use portworx-restricted based on IsPrivileged flag

libopenstorage · Aug 8, 2023 · df61352 · df61352
1 parent e155688
commit df61352
Show file tree

Hide file tree

Showing 3 changed files with 179 additions and 163 deletions.
diff --git a/drivers/storage/portworx/component/csi.go b/drivers/storage/portworx/component/csi.go
@@ -317,12 +317,6 @@ func (c *csi) createClusterRole(
 				Resources: []string{"leases"},
 				Verbs:     []string{"*"},
 			},
-			{
-				APIGroups:     []string{"security.openshift.io"},
-				Resources:     []string{"securitycontextconstraints"},
-				ResourceNames: []string{PxRestrictedSCCName},
-				Verbs:         []string{"use"},
-			},
 			{
 				APIGroups:     []string{"policy"},
 				Resources:     []string{"podsecuritypolicies"},
@@ -332,6 +326,18 @@ func (c *csi) createClusterRole(
 		},
 	}
 
+	if !pxutil.IsPrivileged(cluster) {
+		clusterRole.Rules = append(
+			clusterRole.Rules,
+			rbacv1.PolicyRule{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{PxRestrictedSCCName},
+				Verbs:         []string{"use"},
+			},
+		)
+	}
+
 	k8sVer1_14, err := version.NewVersion("1.14")
 	if err != nil {
 		return err

diff --git a/drivers/storage/portworx/component/lighthouse.go b/drivers/storage/portworx/component/lighthouse.go
@@ -90,7 +90,7 @@ func (c *lighthouse) Reconcile(cluster *corev1.StorageCluster) error {
 	if err := c.createServiceAccount(cluster.Namespace, ownerRef); err != nil {
 		return err
 	}
-	if err := c.createClusterRole(); err != nil {
+	if err := c.createClusterRole(cluster); err != nil {
 		return err
 	}
 	if err := c.createClusterRoleBinding(cluster.Namespace); err != nil {
@@ -147,75 +147,80 @@ func (c *lighthouse) createServiceAccount(
 	)
 }
 
-func (c *lighthouse) createClusterRole() error {
-	return k8sutil.CreateOrUpdateClusterRole(
-		c.k8sClient,
-		&rbacv1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: LhClusterRoleName,
+func (c *lighthouse) createClusterRole(cluster *corev1.StorageCluster) error {
+	clusterRole := &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: LhClusterRoleName,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"pods"},
+				Verbs:     []string{"get", "list"},
 			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups: []string{""},
-					Resources: []string{"pods"},
-					Verbs:     []string{"get", "list"},
-				},
-				{
-					APIGroups: []string{"extensions", "apps"},
-					Resources: []string{"deployments"},
-					Verbs:     []string{"get", "list"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"secrets"},
-					Verbs:     []string{"get", "create", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"configmaps"},
-					Verbs:     []string{"get", "create", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"nodes"},
-					Verbs:     []string{"get", "list", "watch"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"services"},
-					Verbs:     []string{"get", "list", "watch", "create"},
-				},
-				{
-					APIGroups: []string{"stork.libopenstorage.org"},
-					Resources: []string{"*"},
-					Verbs:     []string{"get", "list", "create", "delete", "update"},
-				},
-				{
-					APIGroups: []string{"monitoring.coreos.com"},
-					Resources: []string{
-						"alertmanagers",
-						"prometheuses",
-						"prometheuses/finalizers",
-						"servicemonitors",
-						"prometheusrules",
-					},
-					Verbs: []string{"*"},
-				},
-				{
-					APIGroups:     []string{"security.openshift.io"},
-					Resources:     []string{"securitycontextconstraints"},
-					ResourceNames: []string{PxRestrictedSCCName, "anyuid"},
-					Verbs:         []string{"use"},
-				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					ResourceNames: []string{constants.PrivilegedPSPName},
-					Verbs:         []string{"use"},
+			{
+				APIGroups: []string{"extensions", "apps"},
+				Resources: []string{"deployments"},
+				Verbs:     []string{"get", "list"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"get", "create", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"configmaps"},
+				Verbs:     []string{"get", "create", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"nodes"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"services"},
+				Verbs:     []string{"get", "list", "watch", "create"},
+			},
+			{
+				APIGroups: []string{"stork.libopenstorage.org"},
+				Resources: []string{"*"},
+				Verbs:     []string{"get", "list", "create", "delete", "update"},
+			},
+			{
+				APIGroups: []string{"monitoring.coreos.com"},
+				Resources: []string{
+					"alertmanagers",
+					"prometheuses",
+					"prometheuses/finalizers",
+					"servicemonitors",
+					"prometheusrules",
 				},
+				Verbs: []string{"*"},
+			},
+			{
+				APIGroups:     []string{"policy"},
+				Resources:     []string{"podsecuritypolicies"},
+				ResourceNames: []string{constants.PrivilegedPSPName},
+				Verbs:         []string{"use"},
 			},
 		},
-	)
+	}
+
+	if pxutil.IsPrivileged(cluster) {
+		clusterRole.Rules = append(
+			clusterRole.Rules,
+			rbacv1.PolicyRule{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{PxRestrictedSCCName},
+				Verbs:         []string{"use"},
+			},
+		)
+	}
+
+	return k8sutil.CreateOrUpdateClusterRole(c.k8sClient, clusterRole)
 }
 
