Skip to content

Commit

Permalink
Allow OLM operator to bypass NS restrictions (#142)
Browse files Browse the repository at this point in the history
  • Loading branch information
@bastjan
bastjan authored Dec 6, 2022
1 parent dcdca69 commit c098449
Show file tree
Hide file tree
Showing 15 changed files with 78 additions and 1 deletion.
4 changes: 4 additions & 0 deletions class/defaults.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,10 @@ parameters:
kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
openshift-operator-lifecycle-manager:
kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager

reservedNamespaces:
kubernetes: ["default", "kube-*"]
Expand Down
3 changes: 3 additions & 0 deletions docs/modules/ROOT/pages/references/policies/02_disallow_reserved_namespaces.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
9 changes: 9 additions & 0 deletions docs/modules/ROOT/pages/references/policies/02_organization_namespaces.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -162,6 +165,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -211,6 +217,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
9 changes: 9 additions & 0 deletions docs/modules/ROOT/pages/references/policies/02_organization_sa_namespaces.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -156,6 +159,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -210,6 +216,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
6 changes: 6 additions & 0 deletions docs/modules/ROOT/pages/references/policies/02_validate_namespace_metadata.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -162,6 +165,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
3 changes: 3 additions & 0 deletions docs/modules/ROOT/pages/references/policies/03_projectrequest.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
6 changes: 6 additions & 0 deletions docs/modules/ROOT/pages/references/policies/12_namespace_quota_per_zone.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -195,6 +198,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
1 change: 1 addition & 0 deletions tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ data:
\n- \"system:controller:operator-lifecycle-manager\"\n- \"system:master\"\n- \"\
system:openshift:controller:namespace-security-allocation-controller\"\n- \"system:openshift:controller:podsecurity-admission-label-syncer-controller\"\
\n\"PrivilegedGroups\": []\n\"PrivilegedUsers\":\n- \"system:serviceaccount:argocd:argocd-application-controller\"\
\n- \"system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount\"\
\n- \"system:serviceaccount:syn-resource-locker:namespace-openshift-config-2c8343f13594d63-manager\"\
\n- \"system:serviceaccount:syn-resource-locker:namespace-default-d6a0af6dd07e8a3-manager\"\
\n- \"system:serviceaccount:syn-resource-locker:namespace-openshift-monitoring-c4273dc15ddfdf7-manager\""
Expand Down
2 changes: 1 addition & 1 deletion tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ spec:
template:
metadata:
annotations:
checksum/config: a1d896d928f0c283d0841f0290a4443d
checksum/config: 98737c1e624c2d57494fc0cfdbe029b9
kubectl.kubernetes.io/default-container: agent
labels:
control-plane: appuio-cloud-agent
Expand Down
3 changes: 3 additions & 0 deletions tests/golden/defaults/appuio-cloud/appuio-cloud/02_disallow_reserved_namespaces.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
9 changes: 9 additions & 0 deletions tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -125,6 +128,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -174,6 +180,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
9 changes: 9 additions & 0 deletions tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_sa_namespaces.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -121,6 +124,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -175,6 +181,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
6 changes: 6 additions & 0 deletions tests/golden/defaults/appuio-cloud/appuio-cloud/02_validate_namespace_metadata.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -131,6 +134,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
3 changes: 3 additions & 0 deletions tests/golden/defaults/appuio-cloud/appuio-cloud/03_projectrequest.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down
6 changes: 6 additions & 0 deletions tests/golden/defaults/appuio-cloud/appuio-cloud/12_namespace_quota_per_zone.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down Expand Up @@ -158,6 +161,9 @@ spec:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
Expand Down

0 comments on commit c098449

Please sign in to comment.