Cherrypick PWX-32732 : use SCC based on IsPrivileged flag (#1194)

* PWX-32732 : use SCC based on IsPrivileged flag (#1191) * use portworx-restricted based on IsPrivileged flag * Add UTs for install with non-privileged annotation * Add UTs for install with non-privileged annotation * remove debug logs * resolve conflict * fix failing test
libopenstorage · Aug 9, 2023 · d139354 · d139354
1 parent ed695b0
commit d139354
Show file tree

Hide file tree

Showing 12 changed files with 483 additions and 183 deletions.
diff --git a/drivers/storage/portworx/component/csi.go b/drivers/storage/portworx/component/csi.go
@@ -226,6 +226,11 @@ func (c *csi) createClusterRole(
 	cluster *corev1.StorageCluster,
 	csiConfig *pxutil.CSIConfiguration,
 ) error {
+	sccName := PxSCCName
+	if !pxutil.IsPrivileged(cluster) {
+		sccName = PxRestrictedSCCName
+	}
+
 	clusterRole := &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: CSIClusterRoleName,
@@ -320,7 +325,7 @@ func (c *csi) createClusterRole(
 			{
 				APIGroups:     []string{"security.openshift.io"},
 				Resources:     []string{"securitycontextconstraints"},
-				ResourceNames: []string{PxRestrictedSCCName},
+				ResourceNames: []string{sccName},
 				Verbs:         []string{"use"},
 			},
 			{

diff --git a/drivers/storage/portworx/component/lighthouse.go b/drivers/storage/portworx/component/lighthouse.go
@@ -90,7 +90,7 @@ func (c *lighthouse) Reconcile(cluster *corev1.StorageCluster) error {
 	if err := c.createServiceAccount(cluster.Namespace, ownerRef); err != nil {
 		return err
 	}
-	if err := c.createClusterRole(); err != nil {
+	if err := c.createClusterRole(cluster); err != nil {
 		return err
 	}
 	if err := c.createClusterRoleBinding(cluster.Namespace); err != nil {
@@ -147,75 +147,79 @@ func (c *lighthouse) createServiceAccount(
 	)
 }
 
-func (c *lighthouse) createClusterRole() error {
-	return k8sutil.CreateOrUpdateClusterRole(
-		c.k8sClient,
-		&rbacv1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: LhClusterRoleName,
+func (c *lighthouse) createClusterRole(cluster *corev1.StorageCluster) error {
+	sccName := PxSCCName
+	if !pxutil.IsPrivileged(cluster) {
+		sccName = PxRestrictedSCCName
+	}
+
+	clusterRole := &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: LhClusterRoleName,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"pods"},
+				Verbs:     []string{"get", "list"},
 			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups: []string{""},
-					Resources: []string{"pods"},
-					Verbs:     []string{"get", "list"},
-				},
-				{
-					APIGroups: []string{"extensions", "apps"},
-					Resources: []string{"deployments"},
-					Verbs:     []string{"get", "list"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"secrets"},
-					Verbs:     []string{"get", "create", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"configmaps"},
-					Verbs:     []string{"get", "create", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"nodes"},
-					Verbs:     []string{"get", "list", "watch"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"services"},
-					Verbs:     []string{"get", "list", "watch", "create"},
-				},
-				{
-					APIGroups: []string{"stork.libopenstorage.org"},
-					Resources: []string{"*"},
-					Verbs:     []string{"get", "list", "create", "delete", "update"},
-				},
-				{
-					APIGroups: []string{"monitoring.coreos.com"},
-					Resources: []string{
-						"alertmanagers",
-						"prometheuses",
-						"prometheuses/finalizers",
-						"servicemonitors",
-						"prometheusrules",
-					},
-					Verbs: []string{"*"},
-				},
-				{
-					APIGroups:     []string{"security.openshift.io"},
-					Resources:     []string{"securitycontextconstraints"},
-					ResourceNames: []string{PxRestrictedSCCName, "anyuid"},
-					Verbs:         []string{"use"},
-				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					ResourceNames: []string{constants.PrivilegedPSPName},
-					Verbs:         []string{"use"},
+			{
+				APIGroups: []string{"extensions", "apps"},
+				Resources: []string{"deployments"},
+				Verbs:     []string{"get", "list"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"get", "create", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"configmaps"},
+				Verbs:     []string{"get", "create", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"nodes"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"services"},
+				Verbs:     []string{"get", "list", "watch", "create"},
+			},
+			{
+				APIGroups: []string{"stork.libopenstorage.org"},
+				Resources: []string{"*"},
+				Verbs:     []string{"get", "list", "create", "delete", "update"},
+			},
+			{
+				APIGroups: []string{"monitoring.coreos.com"},
+				Resources: []string{
+					"alertmanagers",
+					"prometheuses",
+					"prometheuses/finalizers",
+					"servicemonitors",
+					"prometheusrules",
 				},
+				Verbs: []string{"*"},
+			},
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{sccName, "anyuid"},
+				Verbs:         []string{"use"},
+			},
+			{
+				APIGroups:     []string{"policy"},
+				Resources:     []string{"podsecuritypolicies"},
+				ResourceNames: []string{constants.PrivilegedPSPName},
+				Verbs:         []string{"use"},
 			},
 		},
-	)
+	}
+
+	return k8sutil.CreateOrUpdateClusterRole(c.k8sClient, clusterRole)
 }
 
