#4983

Committed 25 Oct 2024 06:20AM UTC coverage: 59.27% (+0.003%) from 59.267%

Build # #4983

Build Type

push

travis-ci

Committed by

web-flow

Commit Message

Reduce frequency of "Successfully ensured SecurityContextConstraint exists" Events (#3477)

Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

Run Details

9 of 20 new or added lines in 2 files covered. (45.0%)

1 existing line in 1 file now uncovered.

16697 of 28171 relevant lines covered (59.27%)

0.65 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

67.31

/pkg/operator/controller/scc.go

/*
Copyright 2018 The CDI Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package controller

import (
        "context"
        "fmt"

        "github.com/go-logr/logr"
        secv1 "github.com/openshift/api/security/v1"

        corev1 "k8s.io/api/core/v1"
        apiequality "k8s.io/apimachinery/pkg/api/equality"
        "k8s.io/apimachinery/pkg/api/errors"
        "k8s.io/apimachinery/pkg/api/meta"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

        "sigs.k8s.io/controller-runtime/pkg/client"
        "sigs.k8s.io/controller-runtime/pkg/source"

        cc "kubevirt.io/containerized-data-importer/pkg/controller/common"
        "kubevirt.io/containerized-data-importer/pkg/operator"
        "kubevirt.io/containerized-data-importer/pkg/util"
        sdk "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk"
)

const sccName = "containerized-data-importer"

func setSCC(scc *secv1.SecurityContextConstraints) {
        // Ensure we are just good citizens that don't want to compete against other prioritized SCCs
        scc.Priority = nil
        scc.RunAsUser = secv1.RunAsUserStrategyOptions{
                Type: secv1.RunAsUserStrategyMustRunAsNonRoot,
        }
        scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{
                Type: secv1.SELinuxStrategyMustRunAs,
        }
        scc.SupplementalGroups = secv1.SupplementalGroupsStrategyOptions{
                Type: secv1.SupplementalGroupsStrategyMustRunAs,
        }
        scc.SeccompProfiles = []string{
                "runtime/default",
        }
        scc.DefaultAddCapabilities = nil
        scc.RequiredDropCapabilities = []corev1.Capability{
                "ALL",
        }
        scc.Volumes = []secv1.FSType{
                secv1.FSTypeConfigMap,
                secv1.FSTypeDownwardAPI,
                secv1.FSTypeEmptyDir,
                secv1.FSTypePersistentVolumeClaim,
                secv1.FSProjected,
                secv1.FSTypeSecret,
        }
}

func ensureSCCExists(ctx context.Context, logger logr.Logger, c client.Client, saNamespace, saName, cronSaName string) (bool, error) {
        scc := &secv1.SecurityContextConstraints{}
        userName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName)
        cronUserName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, cronSaName)

        err := c.Get(ctx, client.ObjectKey{Name: sccName}, scc)
        if meta.IsNoMatchError(err) {
                // not in openshift
                logger.V(3).Info("No match error for SCC, must not be in openshift")
                return false, nil
        } else if errors.IsNotFound(err) {
                cr, err := cc.GetActiveCDI(ctx, c)
                if err != nil {
                        return false, err
                }
                if cr == nil {
                        return false, fmt.Errorf("no active CDI")
                }
                installerLabels := util.GetRecommendedInstallerLabelsFromCr(cr)

                scc = &secv1.SecurityContextConstraints{
                        ObjectMeta: metav1.ObjectMeta{
                                Name: sccName,
                                Labels: map[string]string{
                                        "cdi.kubevirt.io": "",
                                },
                        },
                        Users: []string{
                                userName,
                                cronUserName,
                        },
                }

                setSCC(scc)

                util.SetRecommendedLabels(scc, installerLabels, "cdi-operator")

                if err = operator.SetOwnerRuntime(c, scc); err != nil {
                        return false, err
                }

                if err := c.Create(ctx, scc); err != nil {
                        return false, err
                }

                return true, nil
        } else if err != nil {
                return false, err
        }

        origSCC := scc.DeepCopy()

        setSCC(scc)

        if !sdk.ContainsStringValue(scc.Users, userName) {
                scc.Users = append(scc.Users, userName)
        }
        if !sdk.ContainsStringValue(scc.Users, cronUserName) {
                scc.Users = append(scc.Users, cronUserName)
        }

        if !apiequality.Semantic.DeepEqual(origSCC, scc) {
                if err := c.Update(context.TODO(), scc); err != nil {
                        return false, err
                }

                return true, nil
        }

        return false, nil
}

func (r *ReconcileCDI) watchSecurityContextConstraints() error {
        err := r.uncachedClient.List(context.TODO(), &secv1.SecurityContextConstraintsList{}, &client.ListOptions{
                Limit: 1,
        })
        if err == nil {
                var scc client.Object = &secv1.SecurityContextConstraints{}
                return r.controller.Watch(source.Kind(r.getCache(), scc, enqueueCDI(r.client)))
        }
        if meta.IsNoMatchError(err) {
                log.Info("Not watching SecurityContextConstraints")
                return nil
        }

