openshift-knative · matzew · Sep 20, 2022 · Sep 16, 2022 · Sep 19, 2022 · Sep 19, 2022
diff --git a/hack/patches/006-version.patch b/hack/patches/006-version.patch
@@ -0,0 +1,38 @@
+diff --git a/vendor/knative.dev/pkg/environment/client_config.go b/vendor/knative.dev/pkg/environment/client_config.go
+index 04d4220b..d094bf0c 100644
+--- a/vendor/knative.dev/pkg/environment/client_config.go
++++ b/vendor/knative.dev/pkg/environment/client_config.go
+@@ -42,9 +42,10 @@ func (c *ClientConfig) InitFlags(fs *flag.FlagSet) {
+ 	fs.StringVar(&c.ServerURL, "server", "",
+ 		"The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.")
+
+-	fs.StringVar(&c.Kubeconfig, "kubeconfig", os.Getenv("KUBECONFIG"),
+-		"Path to a kubeconfig. Only required if out-of-cluster.")
+-
++	if fs.Lookup("kubeconfig") == nil {
++		fs.StringVar(&c.Kubeconfig, "kubeconfig", os.Getenv("KUBECONFIG"),
++			"Path to a kubeconfig. Only required if out-of-cluster.")
++	}
+ 	fs.IntVar(&c.Burst, "kube-api-burst", 0, "Maximum burst for throttle.")
+
+ 	fs.Float64Var(&c.QPS, "kube-api-qps", 0, "Maximum QPS to the server from the client.")
+diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go b/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go
+index 235a7e45..d4110dc9 100644
+--- a/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go
++++ b/vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go
+@@ -35,9 +35,12 @@ var (
+ )
+
+ func init() {
+-	// TODO: Fix this to allow double vendoring this library but still register flags on behalf of users
+-	flag.StringVar(&kubeconfig, "kubeconfig", "",
+-		"Paths to a kubeconfig. Only required if out-of-cluster.")
++	// Need to avoid conflict with knative sharedmain kubeconfig parsing
++	// For more check here: https://github.com/kubernetes-sigs/controller-runtime/issues/878
++	if flag.Lookup("kubeconfig") == nil {
++		flag.StringVar(&kubeconfig, "kubeconfig", "",
++			"Paths to a kubeconfig. Only required if out-of-cluster.")
++	}
+ }
+
+ // GetConfig creates a *rest.Config for talking to a Kubernetes API server.
diff --git a/knative-operator/pkg/controller/knativekafka/knativekafka_controller.go b/knative-operator/pkg/controller/knativekafka/knativekafka_controller.go
@@ -305,7 +305,8 @@ func (r *ReconcileKnativeKafka) transform(manifest *mf.Manifest, instance *serve
 			return err
 		}
 	}
-	m, err := manifest.Transform(
+	tfs := []mf.Transformer{}
+	tfs = append(append(tfs,
 		mf.InjectOwner(instance),
 		common.SetAnnotations(map[string]string{
 			common.KafkaOwnerName:      instance.Name,
@@ -317,8 +318,8 @@ func (r *ReconcileKnativeKafka) transform(manifest *mf.Manifest, instance *serve
 		ImageTransform(common.BuildImageOverrideMapFromEnviron(os.Environ(), "KAFKA_IMAGE_")),
 		socommon.VersionedJobNameTransform(),
 		socommon.ConfigMapVolumeChecksumTransform(context.Background(), r.client, sets.NewString("config-tracing", "kafka-config-logging")),
-		rbacProxyTranform,
-	)
+		rbacProxyTranform), socommon.DeprecatedAPIsTranformersFromConfig()...)