 func (c *lighthouse) createClusterRoleBinding(

diff --git a/drivers/storage/portworx/component/pvccontroller.go b/drivers/storage/portworx/component/pvccontroller.go
@@ -111,7 +111,7 @@ func (c *pvcController) Reconcile(cluster *corev1.StorageCluster) error {
 	if err := c.createServiceAccount(cluster.Namespace, ownerRef); err != nil {
 		return err
 	}
-	if err := c.createClusterRole(); err != nil {
+	if err := c.createClusterRole(cluster); err != nil {
 		return err
 	}
 	if err := c.createClusterRoleBinding(cluster.Namespace); err != nil {
@@ -162,99 +162,103 @@ func (c *pvcController) createServiceAccount(
 	)
 }
 
-func (c *pvcController) createClusterRole() error {
-	return k8sutil.CreateOrUpdateClusterRole(
-		c.k8sClient,
-		&rbacv1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: PVCClusterRoleName,
+func (c *pvcController) createClusterRole(cluster *corev1.StorageCluster) error {
+	sccName := PxSCCName
+	if !pxutil.IsPrivileged(cluster) {
+		sccName = PxRestrictedSCCName
+	}
+
+	clusterRole := &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: PVCClusterRoleName,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumes"},
+				Verbs:     []string{"get", "list", "watch", "create", "delete", "update"},
 			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumes"},
-					Verbs:     []string{"get", "list", "watch", "create", "delete", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumes/status"},
-					Verbs:     []string{"update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumeclaims"},
-					Verbs:     []string{"get", "list", "watch", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumeclaims/status"},
-					Verbs:     []string{"update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"pods"},
-					Verbs:     []string{"get", "list", "watch", "create", "delete"},
-				},
-				{
-					APIGroups: []string{"storage.k8s.io"},
-					Resources: []string{"storageclasses"},
-					Verbs:     []string{"get", "list", "watch"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"endpoints", "services"},
-					Verbs:     []string{"get", "create", "delete", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"secrets"},
-					Verbs:     []string{"get", "list"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"nodes"},
-					Verbs:     []string{"get", "list", "watch"},
-				},
-				{
-					APIGroups: []string{"", "events.k8s.io"},
-					Resources: []string{"events"},
-					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"serviceaccounts"},
-					Verbs:     []string{"get", "create"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"serviceaccounts/token"},
-					Verbs:     []string{"create"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"configmaps"},
-					Verbs:     []string{"get", "list", "watch", "create", "update"},
-				},
-				{
-					APIGroups:     []string{"security.openshift.io"},
-					Resources:     []string{"securitycontextconstraints"},
-					ResourceNames: []string{PxRestrictedSCCName},
-					Verbs:         []string{"use"},
-				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					ResourceNames: []string{constants.PrivilegedPSPName},
-					Verbs:         []string{"use"},
-				},
-				{
-					APIGroups: []string{"coordination.k8s.io"},
-					Resources: []string{"leases"},
-					Verbs:     []string{"*"},
-				},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumes/status"},
+				Verbs:     []string{"update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumeclaims"},
+				Verbs:     []string{"get", "list", "watch", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumeclaims/status"},
+				Verbs:     []string{"update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"pods"},
+				Verbs:     []string{"get", "list", "watch", "create", "delete"},
+			},
+			{
+				APIGroups: []string{"storage.k8s.io"},
+				Resources: []string{"storageclasses"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"endpoints", "services"},
+				Verbs:     []string{"get", "create", "delete", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"get", "list"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"nodes"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
+			{
+				APIGroups: []string{"", "events.k8s.io"},
+				Resources: []string{"events"},
+				Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"serviceaccounts"},
+				Verbs:     []string{"get", "create"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"serviceaccounts/token"},
+				Verbs:     []string{"create"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"configmaps"},
+				Verbs:     []string{"get", "list", "watch", "create", "update"},
+			},
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{sccName},
+				Verbs:         []string{"use"},
+			},
+			{
+				APIGroups:     []string{"policy"},
+				Resources:     []string{"podsecuritypolicies"},
+				ResourceNames: []string{constants.PrivilegedPSPName},
+				Verbs:         []string{"use"},
+			},
+			{
+				APIGroups: []string{"coordination.k8s.io"},
+				Resources: []string{"leases"},
+				Verbs:     []string{"*"},
 			},
 		},
-	)
+	}
+
+	return k8sutil.CreateOrUpdateClusterRole(c.k8sClient, clusterRole)
 }
 
 func (c *pvcController) createClusterRoleBinding(