        return err
}

1	/*
2	Copyright 2018 The CDI Authors.
3
4	Licensed under the Apache License, Version 2.0 (the "License");
5	you may not use this file except in compliance with the License.
6	You may obtain a copy of the License at
7
8	http://www.apache.org/licenses/LICENSE-2.0
9
10	Unless required by applicable law or agreed to in writing, software
11	distributed under the License is distributed on an "AS IS" BASIS,
12	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	See the License for the specific language governing permissions and
14	limitations under the License.
15	*/
16
17	package controller
18
19	import (
20	"context"
21	"fmt"
22
23	"github.com/go-logr/logr"
24	secv1 "github.com/openshift/api/security/v1"
25
26	corev1 "k8s.io/api/core/v1"
27	apiequality "k8s.io/apimachinery/pkg/api/equality"
28	"k8s.io/apimachinery/pkg/api/errors"
29	"k8s.io/apimachinery/pkg/api/meta"
30	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
31
32	"sigs.k8s.io/controller-runtime/pkg/client"
33	"sigs.k8s.io/controller-runtime/pkg/source"
34
35	cc "kubevirt.io/containerized-data-importer/pkg/controller/common"
36	"kubevirt.io/containerized-data-importer/pkg/operator"
37	"kubevirt.io/containerized-data-importer/pkg/util"
38	sdk "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk"
39	)
40
41	const sccName = "containerized-data-importer"
42
43	func setSCC(scc *secv1.SecurityContextConstraints) {	1✔
44	// Ensure we are just good citizens that don't want to compete against other prioritized SCCs	1✔
45	scc.Priority = nil	1✔
46	scc.RunAsUser = secv1.RunAsUserStrategyOptions{	1✔
47	Type: secv1.RunAsUserStrategyMustRunAsNonRoot,	1✔
48	}	1✔
49	scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{	1✔
50	Type: secv1.SELinuxStrategyMustRunAs,	1✔
51	}	1✔
52	scc.SupplementalGroups = secv1.SupplementalGroupsStrategyOptions{	1✔
53	Type: secv1.SupplementalGroupsStrategyMustRunAs,	1✔
54	}	1✔
55	scc.SeccompProfiles = []string{	1✔
56	"runtime/default",	1✔
57	}	1✔
58	scc.DefaultAddCapabilities = nil	1✔
59	scc.RequiredDropCapabilities = []corev1.Capability{	1✔
60	"ALL",	1✔
61	}	1✔
62	scc.Volumes = []secv1.FSType{	1✔
63	secv1.FSTypeConfigMap,	1✔
64	secv1.FSTypeDownwardAPI,	1✔
65	secv1.FSTypeEmptyDir,	1✔
66	secv1.FSTypePersistentVolumeClaim,	1✔
67	secv1.FSProjected,	1✔
68	secv1.FSTypeSecret,	1✔
69	}	1✔
70	}	1✔
71
72	func ensureSCCExists(ctx context.Context, logger logr.Logger, c client.Client, saNamespace, saName, cronSaName string) (bool, error) {	1✔
73	scc := &secv1.SecurityContextConstraints{}	1✔
74	userName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName)	1✔
75	cronUserName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, cronSaName)	1✔
76		1✔
77	err := c.Get(ctx, client.ObjectKey{Name: sccName}, scc)	1✔
78	if meta.IsNoMatchError(err) {	1✔
79	// not in openshift	×
80	logger.V(3).Info("No match error for SCC, must not be in openshift")	×
NEW 81	return false, nil	×
82	} else if errors.IsNotFound(err) {	2✔
83	cr, err := cc.GetActiveCDI(ctx, c)	1✔
84	if err != nil {	1✔
NEW 85	return false, err	×
86	}	×
87	if cr == nil {	1✔
NEW 88	return false, fmt.Errorf("no active CDI")	×
89	}	×
90	installerLabels := util.GetRecommendedInstallerLabelsFromCr(cr)	1✔
91		1✔
92	scc = &secv1.SecurityContextConstraints{	1✔
93	ObjectMeta: metav1.ObjectMeta{	1✔
94	Name: sccName,	1✔
95	Labels: map[string]string{	1✔
96	"cdi.kubevirt.io": "",	1✔
97	},	1✔
98	},	1✔
99	Users: []string{	1✔
100	userName,	1✔
101	cronUserName,	1✔
102	},	1✔
103	}	1✔
104		1✔
105	setSCC(scc)	1✔
106		1✔
107	util.SetRecommendedLabels(scc, installerLabels, "cdi-operator")	1✔
108		1✔
109	if err = operator.SetOwnerRuntime(c, scc); err != nil {	1✔
NEW 110	return false, err	×
NEW 111	}	×
112
113	if err := c.Create(ctx, scc); err != nil {	1✔
NEW 114	return false, err	×
UNCOV 115	}	×
116
117	return true, nil	1✔
118	} else if err != nil {	1✔
NEW 119	return false, err	×
120	}	×
121
122	origSCC := scc.DeepCopy()	1✔
123		1✔
124	setSCC(scc)	1✔
125		1✔
126	if !sdk.ContainsStringValue(scc.Users, userName) {	1✔
127	scc.Users = append(scc.Users, userName)	×
128	}	×
129	if !sdk.ContainsStringValue(scc.Users, cronUserName) {	1✔
130	scc.Users = append(scc.Users, cronUserName)	×
131	}	×
132
133	if !apiequality.Semantic.DeepEqual(origSCC, scc) {	1✔
NEW 134	if err := c.Update(context.TODO(), scc); err != nil {	×
NEW 135	return false, err	×
NEW 136	}	×
137
NEW 138	return true, nil	×
139	}
140
141	return false, nil	1✔
142	}
143
144	func (r *ReconcileCDI) watchSecurityContextConstraints() error {	×
145	err := r.uncachedClient.List(context.TODO(), &secv1.SecurityContextConstraintsList{}, &client.ListOptions{	×
146	Limit: 1,	×
147	})	×
148	if err == nil {	×
149	var scc client.Object = &secv1.SecurityContextConstraints{}	×
150	return r.controller.Watch(source.Kind(r.getCache(), scc, enqueueCDI(r.client)))	×
151	}	×
152	if meta.IsNoMatchError(err) {	×
153	log.Info("Not watching SecurityContextConstraints")	×
154	return nil	×
155	}	×
156
157	return err	×
158	}

kubevirt / containerized-data-importer / #4983

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous