Merge pull request #1121 from stashed/baseline-psp

tamalsaha · web-flow · commit 30a490a60320 · 2020-06-01T12:16:14.000-07:00
Co-authored-by: Tamal Saha &lt;tamal@appscode.com&gt;
diff --git a/pkg/cmds/server/options.go b/pkg/cmds/server/options.go
@@ -17,7 +17,6 @@ limitations under the License.
 package server
 
 import (
-	"flag"
 	"fmt"
 	"time"
 
@@ -46,6 +45,9 @@ type ExtraOptions struct {
 	ResyncPeriod            time.Duration
 	EnableValidatingWebhook bool
 	EnableMutatingWebhook   bool
+	CronJobPSPNames         []string
+	BackupJobPSPNames       []string
+	RestoreJobPSPNames      []string
 }
 
 func NewExtraOptions() *ExtraOptions {
@@ -61,7 +63,7 @@ func NewExtraOptions() *ExtraOptions {
 	}
 }
 
-func (s *ExtraOptions) AddGoFlags(fs *flag.FlagSet) {
+func (s *ExtraOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.ScratchDir, "scratch-dir", s.ScratchDir, "Directory used to store temporary files. Use an `emptyDir` in Kubernetes.")
 	fs.StringVar(&s.StashImageTag, "image-tag", s.StashImageTag, "Image tag for sidecar, init-container, check-job and recovery-job")
 	fs.StringVar(&s.DockerRegistry, "docker-registry", s.DockerRegistry, "Docker image registry for sidecar, init-container, check-job, recovery-job and kubectl-job")
@@ -72,12 +74,10 @@ func (s *ExtraOptions) AddGoFlags(fs *flag.FlagSet) {
 
 	fs.BoolVar(&s.EnableMutatingWebhook, "enable-mutating-webhook", s.EnableMutatingWebhook, "If true, enables mutating webhooks for KubeDB CRDs.")
 	fs.BoolVar(&s.EnableValidatingWebhook, "enable-validating-webhook", s.EnableValidatingWebhook, "If true, enables validating webhooks for KubeDB CRDs.")
-}
 
-func (s *ExtraOptions) AddFlags(fs *pflag.FlagSet) {
-	pfs := flag.NewFlagSet("stash", flag.ExitOnError)
-	s.AddGoFlags(pfs)
-	fs.AddGoFlagSet(pfs)
+	fs.StringSliceVar(&s.CronJobPSPNames, "cron-job-psp", s.CronJobPSPNames, "Name of the PSPs for backup triggering CronJob. Use comma to separate multiple PSP names.")
+	fs.StringSliceVar(&s.BackupJobPSPNames, "backup-job-psp", s.BackupJobPSPNames, "Name of the PSPs for backup job. Use comma to separate multiple PSP names.")
+	fs.StringSliceVar(&s.RestoreJobPSPNames, "restore-job-psp", s.RestoreJobPSPNames, "Name of the PSPs for restore job. Use comma to separate multiple PSP names.")
 }
 
 func (s *ExtraOptions) ApplyTo(cfg *controller.Config) error {
@@ -93,6 +93,10 @@ func (s *ExtraOptions) ApplyTo(cfg *controller.Config) error {
 	cfg.EnableMutatingWebhook = s.EnableMutatingWebhook
 	cfg.EnableValidatingWebhook = s.EnableValidatingWebhook
 
+	cfg.CronJobPSPNames = s.CronJobPSPNames
+	cfg.BackupJobPSPNames = s.BackupJobPSPNames
+	cfg.RestoreJobPSPNames = s.RestoreJobPSPNames
+
 	if cfg.KubeClient, err = kubernetes.NewForConfig(cfg.ClientConfig); err != nil {
 		return err
 	}
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -52,6 +52,9 @@ type config struct {
 	ResyncPeriod            time.Duration
 	EnableValidatingWebhook bool
 	EnableMutatingWebhook   bool
+	CronJobPSPNames         []string
+	BackupJobPSPNames       []string
+	RestoreJobPSPNames      []string
 }
 
 type Config struct {
diff --git a/pkg/controller/psp.go b/pkg/controller/psp.go
@@ -24,21 +24,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const (
-	DefaultBackupSessionCronJobPSPName = "stash-backupsession-cron"
-	DefaultBackupJobPSPName            = "stash-backup-job"
-	DefaultRestoreJobPSPName           = "stash-restore-job"
-)
-
 func (c *StashController) getBackupSessionCronJobPSPNames() []string {
 	// BackupSession cron does not need any custom PSP. So, default minimum privileged
-	return []string{DefaultBackupSessionCronJobPSPName}
+	return c.CronJobPSPNames
 }
 
 func (c *StashController) getBackupJobPSPNames(taskRef api_v1beta1.TaskRef) ([]string, error) {
 	// if task field is empty then return default backup job psp
 	if taskRef.Name == "" {
-		return []string{DefaultBackupJobPSPName}, nil
+		return c.BackupJobPSPNames, nil
 	}
 
