Merge pull request #1862 from kube-logging/fix/reintroduce-scc

fix: re-introduce scc Signed-off-by: Szilard Parrag <[email protected]>
kube-logging · Dec 11, 2024 · d10c959 · d10c959
1 parent 6beb08c
commit d10c959
Show file tree

Hide file tree

Showing 24 changed files with 202 additions and 14 deletions.
diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentbitagents.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentbitagents.yaml
@@ -2469,6 +2469,8 @@ spec:
                 type: object
               security:
                 properties:
+                  createOpenShiftSCC:
+                    type: boolean
                   podSecurityContext:
                     properties:
                       appArmorProfile:

diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentdconfigs.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_fluentdconfigs.yaml
@@ -2443,6 +2443,8 @@ spec:
                 type: object
               security:
                 properties:
+                  createOpenShiftSCC:
+                    type: boolean
                   podSecurityContext:
                     properties:
                       appArmorProfile:

diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_loggings.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_loggings.yaml
@@ -3516,6 +3516,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:
@@ -6184,6 +6186,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:
@@ -12769,6 +12773,8 @@ spec:
                           type: object
                         security:
                           properties:
+                            createOpenShiftSCC:
+                              type: boolean
                             podSecurityContext:
                               properties:
                                 appArmorProfile:

diff --git a/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_nodeagents.yaml b/charts/logging-operator/charts/crds/templates/logging.banzaicloud.io_nodeagents.yaml
@@ -4654,6 +4654,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:

diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_fluentbitagents.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_fluentbitagents.yaml
@@ -2466,6 +2466,8 @@ spec:
                 type: object
               security:
                 properties:
+                  createOpenShiftSCC:
+                    type: boolean
                   podSecurityContext:
                     properties:
                       appArmorProfile:

diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_fluentdconfigs.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_fluentdconfigs.yaml
@@ -2440,6 +2440,8 @@ spec:
                 type: object
               security:
                 properties:
+                  createOpenShiftSCC:
+                    type: boolean
                   podSecurityContext:
                     properties:
                       appArmorProfile:

diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_loggings.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_loggings.yaml
@@ -3513,6 +3513,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:
@@ -6181,6 +6183,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:
@@ -12766,6 +12770,8 @@ spec:
                           type: object
                         security:
                           properties:
+                            createOpenShiftSCC:
+                              type: boolean
                             podSecurityContext:
                               properties:
                                 appArmorProfile:

diff --git a/charts/logging-operator/crds/logging.banzaicloud.io_nodeagents.yaml b/charts/logging-operator/crds/logging.banzaicloud.io_nodeagents.yaml
@@ -4651,6 +4651,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:

diff --git a/config/crd/bases/logging.banzaicloud.io_fluentbitagents.yaml b/config/crd/bases/logging.banzaicloud.io_fluentbitagents.yaml
@@ -2466,6 +2466,8 @@ spec:
                 type: object
               security:
                 properties:
+                  createOpenShiftSCC:
+                    type: boolean
                   podSecurityContext:
                     properties:
                       appArmorProfile:

diff --git a/config/crd/bases/logging.banzaicloud.io_fluentdconfigs.yaml b/config/crd/bases/logging.banzaicloud.io_fluentdconfigs.yaml
@@ -2440,6 +2440,8 @@ spec:
                 type: object
               security:
                 properties:
+                  createOpenShiftSCC:
+                    type: boolean
                   podSecurityContext:
                     properties:
                       appArmorProfile:

diff --git a/config/crd/bases/logging.banzaicloud.io_loggings.yaml b/config/crd/bases/logging.banzaicloud.io_loggings.yaml
@@ -3513,6 +3513,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:
@@ -6181,6 +6183,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:
@@ -12766,6 +12770,8 @@ spec:
                           type: object
                         security:
                           properties:
+                            createOpenShiftSCC:
+                              type: boolean
                             podSecurityContext:
                               properties:
                                 appArmorProfile:

diff --git a/config/crd/bases/logging.banzaicloud.io_nodeagents.yaml b/config/crd/bases/logging.banzaicloud.io_nodeagents.yaml
@@ -4651,6 +4651,8 @@ spec:
                     type: object
                   security:
                     properties:
+                      createOpenShiftSCC:
+                        type: boolean
                       podSecurityContext:
                         properties:
                           appArmorProfile:

diff --git a/docs/configuration/crds/v1beta1/common_types.md b/docs/configuration/crds/v1beta1/common_types.md
@@ -140,6 +140,9 @@ ServiceMonitorConfig defines the ServiceMonitor properties
 
 Security defines Fluentd, FluentbitAgent deployment security properties
 
+### createOpenShiftSCC (*bool, optional) {#security-createopenshiftscc}
+
+
 ### podSecurityContext (*corev1.PodSecurityContext, optional) {#security-podsecuritycontext}
 
