From 854062111cf4b91a40649a2e2647c88c0a68b0db Mon Sep 17 00:00:00 2001
From: Dom Delnano <ddelnano@gmail.com>
Date: Mon, 25 Nov 2024 11:18:30 -0800
Subject: [PATCH] Update cli to detect OpenShift and provide notice to install
 SCC (#2048)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Summary: Update cli to detect OpenShift and provide notice to install
SCC

This updates `px deploy` to detect OpenShift clusters. In addition, it
also prompts a user that they need to install a
SecurityContextConstraint before continuing with the deployment. Note:
the existing SCC instructions no longer work. I've raised
https://github.com/pixie-io/docs.px.dev/pull/291 and verified that a
pixie deploy works properly with the updated instructions.

Relevant Issues: N/A

Type of change: /kind feature

Test Plan: Verified the following with a locally built `px` cli
- [x] deploy command prints appropriate message when KUBECONFIG set to
OpenShift cluster
```
$ oc status
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
In project default on server https://api.test-openshift.testing.getcosmic.ai:6443

svc/openshift - kubernetes.default.svc.cluster.local
svc/kubernetes - 172.30.0.1:443 -> 6443

View details with 'oc describe <resource>/<name>' or list resources with 'oc get all'.

$ ./px deploy
Pixie CLI

Running Cluster Checks:
 ✔    Kernel version > 4.14.0
 ✔    Cluster type is supported
 ✔    K8s version > 1.16.0
 ✔    Kubectl > 1.10.0 is present
 ✔    User can create namespace
 ✕    Cluster type is in list of known supported types  ERR: openshift cluster detected. Please note that a Security Context Constraint (SCC) is required to run Pixie. Install a SCC in the namespace designated for
 ✕    Cluster type is in list of known supported types  ERR: openshift cluster detected. Please note that a Security Context Constraint (SCC) is required to run Pixie. Install a SCC in the namespace designated for the Pixie install before continuing. See example on https://docs.px.dev/reference/admin/environment-configs/
Some cluster checks failed. Pixie may not work properly on your cluster. Continue with deploy? (y/n) [y] : ^C
```
- Verified that `oc status` returns with a non-zero exit status if
KUBECONFIG points to a different k8s cluster
```
$ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE   VERSION
gke-dev-cluster-ddelnano-default-pool-a27c1ac2-fh3l   Ready    <none>   26d   v1.30.5-gke.1014001
gke-dev-cluster-ddelnano-default-pool-a27c1ac2-qbqs   Ready    <none>   13d   v1.30.5-gke.1014001

$ oc status; echo $?
error: you do not have rights to view project "default" specified in your config or the project doesn't exist
1
```

Changelog Message: Enhanced the `px` cli to detect OpenShift clusters
and prompt to install the appropriate SecurityContextConstraints before
proceeding with a deploy

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
---
 src/pixie_cli/pkg/utils/checks.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/pixie_cli/pkg/utils/checks.go b/src/pixie_cli/pkg/utils/checks.go
index f36d84ec1f7..cfaabed19de 100644
--- a/src/pixie_cli/pkg/utils/checks.go
+++ b/src/pixie_cli/pkg/utils/checks.go
@@ -65,6 +65,8 @@ const (
 	ClusterTypeK0s
 	// ClusterTypeK3s is a k3s cluster.
 	ClusterTypeK3s
+	// ClusterTypeOpenShift is an OpenShift cluster.
+	ClusterTypeOpenShift
 )
 
 var allowedClusterTypes = []ClusterType{
@@ -75,6 +77,8 @@ var allowedClusterTypes = []ClusterType{
 	ClusterTypeMinikubeHyperkit,
 	ClusterTypeK0s,
 	ClusterTypeK3s,
+	// ClusterTypeOpenShift is omitted because it requires an additional setup (SecurityContextConstraints install).
+	// This prompts the user to install the SCC instead of blindly failing.
 }
 
 // detectClusterType gets the cluster type of the cluster for the current kube config context.
@@ -153,6 +157,12 @@ func detectClusterType() ClusterType {
 		}
 	}
 
+	// Check if it is an OpenShift cluster
+	err = exec.Command("/bin/sh", "-c", "oc status").Run()
+	if err == nil {
+		return ClusterTypeOpenShift
+	}
+
 	return ClusterTypeUnknown
 }
 
@@ -258,6 +268,10 @@ var (
 			}
 		}
 
+		if clusterType == ClusterTypeOpenShift {
+			return errors.New("openshift cluster detected. Please note that a Security Context Constraint (SCC) is required to run Pixie. Install a SCC in the namespace designated for the Pixie install before continuing. See example on https://docs.px.dev/reference/admin/environment-configs/")
+		}
+
 		return errors.New("Cluster type is not in list of known supported cluster types. Please see: https://docs.px.dev/installing-pixie/requirements/")
 	})
 )