Adds OLM Operator Plugin interface and CSV Namespace labeller plug-in

Signed-off-by: perdasilva <[email protected]>
Upstream-repository: perdasilva
Upstream-commit: baaafa10f8d9f5c3251bfccb207c20bb84cdbc80
Signed-off-by: perdasilva <[email protected]>

Author: perdasilva

staging/operator-lifecycle-manager/pkg/controller/operators/olm/downstream_plugins.go

@@ -0,0 +1,13 @@
+package olm
+
+import (
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/olm/plugins"
+)
+
+func init() {
+	operatorPlugInFactoryFuncs = []plugins.OperatorPlugInFactoryFunc{
+		// labels unlabeled non-payload openshift-* csv namespaces with
+		// security.openshift.io/scc.podSecurityLabelSync: true
+		plugins.NewCsvNamespaceLabelerPlugInfunc,
+	}
+}

staging/operator-lifecycle-manager/pkg/controller/operators/olm/operator_plugin.go

@@ -0,0 +1,247 @@
+package plugins
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/clientset/versioned"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/internal/pruning"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/kubestate"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/queueinformer"
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/informers"
+	listerv1 "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+)
+
+const NamespaceLabelSyncerLabelKey = "security.openshift.io/scc.podSecurityLabelSync"
+
+// systemNSSyncExemptions is the list of namespaces deployed by an OpenShift install
+// payload, as retrieved by listing the namespaces after a successful installation
+// IMPORTANT: The Namespace openshift-operators must be an exception to this rule
+// since it is used by OCP/OLM users to install their Operator bundle solutions.
+var systemNSSyncExemptions = sets.NewString(
+	// kube-specific system namespaces
+	"default",
+	"kube-node-lease",
+	"kube-public",
+	"kube-system",
+
+	// openshift payload namespaces
+	"openshift",
+	"openshift-apiserver",
+	"openshift-apiserver-operator",
+	"openshift-authentication",
+	"openshift-authentication-operator",
+	"openshift-cloud-controller-manager",
+	"openshift-cloud-controller-manager-operator",
+	"openshift-cloud-credential-operator",
+	"openshift-cloud-network-config-controller",
+	"openshift-cluster-csi-drivers",
+	"openshift-cluster-machine-approver",
+	"openshift-cluster-node-tuning-operator",
+	"openshift-cluster-samples-operator",
+	"openshift-cluster-storage-operator",
+	"openshift-cluster-version",
+	"openshift-config",
+	"openshift-config-managed",
+	"openshift-config-operator",
+	"openshift-console",
+	"openshift-console-operator",
+	"openshift-console-user-settings",
+	"openshift-controller-manager",
+	"openshift-controller-manager-operator",
+	"openshift-dns",
+	"openshift-dns-operator",
+	"openshift-etcd",
+	"openshift-etcd-operator",
+	"openshift-host-network",
+	"openshift-image-registry",
+	"openshift-infra",
+	"openshift-ingress",
+	"openshift-ingress-canary",
+	"openshift-ingress-operator",
+	"openshift-insights",
+	"openshift-kni-infra",
+	"openshift-kube-apiserver",
+	"openshift-kube-apiserver-operator",
+	"openshift-kube-controller-manager",
+	"openshift-kube-controller-manager-operator",
+	"openshift-kube-scheduler",
+	"openshift-kube-scheduler-operator",
+	"openshift-kube-storage-version-migrator",
+	"openshift-kube-storage-version-migrator-operator",
+	"openshift-machine-api",
+	"openshift-machine-config-operator",
+	"openshift-marketplace",
+	"openshift-monitoring",
+	"openshift-multus",
+	"openshift-network-diagnostics",
+	"openshift-network-operator",
+	"openshift-node",
+	"openshift-nutanix-infra",
+	"openshift-oauth-apiserver",
+	"openshift-openstack-infra",
+	"openshift-operator-lifecycle-manager",
+	"openshift-ovirt-infra",
+	"openshift-sdn",
+	"openshift-service-ca",
+	"openshift-service-ca-operator",
+	"openshift-user-workload-monitoring",
+	"openshift-vsphere-infra",
+)
+
+// csvNamespaceLabelerPlugin is responsible for labeling non-payload openshift-* namespaces
+// with the label "security.openshift.io/scc.podSecurityLabelSync=true" so that the  PSA Label Syncer
+// see https://github.com/openshift/cluster-policy-controller/blob/master/pkg/psalabelsyncer/podsecurity_label_sync_controller.go
+// can help ensure that the operator payloads in the namespace continue to work even if they don't yet respect the
+// upstream Pod Security Admission controller, which will become active in k8s 1.15.
+// see https://kubernetes.io/docs/concepts/security/pod-security-admission/
+// If a CSV is created or modified, this controller will look at the csv's namespace. If it is a non-payload namespace,
+// if the namespace name is prefixed with 'openshift-', and if the namespace does not contain the label (whatever
+// value it may be set to), it will add the "security.openshift.io/scc.podSecurityLabelSync=true" to the namespace.
