
export default SecurityContextConstraints in OCP clusters
This commit exports SecurityContextConstraints to let the user deploy
the ceph-csi-operator in OCP clusters.

Signed-off-by: Divyansh Kamboj <[email protected]>
weirdwiz committed Aug 1, 2024
1 parent e6494a0 commit 3657a34
Showing 78 changed files with 32,005 additions and 2 deletions.
12 changes: 10 additions & 2 deletions api/go.mod
@@ -1,24 +1,32 @@
module github.com/ceph/ceph-csi-operator/api
module github.com/weirdwiz/ceph-csi-operator/api

go 1.22.5
go 1.22.0

toolchain go1.22.5

require (
github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce
github.com/stretchr/testify v1.8.4
k8s.io/api v0.30.3
k8s.io/apimachinery v0.30.3
sigs.k8s.io/controller-runtime v0.18.4
sigs.k8s.io/yaml v1.3.0
)

require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/text v0.14.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
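Review bot: The module path appears to change from `github.com/ceph/ceph-csi-operator/api` to `github.com/weirdwiz/ceph-csi-operator/api` (old and new lines are printed in sequence on this page, so which one is the new side is inferred from print order and should be confirmed). If the fork path is the new line, every importer of the upstream module path and any `replace` directive in the main module will break, and the change reads as a leftover from local development rather than part of exporting the SCC; the line should stay `module github.com/ceph/ceph-csi-operator/api`. The `go 1.22.0` / `toolchain go1.22.5` pair is the form `go mod tidy` writes and is fine as is.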
2 changes: 2 additions & 0 deletions api/go.sum
Expand Up @@ -32,6 +32,8 @@ github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8
github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce h1:AR9XMlwc7akIN13KDx4L0tI04zHf8jEZ1z1RMRbz1J0=
github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce/go.mod h1:OOh6Qopf21pSzqNVCB5gomomBXb8o5sGKZxG2KNpaXM=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
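--- a/api/ocp/scc.go
+++ b/api/ocp/scc.go
@@ -0,0 +1,37 @@
+package ocp
+
+import (
+"bytes"
+_ "embed"
+"fmt"
+"text/template"
+
+secv1 "github.com/openshift/api/security/v1"
+"sigs.k8s.io/yaml"
+)
+
+//go:embed scc.yaml
+var sccYAMLTemplate string
+
+// NewSecurityContextConstraints loads the embedded SCC YAML template, replaces the namespace,
+// and returns it as a SecurityContextConstraints object
+func NewSecurityContextConstraints(name string, namespace string) (*secv1.SecurityContextConstraints, error) {
+tmpl, err := template.New("scc").Parse(sccYAMLTemplate)
+if err != nil {
+return nil, fmt.Errorf("error parsing template: %v", err)
+}
+
+var buf bytes.Buffer
+err = tmpl.Execute(&buf, map[string]string{"Name": name, "Namespace": namespace})
+if err != nil {
+return nil, fmt.Errorf("error executing template: %v", err)
+}
+
+scc := &secv1.SecurityContextConstraints{}
+err = yaml.UnmarshalStrict(buf.Bytes(), scc)
+if err != nil {
+return nil, fmt.Errorf("error unmarshaling YAML: %v", err)
+}
+
+return scc, nil
+}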
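Review bot: `name` and `namespace` are substituted into the YAML text by text/template with no validation, so a value containing a newline, `:` or `#` changes the structure of the document rather than just the field value; `yaml.UnmarshalStrict` rejects unknown fields but will not catch every such outcome. Validate both before executing the template — `validation.IsDNS1123Subdomain` for the name and `validation.IsDNS1123Label` for the namespace, from `k8s.io/apimachinery/pkg/util/validation` (apimachinery is already a dependency; the package would need to be vendored if the vendor tree is used) — or drop the template entirely and set `scc.Name` and the `Users` entries on the struct in Go, which removes the text-injection surface. The three `fmt.Errorf` calls use `%v`, which hides the cause from `errors.Is`/`errors.As`; `%w` keeps it, and the "error" prefix is redundant once the error is chained. Parsing the template on every call is also unnecessary; a package-level `var sccTemplate = template.Must(template.New("scc").Parse(sccYAMLTemplate))` does it once.
```go
func NewSecurityContextConstraints(name string, namespace string) (*secv1.SecurityContextConstraints, error) {
	if errs := validation.IsDNS1123Subdomain(name); len(errs) > 0 {
		return nil, fmt.Errorf("invalid scc name %q: %s", name, strings.Join(errs, "; "))
	}
	if errs := validation.IsDNS1123Label(namespace); len(errs) > 0 {
		return nil, fmt.Errorf("invalid namespace %q: %s", namespace, strings.Join(errs, "; "))
	}
	tmpl, err := template.New("scc").Parse(sccYAMLTemplate)
	if err != nil {
		return nil, fmt.Errorf("parsing scc template: %w", err)
	}
	// … unchanged: template execution and UnmarshalStrict, with %w in place of %v …
```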
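--- a/api/ocp/scc.yaml
+++ b/api/ocp/scc.yaml
@@ -0,0 +1,37 @@
+kind: SecurityContextConstraints
+metadata:
+name: {{ .Name }}
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: false
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- SYS_ADMIN
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: []
+fsGroup:
+type: RunAsAny
+priority:
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+type: RunAsAny
+seLinuxContext:
+type: RunAsAny
+supplementalGroups:
+type: RunAsAny
+users:
+- system:serviceaccount:{{.Namespace}}:csi-rbd-ctrlplugin-sa
+- system:serviceaccount:{{.Namespace}}:csi-cephfs-ctrlplugin-sa
+- system:serviceaccount:{{.Namespace}}:csi-nfs-ctrlplugin-sa
+- system:serviceaccount:{{.Namespace}}:csi-rbd-nodeplugin-sa
+- system:serviceaccount:{{.Namespace}}:csi-cephfs-nodeplugin-sa
+- system:serviceaccount:{{.Namespace}}:csi-nfs-nodeplugin-sa
+volumes:
+- configMap
+- emptyDir
+- hostPath
+- projected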
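Review bot: The SCC grants `allowPrivilegedContainer: true`, `allowHostPID: true`, `allowHostIPC: true`, `allowHostPorts: true`, `allowHostDirVolumePlugin: true` and `SYS_ADMIN` to all six service accounts, including the three `*-ctrlplugin-sa` accounts; whether the controller plugins need node-level privileges cannot be determined from this page, and if they do not, a second, tighter SCC for them would keep the privileged grant to the node plugins only. The file has no comments explaining why each host-level permission is required, so future reviewers cannot tell which `allow*` lines are load-bearing; a line such as `# allowHostPID/allowHostIPC/allowPrivilegedContainer/SYS_ADMIN: required by <component> for <reason>; review before widening` above the `allow*` block would record that. `priority:` is left without a value, which appears to produce a null priority; an explicit number or a comment stating that null is intended would remove the ambiguity.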
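--- a/api/ocp/scc_test.go
+++ b/api/ocp/scc_test.go
@@ -0,0 +1,26 @@
+package ocp
+
+import (
+"strings"
+"testing"
+
+"github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
+)
+
+func TestNewSecurityContextConstraints(t *testing.T) {
+testNamespace := "test-namespace"
+testName := "test"
+scc, err := NewSecurityContextConstraints(testName, testNamespace)
+require.NoError(t, err, "NewSecurityContextConstraints should not return an error")
+assert.NotNil(t, scc, "SCC should not be nil")
+
+assert.Equal(t, scc.Name, testName)
+assert.NotEmpty(t, scc.Users, "Users should not be empty")
+for _, user := range scc.Users {
+assert.True(t, strings.Contains(user, testNamespace),
+"Each user should contain the specified namespace")
+assert.False(t, strings.Contains(user, "{{.Namespace}}"),
+"Template placeholders should be replaced")
+}
+}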
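Review bot: The test pins only `Name` and the `Users` substitution; none of the security-relevant fields of the parsed SCC (`AllowPrivilegedContainer`, `AllowHostPID`, `AllowHostIPC`, `AllowHostNetwork`, `AllowedCapabilities`, `RequiredDropCapabilities`, `Volumes`) are asserted, so an edit to the embedded template that widens or breaks the grant would still pass. Assertions such as `assert.False(t, scc.AllowHostNetwork)` and `assert.True(t, scc.AllowPrivilegedContainer)` alongside checks on the capability and volume lists would make the test guard the actual policy. `assert.Equal(t, scc.Name, testName)` passes actual before expected; testify's order is `(t, expected, actual)`, so failure output would be swapped — `assert.Equal(t, testName, scc.Name)`. A case with an empty or malformed namespace would also document what the function is expected to do with such input, and `assert.Contains(t, user, testNamespace)` reads more directly than the `strings.Contains` wrapper.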
15 changes: 15 additions & 0 deletions api/vendor/github.com/davecgh/go-spew/LICENSE


145 changes: 145 additions & 0 deletions api/vendor/github.com/davecgh/go-spew/spew/bypass.go


38 changes: 38 additions & 0 deletions api/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go


