From 1ad3011c42f007991528ed2bee73a8240aea9d9a Mon Sep 17 00:00:00 2001
From: Krzysztof Ostrowski
Date: Mon, 8 Apr 2024 18:15:34 +0200
Subject: [PATCH 1/2] controllers: add psa labels to ns

---
 controllers/gitopsservice_controller.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/controllers/gitopsservice_controller.go b/controllers/gitopsservice_controller.go
index 2794b8b41..03bc17a8c 100644
--- a/controllers/gitopsservice_controller.go
+++ b/controllers/gitopsservice_controller.go
@@ -216,7 +216,7 @@ func (r *ReconcileGitopsService) Reconcile(ctx context.Context, request reconcil
 	}
 
 	// Create namespace if it doesn't already exist
-	namespaceRef := newNamespace(namespace)
+	namespaceRef := newRestrictedNamespace(namespace)
 	err = r.Client.Get(ctx, types.NamespacedName{Name: namespace}, &corev1.Namespace{})
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -299,7 +299,7 @@ func (r *ReconcileGitopsService) ensureDefaultArgoCDInstanceDoesntExist(instance
 		return err
 	}
 
-	argocdNS := newNamespace(defaultArgoCDInstance.Namespace)
+	argocdNS := newRestrictedNamespace(defaultArgoCDInstance.Namespace)
 
 	err = r.Client.Get(context.TODO(), types.NamespacedName{Name: argocdNS.Name}, &corev1.Namespace{})
 	if err != nil {
@@ -338,7 +338,7 @@ func (r *ReconcileGitopsService) reconcileDefaultArgoCDInstance(instance *pipeli
 	// The operator decides the namespace based on the version of the cluster it is installed in
 	// 4.6 Cluster: Backend in openshift-pipelines-app-delivery namespace and argocd in openshift-gitops namespace
 	// 4.7 Cluster: Both backend and argocd instance in openshift-gitops namespace
-	argocdNS := newNamespace(defaultArgoCDInstance.Namespace)
+	argocdNS := newRestrictedNamespace(defaultArgoCDInstance.Namespace)
 	err = r.Client.Get(context.TODO(), types.NamespacedName{Name: argocdNS.Name}, &corev1.Namespace{})
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -810,7 +810,7 @@ func newBackendService(ns types.NamespacedName) *corev1.Service {
 	return svc
 }
 
-func newNamespace(ns string) *corev1.Namespace {
+func newRestrictedNamespace(ns string) *corev1.Namespace {
 	objectMeta := metav1.ObjectMeta{
 		Name: ns,
 		Labels: map[string]string{
@@ -818,6 +818,18 @@ func newNamespace(ns string) *corev1.Namespace {
 			"openshift.io/cluster-monitoring": "true",
 		},
 	}
+
+	if strings.HasPrefix(ns, "openshift-") {
+		// Set pod security policy, which is required for namespaces pre-fixed with openshift
+		// as the pod security label syncer doesn't set them on OCP namespaces.
+		objectMeta.Labels["pod-security.kubernetes.io/enforce"] = "restricted"
+		objectMeta.Labels["pod-security.kubernetes.io/enforce-version"] = "v1.29"
+		objectMeta.Labels["pod-security.kubernetes.io/audit"] = "restricted"
+		objectMeta.Labels["pod-security.kubernetes.io/audit-version"] = "latest"
+		objectMeta.Labels["pod-security.kubernetes.io/warn"] = "restricted"
+		objectMeta.Labels["pod-security.kubernetes.io/warn-version"] = "latest"
+	}
+
 	return &corev1.Namespace{
 		ObjectMeta: objectMeta,
 	}

From de49bcfbd9ce07fe32b3e239acd3795152a57013 Mon Sep 17 00:00:00 2001
From: Krzysztof Ostrowski
Date: Mon, 29 Apr 2024 18:59:31 +0200
Subject: [PATCH 2/2] controllers: add SCC pinning to Pods

It is recommended to pin the SCC required for the Pods. It can occur that a customer specifies a SCC that has a higher priority than required-v2, which could lead to failing workloads in the namespace.

---
 controllers/gitopsservice_controller.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/controllers/gitopsservice_controller.go b/controllers/gitopsservice_controller.go
index 03bc17a8c..032d6bd1c 100644
--- a/controllers/gitopsservice_controller.go
+++ b/controllers/gitopsservice_controller.go
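Review bot: The Pod Security Admission labels added in newRestrictedNamespace only reach the cluster when the namespace is created: every caller changed in this patch (the hunks at -216, -299 and -338) does a Get first and, as far as is visible, only creates on IsNotFound, so a namespace that already exists when the operator is upgraded apparently never receives the enforce/audit/warn labels — either document that as intended or have the reconcile patch the labels onto an existing namespace as well. The new comment says "pod security policy", but these are Pod Security Admission labels (PodSecurityPolicy is a different, removed API); suggested wording: `// Set Pod Security Admission labels, required for namespaces prefixed with "openshift-" because the PSA label syncer does not label OCP namespaces.`. Pinning `enforce-version` to `"v1.29"` while `audit-version` and `warn-version` use `"latest"` is a deliberate-looking asymmetry that deserves a one-line comment, since the enforced checks stay frozen at that profile while audit/warn track newer ones. The `strings.HasPrefix` call needs `strings` in scope and the diffstat shows no import change, so confirm the file already imports it.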
@@ -761,6 +761,10 @@ func newBackendDeployment(ns types.NamespacedName) *appsv1.Deployment {
 			ObjectMeta: metav1.ObjectMeta{
 				Labels: map[string]string{
 					"app.kubernetes.io/name": ns.Name,
+
+					// restricted-v2 pinning is recommended for openshift workloads
+					// This SCC mutates the Pod Spec to pass PSA's restricted policy.
+					"openshift.io/required-scc": "restricted-v2",
 				},
 			},
 			Spec: podSpec,
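Review bot: Pinning `openshift.io/required-scc` makes the backend pod rely on SCC admission mutating it into PSA-restricted shape, but the template's own securityContext is what is evaluated wherever that mutation is absent (a non-OpenShift cluster, or envtest-based tests) against the `enforce: restricted` label the previous patch adds; podSpec is built outside this hunk, so if it does not already set runAsNonRoot, allowPrivilegeEscalation false, drop ALL capabilities and a RuntimeDefault seccompProfile, consider setting them explicitly so the pod passes `restricted` on its own. A changed pod-template label also triggers a rollout of the backend Deployment on upgrade, which is fine but worth stating in the commit message, whose "required-v2" presumably means restricted-v2. The comment could be tightened to `// Pin restricted-v2 so a custom SCC with higher priority is not selected; SCC admission mutates the Pod spec into PSA "restricted" shape.`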