package controller
import (
"context"
"github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer"
"k8s.io/apimachinery/pkg/util/sets"
)
// runPodSecurityAdmissionLabelSynchronizationController starts the pod
// security admission label synchronization controller in the mode selected
// by the "OpenShiftPodSecurityAdmission" entry in
// controllerCtx.OpenshiftControllerConfig.FeatureGates.
//
// The gate does not switch the controller off: an explicit
// "OpenShiftPodSecurityAdmission=false" selects the advising variant, while
// "OpenShiftPodSecurityAdmission=true", an absent gate, or any other value
// selects the enforcing variant. If both values are listed, "=false" wins.
//
// The chosen controller is started on a background goroutine bound to ctx
// with a single worker. The boolean result is always true; the error is
// non-nil when the client for the controller's service account or the
// controller itself could not be created.
func runPodSecurityAdmissionLabelSynchronizationController(ctx context.Context, controllerCtx *EnhancedControllerContext) (bool, error) {
	client, err := controllerCtx.ClientBuilder.Client(podSecurityAdmissionLabelSyncerControllerServiceAccountName)
	if err != nil {
		return true, err
	}

	gates := sets.NewString(controllerCtx.OpenshiftControllerConfig.FeatureGates...)

	// Both variants take the same dependencies, in this order.
	namespaces := client.CoreV1().Namespaces()
	nsInformer := controllerCtx.KubernetesInformers.Core().V1().Namespaces()
	rbacInformers := controllerCtx.KubernetesInformers.Rbac().V1()
	saInformer := controllerCtx.KubernetesInformers.Core().V1().ServiceAccounts()
	sccInformer := controllerCtx.SecurityInformers.Security().V1().SecurityContextConstraints()
	recorder := controllerCtx.EventRecorder.ForComponent("podsecurity-admission-label-sync-controller")

	// An explicit "=false" downgrades the controller to the advising
	// variant; it is not a kill switch.
	if gates.Has("OpenShiftPodSecurityAdmission=false") {
		advising, err := psalabelsyncer.NewAdvisingPodSecurityAdmissionLabelSynchronizationController(
			namespaces, nsInformer, rbacInformers, saInformer, sccInformer, recorder,
		)
		if err != nil {
			return true, err
		}
		go advising.Run(ctx, 1)
		return true, nil
	}

	// "=true", an unset gate, and every other value run as enforcing.
	enforcing, err := psalabelsyncer.NewEnforcingPodSecurityAdmissionLabelSynchronizationController(
		namespaces, nsInformer, rbacInformers, saInformer, sccInformer, recorder,
	)
	if err != nil {
		return true, err
	}
	go enforcing.Run(ctx, 1)
	return true, nil
}
// runPrivilegedNamespacesPSALabelSyncer starts the privileged-namespaces
// PSA label syncer on a background goroutine with a single worker.
//
// The syncer is built with the client for
// privilegedNamespacesPodSecurityAdmissionLabelSyncerServiceAccountName, the
// namespace informer, and an event recorder for the
// "privileged-namespaces-psa-label-syncer" component. The boolean result is
// always true; the error is non-nil only when that client could not be built.
func runPrivilegedNamespacesPSALabelSyncer(ctx context.Context, controllerCtx *EnhancedControllerContext) (bool, error) {
	client, err := controllerCtx.ClientBuilder.Client(privilegedNamespacesPodSecurityAdmissionLabelSyncerServiceAccountName)
	if err != nil {
		return true, err
	}

	// Dependencies are resolved in the same order the constructor lists them.
	namespaces := client.CoreV1().Namespaces()
	nsInformer := controllerCtx.KubernetesInformers.Core().V1().Namespaces()
	recorder := controllerCtx.EventRecorder.ForComponent("privileged-namespaces-psa-label-syncer")

	syncer := psalabelsyncer.NewPrivilegedNamespacesPSALabelSyncer(ctx, namespaces, nsInformer, recorder)
	go syncer.Run(ctx, 1)
	return true, nil
}