package compliancescan
import (
"context"
"fmt"
"path"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
compv1alpha1 "github.com/openshift/compliance-operator/pkg/apis/compliance/v1alpha1"
"github.com/openshift/compliance-operator/pkg/controller/common"
"github.com/openshift/compliance-operator/pkg/utils"
)
// aggregatorSA is the ServiceAccountName the aggregator pod is created with.
const (
	aggregatorSA = "remediation-aggregator"
)
// getAggregatorPodName returns the name of the aggregator pod for the scan
// called scanName. The name is produced by utils.DNSLengthName from a fixed
// prefix and a "%s" format of the scan name (presumably to keep it within
// DNS name length limits; see that helper for the exact rule).
func getAggregatorPodName(scanName string) string {
	const prefix = "aggregator-pod-"
	return utils.DNSLengthName(prefix, prefix+"%s", scanName)
}
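// newAggregatorPod builds the Pod that aggregates the results of scanInstance.
//
// The pod is placed in the operator namespace, runs as the aggregatorSA
// service account and is scheduled with the reconciler's node selector and
// tolerations. An init container copies the scan content into the
// "content-dir" emptyDir volume; the main container then runs the operator
// image in aggregator mode with that volume mounted read-only. Both
// containers disable privilege escalation and use a read-only root
// filesystem. Nothing is created here; see launchAggregatorPod.
//
// scanInstance.Spec.Content arrives through the API, so it is handed to the
// init container's shell as a positional parameter ($1) instead of being
// interpolated into the script text; shell metacharacters in the path are
// therefore never interpreted as syntax. The copy is still piped into
// /bin/true, so a failing cp does not fail the init container (a pipeline's
// status is that of its last command).
func (r *ReconcileComplianceScan) newAggregatorPod(scanInstance *compv1alpha1.ComplianceScan, logger logr.Logger) *corev1.Pod {
	podName := getAggregatorPodName(scanInstance.Name)
	podLabels := map[string]string{
		compv1alpha1.ComplianceScanLabel: scanInstance.Name,
		"workload":                       "aggregator",
	}
	// The SecurityContext fields are *bool, so take addresses of locals.
	falseP := false
	trueP := true
	// Clean the spec-supplied path and anchor it at the filesystem root.
	contentPath := path.Join("/", scanInstance.Spec.Content)

	return &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      podName,
			Namespace: common.GetComplianceOperatorNamespace(),
			Labels:    podLabels,
			Annotations: map[string]string{
				"workload.openshift.io/management": `{"effect": "PreferredDuringScheduling"}`,
			},
		},
		Spec: corev1.PodSpec{
			NodeSelector:       r.schedulingInfo.Selector,
			Tolerations:        r.schedulingInfo.Tolerations,
			ServiceAccountName: aggregatorSA,
			InitContainers: []corev1.Container{
				{
					Name:  "content-container",
					Image: getInitContainerImage(&scanInstance.Spec, logger),
					// "sh -c SCRIPT NAME ARG": NAME becomes $0 and ARG becomes
					// $1, so the content path is data rather than script.
					Command: []string{
						"sh",
						"-c",
						`cp "$1" /content | /bin/true`,
						"sh",
						contentPath,
					},
					ImagePullPolicy: corev1.PullAlways,
					SecurityContext: &corev1.SecurityContext{
						AllowPrivilegeEscalation: &falseP,
						ReadOnlyRootFilesystem:   &trueP,
					},
					VolumeMounts: []corev1.VolumeMount{
						{
							Name:      "content-dir",
							MountPath: "/content",
						},
					},
				},
			},
			Containers: []corev1.Container{
				{
					Name:  "aggregator",
					Image: utils.GetComponentImage(utils.OPERATOR),
					Command: []string{
						"compliance-operator", "aggregator",
						fmt.Sprintf("--content=%s", absContentPath(scanInstance.Spec.Content)),
						fmt.Sprintf("--scan=%s", scanInstance.Name),
						fmt.Sprintf("--namespace=%s", scanInstance.Namespace),
					},
					SecurityContext: &corev1.SecurityContext{
						AllowPrivilegeEscalation: &falseP,
						ReadOnlyRootFilesystem:   &trueP,
					},
					VolumeMounts: []corev1.VolumeMount{
						{
							Name:      "content-dir",
							MountPath: "/content",
							ReadOnly:  true,
						},
					},
				},
			},
			RestartPolicy: corev1.RestartPolicyOnFailure,
			Volumes: []corev1.Volume{
				{
					Name: "content-dir",
					VolumeSource: corev1.VolumeSource{
						EmptyDir: &corev1.EmptyDirVolumeSource{},
					},
				},
			},
		},
	}
}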
// launchAggregatorPod creates pod through the reconciler's client.
//
// The create is attempted unconditionally (optimistic concurrency): an
// AlreadyExists response is treated as success, any other error is logged
// together with the pod and returned. scanInstance is accepted for interface
// parity but not read here.
func (r *ReconcileComplianceScan) launchAggregatorPod(scanInstance *compv1alpha1.ComplianceScan, pod *corev1.Pod, logger logr.Logger) error {
	createErr := r.client.Create(context.TODO(), pod)
	switch {
	case createErr == nil, errors.IsAlreadyExists(createErr):
		// Either freshly created or left over from an earlier reconcile.
		return nil
	default:
		logger.Error(createErr, "Cannot launch pod", "pod", pod)
		return createErr
	}
}
// deleteAggregator deletes the aggregator pod belonging to instance.
//
// The pod object is rebuilt with newAggregatorPod purely to obtain the name
// and namespace for the delete call. A NotFound response counts as success;
// any other error is logged with the pod and returned.
func (r *ReconcileComplianceScan) deleteAggregator(instance *compv1alpha1.ComplianceScan, logger logr.Logger) error {
	pod := r.newAggregatorPod(instance, logger)
	deleteErr := r.client.Delete(context.TODO(), pod)
	switch {
	case deleteErr == nil, errors.IsNotFound(deleteErr):
		// Already gone (or never created) is the desired end state.
		return nil
	default:
		logger.Error(deleteErr, "Cannot delete aggregator pod", "pod", pod)
		return deleteErr
	}
}
// isAggregatorRunning reports whether the aggregator pod for scanInstance is
// running, by looking it up by name in the operator namespace via
// isPodRunning. The boolean and error are those of isPodRunning.
func isAggregatorRunning(r *ReconcileComplianceScan, scanInstance *compv1alpha1.ComplianceScan, logger logr.Logger) (bool, error) {
	scanName := scanInstance.Name
	logger.Info("Checking aggregator pod for scan", "ComplianceScan.Name", scanName)
	name := getAggregatorPodName(scanName)
	ns := common.GetComplianceOperatorNamespace()
	return isPodRunning(r, name, ns, logger)
}