#5648

Committed 30 Oct 2025 02:23PM UTC coverage: 58.818% (-0.3%) from 59.076%

Build # #5648

Build Type

Pull #3938

travis-ci

Committed by

Acedus

Commit Message

csv-generator: add -dump-network-policies option

This commit adds the -dump-network-policies optional flag to the
csv-generator tool in order to allow dumping CDI's required network
policies in case of a restrictive environment.

Signed-off-by: Adi Aloni <aaloni@redhat.com>

Pull Request Pull Request #3938: Add network policies to CDI

Run Details

31 of 193 new or added lines in 7 files covered. (16.06%)

4 existing lines in 1 file now uncovered.

17270 of 29362 relevant lines covered (58.82%)

0.65 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

61.9

/pkg/operator/resources/utils/common.go

/*
Copyright 2018 The CDI Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package utils

import (
        secv1 "github.com/openshift/api/security/v1"

        appsv1 "k8s.io/api/apps/v1"
        corev1 "k8s.io/api/core/v1"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/utils/ptr"

        "kubevirt.io/containerized-data-importer/pkg/common"
        "kubevirt.io/containerized-data-importer/pkg/util"
        sdkapi "kubevirt.io/controller-lifecycle-operator-sdk/api"
        utils "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk/resources"
)

const (
        // CDILabel is the labe applied to all non operator resources
        CDILabel = "cdi.kubevirt.io"
        // CDIPriorityClass is the priority class for all CDI pods.
        CDIPriorityClass = "kubevirt-cluster-critical"
)

var commonLabels = map[string]string{
        CDILabel:                           "",
        common.AppKubernetesManagedByLabel: "cdi-operator",
        common.AppKubernetesComponentLabel: "storage",
        common.CDILabelKey:                 common.CDILabelValue,
}

var operatorLabels = map[string]string{
        "operator.cdi.kubevirt.io": "",
}

// ResourceBuilder helps in creating k8s resources
var ResourceBuilder = utils.NewResourceBuilder(commonLabels, operatorLabels)

// CreateContainer creates container
func CreateContainer(name, image, verbosity, pullPolicy string) corev1.Container {
        container := ResourceBuilder.CreateContainer(name, image, pullPolicy)
        container.TerminationMessagePolicy = corev1.TerminationMessageFallbackToLogsOnError
        container.TerminationMessagePath = corev1.TerminationMessagePathDefault
        container.Args = []string{"-v=" + verbosity}
        container.SecurityContext = &corev1.SecurityContext{
                Capabilities: &corev1.Capabilities{
                        Drop: []corev1.Capability{
                                "ALL",
                        },
                },
                SeccompProfile: &corev1.SeccompProfile{
                        Type: corev1.SeccompProfileTypeRuntimeDefault,
                },
                AllowPrivilegeEscalation: ptr.To[bool](false),
                RunAsNonRoot:             ptr.To[bool](true),
        }
        return *container
}

// CreatePortsContainer creates container with ports
func CreatePortsContainer(name, image, pullPolicy string, ports []corev1.ContainerPort) corev1.Container {
        container := ResourceBuilder.CreatePortsContainer(name, image, pullPolicy, ports)
        container.TerminationMessagePolicy = corev1.TerminationMessageFallbackToLogsOnError
        container.TerminationMessagePath = corev1.TerminationMessagePathDefault
        container.SecurityContext = &corev1.SecurityContext{
                Capabilities: &corev1.Capabilities{
                        Drop: []corev1.Capability{
                                "ALL",
                        },
                },
                SeccompProfile: &corev1.SeccompProfile{
                        Type: corev1.SeccompProfileTypeRuntimeDefault,
                },
                AllowPrivilegeEscalation: ptr.To[bool](false),
                RunAsNonRoot:             ptr.To[bool](true),
        }
        return *container
}

// CreateDeployment creates deployment
func CreateDeployment(name, matchKey, matchValue, serviceAccountName string, imagePullSecrets []corev1.LocalObjectReference, replicas int32, infraNodePlacement *sdkapi.NodePlacement) *appsv1.Deployment {
        podSpec := corev1.PodSpec{
                SecurityContext: &corev1.PodSecurityContext{
                        RunAsNonRoot: &[]bool{true}[0],
                },
                ImagePullSecrets: imagePullSecrets,
        }
        inpCopy := infraNodePlacement.DeepCopy()
        if inpCopy == nil {
                inpCopy = &sdkapi.NodePlacement{}
        }
        inpCopy.Affinity = AddPodPreferredDuringSchedulingIgnoredDuringExecution(name, inpCopy.Affinity)
        deployment := ResourceBuilder.CreateDeployment(name, "", matchKey, matchValue, serviceAccountName, replicas, podSpec, inpCopy)
        return deployment
}

