Skip to content

Commit

Permalink
Merge pull request #1862 from kube-logging/fix/reintroduce-scc
Browse files Browse the repository at this point in the history 
fix: re-introduce scc
  • Loading branch information
@csatib02
csatib02 authored Nov 28, 2024
2 parents 79361bb + 1c248bf commit a6e3a6b
Show file tree
Hide file tree
Showing 24 changed files with 202 additions and 14 deletions.
2 changes: 2 additions & 0 deletions charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentbitagents.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2469,6 +2469,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentdconfigs.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2443,6 +2443,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
6 changes: 6 additions & 0 deletions charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_loggings.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3516,6 +3516,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down Expand Up @@ -6184,6 +6186,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down Expand Up @@ -12769,6 +12773,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_nodeagents.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4654,6 +4654,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions charts/logging-operator/crds/logging.banzaicloud.io_fluentbitagents.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2466,6 +2466,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions charts/logging-operator/crds/logging.banzaicloud.io_fluentdconfigs.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2440,6 +2440,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
6 changes: 6 additions & 0 deletions charts/logging-operator/crds/logging.banzaicloud.io_loggings.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3513,6 +3513,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down Expand Up @@ -6181,6 +6183,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down Expand Up @@ -12766,6 +12770,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions charts/logging-operator/crds/logging.banzaicloud.io_nodeagents.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4651,6 +4651,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions config/crd/bases/logging.banzaicloud.io_fluentbitagents.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2466,6 +2466,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions config/crd/bases/logging.banzaicloud.io_fluentdconfigs.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2440,6 +2440,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
6 changes: 6 additions & 0 deletions config/crd/bases/logging.banzaicloud.io_loggings.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3513,6 +3513,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down Expand Up @@ -6181,6 +6183,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down Expand Up @@ -12766,6 +12770,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
2 changes: 2 additions & 0 deletions config/crd/bases/logging.banzaicloud.io_nodeagents.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4651,6 +4651,8 @@ spec:
type: object
security:
properties:
createOpenShiftSCC:
type: boolean
podSecurityContext:
properties:
appArmorProfile:
Expand Down
3 changes: 3 additions & 0 deletions docs/configuration/crds/v1beta1/common_types.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,9 @@ ServiceMonitorConfig defines the ServiceMonitor properties

Security defines Fluentd, FluentbitAgent deployment security properties

### createOpenShiftSCC (*bool, optional) {#security-createopenshiftscc}


### podSecurityContext (*corev1.PodSecurityContext, optional) {#security-podsecuritycontext}


Expand Down
5 changes: 3 additions & 2 deletions pkg/resources/eventtailer/clusterrolebinding.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ package eventtailer

import (
"github.com/cisco-open/operator-tools/pkg/reconciler"
rbacv1 "k8s.io/api/rbac/v1"
v1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/runtime"
)
Expand All @@ -26,13 +27,13 @@ func (e *EventTailer) ClusterRoleBinding() (runtime.Object, reconciler.DesiredSt
ObjectMeta: e.clusterObjectMeta(),
Subjects: []v1.Subject{
{
Kind: "ServiceAccount",
Kind: rbacv1.ServiceAccountKind,
Name: e.Name(),
Namespace: e.customResource.Spec.ControlNamespace,
},
},
RoleRef: v1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
APIGroup: rbacv1.GroupName,
Kind: "ClusterRole",
Name: e.Name(),
},
Expand Down
5 changes: 5 additions & 0 deletions pkg/resources/fluentbit/fluentbit.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ const (
defaultServiceAccountName = "fluentbit"
clusterRoleBindingName = "fluentbit"
clusterRoleName = "fluentbit"
sccRoleName = "scc-privileged"
fluentBitSecretConfigName = "fluentbit"
fluentbitDaemonSetName = "fluentbit"
fluentbitServiceName = "fluentbit"
Expand Down Expand Up @@ -132,6 +133,10 @@ func (r *Reconciler) Reconcile(ctx context.Context) (*reconcile.Result, error) {
r.serviceMetrics,
r.serviceBufferMetrics,
}
if r.fluentbitSpec.Security.CreateOpenShiftSCC != nil && *r.fluentbitSpec.Security.CreateOpenShiftSCC {
objects = append(objects, r.sccRole, r.sccRoleBinding)
}

if resources.IsSupported(ctx, resources.ServiceMonitorKey) {
objects = append(objects, r.monitorServiceMetrics, r.monitorBufferServiceMetrics)
}
Expand Down
46 changes: 44 additions & 2 deletions pkg/resources/fluentbit/rbac.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,48 @@ import (
"k8s.io/apimachinery/pkg/runtime"
)

func (r *Reconciler) sccRole() (runtime.Object, reconciler.DesiredState, error) {
if *r.fluentbitSpec.Security.CreateOpenShiftSCC {
return &rbacv1.Role{
ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
Rules: []rbacv1.PolicyRule{
{
APIGroups: []string{"security.openshift.io"},
ResourceNames: []string{"privileged"},
Resources: []string{"securitycontextconstraints"},
Verbs: []string{"use"},
},
},
}, reconciler.StatePresent, nil
}
return &rbacv1.Role{
ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
Rules: []rbacv1.PolicyRule{}}, reconciler.StateAbsent, nil
}

