From 119c20587f169446481b27ce543766034f319f58 Mon Sep 17 00:00:00 2001
From: Peng Liu <pliu@redhat.com>
Date: Thu, 7 May 2020 22:39:49 -0400
Subject: [PATCH] Use privileged SCC to replace runlevel

---
 bindata/manifests/plugins/002-rbac.yaml       |  43 ++++++
 deploy/namespace.yaml                         |   1 -
 deploy/role.yaml                              |  16 +++
 ...operator.v4.5.0.clusterserviceversion.yaml |  25 ++--
 .../sriovnetworknodepolicy_controller.go      | 134 ++----------------
 5 files changed, 87 insertions(+), 132 deletions(-)

diff --git a/bindata/manifests/plugins/002-rbac.yaml b/bindata/manifests/plugins/002-rbac.yaml
index 7042254d6..f1b205b5e 100644
--- a/bindata/manifests/plugins/002-rbac.yaml
+++ b/bindata/manifests/plugins/002-rbac.yaml
@@ -10,3 +10,46 @@ kind: ServiceAccount
 metadata:
   name: sriov-device-plugin
   namespace: {{.Namespace}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: sriov-plugin
+  namespace: {{.Namespace}}
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: sriov-cni
+  namespace: {{.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sriov-plugin
+subjects:
+  - kind: ServiceAccount
+    name: sriov-cni
+    namespace: {{.Namespace}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: sriov-device-plugin
+  namespace: {{.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sriov-plugin
+subjects:
+  - kind: ServiceAccount
+    name: sriov-device-plugin
+    namespace: {{.Namespace}}
diff --git a/deploy/namespace.yaml b/deploy/namespace.yaml
index 88f50c716..372847857 100644
--- a/deploy/namespace.yaml
+++ b/deploy/namespace.yaml
@@ -4,4 +4,3 @@ metadata:
   name: $NAMESPACE
   labels:
     name: $NAMESPACE
-    openshift.io/run-level: "1"
diff --git a/deploy/role.yaml b/deploy/role.yaml
index 898761aae..79c29777a 100644
--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -40,6 +40,14 @@ rules:
   - deployments/finalizers
   verbs:
   - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - serviceaccounts
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -65,3 +73,11 @@ rules:
   - sriovnetworknodestates
   verbs:
   - '*'
+- apiGroups:
+    - security.openshift.io
+  resourceNames:
+    - privileged
+  resources:
+    - securitycontextconstraints
+  verbs:
+    - use
diff --git a/manifests/4.5/sriov-network-operator.v4.5.0.clusterserviceversion.yaml b/manifests/4.5/sriov-network-operator.v4.5.0.clusterserviceversion.yaml
index 271f03a32..04a8ac74c 100644
--- a/manifests/4.5/sriov-network-operator.v4.5.0.clusterserviceversion.yaml
+++ b/manifests/4.5/sriov-network-operator.v4.5.0.clusterserviceversion.yaml
@@ -105,14 +105,7 @@ spec:
       This operator has to run in namespace 'openshift-sriov-network-operator'. An Operator Group is also required to install this operator:
 
       ```
-      $ oc create -f - <<EOF
-      apiVersion: v1
-      kind: Namespace
-      metadata:
-        name: openshift-sriov-network-operator
-        labels:
-          openshift.io/run-level: "1"
-      EOF
+      $ oc create namespace openshift-sriov-network-operator
 
