tigera · tmjd · Jul 13, 2020 · Jul 10, 2020 · Jul 10, 2020
diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -18,12 +18,20 @@ rules:
       - secrets
       - serviceaccounts
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - ""
     resources:
       - nodes
     verbs:
+      # Need to update node labels when migrating nodes.
+      - 'get'
+      - 'patch'
       - 'list'
       # We need this for Typha autoscaling
       - 'watch'
@@ -35,21 +43,27 @@ rules:
       - rolebindings
       - roles
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
+      - bind
+      - escalate
   - apiGroups:
       - apps
     resources:
       - deployments
       - daemonsets
       - statefulsets
     verbs:
-      - '*'
-  - apiGroups:
-      - apiextensions.k8s.io
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - apps
     resourceNames:
@@ -63,13 +77,24 @@ rules:
     resources:
       - '*'
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - delete
+      - watch
   - apiGroups:
       - scheduling.k8s.io
     resources:
       - priorityclasses
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - monitoring.coreos.com
     resources:
@@ -78,77 +103,134 @@ rules:
       - get
       - create
   - apiGroups:
-    - policy
+      - policy
     resources:
-    - poddisruptionbudgets
+      - poddisruptionbudgets
     verbs:
-    - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   # When running in OpenShift, we need to update networking config.
   - apiGroups:
       - config.openshift.io
     resources:
       - networks/status
     verbs:
-      - 'update'
-      - '*'
+      - get
+      - list
+      - update
   - apiGroups:
       - config.openshift.io
     resources:
       - networks
       - infrastructures
     verbs:
-      - 'get'
-      - '*'
+      - get
+      - list
+      - patch
+      - watch
   # On OpenShift, we need to modify SCCs.
   - apiGroups:
       - security.openshift.io
     resources:
       - securitycontextconstraints
     verbs:
-      - '*'
-    # Permissions below this point are required for TSEE only.
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
+  # For host network access.
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - hostnetwork
+    verbs:
+      - use
+      # Permissions below this point are required for TSEE only.
   - apiGroups:
       - apiregistration.k8s.io
     resources:
       - apiservices
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - "batch"
     resources:
       - jobs
       - cronjobs
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - projectcalico.org
     resources:
       - globalreporttypes
       - licensekeys
       - globalalerttemplates
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - elasticsearch.k8s.elastic.co
     resources:
       - elasticsearches
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - storage.k8s.io
     resources:
       - storageclasses
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - kibana.k8s.elastic.co
     resources:
       - kibanas
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
   - apiGroups:
       - admissionregistration.k8s.io
     resources:
       - validatingwebhookconfigurations
     verbs:
-      - '*'
+      - create
+      - get
+      - list
+      - update
+      - delete
+      - watch
diff --git a/pkg/controller/installation/core_controller.go b/pkg/controller/installation/core_controller.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"reflect"
 	"strings"
 	"time"
 
@@ -426,6 +427,16 @@ func (r *ReconcileInstallation) Reconcile(request reconcile.Request) (reconcile.
 
 	ctx := context.Background()
 
+	// Get the installation object if it exists so that we can save the original
+	// status before we merge/fill that object with other values.
+	instance := &operator.Installation{}
+	if err := r.client.Get(ctx, utils.DefaultInstanceKey, instance); err != nil && apierrors.IsNotFound(err) {
+		reqLogger.Info("Installation config not found")
+		r.status.OnCRNotFound()
+		return reconcile.Result{}, nil
+	}
+	status := instance.Status
+
 	// Query for the installation object.
 	instance, err := GetInstallation(ctx, r.client, r.autoDetectedProvider)
 	if err != nil {
@@ -456,6 +467,17 @@ func (r *ReconcileInstallation) Reconcile(request reconcile.Request) (reconcile.
 		return reconcile.Result{}, err
 	}
 
+	// A status is needed at this point for operator scorecard tests.
+	// status.variant is written later but for some tests the reconciliation
+	// does not get to that point.
+	if reflect.DeepEqual(status, operator.InstallationStatus{}) {
+		instance.Status = operator.InstallationStatus{}
+		if err = r.client.Status().Update(ctx, instance); err != nil {
+			r.SetDegraded("Failed to write default status", err, reqLogger)
+			return reconcile.Result{}, err
+		}
+	}
+
 	// The operator supports running in a "Calico only" mode so that it doesn't need to run TSEE specific controllers.
 	// If we are switching from this mode to one that enables TSEE, we need to restart the operator to enable the other controllers.
 	if !r.enterpriseCRDsExist && instance.Spec.Variant == operator.TigeraSecureEnterprise {

diff --git a/test/mainline_test.go b/test/mainline_test.go
@@ -17,6 +17,7 @@ package test
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"strings"
 	"time"
 
@@ -125,6 +126,38 @@ var _ = Describe("Mainline component function tests", func() {
 
 		It("Should install resources for a CRD", func() {
 			stopChan := installResourceCRD(c, mgr)
+
+			instance := &operator.Installation{
+				TypeMeta:   metav1.TypeMeta{Kind: "Installation", APIVersion: "operator.tigera.io/v1"},
+				ObjectMeta: metav1.ObjectMeta{Name: "default"},
+			}
+			By("Checking that the installation status is set correctly")
+			Eventually(func() error {
+				err := GetResource(c, instance)
+				if err != nil {
+					return err
+				}
+				if instance.Status.Variant != operator.Calico {
+					return fmt.Errorf("installation status not Calico yet")
+				}
+				return nil
+			}, 60*time.Second).Should(BeNil())
+
+			By("Checking that the installation status does not change")
+			Consistently(func() error {
+				err := GetResource(c, instance)
+				if err != nil {
+					return err
+				}
+				if reflect.DeepEqual(instance.Status, operator.InstallationStatus{}) {
+					return fmt.Errorf("installation status is empty")
+				}
+				if instance.Status.Variant != operator.Calico {
+					return fmt.Errorf("installation status was %v, expected: %v", instance.Status, operator.Calico)
+				}
+				return nil
+			}, 30*time.Second, 50*time.Millisecond).Should(BeNil())
+
 			defer close(stopChan)
 		})
 	})
@@ -236,6 +269,7 @@ func setupManager() (client.Client, manager.Manager) {
 	err = controller.AddToManager(mgr, options.AddOptions{
 		DetectedProvider:    operator.ProviderNone,
 		EnterpriseCRDExists: true,
+		AmazonCRDExists:     true,
 	})
 	Expect(err).NotTo(HaveOccurred())
 	return mgr.GetClient(), mgr