 func (c *lighthouse) createClusterRoleBinding(

diff --git a/drivers/storage/portworx/component/pvccontroller.go b/drivers/storage/portworx/component/pvccontroller.go
@@ -111,7 +111,7 @@ func (c *pvcController) Reconcile(cluster *corev1.StorageCluster) error {
 	if err := c.createServiceAccount(cluster.Namespace, ownerRef); err != nil {
 		return err
 	}
-	if err := c.createClusterRole(); err != nil {
+	if err := c.createClusterRole(cluster); err != nil {
 		return err
 	}
 	if err := c.createClusterRoleBinding(cluster.Namespace); err != nil {
@@ -162,99 +162,104 @@ func (c *pvcController) createServiceAccount(
 	)
 }
 
-func (c *pvcController) createClusterRole() error {
-	return k8sutil.CreateOrUpdateClusterRole(
-		c.k8sClient,
-		&rbacv1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: PVCClusterRoleName,
+func (c *pvcController) createClusterRole(cluster *corev1.StorageCluster) error {
+	clusterRole := &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: PVCClusterRoleName,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumes"},
+				Verbs:     []string{"get", "list", "watch", "create", "delete", "update"},
 			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumes"},
-					Verbs:     []string{"get", "list", "watch", "create", "delete", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumes/status"},
-					Verbs:     []string{"update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumeclaims"},
-					Verbs:     []string{"get", "list", "watch", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"persistentvolumeclaims/status"},
-					Verbs:     []string{"update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"pods"},
-					Verbs:     []string{"get", "list", "watch", "create", "delete"},
-				},
-				{
-					APIGroups: []string{"storage.k8s.io"},
-					Resources: []string{"storageclasses"},
-					Verbs:     []string{"get", "list", "watch"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"endpoints", "services"},
-					Verbs:     []string{"get", "create", "delete", "update"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"secrets"},
-					Verbs:     []string{"get", "list"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"nodes"},
-					Verbs:     []string{"get", "list", "watch"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"events"},
-					Verbs:     []string{"watch", "create", "update", "patch"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"serviceaccounts"},
-					Verbs:     []string{"get", "create"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"serviceaccounts/token"},
-					Verbs:     []string{"create"},
-				},
-				{
-					APIGroups: []string{""},
-					Resources: []string{"configmaps"},
-					Verbs:     []string{"get", "list", "watch", "create", "update"},
-				},
-				{
-					APIGroups:     []string{"security.openshift.io"},
-					Resources:     []string{"securitycontextconstraints"},
-					ResourceNames: []string{PxRestrictedSCCName},
-					Verbs:         []string{"use"},
-				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					ResourceNames: []string{constants.PrivilegedPSPName},
-					Verbs:         []string{"use"},
-				},
-				{
-					APIGroups: []string{"coordination.k8s.io"},
-					Resources: []string{"leases"},
-					Verbs:     []string{"*"},
-				},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumes/status"},
+				Verbs:     []string{"update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumeclaims"},
+				Verbs:     []string{"get", "list", "watch", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"persistentvolumeclaims/status"},
+				Verbs:     []string{"update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"pods"},
+				Verbs:     []string{"get", "list", "watch", "create", "delete"},
+			},
+			{
+				APIGroups: []string{"storage.k8s.io"},
+				Resources: []string{"storageclasses"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"endpoints", "services"},
+				Verbs:     []string{"get", "create", "delete", "update"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"get", "list"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"nodes"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"events"},
+				Verbs:     []string{"watch", "create", "update", "patch"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"serviceaccounts"},
+				Verbs:     []string{"get", "create"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"serviceaccounts/token"},
+				Verbs:     []string{"create"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"configmaps"},
+				Verbs:     []string{"get", "list", "watch", "create", "update"},
+			},
+			{
+				APIGroups:     []string{"policy"},
+				Resources:     []string{"podsecuritypolicies"},
+				ResourceNames: []string{constants.PrivilegedPSPName},
+				Verbs:         []string{"use"},
+			},
+			{
+				APIGroups: []string{"coordination.k8s.io"},
+				Resources: []string{"leases"},
+				Verbs:     []string{"*"},
 			},
 		},
-	)
+	}
+
+	if pxutil.IsPrivileged(cluster) {
+		clusterRole.Rules = append(
+			clusterRole.Rules,
+			rbacv1.PolicyRule{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{PxRestrictedSCCName},
+				Verbs:         []string{"use"},
+			},
+		)
+	}
+
+	return k8sutil.CreateOrUpdateClusterRole(c.k8sClient, clusterRole)
 }
 
 func (c *pvcController) createClusterRoleBinding(