 

diff --git a/pkg/resources/eventtailer/clusterrolebinding.go b/pkg/resources/eventtailer/clusterrolebinding.go
@@ -16,6 +16,7 @@ package eventtailer
 
 import (
 	"github.com/cisco-open/operator-tools/pkg/reconciler"
+	rbacv1 "k8s.io/api/rbac/v1"
 	v1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -26,13 +27,13 @@ func (e *EventTailer) ClusterRoleBinding() (runtime.Object, reconciler.DesiredSt
 		ObjectMeta: e.clusterObjectMeta(),
 		Subjects: []v1.Subject{
 			{
-				Kind:      "ServiceAccount",
+				Kind:      rbacv1.ServiceAccountKind,
 				Name:      e.Name(),
 				Namespace: e.customResource.Spec.ControlNamespace,
 			},
 		},
 		RoleRef: v1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
+			APIGroup: rbacv1.GroupName,
 			Kind:     "ClusterRole",
 			Name:     e.Name(),
 		},

diff --git a/pkg/resources/fluentbit/fluentbit.go b/pkg/resources/fluentbit/fluentbit.go
@@ -43,6 +43,7 @@ const (
 	defaultServiceAccountName      = "fluentbit"
 	clusterRoleBindingName         = "fluentbit"
 	clusterRoleName                = "fluentbit"
+	sccRoleName                    = "scc-privileged"
 	fluentBitSecretConfigName      = "fluentbit"
 	fluentbitDaemonSetName         = "fluentbit"
 	fluentbitServiceName           = "fluentbit"
@@ -132,6 +133,10 @@ func (r *Reconciler) Reconcile(ctx context.Context) (*reconcile.Result, error) {
 		r.serviceMetrics,
 		r.serviceBufferMetrics,
 	}
+	if r.fluentbitSpec.Security.CreateOpenShiftSCC != nil && *r.fluentbitSpec.Security.CreateOpenShiftSCC {
+		objects = append(objects, r.sccRole, r.sccRoleBinding)
+	}
+
 	if resources.IsSupported(ctx, resources.ServiceMonitorKey) {
 		objects = append(objects, r.monitorServiceMetrics, r.monitorBufferServiceMetrics)
 	}

diff --git a/pkg/resources/fluentbit/rbac.go b/pkg/resources/fluentbit/rbac.go
@@ -23,6 +23,48 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
+func (r *Reconciler) sccRole() (runtime.Object, reconciler.DesiredState, error) {
+	if *r.fluentbitSpec.Security.CreateOpenShiftSCC {
+		return &rbacv1.Role{
+			ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
+			Rules: []rbacv1.PolicyRule{
+				{
+					APIGroups:     []string{"security.openshift.io"},
+					ResourceNames: []string{"privileged"},
+					Resources:     []string{"securitycontextconstraints"},
+					Verbs:         []string{"use"},
+				},
+			},
+		}, reconciler.StatePresent, nil
+	}
+	return &rbacv1.Role{
+		ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
+		Rules:      []rbacv1.PolicyRule{}}, reconciler.StateAbsent, nil
+}
+
+func (r *Reconciler) sccRoleBinding() (runtime.Object, reconciler.DesiredState, error) {
+	if *r.fluentbitSpec.Security.CreateOpenShiftSCC {
+		return &rbacv1.RoleBinding{
+			ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
+			RoleRef: rbacv1.RoleRef{
+				Kind:     "Role",
+				APIGroup: rbacv1.GroupName,
+				Name:     r.nameProvider.ComponentName(sccRoleName),
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind:      rbacv1.ServiceAccountKind,
+					Name:      r.getServiceAccount(),
+					Namespace: r.Logging.Spec.ControlNamespace,
+				},
+			},
+		}, reconciler.StatePresent, nil
+	}
+	return &rbacv1.RoleBinding{
+		ObjectMeta: r.FluentbitObjectMeta(sccRoleName),
+		RoleRef:    rbacv1.RoleRef{}}, reconciler.StateAbsent, nil
+}
+
 func (r *Reconciler) clusterRole() (runtime.Object, reconciler.DesiredState, error) {
 	if *r.fluentbitSpec.Security.RoleBasedAccessControlCreate {
 		clusterRoleResources := []string{"pods", "namespaces"}
@@ -51,12 +93,12 @@ func (r *Reconciler) clusterRoleBinding() (runtime.Object, reconciler.DesiredSta
 			ObjectMeta: r.FluentbitObjectMetaClusterScope(clusterRoleBindingName),
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
-				APIGroup: "rbac.authorization.k8s.io",
+				APIGroup: rbacv1.GroupName,
 				Name:     r.nameProvider.ComponentName(clusterRoleName),
 			},
 			Subjects: []rbacv1.Subject{
 				{
-					Kind:      "ServiceAccount",
+					Kind:      rbacv1.ServiceAccountKind,
 					Name:      r.getServiceAccount(),
 					Namespace: r.Logging.Spec.ControlNamespace,
 				},

