[NET-4414] Revert: Remove anyuid SCC requirement for OpenShift (#4039)
Revert: Remove anyuid SCC requirement for OpenShift
nathancoleman authored May 24, 2024
1 parent a59cd59 commit d62733d
Showing 25 changed files with 207 additions and 590 deletions.
3 changes: 0 additions & 3 deletions .changelog/3813.txt

This file was deleted.

63 changes: 35 additions & 28 deletions acceptance/framework/consul/helm_cluster.go
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,7 @@ func (h *HelmCluster) Destroy(t *testing.T) {
// Retry because sometimes certain resources (like PVC) take time to delete
// in cloud providers.
retry.RunWith(&retry.Counter{Wait: 2 * time.Second, Count: 600}, t, func(r *retry.R) {

// Force delete any pods that have h.releaseName in their name because sometimes
// graceful termination takes a long time and since this is an uninstall
// we don't care that they're stopped gracefully.
Expand All @@ -239,9 +240,7 @@ func (h *HelmCluster) Destroy(t *testing.T) {
require.NoError(r, err)
for _, deployment := range deployments.Items {
if strings.Contains(deployment.Name, h.releaseName) {
err := h.kubernetesClient.AppsV1().
Deployments(h.helmOptions.KubectlOptions.Namespace).
Delete(context.Background(), deployment.Name, metav1.DeleteOptions{})
err := h.kubernetesClient.AppsV1().Deployments(h.helmOptions.KubectlOptions.Namespace).Delete(context.Background(), deployment.Name, metav1.DeleteOptions{})
if !errors.IsNotFound(err) {
require.NoError(r, err)
}
Expand Down Expand Up @@ -550,6 +549,7 @@ func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...st
require.NoError(r, err)
}
})

}
}

Expand Down Expand Up @@ -701,40 +701,47 @@ func configureNamespace(t *testing.T, client kubernetes.Interface, cfg *config.T
}

// configureSCCs creates RoleBindings that bind the default service account to cluster roles
// allowing access to the privileged Security Context Constraints on OpenShift.
// allowing access to the anyuid and privileged Security Context Constraints on OpenShift.
func configureSCCs(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
const anyuidClusterRole = "system:openshift:scc:anyuid"
const privilegedClusterRole = "system:openshift:scc:privileged"
anyuidRoleBinding := "anyuid-test"
privilegedRoleBinding := "privileged-test"

// A role binding to allow default service account in the installation namespace access to the SCCs.
// Check if this cluster role binding already exists.
_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), privilegedRoleBinding, metav1.GetOptions{})

if errors.IsNotFound(err) {
roleBinding := &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: privilegedRoleBinding,
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.ServiceAccountKind,
Name: "default",
Namespace: namespace,
},
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: privilegedClusterRole,
},
}
{
for clusterRoleName, roleBindingName := range map[string]string{anyuidClusterRole: anyuidRoleBinding, privilegedClusterRole: privilegedRoleBinding} {
// Check if this cluster role binding already exists.
_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), roleBindingName, metav1.GetOptions{})

if errors.IsNotFound(err) {
roleBinding := &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: roleBindingName,
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.ServiceAccountKind,
Name: "default",
Namespace: namespace,
},
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: clusterRoleName,
},
}

_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
require.NoError(t, err)
} else {
require.NoError(t, err)
_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
require.NoError(t, err)
} else {
require.NoError(t, err)
}
}
}

helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), anyuidRoleBinding, metav1.DeleteOptions{})
_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), privilegedRoleBinding, metav1.DeleteOptions{})
})
}
Expand Down
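Review bot: The Cleanup closure at the end of configureSCCs discards both Delete errors with `_ =`, so if a RoleBinding that grants the namespace's default service account the anyuid or privileged SCC cannot be removed, the test still passes and the grant silently outlives the run on a shared OpenShift cluster. Logging anything other than NotFound keeps the best-effort semantics while making a leftover grant visible: `if err := client.RbacV1().RoleBindings(namespace).Delete(context.Background(), anyuidRoleBinding, metav1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) { t.Logf("deleting RoleBinding %q: %v", anyuidRoleBinding, err) }`, and the same for privilegedRoleBinding. A smaller point: ranging over the map literal makes the order in which the two bindings are created nondeterministic, so a require.NoError failure can name a different binding from run to run; a slice of name pairs would keep the loop and fix the order. The doc comment could also state explicitly that the grant goes to the `default` ServiceAccount, which every pod in the namespace that sets no serviceAccountName inherits, so readers see the scope of what the test harness is opening up.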
8 changes: 4 additions & 4 deletions acceptance/tests/api-gateway/api_gateway_kitchen_sink_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -142,10 +142,6 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
checkStatusCondition(r, gateway.Status.Conditions, trueCondition("ConsulAccepted", "Accepted"))
require.Len(r, gateway.Status.Listeners, 2)

// http route checks
err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
require.NoError(r, err)

require.EqualValues(r, int32(1), gateway.Status.Listeners[0].AttachedRoutes)
checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, trueCondition("Accepted", "Accepted"))
checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, falseCondition("Conflicted", "NoConflicts"))
Expand All @@ -156,6 +152,10 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
// now we know we have an address, set it so we can use it
gatewayAddress = gateway.Status.Addresses[0].Value

// http route checks
err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
require.NoError(r, err)

// check our finalizers
require.Len(r, httpRoute.Finalizers, 1)
require.EqualValues(r, gatewayFinalizer, httpRoute.Finalizers[0])
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: multiport-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: multiport
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: multiport-admin-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: multiport-admin
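Review bot: The new anyuid-scc-rolebinding.yaml files carry only the license header, so nothing records why the anyuid SCC grant is needed next to the existing privileged-scc-rolebinding.yaml that each kustomization already lists; this is exactly what the reverted change removed, and without a note the next cleanup is likely to remove it again. A one-line comment under the header would do, e.g. `# Binds the fixture's service account to the anyuid SCC on OpenShift; kept alongside privileged-scc-rolebinding.yaml, see #4039.` The same applies to the other anyuid-scc-rolebinding.yaml sections in this commit (static-client, static-server, static-server-tcp and the second multiport file). The `subjects` entries omit `namespace`, which a RoleBinding resolves to its own namespace, so that is fine as written.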
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ resources:
- secret.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: static-client-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: static-client
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,5 @@ resources:
- service.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: static-server-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: static-server
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ resources:
- service.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: static-server-tcp-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: static-server-tcp
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ resources:
- serviceaccount.yaml
- servicedefaults.yaml
- psp-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: static-server-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: static-server
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,5 @@ resources:
- service.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: multiport-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: multiport
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: multiport-admin-openshift-anyuid
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
name: multiport-admin
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ resources:
- secret.yaml
- serviceaccount.yaml
- psp-rolebinding.yaml
- privileged-scc-rolebinding.yaml
- anyuid-scc-rolebinding.yaml
- privileged-scc-rolebinding.yaml