       $ oc create -f - <<EOF
       apiVersion: operators.coreos.com/v1
@@ -207,6 +200,14 @@ spec:
           - deployments/finalizers
           verbs:
           - update
+        - apiGroups:
+          - rbac.authorization.k8s.io
+          resources:
+          - serviceaccounts
+          - roles
+          - rolebindings
+          verbs:
+          - '*'
         serviceAccountName: sriov-network-operator
       - rules:
         - apiGroups:
@@ -228,6 +229,14 @@ spec:
           - sriovnetworknodestates
           verbs:
           - '*'
+        - apiGroups:
+          - security.openshift.io
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - use
+          resourceNames:
+          - privileged
         serviceAccountName: sriov-network-config-daemon
       deployments:
       - name: sriov-network-operator
diff --git a/pkg/controller/sriovnetworknodepolicy/sriovnetworknodepolicy_controller.go b/pkg/controller/sriovnetworknodepolicy/sriovnetworknodepolicy_controller.go
index a1833d791..c9056d7bb 100644
--- a/pkg/controller/sriovnetworknodepolicy/sriovnetworknodepolicy_controller.go
+++ b/pkg/controller/sriovnetworknodepolicy/sriovnetworknodepolicy_controller.go
@@ -14,7 +14,6 @@ import (
 	errs "github.com/pkg/errors"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	uns "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -31,6 +30,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	sriovnetworkv1 "github.com/openshift/sriov-network-operator/pkg/apis/sriovnetwork/v1"
+	"github.com/openshift/sriov-network-operator/pkg/apply"
 	"github.com/openshift/sriov-network-operator/pkg/controller/sriovoperatorconfig"
 	render "github.com/openshift/sriov-network-operator/pkg/render"
 )
@@ -428,22 +428,21 @@ func (r *ReconcileSriovNetworkNodePolicy) tryDeleteDsPods(namespace, name string
 }
 
 func (r *ReconcileSriovNetworkNodePolicy) syncDsObject(dp *sriovnetworkv1.SriovNetworkNodePolicy, pl *sriovnetworkv1.SriovNetworkNodePolicyList, obj *uns.Unstructured) error {
-	var err error
 	logger := log.WithName("syncDsObject")
-	logger.Info("Start to sync Objects")
-	scheme := kscheme.Scheme
-	switch kind := obj.GetKind(); kind {
-	case "ServiceAccount":
-		sa := &corev1.ServiceAccount{}
-		err = scheme.Convert(obj, sa, nil)
-		r.syncServiceAccount(dp, sa)
-		if err != nil {
-			logger.Error(err, "Fail to sync ServiceAccount")
+	kind := obj.GetKind()
+	logger.Info("Start to sync Objects", "Kind", kind)
+	switch kind {
+	case "ServiceAccount", "Role", "RoleBinding":
+		if err := controllerutil.SetControllerReference(dp, obj, r.scheme); err != nil {
+			return err
+		}
+		if err := apply.ApplyObject(context.TODO(), r.client, obj); err != nil {
+			logger.Error(err, "Fail to sync", "Kind", kind)
 			return err
 		}
 	case "DaemonSet":
 		ds := &appsv1.DaemonSet{}
-		err = scheme.Convert(obj, ds, nil)
+		err := kscheme.Scheme.Convert(obj, ds, nil)
 		r.syncDaemonSet(dp, pl, ds)
 		if err != nil {
 			logger.Error(err, "Fail to sync DaemonSet", "Namespace", ds.Namespace, "Name", ds.Name)
@@ -453,117 +452,6 @@ func (r *ReconcileSriovNetworkNodePolicy) syncDsObject(dp *sriovnetworkv1.SriovN
 	return nil
 }
 
