package assets
import (
"context"
"fmt"
embedded "github.com/openshift/microshift/assets"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/klog/v2"
sccv1 "github.com/openshift/api/security/v1"
sccclientv1 "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1"
"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
)
// sccScheme carries only the security.openshift.io/v1 types (registered in
// init below); sccCodecs decodes manifests against it, so only those
// registered kinds are expected to decode successfully in Read.
var sccScheme = runtime.NewScheme()

// sccCodecs is the codec factory Read uses to decode SCC manifests.
var sccCodecs = serializer.NewCodecFactory(sccScheme)
// init registers the security.openshift.io/v1 types with sccScheme so that
// sccCodecs can decode SecurityContextConstraints manifests. A registration
// failure is a programming error in this package, hence the panic.
func init() {
	err := sccv1.AddToScheme(sccScheme)
	if err != nil {
		panic(err)
	}
}
// sccApplier applies one embedded SecurityContextConstraints manifest at a
// time: Read decodes it into scc, Handle creates or updates it through Client.
// applySCCs reuses a single instance across assets, so scc is overwritten by
// each Read.
type sccApplier struct {
	// Client is the typed security.openshift.io/v1 client used by Handle.
	Client *sccclientv1.SecurityV1Client
	// scc is the most recently decoded manifest; nil until Read has run.
	scc *sccv1.SecurityContextConstraints
}
// sccClient builds a SecurityV1 client from the kubeconfig at kubeconfigPath,
// tagging its requests with the "scc-agent" user agent. Failure to load the
// kubeconfig or to construct the client panics, matching the rest of this
// file, so callers never see a nil client.
func sccClient(kubeconfigPath string) *sccclientv1.SecurityV1Client {
	cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)
	if err != nil {
		panic(err)
	}
	cfg = rest.AddUserAgent(cfg, "scc-agent")
	// NewForConfigOrDie is just NewForConfig followed by panic on error;
	// spelled out here so the failure point is visible.
	client, err := sccclientv1.NewForConfig(cfg)
	if err != nil {
		panic(err)
	}
	return client
}
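// Read decodes objBytes into the SecurityContextConstraints this applier will
// reconcile, first passing the bytes through render (if non-nil) with params.
// Decoding is restricted to the security.openshift.io/v1 scheme registered in
// init. Any failure panics, consistent with the rest of this file: the bytes
// come from the embedded asset bundle (see applySCCs), so a manifest that does
// not render or decode is a defect in the shipped assets, not a runtime
// condition to recover from.
func (s *sccApplier) Read(objBytes []byte, render RenderFunc, params RenderParams) {
	if render != nil {
		rendered, err := render(objBytes, params)
		if err != nil {
			panic(err)
		}
		objBytes = rendered
	}
	obj, err := runtime.Decode(sccCodecs.UniversalDecoder(sccv1.SchemeGroupVersion), objBytes)
	if err != nil {
		panic(err)
	}
	// Checked assertion: an asset of some other kind in this group/version
	// would otherwise die with an opaque interface-conversion panic that does
	// not say what was actually decoded.
	scc, ok := obj.(*sccv1.SecurityContextConstraints)
	if !ok {
		panic(fmt.Errorf("expected *SecurityContextConstraints, got %T", obj))
	}
	s.scc = scc
}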
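// Handle creates the SCC loaded by Read if it does not exist on the cluster;
// otherwise it reconciles ONLY the existing object's ObjectMeta against the
// asset (via resourcemerge.EnsureObjectMeta) and issues an Update when that
// changed something. It returns an error if Read has not been called, or
// whatever the API server returned.
//
// Adapted from the cluster-version-operator. Be aware of what this does not
// do: the SCC's top-level policy fields (e.g. allowPrivilegedContainer, users,
// groups) are never compared with the embedded asset, so drift in those
// fields on an existing SCC is left as found and is not detected here.
// Presumably this is deliberate, because blindly overwriting them would also
// clobber administrator-managed additions such as users/groups granted on the
// cluster; do not change it to a full overwrite without deciding how such
// additions are preserved.
func (s *sccApplier) Handle(ctx context.Context) error {
	if s.scc == nil {
		return fmt.Errorf("no SecurityContextConstraints loaded; Read must be called first")
	}
	client := s.Client.SecurityContextConstraints()
	existing, err := client.Get(ctx, s.scc.Name, metav1.GetOptions{})
	if apierrors.IsNotFound(err) {
		_, err = client.Create(ctx, s.scc, metav1.CreateOptions{})
		return err
	}
	if err != nil {
		return err
	}
	var modified bool
	resourcemerge.EnsureObjectMeta(&modified, &existing.ObjectMeta, s.scc.ObjectMeta)
	if !modified {
		// Metadata already matches the asset; nothing to write.
		return nil
	}
	_, err = client.Update(ctx, existing, metav1.UpdateOptions{})
	return err
}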
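// applySCCs reads each embedded asset named in sccs, renders it with
// render/params when render is non-nil, and applies it through handler. It
// stops at the first failure and returns that error wrapped with the asset
// name, so a caller can tell which SCC did not apply and can still unwrap the
// underlying API error. The package-level lock (declared elsewhere in this
// package) is held for the whole run, serializing concurrent callers.
//
// handler.Read panics on an undecodable asset (see sccApplier.Read); the
// deferred Unlock still runs in that case.
func applySCCs(ctx context.Context, sccs []string, handler resourceHandler, render RenderFunc, params RenderParams) error {
	lock.Lock()
	defer lock.Unlock()
	for _, name := range sccs {
		klog.Infof("Applying scc api %s", name)
		objBytes, err := embedded.Asset(name)
		if err != nil {
			return fmt.Errorf("error getting asset %s: %w", name, err)
		}
		handler.Read(objBytes, render, params)
		if err := handler.Handle(ctx); err != nil {
			klog.Warningf("Failed to apply scc api %s: %v", name, err)
			// Previously returned bare, which lost the asset name once the
			// error left this function.
			return fmt.Errorf("error applying scc api %s: %w", name, err)
		}
	}
	return nil
}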
// ApplySCCs applies the embedded SCC assets named in sccs to the cluster
// reachable through the kubeconfig at kubeconfigPath, rendering each with
// render/params first when render is non-nil. A kubeconfig that cannot be
// loaded panics (see sccClient); apply failures are returned as an error.
func ApplySCCs(ctx context.Context, sccs []string, render RenderFunc, params RenderParams, kubeconfigPath string) error {
	applier := &sccApplier{Client: sccClient(kubeconfigPath)}
	return applySCCs(ctx, sccs, applier, render, params)
}