type: "RunAsAny",
 },
 Groups: []string{},
- Priority: &priority,
+ Priority: nil,
 ReadOnlyRootFilesystem: false,
 RequiredDropCapabilities: []v1.Capability{"MKNOD"},
 RunAsUser: scc.RunAsUserStrategyOptions{