[release-v1.32] Attach OpenShift SCC to Calico components (#3375)

* Attach OpenShift SCC to Calico components This changeset attaches OpenShift SCC to Calico OSS and Enterprise components. The pre-defined `nonroot-v2` SCC is used for most of the components to limit access to cluster resources. Core components use pre-defined `privileged` SCC. Certain components like EgressGateway will use custom defined SCCs. * Render SCC resources when needed * Attach OpenShift nonroot-v2 SCC to Prometheus components This change attaches nonroot-v2 SCC to Tigera prometheus operator, prometheus, and prometheus service cluster roles. It is missed in [1]. [1] #3357
tigera · Jun 6, 2024 · 4e3aa8c · 4e3aa8c
1 parent 05ca8fe
commit 4e3aa8c
Show file tree

Hide file tree

Showing 68 changed files with 1,250 additions and 686 deletions.
diff --git a/api/v1/installation_types.go b/api/v1/installation_types.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved.
 /*
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -301,6 +301,38 @@ var (
 	ProviderTKG       Provider = "TKG"
 )
 
+func (p Provider) IsNone() bool {
+	return p == ProviderNone
+}
+
+func (p Provider) IsAKS() bool {
+	return p == ProviderAKS
+}
+
+func (p Provider) IsDockerEE() bool {
+	return p == ProviderDockerEE
+}
+
+func (p Provider) IsEKS() bool {
+	return p == ProviderEKS
+}
+
+func (p Provider) IsGKE() bool {
+	return p == ProviderGKE
+}
+
+func (p Provider) IsOpenShift() bool {
+	return p == ProviderOpenShift
+}
+
+func (p Provider) IsRKE2() bool {
+	return p == ProviderRKE2
+}
+
+func (p Provider) IsTKG() bool {
+	return p == ProviderTKG
+}
+
 // ProductVariant represents the variant of the product.
 //
 // One of: Calico, TigeraSecureEnterprise

diff --git a/pkg/controller/apiserver/apiserver_controller.go b/pkg/controller/apiserver/apiserver_controller.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
+
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/common/validation"
@@ -383,7 +384,7 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 		AmazonCloudIntegration:      amazon,
 		TLSKeyPair:                  tlsSecret,
 		PullSecrets:                 pullSecrets,
-		Openshift:                   r.provider == operatorv1.ProviderOpenShift,
+		OpenShift:                   r.provider.IsOpenShift(),
 		TrustedBundle:               trustedBundle,
 		UsePSP:                      r.usePSP,
 		MultiTenant:                 r.multiTenant,
@@ -446,7 +447,7 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 
 		packetCaptureApiCfg := &render.PacketCaptureApiConfiguration{
 			PullSecrets:                 pullSecrets,
-			Openshift:                   r.provider == operatorv1.ProviderOpenShift,
+			OpenShift:                   r.provider.IsOpenShift(),
 			Installation:                network,
 			KeyValidatorConfig:          keyValidatorConfig,
 			ServerCertSecret:            packetCaptureCertSecret,

diff --git a/pkg/controller/authentication/authentication_controller.go b/pkg/controller/authentication/authentication_controller.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -329,7 +329,7 @@ func (r *ReconcileAuthentication) Reconcile(ctx context.Context, request reconci
 
 	dexComponentCfg := &render.DexComponentConfiguration{
 		PullSecrets:   pullSecrets,
-		Openshift:     r.provider == oprv1.ProviderOpenShift,
+		OpenShift:     r.provider.IsOpenShift(),
 		Installation:  install,
 		DexConfig:     dexCfg,
 		ClusterDomain: r.clusterDomain,

diff --git a/pkg/controller/clusterconnection/clusterconnection_controller.go b/pkg/controller/clusterconnection/clusterconnection_controller.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
+
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/controller/certificatemanager"
@@ -346,7 +347,7 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 		URL:               managementClusterConnection.Spec.ManagementClusterAddr,
 		TunnelCAType:      managementClusterConnection.Spec.TLS.CA,
 		PullSecrets:       pullSecrets,
-		Openshift:         r.Provider == operatorv1.ProviderOpenShift,
+		OpenShift:         r.Provider.IsOpenShift(),
 		Installation:      instl,
 		TunnelSecret:      tunnelSecret,
 		TrustedCertBundle: trustedCertBundle,

diff --git a/pkg/controller/compliance/compliance_controller.go b/pkg/controller/compliance/compliance_controller.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -18,10 +18,20 @@ import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
-	"github.com/tigera/operator/pkg/render/common/networkpolicy"
 