func (r *Reconciler) sccRoleBinding() (runtime.Object, reconciler.DesiredState, error) {
if *r.fluentbitSpec.Security.CreateOpenShiftSCC {
return &rbacv1.RoleBinding{
ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
RoleRef: rbacv1.RoleRef{
Kind: "Role",
APIGroup: rbacv1.GroupName,
Name: r.nameProvider.ComponentName(sccRoleName),
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.ServiceAccountKind,
Name: r.getServiceAccount(),
Namespace: r.Logging.Spec.ControlNamespace,
},
},
}, reconciler.StatePresent, nil
}
return &rbacv1.RoleBinding{
ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
RoleRef: rbacv1.RoleRef{}}, reconciler.StateAbsent, nil
}

func (r *Reconciler) clusterRole() (runtime.Object, reconciler.DesiredState, error) {
if *r.fluentbitSpec.Security.RoleBasedAccessControlCreate {
clusterRoleResources := []string{"pods", "namespaces"}
Expand Down Expand Up @@ -51,12 +93,12 @@ func (r *Reconciler) clusterRoleBinding() (runtime.Object, reconciler.DesiredSta
ObjectMeta: r.FluentbitObjectMetaClusterScope(clusterRoleBindingName),
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
APIGroup: "rbac.authorization.k8s.io",
APIGroup: rbacv1.GroupName,
Name: r.nameProvider.ComponentName(clusterRoleName),
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Kind: rbacv1.ServiceAccountKind,
Name: r.getServiceAccount(),
Namespace: r.Logging.Spec.ControlNamespace,
},
Expand Down
3 changes: 3 additions & 0 deletions pkg/resources/fluentd/fluentd.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ const (
defaultServiceAccountName = "fluentd"
roleBindingName = "fluentd"
roleName = "fluentd"
sccRoleName = "scc-anyuid"
clusterRoleBindingName = "fluentd"
clusterRoleName = "fluentd"
containerName = "fluentd"
Expand Down Expand Up @@ -131,6 +132,8 @@ func (r *Reconciler) Reconcile(ctx context.Context) (*reconcile.Result, error) {
r.serviceAccount,
r.role,
r.roleBinding,
r.sccRole,
r.sccRoleBinding,
r.clusterRole,
r.clusterRoleBinding,
}
Expand Down
51 changes: 47 additions & 4 deletions pkg/resources/fluentd/rbac.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,12 +47,12 @@ func (r *Reconciler) roleBinding() (runtime.Object, reconciler.DesiredState, err
ObjectMeta: r.FluentdObjectMeta(roleBindingName, ComponentFluentd),
RoleRef: rbacv1.RoleRef{
Kind: "Role",
APIGroup: "rbac.authorization.k8s.io",
APIGroup: rbacv1.GroupName,
Name: r.Logging.QualifiedName(roleName),
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Kind: rbacv1.ServiceAccountKind,
Name: r.getServiceAccount(),
Namespace: r.Logging.Spec.ControlNamespace,
},
Expand All @@ -64,6 +64,49 @@ func (r *Reconciler) roleBinding() (runtime.Object, reconciler.DesiredState, err
RoleRef: rbacv1.RoleRef{}}, reconciler.StateAbsent, nil
}

func (r *Reconciler) sccRole() (runtime.Object, reconciler.DesiredState, error) {
if *r.fluentdSpec.Security.CreateOpenShiftSCC {
return &rbacv1.Role{
ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
Rules: []rbacv1.PolicyRule{
{
APIGroups: []string{"security.openshift.io"},
ResourceNames: []string{"anyuid"},
Resources: []string{"securitycontextconstraints"},
Verbs: []string{"use"},
},
},
}, reconciler.StatePresent, nil
}

return &rbacv1.Role{
ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
Rules: []rbacv1.PolicyRule{}}, reconciler.StateAbsent, nil
}

func (r *Reconciler) sccRoleBinding() (runtime.Object, reconciler.DesiredState, error) {
if *r.fluentdSpec.Security.CreateOpenShiftSCC {
return &rbacv1.RoleBinding{
ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
RoleRef: rbacv1.RoleRef{
Kind: "Role",
APIGroup: rbacv1.GroupName,
Name: r.Logging.QualifiedName(sccRoleName),
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.ServiceAccountKind,
Name: r.getServiceAccount(),
Namespace: r.Logging.Spec.ControlNamespace,
},
},
}, reconciler.StatePresent, nil
}
return &rbacv1.RoleBinding{
ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
RoleRef: rbacv1.RoleRef{}}, reconciler.StateAbsent, nil
}

func (r *Reconciler) isEnhanceK8sFilter() bool {
for _, f := range r.Logging.Spec.GlobalFilters {
if f.EnhanceK8s != nil {
Expand Down Expand Up @@ -120,12 +163,12 @@ func (r *Reconciler) clusterRoleBinding() (runtime.Object, reconciler.DesiredSta
ObjectMeta: r.FluentdObjectMetaClusterScope(clusterRoleBindingName, ComponentFluentd),
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
APIGroup: "rbac.authorization.k8s.io",
APIGroup: rbacv1.GroupName,
Name: r.Logging.QualifiedName(roleName),
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Kind: rbacv1.ServiceAccountKind,
Name: r.getServiceAccount(),
Namespace: r.Logging.Spec.ControlNamespace,
},
Expand Down
Loading

0 comments on commit a6e3a6b

Please sign in to comment.