diff --git a/pkg/resources/fluentd/fluentd.go b/pkg/resources/fluentd/fluentd.go
@@ -58,6 +58,7 @@ const (
 	defaultServiceAccountName      = "fluentd"
 	roleBindingName                = "fluentd"
 	roleName                       = "fluentd"
+	sccRoleName                    = "scc-anyuid"
 	clusterRoleBindingName         = "fluentd"
 	clusterRoleName                = "fluentd"
 	containerName                  = "fluentd"
@@ -131,6 +132,8 @@ func (r *Reconciler) Reconcile(ctx context.Context) (*reconcile.Result, error) {
 		r.serviceAccount,
 		r.role,
 		r.roleBinding,
+		r.sccRole,
+		r.sccRoleBinding,
 		r.clusterRole,
 		r.clusterRoleBinding,
 	}

diff --git a/pkg/resources/fluentd/rbac.go b/pkg/resources/fluentd/rbac.go
@@ -47,12 +47,12 @@ func (r *Reconciler) roleBinding() (runtime.Object, reconciler.DesiredState, err
 			ObjectMeta: r.FluentdObjectMeta(roleBindingName, ComponentFluentd),
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "Role",
-				APIGroup: "rbac.authorization.k8s.io",
+				APIGroup: rbacv1.GroupName,
 				Name:     r.Logging.QualifiedName(roleName),
 			},
 			Subjects: []rbacv1.Subject{
 				{
-					Kind:      "ServiceAccount",
+					Kind:      rbacv1.ServiceAccountKind,
 					Name:      r.getServiceAccount(),
 					Namespace: r.Logging.Spec.ControlNamespace,
 				},
@@ -64,6 +64,49 @@ func (r *Reconciler) roleBinding() (runtime.Object, reconciler.DesiredState, err
 		RoleRef:    rbacv1.RoleRef{}}, reconciler.StateAbsent, nil
 }
 
+func (r *Reconciler) sccRole() (runtime.Object, reconciler.DesiredState, error) {
+	if *r.fluentdSpec.Security.CreateOpenShiftSCC {
+		return &rbacv1.Role{
+			ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
+			Rules: []rbacv1.PolicyRule{
+				{
+					APIGroups:     []string{"security.openshift.io"},
+					ResourceNames: []string{"anyuid"},
+					Resources:     []string{"securitycontextconstraints"},
+					Verbs:         []string{"use"},
+				},
+			},
+		}, reconciler.StatePresent, nil
+	}
+
+	return &rbacv1.Role{
+		ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
+		Rules:      []rbacv1.PolicyRule{}}, reconciler.StateAbsent, nil
+}
+
+func (r *Reconciler) sccRoleBinding() (runtime.Object, reconciler.DesiredState, error) {
+	if *r.fluentdSpec.Security.CreateOpenShiftSCC {
+		return &rbacv1.RoleBinding{
+			ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
+			RoleRef: rbacv1.RoleRef{
+				Kind:     "Role",
+				APIGroup: rbacv1.GroupName,
+				Name:     r.Logging.QualifiedName(sccRoleName),
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind:      rbacv1.ServiceAccountKind,
+					Name:      r.getServiceAccount(),
+					Namespace: r.Logging.Spec.ControlNamespace,
+				},
+			},
+		}, reconciler.StatePresent, nil
+	}
+	return &rbacv1.RoleBinding{
+		ObjectMeta: r.FluentdObjectMeta(sccRoleName, ComponentFluentd),
+		RoleRef:    rbacv1.RoleRef{}}, reconciler.StateAbsent, nil
+}
+
 func (r *Reconciler) isEnhanceK8sFilter() bool {
 	for _, f := range r.Logging.Spec.GlobalFilters {
 		if f.EnhanceK8s != nil {
@@ -120,12 +163,12 @@ func (r *Reconciler) clusterRoleBinding() (runtime.Object, reconciler.DesiredSta
 			ObjectMeta: r.FluentdObjectMetaClusterScope(clusterRoleBindingName, ComponentFluentd),
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
-				APIGroup: "rbac.authorization.k8s.io",
+				APIGroup: rbacv1.GroupName,
 				Name:     r.Logging.QualifiedName(roleName),
 			},
 			Subjects: []rbacv1.Subject{
 				{
-					Kind:      "ServiceAccount",
+					Kind:      rbacv1.ServiceAccountKind,
 					Name:      r.getServiceAccount(),
 					Namespace: r.Logging.Spec.ControlNamespace,
 				},
Original file line number	Diff line number	Diff line change
Expand Up		@@ -140,6 +140,9 @@ ServiceMonitorConfig defines the ServiceMonitor properties

		Security defines Fluentd, FluentbitAgent deployment security properties

		### createOpenShiftSCC (*bool, optional) {#security-createopenshiftscc}


		### podSecurityContext (*corev1.PodSecurityContext, optional) {#security-podsecuritycontext}


Expand Down