// CreateOperatorDeployment creates operator deployment
func CreateOperatorDeployment(name, namespace, matchKey, matchValue, serviceAccount string, imagePullSecrets []corev1.LocalObjectReference, numReplicas int32) *appsv1.Deployment {
        podSpec := corev1.PodSpec{
                SecurityContext: &corev1.PodSecurityContext{
                        RunAsNonRoot: &[]bool{true}[0],
                },
                ImagePullSecrets: imagePullSecrets,
                NodeSelector:     map[string]string{"kubernetes.io/os": "linux"},
                Tolerations: []corev1.Toleration{
                        {
                                Key:      "CriticalAddonsOnly",
                                Operator: corev1.TolerationOpExists,
                        },
                },
                Affinity: &corev1.Affinity{
                        PodAffinity: &corev1.PodAffinity{
                                PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{
                                        {
                                                Weight: int32(1),
                                                PodAffinityTerm: corev1.PodAffinityTerm{
                                                        LabelSelector: &metav1.LabelSelector{
                                                                MatchExpressions: []metav1.LabelSelectorRequirement{
                                                                        {
                                                                                Key:      "cdi.kubevirt.io",
                                                                                Operator: metav1.LabelSelectorOpIn,
                                                                                Values:   []string{name}},
                                                                },
                                                        },
                                                        TopologyKey: "kubernetes.io/hostname",
                                                },
                                        },
                                },
                        },
                },
        }
        deployment := ResourceBuilder.CreateOperatorDeployment(name, namespace, matchKey, matchValue, serviceAccount, numReplicas, podSpec)
        labels := util.MergeLabels(deployment.Spec.Template.GetLabels(), map[string]string{
                common.PrometheusLabelKey:                common.PrometheusLabelValue,
                common.CDIComponentLabel:                 common.CDIOperatorName,
                common.AllowAccessClusterServicesNPLabel: "true",
        })
        deployment.SetLabels(labels)
        deployment.Spec.Template.SetLabels(labels)
        if deployment.Spec.Template.Annotations == nil {
                deployment.Spec.Template.Annotations = make(map[string]string)
        }
        deployment.Spec.Template.Annotations[secv1.RequiredSCCAnnotation] = common.RestrictedSCCName

        return deployment
}

// AddPodPreferredDuringSchedulingIgnoredDuringExecution to affinity
func AddPodPreferredDuringSchedulingIgnoredDuringExecution(name string, affinity *corev1.Affinity) *corev1.Affinity {
        var affinityCopy *corev1.Affinity
        preferredDuringSchedulingIgnoredDuringExecution := corev1.WeightedPodAffinityTerm{
                Weight: int32(1),
                PodAffinityTerm: corev1.PodAffinityTerm{
                        LabelSelector: &metav1.LabelSelector{
                                MatchExpressions: []metav1.LabelSelectorRequirement{
                                        {
                                                Key:      "cdi.kubevirt.io",
                                                Operator: metav1.LabelSelectorOpIn,
                                                Values:   []string{name}},
                                },
                        },
                        TopologyKey: "kubernetes.io/hostname",
                },
        }

        if affinity != nil && affinity.PodAntiAffinity != nil {
                affinityCopy = affinity.DeepCopy()
                affinityCopy.PodAntiAffinity.PreferredDuringSchedulingIgnoredDuringExecution = append(affinityCopy.PodAntiAffinity.PreferredDuringSchedulingIgnoredDuringExecution, preferredDuringSchedulingIgnoredDuringExecution)
        } else if affinity != nil {
                affinityCopy = affinity.DeepCopy()
                affinityCopy.PodAntiAffinity = &corev1.PodAntiAffinity{
                        PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{preferredDuringSchedulingIgnoredDuringExecution},
                }
        } else {
                affinityCopy = &corev1.Affinity{
                        PodAntiAffinity: &corev1.PodAntiAffinity{
                                PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{preferredDuringSchedulingIgnoredDuringExecution},
                        },
                }
        }
        return affinityCopy
}

