Merge pull request #743 from stlaz/privileged_ns_roles

add roles for the new privileged namespaces PSa syncer controller
openshift · Aug 14, 2023 · d95b0c2 · d95b0c2
2 parents 5f49f59 + c2bf60f
commit d95b0c2
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 3 deletions.
diff --git a/...ager/podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml b/...ager/podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+  name: system:openshift:controller:privileged-namespaces-psa-label-syncer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - default
+  - kube-system
+  - kube-public
+  resources:
+  - namespaces
+  verbs:
+  - patch
diff --git a/...dsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml b/...dsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:openshift:controller:privileged-namespaces-psa-label-syncer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:controller:privileged-namespaces-psa-label-syncer
+subjects:
+- kind: ServiceAccount
+  name: privileged-namespaces-psa-label-syncer
+  namespace: openshift-infra
diff --git a/...s/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml b/...s/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+  name: system:openshift:controller:privileged-namespaces-psa-label-syncer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - default
+  - kube-system
+  - kube-public
+  resources:
+  - namespaces
+  verbs:
+  - patch
diff --git a/...dsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml b/...dsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:openshift:controller:privileged-namespaces-psa-label-syncer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:controller:privileged-namespaces-psa-label-syncer
+subjects:
+- kind: ServiceAccount
+  name: privileged-namespaces-psa-label-syncer
+  namespace: openshift-infra
diff --git a/pkg/cmd/render/render_test.go b/pkg/cmd/render/render_test.go
@@ -3,7 +3,6 @@ package render
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
@@ -83,7 +82,7 @@ func runRender(args ...string) (*cobra.Command, error) {
 }
 
 func setupAssetOutputDir(testName string) (teardown func(), outputDir string, err error) {
-	outputDir, err = ioutil.TempDir("", testName)
+	outputDir, err = os.MkdirTemp("", testName)
 	if err != nil {
 		return nil, "", err
 	}
@@ -167,6 +166,8 @@ func TestRenderCommand(t *testing.T) {
 				"manifests/manifests/00_openshift-kube-controller-manager-ns.yaml",
 				"manifests/manifests/00_openshift-kube-controller-manager-operator-ns.yaml",
 				"manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml",
+				"manifests/manifests/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml",
+				"manifests/manifests/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml",
 				"manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml",
 				"manifests/manifests/secret-csr-signer-signer.yaml",
 				"manifests/manifests/secret-initial-kube-controller-manager-service-account-private-key.yaml",
@@ -246,6 +247,8 @@ func TestRenderCommand(t *testing.T) {
 				"manifests/manifests/00_openshift-kube-controller-manager-operator-ns.yaml",
 				"manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml",
 				"manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml",
+				"manifests/manifests/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml",
+				"manifests/manifests/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml",
 				"manifests/manifests/secret-csr-signer-signer.yaml",
 				"manifests/manifests/secret-initial-kube-controller-manager-service-account-private-key.yaml",
 			},
@@ -310,6 +313,8 @@ func TestRenderCommand(t *testing.T) {
 				"manifests/manifests/00_openshift-kube-controller-manager-operator-ns.yaml",
 				"manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml",
 				"manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml",
+				"manifests/manifests/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml",
+				"manifests/manifests/00_podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml",
 				"manifests/manifests/secret-csr-signer-signer.yaml",
 				"manifests/manifests/secret-initial-kube-controller-manager-service-account-private-key.yaml",
 			},
@@ -412,7 +417,7 @@ func TestRenderCommand(t *testing.T) {
 					t.Errorf("file %q: %v", f, err)
 				}
 				if file, ok := test.expectedContents[f]; ok {
-					data, err := ioutil.ReadFile(p)
+					data, err := os.ReadFile(p)
 					if err != nil {
 						t.Errorf("error reading file %s: %v", p, err)
 						continue

diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -124,6 +124,8 @@ func RunOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 			"assets/kube-controller-manager/namespace-security-allocation-controller-clusterrolebinding.yaml",
 			"assets/kube-controller-manager/podsecurity-admission-label-syncer-controller-clusterrole.yaml",
 			"assets/kube-controller-manager/podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml",
+			"assets/kube-controller-manager/podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrole.yaml",
+			"assets/kube-controller-manager/podsecurity-admission-label-privileged-namespaces-syncer-controller-clusterrolebinding.yaml",
 			"assets/kube-controller-manager/namespace-openshift-infra.yaml",
 			"assets/kube-controller-manager/svc.yaml",
 			"assets/kube-controller-manager/sa.yaml",