api: export default SecurityContextConstraints in OCP clusters

weirdwiz · weirdwiz · commit df4399992b62 · 2024-08-06T13:48:25.000+05:30
this commit exports SecurityContextConstraints to let the user deploy
the ceph-csi-operator in OCP clusters

Signed-off-by: Divyansh Kamboj &lt;dkamboj@redhat.com&gt;
diff --git a/api/go.mod b/api/go.mod
@@ -5,22 +5,28 @@ go 1.22.0
 toolchain go1.22.5
 
 require (
+	github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce
+	github.com/stretchr/testify v1.8.4
 	k8s.io/api v0.30.3
 	k8s.io/apimachinery v0.30.3
 	sigs.k8s.io/controller-runtime v0.18.4
+	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
diff --git a/api/go.sum b/api/go.sum
@@ -32,6 +32,8 @@ github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8
 github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
 github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce h1:AR9XMlwc7akIN13KDx4L0tI04zHf8jEZ1z1RMRbz1J0=
+github.com/openshift/api v0.0.0-20240724184751-84047ef4a2ce/go.mod h1:OOh6Qopf21pSzqNVCB5gomomBXb8o5sGKZxG2KNpaXM=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
diff --git a/api/ocp/scc.go b/api/ocp/scc.go
@@ -0,0 +1,36 @@
+package ocp
+
+import (
+	_ "embed"
+	"fmt"
+	"strings"
+
+	secv1 "github.com/openshift/api/security/v1"
+	"sigs.k8s.io/yaml"
+)
+
+//go:embed scc.yaml
+var sccYAMLTemplate string
+
+// NewSecurityContextConstraints loads the embedded SCC YAML template, replaces the namespace,
+// and returns it as a SecurityContextConstraints object
+func NewSecurityContextConstraints(name string, namespace string) (*secv1.SecurityContextConstraints, error) {
+	scc := &secv1.SecurityContextConstraints{}
+	err := yaml.Unmarshal([]byte(sccYAMLTemplate), scc)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshaling YAML: %v", err)
+	}
+	scc.Name = name
+	scc.Namespace = namespace
+	var users []string
+	for _, user := range scc.Users {
+		serviceAccount := strings.Split(user, ":")
+		if len(serviceAccount) != 4 {
+			return nil, fmt.Errorf("invalid service account name")
+		}
+		serviceAccount[2] = namespace
+		users = append(users, strings.Join(serviceAccount, ":"))
+	}
+	scc.Users = users
+	return scc, nil
+}
diff --git a/api/ocp/scc.yaml b/api/ocp/scc.yaml
@@ -0,0 +1,38 @@
+kind: SecurityContextConstraints
+metadata:
+  name: csi-scc
+  namespace: ceph-csi-operator-system
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: false
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+  - SYS_ADMIN
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: []
+fsGroup:
+  type: RunAsAny
+priority:
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users:
+  - system:serviceaccount:ceph-csi-operator-system:csi-rbd-ctrlplugin-sa
+  - system:serviceaccount:ceph-csi-operator-system:csi-cephfs-ctrlplugin-sa
+  - system:serviceaccount:ceph-csi-operator-system:csi-nfs-ctrlplugin-sa
+  - system:serviceaccount:ceph-csi-operator-system:csi-rbd-nodeplugin-sa
+  - system:serviceaccount:ceph-csi-operator-system:csi-cephfs-nodeplugin-sa
+  - system:serviceaccount:ceph-csi-operator-system:csi-nfs-nodeplugin-sa
+volumes:
+  - configMap
+  - emptyDir
+  - hostPath
+  - projected
diff --git a/api/ocp/scc_test.go b/api/ocp/scc_test.go
@@ -0,0 +1,26 @@
+package ocp
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSecurityContextConstraints(t *testing.T) {
+	testNamespace := "test-namespace"
+	testName := "test"
+	scc, err := NewSecurityContextConstraints(testName, testNamespace)
+	require.NoError(t, err, "NewSecurityContextConstraints should not return an error")
+	assert.NotNil(t, scc, "SCC should not be nil")
+
+	assert.Equal(t, scc.Name, testName)
+	assert.NotEmpty(t, scc.Users, "Users should not be empty")
+	for _, user := range scc.Users {
+		assert.True(t, strings.Contains(user, testNamespace),
+			"Each user should contain the specified namespace")
+		assert.False(t, strings.Contains(user, "{{.Namespace}}"),
+			"Template placeholders should be replaced")
+	}
+}