+type csvNamespaceLabelerPlugin struct {
+	namespaceListerMap map[string]listerv1.NamespaceLister
+	kubeClient         operatorclient.ClientInterface
+	externalClient     versioned.Interface
+	logger             *logrus.Logger
+}
+
+func NewCsvNamespaceLabelerPlugInfunc(ctx context.Context, config OperatorConfig, hostOperator HostOperator) (OperatorPlugin, error) {
+
+	if hostOperator == nil {
+		return nil, fmt.Errorf("cannot initialize plugin: operator undefined")
+	}
+
+	plugin := &csvNamespaceLabelerPlugin{
+		kubeClient:         config.OperatorClient(),
+		externalClient:     config.ExternalClient(),
+		logger:             config.Logger(),
+		namespaceListerMap: map[string]listerv1.NamespaceLister{},
+	}
+
+	for _, namespace := range config.WatchedNamespaces() {
+
+		// create a namespace informer for namespaces that do not include
+		// the label syncer label
+		namespaceInformer := informers.NewSharedInformerFactoryWithOptions(
+			plugin.kubeClient.KubernetesInterface(),
+			config.ResyncPeriod()(),
+			informers.WithNamespace(namespace),
+		).Core().V1().Namespaces()
+
+		if err := hostOperator.RegisterInformer(namespaceInformer.Informer()); err != nil {
+			return nil, err
+		}
+		plugin.namespaceListerMap[namespace] = namespaceInformer.Lister()
+
+		// create a new csv informer and prune status to reduce memory footprint
+		csvNamespaceLabelerInformer := cache.NewSharedIndexInformer(
+			pruning.NewListerWatcher(
+				plugin.externalClient,
+				namespace,
+				func(opts *metav1.ListOptions) {
+					opts.LabelSelector = fmt.Sprintf("!%s", v1alpha1.CopiedLabelKey)
+				},
+				pruning.PrunerFunc(func(csv *v1alpha1.ClusterServiceVersion) {
+					*csv = v1alpha1.ClusterServiceVersion{
+						TypeMeta:   csv.TypeMeta,
+						ObjectMeta: csv.ObjectMeta,
+					}
+				}),
+			),
+			&v1alpha1.ClusterServiceVersion{},
+			config.ResyncPeriod()(),
+			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+		)
+
+		csvNamespaceLabelerPluginQueue := workqueue.NewNamedRateLimitingQueue(
+			workqueue.DefaultControllerRateLimiter(),
+			fmt.Sprintf("%s/csv-ns-labeler-plugin", namespace),
+		)
+		csvNamespaceLabelerPluginQueueInformer, err := queueinformer.NewQueueInformer(
+			ctx,
+			queueinformer.WithInformer(csvNamespaceLabelerInformer),
+			queueinformer.WithLogger(config.Logger()),
+			queueinformer.WithQueue(csvNamespaceLabelerPluginQueue),
+			queueinformer.WithIndexer(csvNamespaceLabelerInformer.GetIndexer()),
+			queueinformer.WithSyncer(plugin),
+		)
+		if err != nil {
+			return nil, err
+		}
+		if err := hostOperator.RegisterQueueInformer(csvNamespaceLabelerPluginQueueInformer); err != nil {
+			return nil, err
+		}
+	}
+
+	return plugin, nil
+}
+
+func (p *csvNamespaceLabelerPlugin) Shutdown() error {
+	return nil
+}
+
+func (p *csvNamespaceLabelerPlugin) Sync(ctx context.Context, event kubestate.ResourceEvent) error {
+	// only act on csv added and updated events
+	if event.Type() != kubestate.ResourceAdded && event.Type() != kubestate.ResourceUpdated {
+		return nil
+	}
+
+	csv, ok := event.Resource().(*v1alpha1.ClusterServiceVersion)
+	if !ok {
+		return fmt.Errorf("event resource is not a ClusterServiceVersion")
+	}
+
+	// ignore copied csvs
+	// informer should already be filtering these out - but just in case
+	if csv.IsCopied() {
+		return nil
+	}
+
+	// ignore non-openshift-* and payload openshift-* namespaces
+	if !strings.HasPrefix(csv.GetNamespace(), "openshift-") || systemNSSyncExemptions.Has(csv.GetNamespace()) {
+		return nil
+	}
+
+	namespace, err := p.getNamespace(csv.GetNamespace())
+	if err != nil {
+		return fmt.Errorf("error getting csv namespace (%s) for label sync'er labeling", csv.GetNamespace())
+	}
+
+	// add label sync'er label if it does not exist
+	if _, ok := namespace.GetLabels()[NamespaceLabelSyncerLabelKey]; !ok {
+		nsCopy := namespace.DeepCopy()
+		if nsCopy.GetLabels() == nil {
+			nsCopy.SetLabels(map[string]string{})
+		}
+		nsCopy.GetLabels()[NamespaceLabelSyncerLabelKey] = "true"
+		if _, err := p.kubeClient.KubernetesInterface().CoreV1().Namespaces().Update(ctx, nsCopy, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error updating csv namespace (%s) with label sync'er label", nsCopy.GetNamespace())
+		}
+
+		if p.logger != nil {
+			p.logger.Infof("applied %s=true label to namespace %s", NamespaceLabelSyncerLabelKey, nsCopy.GetNamespace())
+		}
+	}
+
+	return nil
+}
+
+func (p *csvNamespaceLabelerPlugin) getNamespace(namespace string) (*v1.Namespace, error) {
+	lister, ok := p.namespaceListerMap[namespace]
+	if !ok {
+		lister, ok = p.namespaceListerMap[metav1.NamespaceAll]
+		if !ok {
+			return nil, fmt.Errorf("no namespace lister found for namespace: %s", namespace)
+		}
+	}
+	return lister.Get(namespace)
+}