LOG-3302: Update scc to desired

openshift · Jan 3, 2023 · 56840fc · 56840fc
1 parent ade2908
commit 56840fc
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 2 deletions.
diff --git a/internal/reconcile/scc.go b/internal/reconcile/scc.go
@@ -14,7 +14,7 @@ import (
 func SecurityContextConstraints(k8Client client.Client, desired *security.SecurityContextConstraints) error {
 	retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		current := &security.SecurityContextConstraints{}
-		key := client.ObjectKeyFromObject(desired)
+		key := client.ObjectKey{Name: desired.Name}
 		if err := k8Client.Get(context.TODO(), key, current); err != nil {
 			if errors.IsNotFound(err) {
 				return k8Client.Create(context.TODO(), desired)
@@ -27,7 +27,37 @@ func SecurityContextConstraints(k8Client client.Client, desired *security.Securi
 			log.V(3).Info("SecurityContextConstraints are the same skipping update")
 			return nil
 		}
-		return k8Client.Update(context.TODO(), current)
+		return k8Client.Update(context.TODO(), update(desired, current))
 	})
 	return retryErr
 }
+
+func update(from, to *security.SecurityContextConstraints) *security.SecurityContextConstraints {
+	to.Labels = from.Labels
+	to.Priority = from.Priority
+	to.AllowPrivilegedContainer = from.AllowPrivilegedContainer
+	to.DefaultAddCapabilities = from.DefaultAddCapabilities
+	to.RequiredDropCapabilities = from.RequiredDropCapabilities
+	to.AllowedCapabilities = from.AllowedCapabilities
+	to.AllowHostDirVolumePlugin = from.AllowHostDirVolumePlugin
+	to.Volumes = from.Volumes
+	to.AllowedFlexVolumes = from.AllowedFlexVolumes
+	to.AllowHostNetwork = from.AllowHostNetwork
+	to.AllowHostPorts = from.AllowHostPorts
+	to.AllowHostPID = from.AllowHostPID
+	to.AllowHostIPC = from.AllowHostIPC
+	to.DefaultAllowPrivilegeEscalation = from.DefaultAllowPrivilegeEscalation
+	to.AllowPrivilegeEscalation = from.AllowPrivilegeEscalation
+	to.SELinuxContext = from.SELinuxContext
+	to.RunAsUser = from.RunAsUser
+	to.SupplementalGroups = from.SupplementalGroups
+	to.FSGroup = from.FSGroup
+	to.ReadOnlyRootFilesystem = from.ReadOnlyRootFilesystem
+	to.Users = from.Users
+	to.Groups = from.Groups
+	to.SeccompProfiles = from.SeccompProfiles
+	to.AllowedUnsafeSysctls = from.AllowedUnsafeSysctls
+	to.ForbiddenSysctls = from.ForbiddenSysctls
+
+	return to
+}
diff --git a/internal/reconcile/scc_test.go b/internal/reconcile/scc_test.go
@@ -0,0 +1,61 @@
+package reconcile_test
+
+import (
+	"context"
+	security "github.com/openshift/api/security/v1"
+	"github.com/openshift/cluster-logging-operator/internal/reconcile"
+	"github.com/openshift/cluster-logging-operator/internal/runtime"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	"github.com/google/go-cmp/cmp"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/ginkgo/extensions/table"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("reconciling ", func() {
+
+	var (
+		anSCC = &security.SecurityContextConstraints{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "SecurityContextConstraints",
+				APIVersion: security.SchemeGroupVersion.String(),
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "bar",
+			},
+			ReadOnlyRootFilesystem: true,
+		}
+	)
+
+	var _ = DescribeTable("SCC", func(initial *security.SecurityContextConstraints, desired security.SecurityContextConstraints) {
+
+		globalScheme := scheme.Scheme
+		security.Install(globalScheme)
+		builder := fake.NewClientBuilder().WithScheme(globalScheme)
+		if initial != nil {
+			builder.WithRuntimeObjects(initial)
+		}
+		k8sClient := builder.Build()
+
+		Expect(reconcile.SecurityContextConstraints(k8sClient, &desired)).To(Succeed(), "Expect no error reconciling secrets")
+
+		key := client.ObjectKey{Name: desired.Name}
+		act := &security.SecurityContextConstraints{}
+		Expect(k8sClient.Get(context.TODO(), key, act)).To(Succeed(), "Exp. no error after reconciliation to try and verify")
+
+		act.ResourceVersion = "" //dont care here
+		desired.ResourceVersion = ""
+
+		Expect(cmp.Diff(act, &desired)).To(BeEmpty(), "Exp. the spec to be the same")
+		Expect(cmp.Diff(act, initial)).To(Not(BeEmpty()), "Exp. the spec to have been updated")
+	},
+		Entry("when it does not exist should create it", nil, *anSCC),
+		Entry("when spec is modified it should revert it", runtime.NewSCC("bar"), *anSCC),
+		Entry("when spec is not modified it should do nothing", anSCC, *anSCC),
+	)
+})