1	/*
2	Copyright 2018 The CDI Authors.
3
4	Licensed under the Apache License, Version 2.0 (the "License");
5	you may not use this file except in compliance with the License.
6	You may obtain a copy of the License at
7
8	http://www.apache.org/licenses/LICENSE-2.0
9
10	Unless required by applicable law or agreed to in writing, software
11	distributed under the License is distributed on an "AS IS" BASIS,
12	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	See the License for the specific language governing permissions and
14	limitations under the License.
15	*/
16
17	package utils
18
19	import (
20	secv1 "github.com/openshift/api/security/v1"
21
22	appsv1 "k8s.io/api/apps/v1"
23	corev1 "k8s.io/api/core/v1"
24	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
25	"k8s.io/utils/ptr"
26
27	"kubevirt.io/containerized-data-importer/pkg/common"
28	"kubevirt.io/containerized-data-importer/pkg/util"
29	sdkapi "kubevirt.io/controller-lifecycle-operator-sdk/api"
30	utils "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk/resources"
31	)
32
33	const (
34	// CDILabel is the labe applied to all non operator resources
35	CDILabel = "cdi.kubevirt.io"
36	// CDIPriorityClass is the priority class for all CDI pods.
37	CDIPriorityClass = "kubevirt-cluster-critical"
38	)
39
40	var commonLabels = map[string]string{
41	CDILabel: "",
42	common.AppKubernetesManagedByLabel: "cdi-operator",
43	common.AppKubernetesComponentLabel: "storage",
44	common.CDILabelKey: common.CDILabelValue,
45	}
46
47	var operatorLabels = map[string]string{
48	"operator.cdi.kubevirt.io": "",
49	}
50
51	// ResourceBuilder helps in creating k8s resources
52	var ResourceBuilder = utils.NewResourceBuilder(commonLabels, operatorLabels)
53
54	// CreateContainer creates container
55	func CreateContainer(name, image, verbosity, pullPolicy string) corev1.Container {	1✔
56	container := ResourceBuilder.CreateContainer(name, image, pullPolicy)	1✔
57	container.TerminationMessagePolicy = corev1.TerminationMessageFallbackToLogsOnError	1✔
58	container.TerminationMessagePath = corev1.TerminationMessagePathDefault	1✔
59	container.Args = []string{"-v=" + verbosity}	1✔
60	container.SecurityContext = &corev1.SecurityContext{	1✔
61	Capabilities: &corev1.Capabilities{	1✔
62	Drop: []corev1.Capability{	1✔
63	"ALL",	1✔
64	},	1✔
65	},	1✔
66	SeccompProfile: &corev1.SeccompProfile{	1✔
67	Type: corev1.SeccompProfileTypeRuntimeDefault,	1✔
68	},	1✔
69	AllowPrivilegeEscalation: ptr.To[bool](false),	1✔
70	RunAsNonRoot: ptr.To[bool](true),	1✔
71	}	1✔
72	return *container	1✔
73	}	1✔
74
75	// CreatePortsContainer creates container with ports
76	func CreatePortsContainer(name, image, pullPolicy string, ports []corev1.ContainerPort) corev1.Container {	1✔
77	container := ResourceBuilder.CreatePortsContainer(name, image, pullPolicy, ports)	1✔
78	container.TerminationMessagePolicy = corev1.TerminationMessageFallbackToLogsOnError	1✔
79	container.TerminationMessagePath = corev1.TerminationMessagePathDefault	1✔
80	container.SecurityContext = &corev1.SecurityContext{	1✔
81	Capabilities: &corev1.Capabilities{	1✔
82	Drop: []corev1.Capability{	1✔
83	"ALL",	1✔
84	},	1✔
85	},	1✔
86	SeccompProfile: &corev1.SeccompProfile{	1✔
87	Type: corev1.SeccompProfileTypeRuntimeDefault,	1✔
88	},	1✔
89	AllowPrivilegeEscalation: ptr.To[bool](false),	1✔
90	RunAsNonRoot: ptr.To[bool](true),	1✔
91	}	1✔
92	return *container	1✔
93	}	1✔
94
95	// CreateDeployment creates deployment
96	func CreateDeployment(name, matchKey, matchValue, serviceAccountName string, imagePullSecrets []corev1.LocalObjectReference, replicas int32, infraNodePlacement sdkapi.NodePlacement) appsv1.Deployment {	1✔
97	podSpec := corev1.PodSpec{	1✔
98	SecurityContext: &corev1.PodSecurityContext{	1✔
99	RunAsNonRoot: &[]bool{true}[0],	1✔
100	},	1✔
101	ImagePullSecrets: imagePullSecrets,	1✔
102	}	1✔
103	inpCopy := infraNodePlacement.DeepCopy()	1✔
104	if inpCopy == nil {	2✔
105	inpCopy = &sdkapi.NodePlacement{}	1✔
