diff --git a/internal/reconcile/scc.go b/internal/reconcile/scc.go index 9f7cd96341..3e1ac9aad5 100644 --- a/internal/reconcile/scc.go +++ b/internal/reconcile/scc.go @@ -14,7 +14,7 @@ import ( func SecurityContextConstraints(k8Client client.Client, desired *security.SecurityContextConstraints) error { retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { current := &security.SecurityContextConstraints{} - key := client.ObjectKeyFromObject(desired) + key := client.ObjectKey{Name: desired.Name} if err := k8Client.Get(context.TODO(), key, current); err != nil { if errors.IsNotFound(err) { return k8Client.Create(context.TODO(), desired) @@ -27,7 +27,37 @@ func SecurityContextConstraints(k8Client client.Client, desired *security.Securi log.V(3).Info("SecurityContextConstraints are the same skipping update") return nil } - return k8Client.Update(context.TODO(), current) + return k8Client.Update(context.TODO(), update(desired, current)) }) return retryErr } + +func update(from, to *security.SecurityContextConstraints) *security.SecurityContextConstraints { + to.Labels = from.Labels + to.Priority = from.Priority + to.AllowPrivilegedContainer = from.AllowPrivilegedContainer + to.DefaultAddCapabilities = from.DefaultAddCapabilities + to.RequiredDropCapabilities = from.RequiredDropCapabilities + to.AllowedCapabilities = from.AllowedCapabilities + to.AllowHostDirVolumePlugin = from.AllowHostDirVolumePlugin + to.Volumes = from.Volumes + to.AllowedFlexVolumes = from.AllowedFlexVolumes + to.AllowHostNetwork = from.AllowHostNetwork + to.AllowHostPorts = from.AllowHostPorts + to.AllowHostPID = from.AllowHostPID + to.AllowHostIPC = from.AllowHostIPC + to.DefaultAllowPrivilegeEscalation = from.DefaultAllowPrivilegeEscalation + to.AllowPrivilegeEscalation = from.AllowPrivilegeEscalation + to.SELinuxContext = from.SELinuxContext + to.RunAsUser = from.RunAsUser + to.SupplementalGroups = from.SupplementalGroups + to.FSGroup = from.FSGroup + to.ReadOnlyRootFilesystem = from.ReadOnlyRootFilesystem + to.Users = from.Users + to.Groups = from.Groups + to.SeccompProfiles = from.SeccompProfiles + to.AllowedUnsafeSysctls = from.AllowedUnsafeSysctls + to.ForbiddenSysctls = from.ForbiddenSysctls + + return to +} diff --git a/internal/reconcile/scc_test.go b/internal/reconcile/scc_test.go new file mode 100644 index 0000000000..cb67d8326d --- /dev/null +++ b/internal/reconcile/scc_test.go @@ -0,0 +1,61 @@ +package reconcile_test + +import ( + "context" + security "github.com/openshift/api/security/v1" + "github.com/openshift/cluster-logging-operator/internal/reconcile" + "github.com/openshift/cluster-logging-operator/internal/runtime" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes/scheme" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/fake" + + "github.com/google/go-cmp/cmp" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/ginkgo/extensions/table" + . "github.com/onsi/gomega" +) + +var _ = Describe("reconciling ", func() { + + var ( + anSCC = &security.SecurityContextConstraints{ + TypeMeta: metav1.TypeMeta{ + Kind: "SecurityContextConstraints", + APIVersion: security.SchemeGroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + }, + ReadOnlyRootFilesystem: true, + } + ) + + var _ = DescribeTable("SCC", func(initial *security.SecurityContextConstraints, desired security.SecurityContextConstraints) { + + globalScheme := scheme.Scheme + security.Install(globalScheme) + builder := fake.NewClientBuilder().WithScheme(globalScheme) + if initial != nil { + builder.WithRuntimeObjects(initial) + } + k8sClient := builder.Build() + + Expect(reconcile.SecurityContextConstraints(k8sClient, &desired)).To(Succeed(), "Expect no error reconciling secrets") + + key := client.ObjectKey{Name: desired.Name} + act := &security.SecurityContextConstraints{} + Expect(k8sClient.Get(context.TODO(), key, act)).To(Succeed(), "Exp. no error after reconciliation to try and verify") + + act.ResourceVersion = "" //dont care here + desired.ResourceVersion = "" + + Expect(cmp.Diff(act, &desired)).To(BeEmpty(), "Exp. the spec to be the same") + Expect(cmp.Diff(act, initial)).To(Not(BeEmpty()), "Exp. the spec to have been updated") + }, + Entry("when it does not exist should create it", nil, *anSCC), + Entry("when spec is modified it should revert it", runtime.NewSCC("bar"), *anSCC), + Entry("when spec is not modified it should do nothing", anSCC, *anSCC), + ) +})