package apply
import (
"context"
"encoding/json"
"fmt"
secv1 "github.com/openshift/api/security/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"kubevirt.io/client-go/log"
"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
)
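// createOrUpdateSCC reconciles every SecurityContextConstraints object the
// target strategy defines. It is a no-op outside OpenShift (SCCs are an
// OpenShift API). For each SCC the operator's version/registry/id metadata is
// injected, then the object is created if it is absent from the cache, updated
// if the cached copy carries stale operator metadata, and left alone otherwise.
//
// Security note: the update branch sends the strategy's desired SCC (spec
// included), keeping only the cached ObjectMeta, so an operator-owned SCC is
// reset to its intended content on update. The update is triggered only when
// objectMatchesVersion reports a metadata mismatch; this loop does not compare
// the spec itself, so out-of-band edits to an SCC's spec without a version or
// generation change are presumably not corrected here (confirm against
// objectMatchesVersion).
//
// Returns the first error encountered; the remaining SCCs are not processed.
func (r *Reconciler) createOrUpdateSCC() error {
	if !r.stores.IsOnOpenshift {
		return nil
	}
	sec := r.clientset.SecClient()
	version, imageRegistry, id := getTargetVersionRegistryID(r.kv)

	for _, desired := range r.targetStrategy.SCCs() {
		// Work on a copy so the strategy's template is never mutated.
		scc := desired.DeepCopy()

		// A cache lookup error used to be discarded; surface it instead so a
		// broken cache does not masquerade as "object missing" and trigger a Create.
		obj, exists, err := r.stores.SCCCache.GetByKey(scc.Name)
		if err != nil {
			return fmt.Errorf("unable to look up SCC %s in cache: %v", scc.Name, err)
		}
		injectOperatorMetadata(r.kv, &scc.ObjectMeta, version, imageRegistry, id, true)

		if !exists {
			// Expectation bookkeeping: raised before the Create, lowered again if
			// it fails (presumably so the informer-driven reconcile does not wait
			// for an event that will never come — confirm against expectations).
			r.expectations.SCC.RaiseExpectations(r.kvKey, 1, 0)
			_, err = sec.SecurityContextConstraints().Create(context.Background(), scc, metav1.CreateOptions{})
			if err != nil {
				r.expectations.SCC.LowerExpectations(r.kvKey, 1, 0)
				return fmt.Errorf("unable to create SCC %+v: %v", scc, err)
			}
			log.Log.V(2).Infof("SCC %v created", scc.Name)
			continue
		}

		// Checked assertion: a foreign object in the cache becomes an error
		// rather than a panic inside the reconcile loop.
		cachedSCC, ok := obj.(*secv1.SecurityContextConstraints)
		if !ok {
			return fmt.Errorf("couldn't cast object to SecurityContextConstraints: %+v", obj)
		}
		if objectMatchesVersion(&cachedSCC.ObjectMeta, version, imageRegistry, id, r.kv.GetGeneration()) {
			log.Log.V(4).Infof("SCC %s is up to date", scc.Name)
			continue
		}

		// Carry the live ObjectMeta (uid, resourceVersion, ...) over so the Update
		// addresses the existing object under optimistic concurrency, then re-stamp
		// the operator metadata on top of it.
		scc.ObjectMeta = *cachedSCC.ObjectMeta.DeepCopy()
		injectOperatorMetadata(r.kv, &scc.ObjectMeta, version, imageRegistry, id, true)
		_, err = sec.SecurityContextConstraints().Update(context.Background(), scc, metav1.UpdateOptions{})
		if err != nil {
			// Keep the API error; the previous message dropped it, which hid
			// conflicts and authorization failures from the operator log.
			return fmt.Errorf("unable to update %s SecurityContextConstraints: %v", scc.Name, err)
		}
		log.Log.V(2).Infof("SecurityContextConstraints %s updated", scc.Name)
	}
	return nil
}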
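// removeKvServiceAccountsFromDefaultSCC drops KubeVirt's own component service
// accounts (as listed by rbac.GetKubevirtComponentsServiceAccounts for
// targetNamespace) from the users list of the cluster's "privileged" SCC, so
// they do not keep the rights of that built-in SCC alongside the SCCs this
// operator manages itself.
//
// The cached copy of the SCC is consulted first; if it is absent nothing is
// done. When at least one KubeVirt account is present, the users list is
// rewritten with a JSON patch whose leading "test" op pins the exact list the
// decision was made against: if the privileged SCC changed between the cache
// read and the patch, the API server rejects the patch instead of this code
// silently overwriting someone else's edit. The error is returned to the
// caller, presumably the reconcile loop, which retries on its next pass
// (confirm against the caller).
//
// targetNamespace is the namespace whose KubeVirt service accounts are removed.
func (r *Reconciler) removeKvServiceAccountsFromDefaultSCC(targetNamespace string) error {
	obj, exists, err := r.stores.SCCCache.GetByKey("privileged")
	if err != nil {
		return err
	}
	if !exists {
		return nil
	}
	privileged, ok := obj.(*secv1.SecurityContextConstraints)
	if !ok {
		return fmt.Errorf("couldn't cast object to SecurityContextConstraints: %+v", obj)
	}

	kvServiceAccounts := rbac.GetKubevirtComponentsServiceAccounts(targetNamespace)
	// Non-nil so a fully emptied list marshals as [] rather than null in the
	// replace op; the previous nil slice produced "value": null in that case.
	remaining := make([]string, 0, len(privileged.Users))
	for _, user := range privileged.Users {
		if _, isKubeVirt := kvServiceAccounts[user]; !isKubeVirt {
			remaining = append(remaining, user)
		}
	}
	if len(remaining) == len(privileged.Users) {
		// No KubeVirt account on the privileged SCC: nothing to patch.
		return nil
	}

	oldUserBytes, err := json.Marshal(privileged.Users)
	if err != nil {
		return err
	}
	userBytes, err := json.Marshal(remaining)
	if err != nil {
		return err
	}
	// "test" guards against a concurrent edit of /users; "replace" applies
	// the filtered list only if the guard holds.
	test := fmt.Sprintf(`{ "op": "test", "path": "/users", "value": %s }`, string(oldUserBytes))
	patch := fmt.Sprintf(`{ "op": "replace", "path": "/users", "value": %s }`, string(userBytes))
	_, err = r.clientset.SecClient().SecurityContextConstraints().Patch(context.Background(), "privileged", types.JSONPatchType, []byte(fmt.Sprintf("[ %s, %s ]", test, patch)), metav1.PatchOptions{})
	if err != nil {
		return fmt.Errorf("unable to patch scc: %v", err)
	}
	return nil
}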