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/common"
@@ -34,17 +44,8 @@ import (
 	"github.com/tigera/operator/pkg/render"
 	rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement"
 	relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
+	"github.com/tigera/operator/pkg/render/common/networkpolicy"
 	"github.com/tigera/operator/pkg/tls/certificatemanagement"
-	"k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/kubernetes"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	logf "sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 const ResourceName = "compliance"
@@ -445,7 +446,6 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R
 	namespaceComp := render.NewPassthrough(render.CreateNamespace(render.ComplianceNamespace, network.KubernetesProvider, render.PSSPrivileged))
 
 	hasNoLicense := !utils.IsFeatureActive(license, common.ComplianceFeature)
-	openshift := r.provider == operatorv1.ProviderOpenShift
 	complianceCfg := &render.ComplianceConfiguration{
 		ESSecrets:                   esSecrets,
 		TrustedBundle:               trustedBundle,
@@ -457,7 +457,7 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R
 		ReporterKeyPair:             reporterKeyPair.Interface,
 		ESClusterConfig:             esClusterConfig,
 		PullSecrets:                 pullSecrets,
-		Openshift:                   openshift,
+		OpenShift:                   r.provider.IsOpenShift(),
 		ManagementCluster:           managementCluster,
 		ManagementClusterConnection: managementClusterConnection,
 		KeyValidatorConfig:          keyValidatorConfig,

diff --git a/pkg/controller/egressgateway/egressgateway_controller.go b/pkg/controller/egressgateway/egressgateway_controller.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Tigera, Inc. All rights reserved.
+// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -22,18 +22,8 @@ import (
 
 	"github.com/go-logr/logr"
 	ocsv1 "github.com/openshift/api/security/v1"
-	operatorv1 "github.com/tigera/operator/api/v1"
-	crdv1 "github.com/tigera/operator/pkg/apis/crd.projectcalico.org/v1"
-
-	"github.com/tigera/operator/pkg/components"
 
-	"github.com/tigera/operator/pkg/controller/options"
-	"github.com/tigera/operator/pkg/controller/status"
-	"github.com/tigera/operator/pkg/controller/utils"
-	"github.com/tigera/operator/pkg/controller/utils/imageset"
-	"github.com/tigera/operator/pkg/render"
-	rmeta "github.com/tigera/operator/pkg/render/common/meta"
-	"github.com/tigera/operator/pkg/render/egressgateway"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -47,7 +37,17 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
-	v1 "k8s.io/api/core/v1"
+	operatorv1 "github.com/tigera/operator/api/v1"
+
+	crdv1 "github.com/tigera/operator/pkg/apis/crd.projectcalico.org/v1"
+	"github.com/tigera/operator/pkg/components"
+	"github.com/tigera/operator/pkg/controller/options"
+	"github.com/tigera/operator/pkg/controller/status"
+	"github.com/tigera/operator/pkg/controller/utils"
+	"github.com/tigera/operator/pkg/controller/utils/imageset"
+	"github.com/tigera/operator/pkg/render"
+	rmeta "github.com/tigera/operator/pkg/render/common/meta"
+	"github.com/tigera/operator/pkg/render/egressgateway"
 )
 
 const (
@@ -163,7 +163,7 @@ func (r *ReconcileEgressGateway) Reconcile(ctx context.Context, request reconcil
 	ch := utils.NewComponentHandler(log, r.client, r.scheme, nil)
 	if len(egws) == 0 {
 		var objects []client.Object
-		if r.provider == operatorv1.ProviderOpenShift {
+		if r.provider.IsOpenShift() {
 			objects = append(objects, egressgateway.SecurityContextConstraints())
 		}
 		if r.usePSP {
@@ -205,7 +205,7 @@ func (r *ReconcileEgressGateway) Reconcile(ctx context.Context, request reconcil
 			// In the case of OpenShift, we are using a single SCC.
 			// Whenever a EGW resource is deleted, remove the corresponding user from the SCC
 			// and update the resource.
-			if r.provider == operatorv1.ProviderOpenShift {
+			if r.provider.IsOpenShift() {
 				scc, err := getOpenShiftSCC(ctx, r.client)
 				if err != nil {
 					reqLogger.Error(err, "Error querying SecurityContextConstraints")
@@ -398,7 +398,6 @@ func (r *ReconcileEgressGateway) reconcileEgressGateway(ctx context.Context, egw
 		}
 	}
 
-	openshift := r.provider == operatorv1.ProviderOpenShift
 	config := &egressgateway.Config{
 		PullSecrets:       pullSecrets,
 		Installation:      installation,
@@ -408,7 +407,7 @@ func (r *ReconcileEgressGateway) reconcileEgressGateway(ctx context.Context, egw
 		VXLANVNI:          egwVXLANVNI,
 		IptablesBackend:   ipTablesBackend,
 		UsePSP:            r.usePSP,
-		OpenShift:         openshift,
+		OpenShift:         r.provider.IsOpenShift(),
 		NamespaceAndNames: namespaceAndNames,
 	}