106	}	1✔
107	inpCopy.Affinity = AddPodPreferredDuringSchedulingIgnoredDuringExecution(name, inpCopy.Affinity)	1✔
108	deployment := ResourceBuilder.CreateDeployment(name, "", matchKey, matchValue, serviceAccountName, replicas, podSpec, inpCopy)	1✔
109	return deployment	1✔
110	}
111
112	// CreateOperatorDeployment creates operator deployment
113	func CreateOperatorDeployment(name, namespace, matchKey, matchValue, serviceAccount string, imagePullSecrets []corev1.LocalObjectReference, numReplicas int32) *appsv1.Deployment {	×
114	podSpec := corev1.PodSpec{	×
115	SecurityContext: &corev1.PodSecurityContext{	×
116	RunAsNonRoot: &[]bool{true}[0],	×
117	},	×
118	ImagePullSecrets: imagePullSecrets,	×
119	NodeSelector: map[string]string{"kubernetes.io/os": "linux"},	×
120	Tolerations: []corev1.Toleration{	×
121	{	×
122	Key: "CriticalAddonsOnly",	×
123	Operator: corev1.TolerationOpExists,	×
124	},	×
125	},	×
126	Affinity: &corev1.Affinity{	×
127	PodAffinity: &corev1.PodAffinity{	×
128	PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{	×
129	{	×
130	Weight: int32(1),	×
131	PodAffinityTerm: corev1.PodAffinityTerm{	×
132	LabelSelector: &metav1.LabelSelector{	×
133	MatchExpressions: []metav1.LabelSelectorRequirement{	×
134	{	×
135	Key: "cdi.kubevirt.io",	×
136	Operator: metav1.LabelSelectorOpIn,	×
137	Values: []string{name}},	×
138	},	×
139	},	×
140	TopologyKey: "kubernetes.io/hostname",	×
141	},	×
142	},	×
143	},	×
144	},	×
145	},	×
146	}	×
147	deployment := ResourceBuilder.CreateOperatorDeployment(name, namespace, matchKey, matchValue, serviceAccount, numReplicas, podSpec)	×
NEW 148	labels := util.MergeLabels(deployment.Spec.Template.GetLabels(), map[string]string{	×
NEW 149	common.PrometheusLabelKey: common.PrometheusLabelValue,	×
NEW 150	common.CDIComponentLabel: common.CDIOperatorName,	×
NEW 151	common.AllowAccessClusterServicesNPLabel: "true",	×
NEW 152	})	×
153	deployment.SetLabels(labels)	×
154	deployment.Spec.Template.SetLabels(labels)	×
155	if deployment.Spec.Template.Annotations == nil {
156	deployment.Spec.Template.Annotations = make(map[string]string)
157	}
158	deployment.Spec.Template.Annotations[secv1.RequiredSCCAnnotation] = common.RestrictedSCCName	1✔
159		1✔
160	return deployment	1✔
161	}	1✔
162		1✔
163	// AddPodPreferredDuringSchedulingIgnoredDuringExecution to affinity	1✔
164	func AddPodPreferredDuringSchedulingIgnoredDuringExecution(name string, affinity corev1.Affinity) corev1.Affinity {	1✔
165	var affinityCopy *corev1.Affinity	1✔
166	preferredDuringSchedulingIgnoredDuringExecution := corev1.WeightedPodAffinityTerm{	1✔
167	Weight: int32(1),	1✔
168	PodAffinityTerm: corev1.PodAffinityTerm{	1✔
169	LabelSelector: &metav1.LabelSelector{	1✔
170	MatchExpressions: []metav1.LabelSelectorRequirement{	1✔
171	{	1✔
172	Key: "cdi.kubevirt.io",	1✔
173	Operator: metav1.LabelSelectorOpIn,	1✔
174	Values: []string{name}},	1✔
175	},	1✔
176	},	×
177	TopologyKey: "kubernetes.io/hostname",	×
178	},	1✔
179	}	×
180		×
181	if affinity != nil && affinity.PodAntiAffinity != nil {	×
182	affinityCopy = affinity.DeepCopy()	×
183	affinityCopy.PodAntiAffinity.PreferredDuringSchedulingIgnoredDuringExecution = append(affinityCopy.PodAntiAffinity.PreferredDuringSchedulingIgnoredDuringExecution, preferredDuringSchedulingIgnoredDuringExecution)	1✔
184	} else if affinity != nil {	1✔
185	affinityCopy = affinity.DeepCopy()	1✔
186	affinityCopy.PodAntiAffinity = &corev1.PodAntiAffinity{	1✔
187	PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{preferredDuringSchedulingIgnoredDuringExecution},	1✔
188	}	1✔
189	} else {	1✔
190	affinityCopy = &corev1.Affinity{	1✔
191	PodAntiAffinity: &corev1.PodAntiAffinity{
192	PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{preferredDuringSchedulingIgnoredDuringExecution},
193	},
194	}
195	}
196	return affinityCopy
197	}

kubevirt / containerized-data-importer / #5648

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous