ceph
diff --git a/‎api/go.mod
Lines changed: 9 additions & 1 deletion b/‎api/go.mod
Lines changed: 9 additions & 1 deletion
diff --git a/‎api/go.sum
Lines changed: 2 additions & 0 deletions b/‎api/go.sum
Lines changed: 2 additions & 0 deletions
diff --git a/‎api/ocp/scc.go
Lines changed: 37 additions & 0 deletions b/‎api/ocp/scc.go
Lines changed: 37 additions & 0 deletions
diff --git a/‎api/ocp/scc.yaml
Lines changed: 37 additions & 0 deletions b/‎api/ocp/scc.yaml
Lines changed: 37 additions & 0 deletions
diff --git a/‎api/ocp/scc_test.go
Lines changed: 26 additions & 0 deletions b/‎api/ocp/scc_test.go
Lines changed: 26 additions & 0 deletions
diff --git a/‎api/vendor/github.com/davecgh/go-spew/LICENSE
Lines changed: 15 additions & 0 deletions b/‎api/vendor/github.com/davecgh/go-spew/LICENSE
Lines changed: 15 additions & 0 deletions
diff --git a/‎api/vendor/github.com/davecgh/go-spew/spew/bypass.go
Lines changed: 145 additions & 0 deletions b/‎api/vendor/github.com/davecgh/go-spew/spew/bypass.go
Lines changed: 145 additions & 0 deletions
diff --git a/‎api/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go
Lines changed: 38 additions & 0 deletions b/‎api/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go
Lines changed: 38 additions & 0 deletions
@@ -1,24 +1,32 @@
 module github.com/ceph/ceph-csi-operator/api
 
-go 1.22.5
+go 1.22.0
+
+toolchain go1.22.5
 
 require (
+	github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce
+	github.com/stretchr/testify v1.8.4
 	k8s.io/api v0.30.3
 	k8s.io/apimachinery v0.30.3
 	sigs.k8s.io/controller-runtime v0.18.4
+	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 
@@ -32,6 +32,8 @@ github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8
 github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
 github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce h1:AR9XMlwc7akIN13KDx4L0tI04zHf8jEZ1z1RMRbz1J0=
+github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce/go.mod h1:OOh6Qopf21pSzqNVCB5gomomBXb8o5sGKZxG2KNpaXM=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 
@@ -0,0 +1,37 @@
+package ocp
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"text/template"
+
+	secv1 "github.com/openshift/api/security/v1"
+	"sigs.k8s.io/yaml"
+)
+
+//go:embed scc.yaml
+var sccYAMLTemplate string
+
+// NewSecurityContextConstraints loads the embedded SCC YAML template, replaces the namespace,
+// and returns it as a SecurityContextConstraints object
+func NewSecurityContextConstraints(name string, namespace string) (*secv1.SecurityContextConstraints, error) {
+	tmpl, err := template.New("scc").Parse(sccYAMLTemplate)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing template: %v", err)
+	}
+
+	var buf bytes.Buffer
+	err = tmpl.Execute(&buf, map[string]string{"Name": name, "Namespace": namespace})
+	if err != nil {
+		return nil, fmt.Errorf("error executing template: %v", err)
+	}
+
+	scc := &secv1.SecurityContextConstraints{}
+	err = yaml.UnmarshalStrict(buf.Bytes(), scc)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshaling YAML: %v", err)
+	}
+
+	return scc, nil
+}
@@ -0,0 +1,37 @@
+kind: SecurityContextConstraints
+metadata:
+  name: {{ .Name }}
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: false
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+  - SYS_ADMIN
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: []
+fsGroup:
+  type: RunAsAny
+priority:
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+  - system:serviceaccount:{{.Namespace}}:csi-rbd-ctrlplugin-sa
+  - system:serviceaccount:{{.Namespace}}:csi-cephfs-ctrlplugin-sa
+  - system:serviceaccount:{{.Namespace}}:csi-nfs-ctrlplugin-sa
+  - system:serviceaccount:{{.Namespace}}:csi-rbd-nodeplugin-sa
+  - system:serviceaccount:{{.Namespace}}:csi-cephfs-nodeplugin-sa
+  - system:serviceaccount:{{.Namespace}}:csi-nfs-nodeplugin-sa
+volumes:
+  - configMap
+  - emptyDir
+  - hostPath
+  - projected
@@ -0,0 +1,26 @@
+package ocp
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSecurityContextConstraints(t *testing.T) {
+	testNamespace := "test-namespace"
+	testName := "test"
+	scc, err := NewSecurityContextConstraints(testName, testNamespace)
+	require.NoError(t, err, "NewSecurityContextConstraints should not return an error")
+	assert.NotNil(t, scc, "SCC should not be nil")
+
+	assert.Equal(t, scc.Name, testName)
+	assert.NotEmpty(t, scc.Users, "Users should not be empty")
+	for _, user := range scc.Users {
+		assert.True(t, strings.Contains(user, testNamespace),
+			"Each user should contain the specified namespace")
+		assert.False(t, strings.Contains(user, "{{.Namespace}}"),
+			"Template placeholders should be replaced")
+	}
+}