+	m, err := manifest.Transform(tfs...)
 	if err != nil {
 		return fmt.Errorf("failed to transform manifest: %w", err)
 	}

diff --git a/olm-catalog/serverless-operator/manifests/serverless-operator.clusterserviceversion.yaml b/olm-catalog/serverless-operator/manifests/serverless-operator.clusterserviceversion.yaml
@@ -492,7 +492,9 @@ spec:
                       runAsNonRoot: true
                       capabilities:
                         drop:
-                          - all
+                          - ALL
+                      seccompProfile:
+                        type: RuntimeDefault
         # Openshift specific extensions in the "old" operator format. Ships KnativeKafka and
         # other Openshift specifica that have not yet been moved to the operator above.
         - name: knative-openshift
@@ -515,6 +517,14 @@ spec:
                     volumeMounts:
                       - mountPath: /cli-artifacts
                         name: cli-artifacts
+                    securityContext:
+                      allowPrivilegeEscalation: false
+                      runAsNonRoot: true
+                      capabilities:
+                        drop:
+                          - ALL
+                      seccompProfile:
+                        type: RuntimeDefault
                 containers:
                   - name: knative-openshift
                     # This reference will be replaced in local builds and CI via hack/lib/catalogsource.bash.
@@ -657,7 +667,9 @@ spec:
                       runAsNonRoot: true
                       capabilities:
                         drop:
-                          - all
+                          - ALL
+                      seccompProfile:
+                        type: RuntimeDefault
                 volumes:
                   - name: cli-artifacts
                     emptyDir: {}
@@ -703,7 +715,9 @@ spec:
                       runAsNonRoot: true
                       capabilities:
                         drop:
-                          - all
+                          - ALL
+                      seccompProfile:
+                        type: RuntimeDefault
   webhookdefinitions:
     - generateName: validating.knativeeventings.operator.serverless.openshift.io
       type: ValidatingAdmissionWebhook

diff --git a/openshift-knative-operator/pkg/common/api.go b/openshift-knative-operator/pkg/common/api.go
@@ -0,0 +1,177 @@
+package common
+
+import (
+	"fmt"
+
+	"strings"
+
+	batchv1 "k8s.io/api/batch/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+
+	"github.com/blang/semver/v4"
+	mf "github.com/manifestival/manifestival"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+
+	"knative.dev/pkg/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+)
+
+// UpgradePodDisruptionBudget upgrade the API version to policy/v1
+func UpgradePodDisruptionBudget() mf.Transformer {
+	return func(u *unstructured.Unstructured) error {
+		if u.GetKind() != "PodDisruptionBudget" {
+			return nil
+		}
+		if u.GetAPIVersion() != "policy/v1beta1" {
+			return nil
+		}
+		u.SetAPIVersion("policy/v1")
+		return nil
+	}
+}
+
+// UpgradeHorizontalPodAutoscaler upgrade the API version to autoscaling/v2
+func UpgradeHorizontalPodAutoscaler() mf.Transformer {
+	return func(u *unstructured.Unstructured) error {
+		if u.GetKind() != "HorizontalPodAutoscaler" {
+			return nil
+		}
+		if u.GetAPIVersion() != "autoscaling/v2beta2" {
+			return nil
+		}
+		u.SetAPIVersion("autoscaling/v2")
+		return nil
+	}
+}
+
+// SetSecurityContextForAdmissionController set the required pod security context to avoid issues on K8s 1.25+.
+// For more check:  https://connect.redhat.com/en/blog/important-openshift-changes-pod-security-standards
+func SetSecurityContextForAdmissionController() mf.Transformer {
+	return func(u *unstructured.Unstructured) error {
+		switch u.GetKind() {
+		case "Deployment":
+			deployment := &appsv1.Deployment{}
+			if err := scheme.Scheme.Convert(u, deployment, nil); err != nil {
+				return fmt.Errorf("failed to convert Unstructured to Deployment: %w", err)
+			}
+			obj := deployment
+			podSpec := &deployment.Spec.Template.Spec
+			containers := podSpec.Containers
+			for i := range containers {
+				setPodSecurityContext(&containers[i])
+			}
+			if err := scheme.Scheme.Convert(obj, u, nil); err != nil {
+				return err
+			}
+		case "Job":
+			job := &batchv1.Job{}
+			if err := scheme.Scheme.Convert(u, job, nil); err != nil {
+				return fmt.Errorf("failed to convert Unstructured to Job: %w", err)
+			}
+			obj := job
+			podSpec := &job.Spec.Template.Spec
+			containers := podSpec.Containers
+			for i := range containers {
+				setPodSecurityContext(&containers[i])
+			}
+			if err := scheme.Scheme.Convert(obj, u, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+func setPodSecurityContext(container *corev1.Container) {
+	if container.SecurityContext == nil {
+		container.SecurityContext = &corev1.SecurityContext{
+			AllowPrivilegeEscalation: ptr.Bool(false),
+			ReadOnlyRootFilesystem:   ptr.Bool(true),
+			RunAsNonRoot:             ptr.Bool(true),
+			Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+			SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+		}
+	} else {
+		if container.SecurityContext.RunAsNonRoot == nil {
+			container.SecurityContext.RunAsNonRoot = ptr.Bool(true)
+		}
+		if container.SecurityContext.ReadOnlyRootFilesystem == nil {
+			container.SecurityContext.ReadOnlyRootFilesystem = ptr.Bool(true)
+		}
+		if container.SecurityContext.AllowPrivilegeEscalation == nil {
+			container.SecurityContext.AllowPrivilegeEscalation = ptr.Bool(false)
+		}
+		container.SecurityContext.Capabilities = &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}
+		if container.SecurityContext.SeccompProfile == nil {
+			container.SecurityContext.SeccompProfile = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}
+		}
+	}
+}
+
+// CheckMinimumVersion checks if current K8s version we are on is higher than the one passed.
+// If an error is returned then we
+func CheckMinimumVersion(versioner discovery.ServerVersionInterface, version string) error {
+	v, err := versioner.ServerVersion()
+	if err != nil {
+		return err
+	}
+	currentVersion, err := semver.Make(normalizeVersion(v.GitVersion))
+	if err != nil {
+		return err
+	}
+
+	minimumVersion, err := semver.Make(normalizeVersion(version))
+	if err != nil {
+		return err
+	}
+
+	// If no specific pre-release requirement is set, we default to "-0" to always allow
+	// pre-release versions of the same Major.Minor.Patch version.
+	if len(minimumVersion.Pre) == 0 {
+		minimumVersion.Pre = []semver.PRVersion{{VersionNum: 0, IsNum: true}}
+	}
+
+	if currentVersion.LT(minimumVersion) {
+		return fmt.Errorf("kubernetes version %q is not compatible, need at least %q",
+			currentVersion, minimumVersion)
+	}
+	return nil
+}
+
+// DeprecatedAPIsTranformersFromConfig check if we are on the right K8s version and return
+// the related transformers. Meant to be used by the knative-openshift operator which uses controller runtime
+// and for which we need to construct the discovery value.
+func DeprecatedAPIsTranformersFromConfig() []mf.Transformer {
+	cfg, err := config.GetConfig()
+	if err != nil {
+		panic(err)
+	}
+	clset := kubernetes.NewForConfigOrDie(cfg)
+	return DeprecatedAPIsTranformers(clset.Discovery())
+}
+
+// DeprecatedAPIsTranformers check if we are on the right K8s version and return
+// the related transformers.
+func DeprecatedAPIsTranformers(d discovery.DiscoveryInterface) []mf.Transformer {
+	transformers := []mf.Transformer{}
+	// Enforce the new version, try to upgrade existing resources for 4.11 to also avoid warnings.
+	// The policy/v1beta1 API version of PodDisruptionBudget will no longer be served in v1.25.
+	// The autoscaling/v2beta2 API version of HorizontalPodAutoscaler will no longer be served in v1.26
+	// TODO: When we move away from releases that bring v1beta1 we can remove this part
+	if err := CheckMinimumVersion(d, "1.24.0"); err == nil {
+		transformers = append(transformers, UpgradePodDisruptionBudget(), UpgradeHorizontalPodAutoscaler(), SetSecurityContextForAdmissionController())
+	}
+	return transformers
+}
+
+func normalizeVersion(v string) string {
+	if strings.HasPrefix(v, "v") {
+		// No need to account for unicode widths.
+		return v[1:]
+	}
+	return v
+}