Check the CSV against the allowed versions list

controllers/operatorpolicy_controller.go

@@ -1890,7 +1890,31 @@ func (r *OperatorPolicyReconciler) handleCSV(
  return foundCSV, nil, updateStatus(policy, missingWantedCond("ClusterServiceVersion"), relatedCSVs...), nil
  }
 
- return foundCSV, nil, updateStatus(policy, buildCSVCond(foundCSV), relatedCSVs...), nil
+ // Check if the CSV is an approved version
+ if len(policy.Spec.Versions) != 0 {
+ allowedVersions := make([]policyv1.NonEmptyString, 0, len(policy.Spec.Versions)+1)
+ allowedVersions = append(allowedVersions, policy.Spec.Versions...)
+
+ if sub.Spec.StartingCSV != "" {
+ allowedVersions = append(allowedVersions, policyv1.NonEmptyString(sub.Spec.StartingCSV))
+ }
+
+ allowed := false
+
+ for _, allowedVersion := range allowedVersions {
+ if string(allowedVersion) == foundCSV.Name {
+ allowed = true
+
+ break
+ }
+ }
+
+ if !allowed {
+ return foundCSV, nil, updateStatus(policy, disallowedCSVCond(foundCSV), disallowedCSVObj(foundCSV)), nil
+ }
+ }
+
+ return foundCSV, nil, updateStatus(policy, allowedCSVCond(foundCSV), relatedCSVs...), nil
 }
 
 func (r *OperatorPolicyReconciler) mustnothaveCSV(

controllers/operatorpolicy_status.go

@@ -729,8 +729,9 @@ func installPlanApprovedCond(version string) metav1.Condition {
  }
 }
 
-// buildCSVCond takes a csv and returns a shortened version of its most recent Condition
-func buildCSVCond(csv *operatorv1alpha1.ClusterServiceVersion) metav1.Condition {
+// allowedCSVCond takes an approved CSV and returns a shortened version of its most recent Condition.
+// It will be Compliant if the CSV is in the Succeeded phase, and NonCompliant otherwise.
+func allowedCSVCond(csv *operatorv1alpha1.ClusterServiceVersion) metav1.Condition {
  status := metav1.ConditionFalse
  if csv.Status.Phase == operatorv1alpha1.CSVPhaseSucceeded {
  status = metav1.ConditionTrue
@@ -744,6 +745,17 @@ func buildCSVCond(csv *operatorv1alpha1.ClusterServiceVersion) metav1.Condition
  }
 }
 
+// disallowedCSVCond is a NonCompliant condition with Reason 'UnapprovedVersion'
+// and a message like 'ClusterServiceVersion (_____) is not an approved version'
+func disallowedCSVCond(csv *operatorv1alpha1.ClusterServiceVersion) metav1.Condition {
+ return metav1.Condition{
+ Type: condType(csv.Kind),
+ Status: metav1.ConditionFalse,
+ Reason: "UnapprovedVersion",
+ Message: "ClusterServiceVersion (" + csv.Name + ") is not an approved version",
+ }
+}
+
 // noCSVCond is a NonCompliant condition with Reason 'RelevantCSVNotFound'
 var noCSVCond = metav1.Condition{
  Type: csvConditionType,
@@ -1184,6 +1196,19 @@ func existingCSVObj(csv *operatorv1alpha1.ClusterServiceVersion) policyv1.Relate
  }
 }
 
+// disallowedCSVObj returns a NonCompliant RelatedObject for the ClusterServiceVersion,
+// with Reason 'ClusterServiceVersion (_____) is not an approved version'.
+func disallowedCSVObj(csv *operatorv1alpha1.ClusterServiceVersion) policyv1.RelatedObject {
+ return policyv1.RelatedObject{
+ Object: policyv1.ObjectResourceFromObj(csv),
+ Compliant: string(policyv1.NonCompliant),
+ Reason: "ClusterServiceVersion (" + csv.Name + ") is not an approved version",
+ Properties: &policyv1.ObjectProperties{
+ UID: string(csv.GetUID()),
+ },
+ }
+}
+
 // represents a lack of relevant CSV
 var noExistingCSVObj = policyv1.RelatedObject{
  Object: policyv1.ObjectResource{

test/e2e/case38_install_operator_test.go

@@ -3541,4 +3541,84 @@ var _ = Describe("Testing OperatorPolicy", Ordered, Label("supports-hosted"), fu
  }, olmWaitTimeout, 1).Should(Succeed())
  })
  })
+ Describe("Test reporting of unapproved version after installation", func() {
+ const (
+ opPolYAML = "../resources/case38_operator_install/operator-policy-no-group-enforce.yaml"
+ opPolName = "oppol-no-group-enforce"
+ )
+
+ BeforeEach(func() {
+ preFunc()
+
+ createObjWithParent(parentPolicyYAML, parentPolicyName,
+ opPolYAML, testNamespace, gvrPolicy, gvrOperatorPolicy)
+ })
+
+ It("Should start compliant", func(ctx SpecContext) {
+ Eventually(func(ctx SpecContext) string {
+ csv, _ := targetK8sDynamic.Resource(gvrClusterServiceVersion).Namespace(opPolTestNS).
+ Get(ctx, "quay-operator.v3.10.5", metav1.GetOptions{})
+
+ if csv == nil {
+ return ""
+ }
+
+ reason, _, _ := unstructured.NestedString(csv.Object, "status", "reason")
+
+ return reason
+ }, olmWaitTimeout, 5, ctx).Should(Equal("InstallSucceeded"))
+
+ check(
+ opPolName,
+ false,
+ []policyv1.RelatedObject{{
+ Object: policyv1.ObjectResource{
+ Kind: "InstallPlan",
+ APIVersion: "operators.coreos.com/v1alpha1",
+ Metadata: policyv1.ObjectMetadata{
+ Namespace: opPolTestNS,
+ },
+ },
+ Compliant: "Compliant",
+ Reason: "The InstallPlan is Complete",
+ }},
+ metav1.Condition{
+ Type: "InstallPlanCompliant",
+ Status: metav1.ConditionTrue,
+ Reason: "NoInstallPlansRequiringApproval",
+ Message: "no InstallPlans requiring approval were found",
+ },
+ "no InstallPlans requiring approval were found",
+ )
+ })
+ It("Should report a violation after the versions list is patched to exclude the current version", func() {
+ By("Patching the versions field to exclude the installed version")
+ utils.Kubectl("patch", "operatorpolicy", opPolName, "-n", testNamespace, "--type=json", "-p",
+ `[{"op": "replace", "path": "/spec/versions", "value": ["pie.v3.14159"]}]`)
+
+ check(
+ opPolName,
+ false,
+ []policyv1.RelatedObject{{
+ Object: policyv1.ObjectResource{
+ Kind: "ClusterServiceVersion",
+ APIVersion: "operators.coreos.com/v1alpha1",
+ Metadata: policyv1.ObjectMetadata{
+ Namespace: opPolTestNS,
+ Name: "quay-operator.v3.10.5",
+ },
+ },
+ Compliant: "NonCompliant",
+ Reason: "ClusterServiceVersion (quay-operator.v3.10.5) is not an approved version",
+ }},
+ metav1.Condition{
+ Type: "ClusterServiceVersionCompliant",
+ Status: metav1.ConditionFalse,
+ Reason: "UnapprovedVersion",
+ Message: "ClusterServiceVersion (quay-operator.v3.10.5) is not an approved version",
+ },
+ "ClusterServiceVersion .* is not an approved version",
+ )
+ })
+ })
 })