From d10c959d8bb7793aa7364531c9c3dda4ea5cf43b Mon Sep 17 00:00:00 2001 From: Bence Csati <113284287+csatib02@users.noreply.github.com> Date: Thu, 28 Nov 2024 10:18:01 +0100 Subject: [PATCH] Merge pull request #1862 from kube-logging/fix/reintroduce-scc fix: re-introduce scc Signed-off-by: Szilard Parrag --- ...ogging.banzaicloud.io_fluentbitagents.yaml | 2 + ...logging.banzaicloud.io_fluentdconfigs.yaml | 2 + .../logging.banzaicloud.io_loggings.yaml | 6 +++ .../logging.banzaicloud.io_nodeagents.yaml | 2 + ...ogging.banzaicloud.io_fluentbitagents.yaml | 2 + ...logging.banzaicloud.io_fluentdconfigs.yaml | 2 + .../crds/logging.banzaicloud.io_loggings.yaml | 6 +++ .../logging.banzaicloud.io_nodeagents.yaml | 2 + ...ogging.banzaicloud.io_fluentbitagents.yaml | 2 + ...logging.banzaicloud.io_fluentdconfigs.yaml | 2 + .../logging.banzaicloud.io_loggings.yaml | 6 +++ .../logging.banzaicloud.io_nodeagents.yaml | 2 + .../crds/v1beta1/common_types.md | 3 ++ .../eventtailer/clusterrolebinding.go | 5 +- pkg/resources/fluentbit/fluentbit.go | 5 ++ pkg/resources/fluentbit/rbac.go | 46 ++++++++++++++++- pkg/resources/fluentd/fluentd.go | 3 ++ pkg/resources/fluentd/rbac.go | 51 +++++++++++++++++-- pkg/resources/nodeagent/nodeagent.go | 4 ++ pkg/resources/nodeagent/rbac.go | 46 ++++++++++++++++- pkg/resources/syslogng/rbac.go | 8 +-- pkg/sdk/logging/api/v1beta1/common_types.go | 1 + pkg/sdk/logging/api/v1beta1/fluentd_types.go | 3 ++ .../api/v1beta1/zz_generated.deepcopy.go | 5 ++ 24 files changed, 202 insertions(+), 14 deletions(-) diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentbitagents.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentbitagents.yaml index 37399881f..08ad5f6a2 100644 --- a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentbitagents.yaml +++ b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentbitagents.yaml 
@@ -2469,6 +2469,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentdconfigs.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentdconfigs.yaml index 83efb336b..b30bb0c55 100644 --- a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentdconfigs.yaml +++ b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentdconfigs.yaml @@ -2443,6 +2443,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_loggings.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_loggings.yaml index 19a8b2bdc..1914ccc9c 100644 --- a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_loggings.yaml +++ b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_loggings.yaml @@ -3516,6 +3516,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: @@ -6184,6 +6186,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: @@ -12769,6 +12773,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_nodeagents.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_nodeagents.yaml index 4f0ce61d7..84de5c36f 100644 --- a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_nodeagents.yaml +++ b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_nodeagents.yaml 
@@ -4654,6 +4654,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_fluentbitagents.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_fluentbitagents.yaml index 752642133..1588dbbb4 100644 --- a/charts/logging-operator/crds/logging.banzaicloud.io_fluentbitagents.yaml +++ b/charts/logging-operator/crds/logging.banzaicloud.io_fluentbitagents.yaml @@ -2466,6 +2466,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_fluentdconfigs.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_fluentdconfigs.yaml index 7657b15ab..31283f2ea 100644 --- a/charts/logging-operator/crds/logging.banzaicloud.io_fluentdconfigs.yaml +++ b/charts/logging-operator/crds/logging.banzaicloud.io_fluentdconfigs.yaml @@ -2440,6 +2440,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_loggings.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_loggings.yaml index 53b27855a..ab1bddce6 100644 --- a/charts/logging-operator/crds/logging.banzaicloud.io_loggings.yaml +++ b/charts/logging-operator/crds/logging.banzaicloud.io_loggings.yaml @@ -3513,6 +3513,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: @@ -6181,6 +6183,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: @@ -12766,6 +12770,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: 
diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_nodeagents.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_nodeagents.yaml index ac488db12..d7e8669f4 100644 --- a/charts/logging-operator/crds/logging.banzaicloud.io_nodeagents.yaml +++ b/charts/logging-operator/crds/logging.banzaicloud.io_nodeagents.yaml @@ -4651,6 +4651,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/config/crd/bases/logging.banzaicloud.io_fluentbitagents.yaml b/config/crd/bases/logging.banzaicloud.io_fluentbitagents.yaml index 752642133..1588dbbb4 100644 --- a/config/crd/bases/logging.banzaicloud.io_fluentbitagents.yaml +++ b/config/crd/bases/logging.banzaicloud.io_fluentbitagents.yaml @@ -2466,6 +2466,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/config/crd/bases/logging.banzaicloud.io_fluentdconfigs.yaml b/config/crd/bases/logging.banzaicloud.io_fluentdconfigs.yaml index 7657b15ab..31283f2ea 100644 --- a/config/crd/bases/logging.banzaicloud.io_fluentdconfigs.yaml +++ b/config/crd/bases/logging.banzaicloud.io_fluentdconfigs.yaml @@ -2440,6 +2440,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/config/crd/bases/logging.banzaicloud.io_loggings.yaml b/config/crd/bases/logging.banzaicloud.io_loggings.yaml index 53b27855a..ab1bddce6 100644 --- a/config/crd/bases/logging.banzaicloud.io_loggings.yaml +++ b/config/crd/bases/logging.banzaicloud.io_loggings.yaml @@ -3513,6 +3513,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: @@ -6181,6 +6183,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: 
@@ -12766,6 +12770,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/config/crd/bases/logging.banzaicloud.io_nodeagents.yaml b/config/crd/bases/logging.banzaicloud.io_nodeagents.yaml index ac488db12..d7e8669f4 100644 --- a/config/crd/bases/logging.banzaicloud.io_nodeagents.yaml +++ b/config/crd/bases/logging.banzaicloud.io_nodeagents.yaml @@ -4651,6 +4651,8 @@ spec: type: object security: properties: + createOpenShiftSCC: + type: boolean podSecurityContext: properties: appArmorProfile: diff --git a/docs/configuration/crds/v1beta1/common_types.md b/docs/configuration/crds/v1beta1/common_types.md index 5f9ab5a2a..2a8e31c2b 100644 --- a/docs/configuration/crds/v1beta1/common_types.md +++ b/docs/configuration/crds/v1beta1/common_types.md @@ -140,6 +140,9 @@ ServiceMonitorConfig defines the ServiceMonitor properties Security defines Fluentd, FluentbitAgent deployment security properties +### createOpenShiftSCC (*bool, optional) {#security-createopenshiftscc} + + ### podSecurityContext (*corev1.PodSecurityContext, optional) {#security-podsecuritycontext} diff --git a/pkg/resources/eventtailer/clusterrolebinding.go b/pkg/resources/eventtailer/clusterrolebinding.go index 0ad00a1f2..b5ce0a1ad 100644 --- a/pkg/resources/eventtailer/clusterrolebinding.go +++ b/pkg/resources/eventtailer/clusterrolebinding.go @@ -16,6 +16,7 @@ package eventtailer import ( "github.com/cisco-open/operator-tools/pkg/reconciler" + rbacv1 "k8s.io/api/rbac/v1" v1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/runtime" ) 
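Review bot: `k8s.io/api/rbac/v1` is now imported twice in clusterrolebinding.go, as the new `rbacv1` and the existing `v1`, and the @@ -26 hunk of the same file mixes the two aliases (`v1.Subject` and `v1.RoleRef` next to `rbacv1.ServiceAccountKind` and `rbacv1.GroupName`); staticcheck reports duplicate imports of one package. Keep a single alias: drop the added import line, rename the existing one to `rbacv1 "k8s.io/api/rbac/v1"`, and change the two type references in the @@ -26 hunk to `rbacv1.Subject` and `rbacv1.RoleRef`.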
@@ -26,13 +27,13 @@ func (e *EventTailer) ClusterRoleBinding() (runtime.Object, reconciler.DesiredSt ObjectMeta: e.clusterObjectMeta(), Subjects: []v1.Subject{ { - Kind: "ServiceAccount", + Kind: rbacv1.ServiceAccountKind, Name: e.Name(), Namespace: e.customResource.Spec.ControlNamespace, }, }, RoleRef: v1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", + APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: e.Name(), }, diff --git a/pkg/resources/fluentbit/fluentbit.go b/pkg/resources/fluentbit/fluentbit.go index fa8c02fa3..21a73dc18 100644 --- a/pkg/resources/fluentbit/fluentbit.go +++ b/pkg/resources/fluentbit/fluentbit.go @@ -43,6 +43,7 @@ const ( defaultServiceAccountName = "fluentbit" clusterRoleBindingName = "fluentbit" clusterRoleName = "fluentbit" + sccRoleName = "scc-privileged" fluentBitSecretConfigName = "fluentbit" fluentbitDaemonSetName = "fluentbit" fluentbitServiceName = "fluentbit" @@ -132,6 +133,10 @@ func (r *Reconciler) Reconcile(ctx context.Context) (*reconcile.Result, error) { r.serviceMetrics, r.serviceBufferMetrics, } + if r.fluentbitSpec.Security.CreateOpenShiftSCC != nil && *r.fluentbitSpec.Security.CreateOpenShiftSCC { + objects = append(objects, r.sccRole, r.sccRoleBinding) + } + if resources.IsSupported(ctx, resources.ServiceMonitorKey) { objects = append(objects, r.monitorServiceMetrics, r.monitorBufferServiceMetrics) } diff --git a/pkg/resources/fluentbit/rbac.go b/pkg/resources/fluentbit/rbac.go index b81bd9c2d..669984b29 100644 --- a/pkg/resources/fluentbit/rbac.go +++ b/pkg/resources/fluentbit/rbac.go 
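Review bot: In the fluentbit.go Reconcile hunk, `r.sccRole` and `r.sccRoleBinding` are appended to `objects` only while CreateOpenShiftSCC is true, so once a user sets the flag back to false the Role and RoleBinding that grant `use` of the `privileged` SCC are never reconciled to absent and stay bound to the fluentbit ServiceAccount. fluentd.go and nodeagent.go in this same commit append the two resources unconditionally and rely on the StateAbsent branch in their rbac.go for cleanup; this file should do the same, `objects = append(objects, r.sccRole, r.sccRoleBinding)` without the surrounding `if`, with the nil check moved into sccRole/sccRoleBinding. Reconcile starts and ends outside the hunk.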
@@ -23,6 +23,48 @@ import ( "k8s.io/apimachinery/pkg/runtime" ) +func (r *Reconciler) sccRole() (runtime.Object, reconciler.DesiredState, error) { + if *r.fluentbitSpec.Security.CreateOpenShiftSCC { + return &rbacv1.Role{ + ObjectMeta: r.FluentbitObjectMeta(sccRoleName), + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + ResourceNames: []string{"privileged"}, + Resources: []string{"securitycontextconstraints"}, + Verbs: []string{"use"}, + }, + }, + }, reconciler.StatePresent, nil + } + return &rbacv1.Role{ + ObjectMeta: r.FluentbitObjectMeta(sccRoleName), + Rules: []rbacv1.PolicyRule{}}, reconciler.StateAbsent, nil +} + +func (r *Reconciler) sccRoleBinding() (runtime.Object, reconciler.DesiredState, error) { + if *r.fluentbitSpec.Security.CreateOpenShiftSCC { + return &rbacv1.RoleBinding{ + ObjectMeta: r.FluentbitObjectMeta(sccRoleName), + RoleRef: rbacv1.RoleRef{ + Kind: "Role", + APIGroup: rbacv1.GroupName, + Name: r.nameProvider.ComponentName(sccRoleName), + }, + Subjects: []rbacv1.Subject{ + { + Kind: rbacv1.ServiceAccountKind, + Name: r.getServiceAccount(), + Namespace: r.Logging.Spec.ControlNamespace, + }, + }, + }, reconciler.StatePresent, nil + } + return &rbacv1.RoleBinding{ + ObjectMeta: r.FluentbitObjectMeta(sccRoleName), + RoleRef: rbacv1.RoleRef{}}, reconciler.StateAbsent, nil +} + func (r *Reconciler) clusterRole() (runtime.Object, reconciler.DesiredState, error) { if *r.fluentbitSpec.Security.RoleBasedAccessControlCreate { clusterRoleResources := []string{"pods", "namespaces"} 
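Review bot: sccRole and sccRoleBinding dereference `r.fluentbitSpec.Security.CreateOpenShiftSCC` without a nil check; this is safe only because Reconcile in fluentbit.go tests for nil before listing them, and no default for this field on the FluentbitAgent spec is visible in this diff (fluentd and the node agent both set one). Guard locally so the helpers stand on their own and can be listed unconditionally: `if r.fluentbitSpec.Security.CreateOpenShiftSCC != nil && *r.fluentbitSpec.Security.CreateOpenShiftSCC {` in both functions. Neither function has a doc comment; a line such as `// sccRole grants the fluentbit ServiceAccount "use" of the OpenShift "privileged" SCC when spec.security.createOpenShiftSCC is set; otherwise it is reconciled to absent.` would record why a privileged grant exists at all. The same two functions appear nearly verbatim in nodeagent/rbac.go and fluentd/rbac.go, differing only in the SCC name and the object meta; a shared helper taking those as parameters would keep the three copies in step.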
@@ -51,12 +93,12 @@ func (r *Reconciler) clusterRoleBinding() (runtime.Object, reconciler.DesiredSta ObjectMeta: r.FluentbitObjectMetaClusterScope(clusterRoleBindingName), RoleRef: rbacv1.RoleRef{ Kind: "ClusterRole", - APIGroup: "rbac.authorization.k8s.io", + APIGroup: rbacv1.GroupName, Name: r.nameProvider.ComponentName(clusterRoleName), }, Subjects: []rbacv1.Subject{ { - Kind: "ServiceAccount", + Kind: rbacv1.ServiceAccountKind, Name: r.getServiceAccount(), Namespace: r.Logging.Spec.ControlNamespace, }, diff --git a/pkg/resources/fluentd/fluentd.go b/pkg/resources/fluentd/fluentd.go index aba9872f7..ecdde41c9 100644 --- a/pkg/resources/fluentd/fluentd.go +++ b/pkg/resources/fluentd/fluentd.go @@ -58,6 +58,7 @@ const ( defaultServiceAccountName = "fluentd" roleBindingName = "fluentd" roleName = "fluentd" + sccRoleName = "scc-anyuid" clusterRoleBindingName = "fluentd" clusterRoleName = "fluentd" containerName = "fluentd" @@ -131,6 +132,8 @@ func (r *Reconciler) Reconcile(ctx context.Context) (*reconcile.Result, error) { r.serviceAccount, r.role, r.roleBinding, + r.sccRole, + r.sccRoleBinding, r.clusterRole, r.clusterRoleBinding, } diff --git a/pkg/resources/fluentd/rbac.go b/pkg/resources/fluentd/rbac.go index 5dfb8703d..d1f966348 100644 --- a/pkg/resources/fluentd/rbac.go +++ b/pkg/resources/fluentd/rbac.go @@ -47,12 +47,12 @@ func (r *Reconciler) roleBinding() (runtime.Object, reconciler.DesiredState, err ObjectMeta: r.FluentdObjectMeta(roleBindingName, ComponentFluentd), RoleRef: rbacv1.RoleRef{ Kind: "Role", - APIGroup: "rbac.authorization.k8s.io", + APIGroup: rbacv1.GroupName, Name: r.Logging.QualifiedName(roleName), }, Subjects: []rbacv1.Subject{ { - Kind: "ServiceAccount", + Kind: rbacv1.ServiceAccountKind, Name: r.getServiceAccount(), Namespace: r.Logging.Spec.ControlNamespace, }, 
@@ -64,6 +64,49 @@ func (r *Reconciler) roleBinding() (runtime.Object, reconciler.DesiredState, err RoleRef: rbacv1.RoleRef{}}, reconciler.StateAbsent, nil } +func (r *Reconciler) sccRole() (runtime.Object, reconciler.DesiredState, error) { + if *r.fluentdSpec.Security.CreateOpenShiftSCC { + return &rbacv1.Role{ + ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd), + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + ResourceNames: []string{"anyuid"}, + Resources: []string{"securitycontextconstraints"}, + Verbs: []string{"use"}, + }, + }, + }, reconciler.StatePresent, nil + } + + return &rbacv1.Role{ + ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd), + Rules: []rbacv1.PolicyRule{}}, reconciler.StateAbsent, nil +} + +func (r *Reconciler) sccRoleBinding() (runtime.Object, reconciler.DesiredState, error) { + if *r.fluentdSpec.Security.CreateOpenShiftSCC { + return &rbacv1.RoleBinding{ + ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd), + RoleRef: rbacv1.RoleRef{ + Kind: "Role", + APIGroup: rbacv1.GroupName, + Name: r.Logging.QualifiedName(sccRoleName), + }, + Subjects: []rbacv1.Subject{ + { + Kind: rbacv1.ServiceAccountKind, + Name: r.getServiceAccount(), + Namespace: r.Logging.Spec.ControlNamespace, + }, + }, + }, reconciler.StatePresent, nil + } + return &rbacv1.RoleBinding{ + ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd), + RoleRef: rbacv1.RoleRef{}}, reconciler.StateAbsent, nil +} + func (r *Reconciler) isEnhanceK8sFilter() bool { for _, f := range r.Logging.Spec.GlobalFilters { if f.EnhanceK8s != nil { 
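Review bot: sccRole here grants `use` of the `anyuid` SCC while the fluentbit and node-agent variants in this commit grant `privileged`, and nothing in the code records why the narrower constraint is enough for fluentd, so a later edit could "harmonise" it upward. A doc comment such as `// sccRole grants the fluentd ServiceAccount "use" of the OpenShift "anyuid" SCC when spec.security.createOpenShiftSCC is true (presumably sufficient because fluentd mounts no host paths — confirm); otherwise it is reconciled to absent.` would keep the distinction explicit. The trailing context belongs to isEnhanceK8sFilter, which continues past the hunk.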
@@ -120,12 +163,12 @@ func (r *Reconciler) clusterRoleBinding() (runtime.Object, reconciler.DesiredSta ObjectMeta: r.FluentdObjectMetaClusterScope(clusterRoleBindingName, ComponentFluentd), RoleRef: rbacv1.RoleRef{ Kind: "ClusterRole", - APIGroup: "rbac.authorization.k8s.io", + APIGroup: rbacv1.GroupName, Name: r.Logging.QualifiedName(roleName), }, Subjects: []rbacv1.Subject{ { - Kind: "ServiceAccount", + Kind: rbacv1.ServiceAccountKind, Name: r.getServiceAccount(), Namespace: r.Logging.Spec.ControlNamespace, }, diff --git a/pkg/resources/nodeagent/nodeagent.go b/pkg/resources/nodeagent/nodeagent.go index f56afd130..77ef6501b 100644 --- a/pkg/resources/nodeagent/nodeagent.go +++ b/pkg/resources/nodeagent/nodeagent.go @@ -42,6 +42,7 @@ const ( defaultServiceAccountName = "fluentbit" clusterRoleBindingName = "fluentbit" clusterRoleName = "fluentbit" + sccRoleName = "scc-privileged" fluentBitSecretConfigName = "fluentbit" fluentbitDaemonSetName = "fluentbit" fluentbitServiceName = "fluentbit" @@ -96,6 +97,7 @@ func NodeAgentFluentbitDefaults(userDefined v1beta1.NodeAgentConfig) (*v1beta1.N RoleBasedAccessControlCreate: util.BoolPointer(true), SecurityContext: &corev1.SecurityContext{}, PodSecurityContext: &corev1.PodSecurityContext{}, + CreateOpenShiftSCC: util.BoolPointer(false), }, ContainersPath: "/var/lib/docker/containers", VarLogsPath: "/var/log", @@ -352,6 +354,8 @@ func (r *Reconciler) processAgent(ctx context.Context, name string, userDefinedA func (n *nodeAgentInstance) Reconcile(ctx context.Context) (*reconcile.Result, error) { objects := []resources.Resource{ n.serviceAccount, + n.sccRole, + n.sccRoleBinding, n.clusterRole, n.clusterRoleBinding, n.configSecret, diff --git a/pkg/resources/nodeagent/rbac.go b/pkg/resources/nodeagent/rbac.go index 61f8f392a..ff318cc78 100644 --- a/pkg/resources/nodeagent/rbac.go +++ b/pkg/resources/nodeagent/rbac.go 
@@ -23,6 +23,48 @@ import ( "k8s.io/apimachinery/pkg/runtime" ) +func (n *nodeAgentInstance) sccRole() (runtime.Object, reconciler.DesiredState, error) { + if *n.nodeAgent.FluentbitSpec.Security.CreateOpenShiftSCC { + return &rbacv1.Role{ + ObjectMeta: n.NodeAgentObjectMeta(sccRoleName), + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + ResourceNames: []string{"privileged"}, + Resources: []string{"securitycontextconstraints"}, + Verbs: []string{"use"}, + }, + }, + }, reconciler.StatePresent, nil + } + return &rbacv1.Role{ + ObjectMeta: n.NodeAgentObjectMeta(sccRoleName), + Rules: []rbacv1.PolicyRule{}}, reconciler.StateAbsent, nil +} + +func (n *nodeAgentInstance) sccRoleBinding() (runtime.Object, reconciler.DesiredState, error) { + if *n.nodeAgent.FluentbitSpec.Security.CreateOpenShiftSCC { + return &rbacv1.RoleBinding{ + ObjectMeta: n.NodeAgentObjectMeta(sccRoleName), + RoleRef: rbacv1.RoleRef{ + Kind: "Role", + APIGroup: rbacv1.GroupName, + Name: n.QualifiedName(sccRoleName), + }, + Subjects: []rbacv1.Subject{ + { + Kind: rbacv1.ServiceAccountKind, + Name: n.getServiceAccount(), + Namespace: n.logging.Spec.ControlNamespace, + }, + }, + }, reconciler.StatePresent, nil + } + return &rbacv1.RoleBinding{ + ObjectMeta: n.NodeAgentObjectMeta(sccRoleName), + RoleRef: rbacv1.RoleRef{}}, reconciler.StateAbsent, nil +} + func (n *nodeAgentInstance) clusterRole() (runtime.Object, reconciler.DesiredState, error) { if *n.nodeAgent.FluentbitSpec.Security.RoleBasedAccessControlCreate { return &rbacv1.ClusterRole{ 
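Review bot: sccRole and sccRoleBinding bind the node agent's ServiceAccount to the `privileged` SCC, the broadest OpenShift constraint, and no comment says what requires it. Add `// sccRole grants the node agent's ServiceAccount "use" of the OpenShift "privileged" SCC, presumably needed for the hostPath mounts of ContainersPath/VarLogsPath (confirm); absent unless spec.security.createOpenShiftSCC is true.` so the reason survives future review. The bare dereference of CreateOpenShiftSCC looks safe here because NodeAgentFluentbitDefaults in this commit sets it to false, but that holds only as long as every caller goes through those defaults.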
@@ -47,12 +89,12 @@ func (n *nodeAgentInstance) clusterRoleBinding() (runtime.Object, reconciler.Des ObjectMeta: n.NodeAgentObjectMetaClusterScope(clusterRoleBindingName), RoleRef: rbacv1.RoleRef{ Kind: "ClusterRole", - APIGroup: "rbac.authorization.k8s.io", + APIGroup: rbacv1.GroupName, Name: n.QualifiedName(clusterRoleName), }, Subjects: []rbacv1.Subject{ { - Kind: "ServiceAccount", + Kind: rbacv1.ServiceAccountKind, Name: n.getServiceAccount(), Namespace: n.logging.Spec.ControlNamespace, }, diff --git a/pkg/resources/syslogng/rbac.go b/pkg/resources/syslogng/rbac.go index 5c09681ae..cd2de725f 100644 --- a/pkg/resources/syslogng/rbac.go +++ b/pkg/resources/syslogng/rbac.go @@ -49,12 +49,12 @@ func (r *Reconciler) roleBinding() (runtime.Object, reconciler.DesiredState, err } binding.RoleRef = rbacv1.RoleRef{ Kind: "Role", - APIGroup: "rbac.authorization.k8s.io", + APIGroup: rbacv1.GroupName, Name: r.Logging.QualifiedName(roleName), } binding.Subjects = []rbacv1.Subject{ { - Kind: "ServiceAccount", + Kind: rbacv1.ServiceAccountKind, Name: r.getServiceAccountName(), Namespace: r.Logging.Spec.ControlNamespace, }, @@ -121,12 +121,12 @@ func (r *Reconciler) clusterRoleBinding() (runtime.Object, reconciler.DesiredSta } binding.RoleRef = rbacv1.RoleRef{ Kind: "ClusterRole", - APIGroup: "rbac.authorization.k8s.io", + APIGroup: rbacv1.GroupName, Name: r.Logging.QualifiedName(roleName), } binding.Subjects = []rbacv1.Subject{ { - Kind: "ServiceAccount", + Kind: rbacv1.ServiceAccountKind, Name: r.getServiceAccountName(), Namespace: r.Logging.Spec.ControlNamespace, }, diff --git a/pkg/sdk/logging/api/v1beta1/common_types.go b/pkg/sdk/logging/api/v1beta1/common_types.go index 251fdf642..c3b35c750 100644 --- a/pkg/sdk/logging/api/v1beta1/common_types.go +++ b/pkg/sdk/logging/api/v1beta1/common_types.go 
@@ -152,6 +152,7 @@ type Security struct { PodSecurityPolicyCreate bool `json:"podSecurityPolicyCreate,omitempty"` SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"` PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"` + CreateOpenShiftSCC *bool `json:"createOpenShiftSCC,omitempty"` } // ReadinessDefaultCheck Enable default readiness checks diff --git a/pkg/sdk/logging/api/v1beta1/fluentd_types.go b/pkg/sdk/logging/api/v1beta1/fluentd_types.go index c35cbed45..63c01fa77 100644 --- a/pkg/sdk/logging/api/v1beta1/fluentd_types.go +++ b/pkg/sdk/logging/api/v1beta1/fluentd_types.go @@ -172,6 +172,9 @@ func (f *FluentdSpec) SetDefaults() error { if f.Security.PodSecurityContext.FSGroup == nil { f.Security.PodSecurityContext.FSGroup = util.IntPointer64(101) } + if f.Security.CreateOpenShiftSCC == nil { + f.Security.CreateOpenShiftSCC = util.BoolPointer(false) + } if f.Workers <= 0 { f.Workers = 1 } diff --git a/pkg/sdk/logging/api/v1beta1/zz_generated.deepcopy.go b/pkg/sdk/logging/api/v1beta1/zz_generated.deepcopy.go index 0e2c9eeaa..94a8c86c1 100644 --- a/pkg/sdk/logging/api/v1beta1/zz_generated.deepcopy.go +++ b/pkg/sdk/logging/api/v1beta1/zz_generated.deepcopy.go @@ -2737,6 +2737,11 @@ func (in *Security) DeepCopyInto(out *Security) { *out = new(v1.PodSecurityContext) (*in).DeepCopyInto(*out) } + if in.CreateOpenShiftSCC != nil { + in, out := &in.CreateOpenShiftSCC, &out.CreateOpenShiftSCC + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Security.
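Review bot: The new `CreateOpenShiftSCC *bool` field carries no doc comment, which is why the generated common_types.md entry in this commit is empty; given that the flag creates a RoleBinding to the privileged or anyuid SCC, users need to know what they are enabling. Add above the field `// CreateOpenShiftSCC creates a Role and RoleBinding granting the component's ServiceAccount "use" of an OpenShift SecurityContextConstraints ("privileged" for Fluent Bit and the node agent, "anyuid" for Fluentd). Defaults to false.` The Security struct starts outside the hunk.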