 	// find out task and then functions. finally, get psp names from the functions
@@ -63,13 +57,13 @@ func (c *StashController) getBackupJobPSPNames(taskRef api_v1beta1.TaskRef) ([]s
 	}
 
 	// if no PSP name is specified, then return default PSP for backup job
-	return []string{DefaultBackupJobPSPName}, nil
+	return c.BackupJobPSPNames, nil
 }
 
 func (c *StashController) getRestoreJobPSPNames(restoreSession *api_v1beta1.RestoreSession) ([]string, error) {
 	// if task field is empty then return default restore job psp
 	if restoreSession.Spec.Task.Name == "" {
-		return []string{DefaultRestoreJobPSPName}, nil
+		return c.RestoreJobPSPNames, nil
 	}
 
 	// find out task and then functions. finally, get psp names from the functions
@@ -94,5 +88,5 @@ func (c *StashController) getRestoreJobPSPNames(restoreSession *api_v1beta1.Rest
 	}
 
 	// if no PSP name is specified, then return default PSP for restore job
-	return []string{DefaultRestoreJobPSPName}, nil
+	return c.RestoreJobPSPNames, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,9 @@ type config struct {`
`52`	`52`	`ResyncPeriod time.Duration`
`53`	`53`	`EnableValidatingWebhook bool`
`54`	`54`	`EnableMutatingWebhook bool`
	`55`	`+ CronJobPSPNames []string`
	`56`	`+ BackupJobPSPNames []string`
	`57`	`+ RestoreJobPSPNames []string`
`55`	`58`	`}`
`56`	`59`
`57`	`60`	`type Config struct {`
Original file line number	Diff line number	Diff line change
`@@ -24,21 +24,15 @@ import (`
`24`	`24`	`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
`25`	`25`	`)`
`26`	`26`
`27`		`-const (`
`28`		`- DefaultBackupSessionCronJobPSPName = "stash-backupsession-cron"`
`29`		`- DefaultBackupJobPSPName = "stash-backup-job"`
`30`		`- DefaultRestoreJobPSPName = "stash-restore-job"`
`31`		`-)`
`32`		`-`
`33`	`27`	`func (c *StashController) getBackupSessionCronJobPSPNames() []string {`
`34`	`28`	`// BackupSession cron does not need any custom PSP. So, default minimum privileged`
`35`		`- return []string{DefaultBackupSessionCronJobPSPName}`
	`29`	`+ return c.CronJobPSPNames`
`36`	`30`	`}`
`37`	`31`
`38`	`32`	`func (c *StashController) getBackupJobPSPNames(taskRef api_v1beta1.TaskRef) ([]string, error) {`
`39`	`33`	`// if task field is empty then return default backup job psp`
`40`	`34`	`if taskRef.Name == "" {`
`41`		`- return []string{DefaultBackupJobPSPName}, nil`
	`35`	`+ return c.BackupJobPSPNames, nil`
`42`	`36`	`}`
`43`	`37`
`44`	`38`	`// find out task and then functions. finally, get psp names from the functions`
`@@ -63,13 +57,13 @@ func (c *StashController) getBackupJobPSPNames(taskRef api_v1beta1.TaskRef) ([]s`
`63`	`57`	`}`
`64`	`58`
`65`	`59`	`// if no PSP name is specified, then return default PSP for backup job`
`66`		`- return []string{DefaultBackupJobPSPName}, nil`
	`60`	`+ return c.BackupJobPSPNames, nil`
`67`	`61`	`}`
`68`	`62`
`69`	`63`	`func (c StashController) getRestoreJobPSPNames(restoreSession api_v1beta1.RestoreSession) ([]string, error) {`
`70`	`64`	`// if task field is empty then return default restore job psp`
`71`	`65`	`if restoreSession.Spec.Task.Name == "" {`
`72`		`- return []string{DefaultRestoreJobPSPName}, nil`
	`66`	`+ return c.RestoreJobPSPNames, nil`
`73`	`67`	`}`
`74`	`68`
`75`	`69`	`// find out task and then functions. finally, get psp names from the functions`
`@@ -94,5 +88,5 @@ func (c StashController) getRestoreJobPSPNames(restoreSession api_v1beta1.Rest`
`94`	`88`	`}`
`95`	`89`
`96`	`90`	`// if no PSP name is specified, then return default PSP for restore job`
`97`		`- return []string{DefaultRestoreJobPSPName}, nil`
	`91`	`+ return c.RestoreJobPSPNames, nil`
`98`	`92`	`}`