-func (r *ReconcileSriovNetworkNodePolicy) syncService(cr *sriovnetworkv1.SriovNetworkNodePolicy, in *corev1.Service) error {
-	logger := log.WithName("syncService")
-	logger.Info("Start to sync service", "Name", in.Name, "Namespace", in.Namespace)
-
-	if err := controllerutil.SetControllerReference(cr, in, r.scheme); err != nil {
-		return err
-	}
-	s := &corev1.Service{}
-	err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: in.Namespace, Name: in.Name}, s)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			err = r.client.Create(context.TODO(), in)
-			if err != nil {
-				return fmt.Errorf("Couldn't create service: %v", err)
-			}
-			logger.Info("Create service for", in.Namespace, in.Name)
-		} else {
-			return fmt.Errorf("Fail to get service: %v", err)
-		}
-	} else {
-		logger.Info("Service already exists, updating")
-		err = r.client.Update(context.TODO(), in)
-		if err != nil {
-			return fmt.Errorf("Couldn't update service: %v", err)
-		}
-	}
-	return nil
-}
-
-func (r *ReconcileSriovNetworkNodePolicy) syncClusterRole(cr *sriovnetworkv1.SriovNetworkNodePolicy, in *rbacv1.ClusterRole) error {
-	logger := log.WithName("syncClusterRole")
-	logger.Info("Start to sync cluster role", "Name", in.Name, "Namespace", in.Namespace)
-
-	if err := controllerutil.SetControllerReference(cr, in, r.scheme); err != nil {
-		return err
-	}
-	clusterRole := &rbacv1.ClusterRole{}
-	err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: in.Namespace, Name: in.Name}, clusterRole)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			err = r.client.Create(context.TODO(), in)
-			if err != nil {
-				return fmt.Errorf("Couldn't create cluster role: %v", err)
-			}
-			logger.Info("Create cluster role for", in.Namespace, in.Name)
-		} else {
-			return fmt.Errorf("Fail to get cluster role: %v", err)
-		}
-	} else {
-		logger.Info("Cluster role already exists, updating")
-		err = r.client.Update(context.TODO(), in)
-		if err != nil {
-			return fmt.Errorf("Couldn't update cluster role: %v", err)
-		}
-	}
-	return nil
-}
-
-func (r *ReconcileSriovNetworkNodePolicy) syncClusterRoleBinding(cr *sriovnetworkv1.SriovNetworkNodePolicy, in *rbacv1.ClusterRoleBinding) error {
-	logger := log.WithName("syncClusterRoleBinding")
-	logger.Info("Start to sync cluster role binding", "Name", in.Name, "Namespace", in.Namespace)
-
-	if err := controllerutil.SetControllerReference(cr, in, r.scheme); err != nil {
-		return err
-	}
-	clusterRoleBinding := &rbacv1.ClusterRoleBinding{}
-	err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: in.Namespace, Name: in.Name}, clusterRoleBinding)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			err = r.client.Create(context.TODO(), in)
-			if err != nil {
-				return fmt.Errorf("Couldn't create cluster role binding: %v", err)
-			}
-			logger.Info("Create cluster role binding for", in.Namespace, in.Name)
-		} else {
-			return fmt.Errorf("Fail to get cluster role binding: %v", err)
-		}
-	} else {
-		logger.Info("Cluster role binding already exists, updating")
-		err = r.client.Update(context.TODO(), in)
-		if err != nil {
-			return fmt.Errorf("Couldn't update cluster role binding: %v", err)
-		}
-	}
-	return nil
-}
-
-func (r *ReconcileSriovNetworkNodePolicy) syncServiceAccount(cr *sriovnetworkv1.SriovNetworkNodePolicy, in *corev1.ServiceAccount) error {
-	logger := log.WithName("syncServiceAccount")
-	logger.Info("Start to sync ServiceAccount", "Name", in.Name, "Namespace", in.Namespace)
-
-	if err := controllerutil.SetControllerReference(cr, in, r.scheme); err != nil {
-		return err
-	}
-	sa := &corev1.ServiceAccount{}
-	err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: in.Namespace, Name: in.Name}, sa)
-	if err != nil {
-		if errors.IsNotFound(err) {
-			err = r.client.Create(context.TODO(), in)
-			if err != nil {
-				return fmt.Errorf("Couldn't create ServiceAccount: %v", err)
-			}
-			logger.Info("Create ServiceAccount for", in.Namespace, in.Name)
-		} else {
-			return fmt.Errorf("Fail to get ServiceAccount: %v", err)
-		}
-	}
-	// No neet to update SA
-	return nil
-}
-
 func (r *ReconcileSriovNetworkNodePolicy) syncDaemonSet(cr *sriovnetworkv1.SriovNetworkNodePolicy, pl *sriovnetworkv1.SriovNetworkNodePolicyList, in *appsv1.DaemonSet) error {
 	logger := log.WithName("syncDaemonSet")
 	logger.Info("Start to sync DaemonSet", "Namespace", in.Namespace, "Name", in.Name)