diff --git a/assets/apps/0000_60_service-ca_05_deploy.yaml b/assets/apps/0000_60_service-ca_05_deploy.yaml index 547c3bdd52..33b28a1aff 100644 --- a/assets/apps/0000_60_service-ca_05_deploy.yaml +++ b/assets/apps/0000_60_service-ca_05_deploy.yaml @@ -23,7 +23,6 @@ spec: app: service-ca service-ca: "true" spec: - securityContext: {} serviceAccount: service-ca serviceAccountName: service-ca containers: @@ -33,8 +32,8 @@ spec: command: ["service-ca-operator", "controller"] ports: - containerPort: 8443 - # securityContext: - # runAsNonRoot: true + securityContext: + runAsNonRoot: true resources: requests: memory: 120Mi diff --git a/assets/apps/0000_80_cluster_policy_controller_deploy.yaml b/assets/apps/0000_80_cluster_policy_controller_deploy.yaml new file mode 100644 index 0000000000..ec683cbe3e --- /dev/null +++ b/assets/apps/0000_80_cluster_policy_controller_deploy.yaml 
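Review bot: `runAsNonRoot: true` is now enforced on the service-ca container without an accompanying `runAsUser`, so the kubelet validates it against the image's USER and refuses to start the container if the image runs as root or declares a non-numeric user; confirm the service-ca-operator image's USER, or pin a numeric `runAsUser` next to it. Dropping the empty pod-level `securityContext: {}` in the first hunk is behaviour-neutral. The same two edits appear again in the generated `pkg/assets/apps/bindata.go` hunk further down, so source and embedded copy stay consistent.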
@@ -0,0 +1,89 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller +spec: + replicas: 1 + selector: + matchLabels: + app: openshift-cluster-policy-controller + template: + metadata: + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller + spec: + serviceAccountName: openshift-cluster-policy-controller-sa + containers: + - name: cluster-policy-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: {{ .ReleaseImage.cluster_policy_controller }} + imagePullPolicy: IfNotPresent + terminationMessagePolicy: FallbackToLogsOnError + command: ["/bin/bash", "-euxo", "pipefail", "-c"] + args: + - | + timeout 3m /bin/bash -exuo pipefail -c 'while [ -n "$(ss -Htanop \( sport = 10357 \))" ]; do sleep 1; done' + exec cluster-policy-controller start --config=/var/run/config/config.yaml + resources: + requests: + memory: 200Mi + cpu: 10m + ports: + - containerPort: 10357 + volumeMounts: + - mountPath: /var/run/kubeadmin + name: kubeconfig-dir + - mountPath: /var/run/secrets + name: signing-key + - mountPath: /var/run/configmaps/signing-cabundle + name: signing-cabundle + - mountPath: /var/run/config + name: config + startupProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 0 + timeoutSeconds: 3 + livenessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 45 + timeoutSeconds: 10 + readinessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 10 + timeoutSeconds: 10 + hostNetwork: true + priorityClassName: system-node-critical + volumes: + - name: kubeconfig-dir + hostPath: + path: {{.KubeConfigDir}} + - name: signing-key + hostPath: + path: {{.KeyDir}} + - name: config + 
hostPath: + path: {{.ConfigDir}} + - hostPath: + path: {{.CADir}} + name: signing-cabundle diff --git a/assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml b/assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml new file mode 100644 index 0000000000..65d3ecd21d --- /dev/null +++ b/assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: "" + workload.openshift.io/allowed: "management" + labels: + # set value to avoid depending on kube admission that depends on openshift apis + openshift.io/run-level: "0" + # allow openshift-monitoring to look for ServiceMonitor objects in this namespace + openshift.io/cluster-monitoring: "true" + name: openshift-kube-controller-manager diff --git a/assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml b/assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml new file mode 100644 index 0000000000..e9735a2cc0 --- /dev/null +++ b/assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller-sa diff --git a/assets/core/0000_80_namespace-security-allocation-controller_sa.yaml b/assets/core/0000_80_namespace-security-allocation-controller_sa.yaml new file mode 100644 index 0000000000..15d7b3717d --- /dev/null +++ b/assets/core/0000_80_namespace-security-allocation-controller_sa.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-infra + name: namespace-security-allocation-controller 
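Review bot: The four hostPath mounts on the cluster-policy-controller container (`kubeconfig-dir`, `signing-key`, `signing-cabundle`, `config`) are all writable although the controller only reads them; add `readOnly: true` to each volumeMount so a compromised process cannot alter the node's signing key, CA bundle or kubeconfig in place. The pod also sets `hostNetwork: true` and carries no `securityContext` at all, which sits oddly next to the `runAsNonRoot: true` this same commit enables for service-ca — if the image declares a numeric non-root user, the same setting belongs here. The `signing-key` mount at `/var/run/secrets` is the parent directory of the default service-account token projection (`/var/run/secrets/kubernetes.io/serviceaccount`); confirm the two mounts are meant to nest, or move the key under a dedicated subdirectory. The same manifest is embedded verbatim in the generated `pkg/assets/apps/bindata.go` hunk below, so any change here must be followed by regenerating it.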
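Review bot: The namespace label `openshift.io/run-level: "0"` does more than the in-file comment states: on OpenShift, run-level 0 namespaces are, to my understanding, also skipped by SCC admission, so the hostNetwork pod placed in this namespace is not constrained by any SCC and the Deployment's own securityContext is the only hardening that applies. Extend the comment to make that explicit, e.g. `# run-level 0 also exempts this namespace from SCC admission; pod hardening must live in the Deployment spec`. This is a documentation point only; the label is presumably what allows the hostNetwork controller pod to be admitted here at all.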
diff --git a/assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml b/assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml new file mode 100644 index 0000000000..5ae9859025 --- /dev/null +++ b/assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml 
@@ -0,0 +1,49 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/751 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + name: rangeallocations.security.internal.openshift.io +spec: + group: security.internal.openshift.io + names: + kind: RangeAllocation + listKind: RangeAllocationList + plural: rangeallocations + singular: rangeallocation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RangeAllocation is used so we can easily expose a RangeAllocation + typed for security group This is an internal API, not intended for external + consumption. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + data: + description: data is a byte array representing the serialized state of + a range allocation. It is a bitmap with each bit set to one to represent + a range is taken. + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + range: + description: range is a string representing a unique label for a range + of uids, "1000000000-2000000000/10000". + type: string + type: object + served: true + storage: true 
diff --git a/assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml b/assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml new file mode 100644 index 0000000000..d0fd3445dc --- /dev/null +++ b/assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml @@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + name: namespace-security-allocation-controller +rules: +- apiGroups: + - security.openshift.io + - security.internal.openshift.io + resources: + - rangeallocations + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - update + - watch + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update diff --git a/assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml b/assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml new file mode 100644 index 0000000000..ec9324bc6f --- /dev/null +++ b/assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: namespace-security-allocation-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: namespace-security-allocation-controller +subjects: +- kind: ServiceAccount + name: namespace-security-allocation-controller + namespace: openshift-infra diff --git a/pkg/assets/apps/bindata.go b/pkg/assets/apps/bindata.go index 2d83e07f68..30c7204930 100644 --- a/pkg/assets/apps/bindata.go +++ b/pkg/assets/apps/bindata.go @@ -4,6 +4,7 @@ // assets/apps/0000_60_service-ca_05_deploy.yaml // assets/apps/0000_70_dns_01-dns-daemonset.yaml // assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml +// assets/apps/0000_80_cluster_policy_controller_deploy.yaml // assets/apps/0000_80_openshift-router-deployment.yaml // assets/apps/000_80_hostpath-provisioner-daemonset.yaml package assets 
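Review bot: `metadata.annotations:` in the ClusterRole is an empty key that serialises to null; either drop the line or put the intended annotation under it. Nothing in this diff binds RBAC to the pod's own service account, `openshift-cluster-policy-controller-sa`; the binding subject is `namespace-security-allocation-controller` in `openshift-infra`, while the pod mounts a kubeconfig from `{{.KubeConfigDir}}`, so presumably the controller uses that kubeconfig to act as the per-controller SA rather than the pod SA. A short comment on the ClusterRoleBinding stating that relationship would save the next reader from hunting for a missing binding, e.g. `# subject is the per-controller SA the cluster-policy-controller runs this controller as, not the pod SA`. The `update`/`patch` verbs on all namespaces are presumably what a UID-range allocator needs to write per-namespace annotations, but they are cluster-wide, so the same comment should state that this scope is intentional.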
@@ -190,7 +191,6 @@ spec: app: service-ca service-ca: "true" spec: - securityContext: {} serviceAccount: service-ca serviceAccountName: service-ca containers: @@ -200,8 +200,8 @@ spec: command: ["service-ca-operator", "controller"] ports: - containerPort: 8443 - # securityContext: - # runAsNonRoot: true + securityContext: + runAsNonRoot: true resources: requests: memory: 120Mi 
@@ -517,6 +517,112 @@ func assetsApps0000_70_dns_01NodeResolverDaemonsetYaml() (*asset, error) { return a, nil } +var _assetsApps0000_80_cluster_policy_controller_deployYaml = []byte(`apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller +spec: + replicas: 1 + selector: + matchLabels: + app: openshift-cluster-policy-controller + template: + metadata: + name: openshift-cluster-policy-controller + labels: + app: openshift-cluster-policy-controller + spec: + serviceAccountName: openshift-cluster-policy-controller-sa + containers: + - name: cluster-policy-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: {{ .ReleaseImage.cluster_policy_controller }} + imagePullPolicy: IfNotPresent + terminationMessagePolicy: FallbackToLogsOnError + command: ["/bin/bash", "-euxo", "pipefail", "-c"] + args: + - | + timeout 3m /bin/bash -exuo pipefail -c 'while [ -n "$(ss -Htanop \( sport = 10357 \))" ]; do sleep 1; done' + exec cluster-policy-controller start --config=/var/run/config/config.yaml + resources: + requests: + memory: 200Mi + cpu: 10m + ports: + - containerPort: 10357 + volumeMounts: + - mountPath: /var/run/kubeadmin + name: kubeconfig-dir + - mountPath: /var/run/secrets + name: signing-key + - mountPath: /var/run/configmaps/signing-cabundle + name: signing-cabundle + - mountPath: /var/run/config + name: config + startupProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 0 + timeoutSeconds: 3 + livenessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 45 + timeoutSeconds: 10 + readinessProbe: + httpGet: + scheme: HTTPS + port: 10357 + path: healthz + initialDelaySeconds: 10 + timeoutSeconds: 10 + hostNetwork: true + priorityClassName: 
system-node-critical + volumes: + - name: kubeconfig-dir + hostPath: + path: {{.KubeConfigDir}} + - name: signing-key + hostPath: + path: {{.KeyDir}} + - name: config + hostPath: + path: {{.ConfigDir}} + - hostPath: + path: {{.CADir}} + name: signing-cabundle +`) + +func assetsApps0000_80_cluster_policy_controller_deployYamlBytes() ([]byte, error) { + return _assetsApps0000_80_cluster_policy_controller_deployYaml, nil +} + +func assetsApps0000_80_cluster_policy_controller_deployYaml() (*asset, error) { + bytes, err := assetsApps0000_80_cluster_policy_controller_deployYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/apps/0000_80_cluster_policy_controller_deploy.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsApps0000_80_openshiftRouterDeploymentYaml = []byte(`# Deployment with default values # Ingress Controller specific values are applied at runtime. kind: Deployment 
@@ -782,12 +888,13 @@ func AssetNames() []string { // _bindata is a table, holding each asset generator, mapped to its name. var _bindata = map[string]func() (*asset, error){ - "assets/apps/0000_00_flannel-daemonset.yaml": assetsApps0000_00_flannelDaemonsetYaml, - "assets/apps/0000_60_service-ca_05_deploy.yaml": assetsApps0000_60_serviceCa_05_deployYaml, - "assets/apps/0000_70_dns_01-dns-daemonset.yaml": assetsApps0000_70_dns_01DnsDaemonsetYaml, - "assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml": assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, - "assets/apps/0000_80_openshift-router-deployment.yaml": assetsApps0000_80_openshiftRouterDeploymentYaml, - "assets/apps/000_80_hostpath-provisioner-daemonset.yaml": assetsApps000_80_hostpathProvisionerDaemonsetYaml, + "assets/apps/0000_00_flannel-daemonset.yaml": assetsApps0000_00_flannelDaemonsetYaml, + "assets/apps/0000_60_service-ca_05_deploy.yaml": assetsApps0000_60_serviceCa_05_deployYaml, + "assets/apps/0000_70_dns_01-dns-daemonset.yaml": assetsApps0000_70_dns_01DnsDaemonsetYaml, + "assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml": assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, + "assets/apps/0000_80_cluster_policy_controller_deploy.yaml": assetsApps0000_80_cluster_policy_controller_deployYaml, + "assets/apps/0000_80_openshift-router-deployment.yaml": assetsApps0000_80_openshiftRouterDeploymentYaml, + "assets/apps/000_80_hostpath-provisioner-daemonset.yaml": assetsApps000_80_hostpathProvisionerDaemonsetYaml, } // AssetDir returns the file names below a certain 
@@ -833,12 +940,13 @@ type bintree struct {
 var _bintree = &bintree{nil, map[string]*bintree{
 "assets": {nil, map[string]*bintree{
 "apps": {nil, map[string]*bintree{
- "0000_00_flannel-daemonset.yaml": {assetsApps0000_00_flannelDaemonsetYaml, map[string]*bintree{}},
- "0000_60_service-ca_05_deploy.yaml": {assetsApps0000_60_serviceCa_05_deployYaml, map[string]*bintree{}},
- "0000_70_dns_01-dns-daemonset.yaml": {assetsApps0000_70_dns_01DnsDaemonsetYaml, map[string]*bintree{}},
- "0000_70_dns_01-node-resolver-daemonset.yaml": {assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, map[string]*bintree{}},
- "0000_80_openshift-router-deployment.yaml": {assetsApps0000_80_openshiftRouterDeploymentYaml, map[string]*bintree{}},
- "000_80_hostpath-provisioner-daemonset.yaml": {assetsApps000_80_hostpathProvisionerDaemonsetYaml, map[string]*bintree{}},
+ "0000_00_flannel-daemonset.yaml": {assetsApps0000_00_flannelDaemonsetYaml, map[string]*bintree{}},
+ "0000_60_service-ca_05_deploy.yaml": {assetsApps0000_60_serviceCa_05_deployYaml, map[string]*bintree{}},
+ "0000_70_dns_01-dns-daemonset.yaml": {assetsApps0000_70_dns_01DnsDaemonsetYaml, map[string]*bintree{}},
+ "0000_70_dns_01-node-resolver-daemonset.yaml": {assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, map[string]*bintree{}},
+ "0000_80_cluster_policy_controller_deploy.yaml": {assetsApps0000_80_cluster_policy_controller_deployYaml, map[string]*bintree{}},
+ "0000_80_openshift-router-deployment.yaml": {assetsApps0000_80_openshiftRouterDeploymentYaml, map[string]*bintree{}},
+ "000_80_hostpath-provisioner-daemonset.yaml": {assetsApps000_80_hostpathProvisionerDaemonsetYaml, map[string]*bintree{}},
 }},
 }},
 }}
diff --git a/pkg/assets/core/bindata.go b/pkg/assets/core/bindata.go
index c5fbf26810..ad9c20d4d7 100644
--- a/pkg/assets/core/bindata.go
+++ b/pkg/assets/core/bindata.go
@@ -10,13 +10,16 @@ // assets/core/0000_70_dns_01-dns-service-account.yaml // assets/core/0000_70_dns_01-node-resolver-service-account.yaml // assets/core/0000_70_dns_01-service.yaml +// assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml +// assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml // assets/core/0000_80_hostpath-provisioner-namespace.yaml // assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml +// assets/core/0000_80_namespace-security-allocation-controller_sa.yaml // assets/core/0000_80_openshift-router-cm.yaml +// assets/core/0000_80_openshift-router-external-service.yaml // assets/core/0000_80_openshift-router-namespace.yaml // assets/core/0000_80_openshift-router-service-account.yaml // assets/core/0000_80_openshift-router-service.yaml -// assets/core/0000_80_openshift-router-external-service.yaml package assets import ( 
@@ -381,6 +384,57 @@ func assetsCore0000_70_dns_01ServiceYaml() (*asset, error) { return a, nil } +var _assetsCore0000_80_clusterOpenshiftClusterPolicyController_00_namespaceYaml = []byte(`apiVersion: v1 +kind: Namespace +metadata: + annotations: + openshift.io/node-selector: "" + workload.openshift.io/allowed: "management" + labels: + # set value to avoid depending on kube admission that depends on openshift apis + openshift.io/run-level: "0" + # allow openshift-monitoring to look for ServiceMonitor objects in this namespace + openshift.io/cluster-monitoring: "true" + name: openshift-kube-controller-manager +`) + +func assetsCore0000_80_clusterOpenshiftClusterPolicyController_00_namespaceYamlBytes() ([]byte, error) { + return _assetsCore0000_80_clusterOpenshiftClusterPolicyController_00_namespaceYaml, nil +} + +func assetsCore0000_80_clusterOpenshiftClusterPolicyController_00_namespaceYaml() (*asset, error) { + bytes, err := assetsCore0000_80_clusterOpenshiftClusterPolicyController_00_namespaceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsCore0000_80_clusterOpenshiftClusterPolicyController_serviceAccountYaml = []byte(`apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-kube-controller-manager + name: openshift-cluster-policy-controller-sa +`) + +func assetsCore0000_80_clusterOpenshiftClusterPolicyController_serviceAccountYamlBytes() ([]byte, error) { + return _assetsCore0000_80_clusterOpenshiftClusterPolicyController_serviceAccountYaml, nil +} + +func assetsCore0000_80_clusterOpenshiftClusterPolicyController_serviceAccountYaml() (*asset, error) { + bytes, err := assetsCore0000_80_clusterOpenshiftClusterPolicyController_serviceAccountYamlBytes() + if err != nil { + return nil, err + } + + info := 
bindataFileInfo{name: "assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCore0000_80_hostpathProvisionerNamespaceYaml = []byte(`apiVersion: v1 kind: Namespace metadata: @@ -422,6 +476,28 @@ func assetsCore0000_80_hostpathProvisionerServiceaccountYaml() (*asset, error) { return a, nil } +var _assetsCore0000_80_namespaceSecurityAllocationController_saYaml = []byte(`apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: openshift-infra + name: namespace-security-allocation-controller +`) + +func assetsCore0000_80_namespaceSecurityAllocationController_saYamlBytes() ([]byte, error) { + return _assetsCore0000_80_namespaceSecurityAllocationController_saYaml, nil +} + +func assetsCore0000_80_namespaceSecurityAllocationController_saYaml() (*asset, error) { + bytes, err := assetsCore0000_80_namespaceSecurityAllocationController_saYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_80_namespace-security-allocation-controller_sa.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCore0000_80_openshiftRouterCmYaml = []byte(`apiVersion: v1 kind: ConfigMap metadata: 
@@ -446,6 +522,45 @@ func assetsCore0000_80_openshiftRouterCmYaml() (*asset, error) { return a, nil } +var _assetsCore0000_80_openshiftRouterExternalServiceYaml = []byte(`kind: Service +apiVersion: v1 +metadata: + annotations: + service.alpha.openshift.io/serving-cert-secret-name: router-certs-default + labels: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + name: router-external-default + namespace: openshift-ingress +spec: + selector: + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default + type: NodePort + ports: + - name: http + port: 80 + targetPort: 80 + nodePort: 30001 + - name: https + port: 443 + targetPort: 443 + nodePort: 30002 +`) + +func assetsCore0000_80_openshiftRouterExternalServiceYamlBytes() ([]byte, error) { + return _assetsCore0000_80_openshiftRouterExternalServiceYaml, nil +} + +func assetsCore0000_80_openshiftRouterExternalServiceYaml() (*asset, error) { + bytes, err := assetsCore0000_80_openshiftRouterExternalServiceYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/core/0000_80_openshift-router-external-service.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCore0000_80_openshiftRouterNamespaceYaml = []byte(`kind: Namespace apiVersion: v1 metadata: 
@@ -546,45 +661,6 @@ func assetsCore0000_80_openshiftRouterServiceYaml() (*asset, error) { return a, nil } -var _assetsCore0000_80_openshiftRouterExternalServiceYaml = []byte(`kind: Service -apiVersion: v1 -metadata: - annotations: - service.alpha.openshift.io/serving-cert-secret-name: router-certs-default - labels: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - name: router-external-default - namespace: openshift-ingress -spec: - selector: - ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default - type: NodePort - ports: - - name: external-http - port: 80 - targetPort: 80 - nodePort: 30001 - - name: external-https - port: 443 - targetPort: 443 - nodePort: 30002 -`) - -func assetsCore0000_80_openshiftRouterExternalServiceYamlBytes() ([]byte, error) { - return _assetsCore0000_80_openshiftRouterExternalServiceYaml, nil -} - -func assetsCore0000_80_openshiftRouterExternalServiceYaml() (*asset, error) { - bytes, err := assetsCore0000_80_openshiftRouterExternalServiceYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "assets/core/0000_80_openshift-router-service.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - // Asset loads and returns the asset for the given name. // It returns an error if the asset could not be found or // could not be loaded. 
@@ -637,23 +713,26 @@ func AssetNames() []string { // _bindata is a table, holding each asset generator, mapped to its name. var _bindata = map[string]func() (*asset, error){ - "assets/core/0000_00_flannel-configmap.yaml": assetsCore0000_00_flannelConfigmapYaml, - "assets/core/0000_00_flannel-service-account.yaml": assetsCore0000_00_flannelServiceAccountYaml, - "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, - "assets/core/0000_60_service-ca_01_namespace.yaml": assetsCore0000_60_serviceCa_01_namespaceYaml, - "assets/core/0000_60_service-ca_04_sa.yaml": assetsCore0000_60_serviceCa_04_saYaml, - "assets/core/0000_70_dns_00-namespace.yaml": assetsCore0000_70_dns_00NamespaceYaml, - "assets/core/0000_70_dns_01-configmap.yaml": assetsCore0000_70_dns_01ConfigmapYaml, - "assets/core/0000_70_dns_01-dns-service-account.yaml": assetsCore0000_70_dns_01DnsServiceAccountYaml, - "assets/core/0000_70_dns_01-node-resolver-service-account.yaml": assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, - "assets/core/0000_70_dns_01-service.yaml": assetsCore0000_70_dns_01ServiceYaml, - "assets/core/0000_80_hostpath-provisioner-namespace.yaml": assetsCore0000_80_hostpathProvisionerNamespaceYaml, - "assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml": assetsCore0000_80_hostpathProvisionerServiceaccountYaml, - "assets/core/0000_80_openshift-router-cm.yaml": assetsCore0000_80_openshiftRouterCmYaml, - "assets/core/0000_80_openshift-router-namespace.yaml": assetsCore0000_80_openshiftRouterNamespaceYaml, - "assets/core/0000_80_openshift-router-service-account.yaml": assetsCore0000_80_openshiftRouterServiceAccountYaml, - "assets/core/0000_80_openshift-router-service.yaml": assetsCore0000_80_openshiftRouterServiceYaml, - "assets/core/0000_80_openshift-router-external-service.yaml": assetsCore0000_80_openshiftRouterExternalServiceYaml, + "assets/core/0000_00_flannel-configmap.yaml": 
assetsCore0000_00_flannelConfigmapYaml, + "assets/core/0000_00_flannel-service-account.yaml": assetsCore0000_00_flannelServiceAccountYaml, + "assets/core/0000_50_cluster-openshift-controller-manager_00_namespace.yaml": assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, + "assets/core/0000_60_service-ca_01_namespace.yaml": assetsCore0000_60_serviceCa_01_namespaceYaml, + "assets/core/0000_60_service-ca_04_sa.yaml": assetsCore0000_60_serviceCa_04_saYaml, + "assets/core/0000_70_dns_00-namespace.yaml": assetsCore0000_70_dns_00NamespaceYaml, + "assets/core/0000_70_dns_01-configmap.yaml": assetsCore0000_70_dns_01ConfigmapYaml, + "assets/core/0000_70_dns_01-dns-service-account.yaml": assetsCore0000_70_dns_01DnsServiceAccountYaml, + "assets/core/0000_70_dns_01-node-resolver-service-account.yaml": assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, + "assets/core/0000_70_dns_01-service.yaml": assetsCore0000_70_dns_01ServiceYaml, + "assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml": assetsCore0000_80_clusterOpenshiftClusterPolicyController_00_namespaceYaml, + "assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml": assetsCore0000_80_clusterOpenshiftClusterPolicyController_serviceAccountYaml, + "assets/core/0000_80_hostpath-provisioner-namespace.yaml": assetsCore0000_80_hostpathProvisionerNamespaceYaml, + "assets/core/0000_80_hostpath-provisioner-serviceaccount.yaml": assetsCore0000_80_hostpathProvisionerServiceaccountYaml, + "assets/core/0000_80_namespace-security-allocation-controller_sa.yaml": assetsCore0000_80_namespaceSecurityAllocationController_saYaml, + "assets/core/0000_80_openshift-router-cm.yaml": assetsCore0000_80_openshiftRouterCmYaml, + "assets/core/0000_80_openshift-router-external-service.yaml": assetsCore0000_80_openshiftRouterExternalServiceYaml, + "assets/core/0000_80_openshift-router-namespace.yaml": assetsCore0000_80_openshiftRouterNamespaceYaml, + 
"assets/core/0000_80_openshift-router-service-account.yaml": assetsCore0000_80_openshiftRouterServiceAccountYaml, + "assets/core/0000_80_openshift-router-service.yaml": assetsCore0000_80_openshiftRouterServiceYaml, } // AssetDir returns the file names below a certain 
@@ -699,22 +778,26 @@ type bintree struct {
 var _bintree = &bintree{nil, map[string]*bintree{
 "assets": {nil, map[string]*bintree{
 "core": {nil, map[string]*bintree{
- "0000_00_flannel-configmap.yaml": {assetsCore0000_00_flannelConfigmapYaml, map[string]*bintree{}},
- "0000_00_flannel-service-account.yaml": {assetsCore0000_00_flannelServiceAccountYaml, map[string]*bintree{}},
- "0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}},
- "0000_60_service-ca_01_namespace.yaml": {assetsCore0000_60_serviceCa_01_namespaceYaml, map[string]*bintree{}},
- "0000_60_service-ca_04_sa.yaml": {assetsCore0000_60_serviceCa_04_saYaml, map[string]*bintree{}},
- "0000_70_dns_00-namespace.yaml": {assetsCore0000_70_dns_00NamespaceYaml, map[string]*bintree{}},
- "0000_70_dns_01-configmap.yaml": {assetsCore0000_70_dns_01ConfigmapYaml, map[string]*bintree{}},
- "0000_70_dns_01-dns-service-account.yaml": {assetsCore0000_70_dns_01DnsServiceAccountYaml, map[string]*bintree{}},
- "0000_70_dns_01-node-resolver-service-account.yaml": {assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, map[string]*bintree{}},
- "0000_70_dns_01-service.yaml": {assetsCore0000_70_dns_01ServiceYaml, map[string]*bintree{}},
- "0000_80_hostpath-provisioner-namespace.yaml": {assetsCore0000_80_hostpathProvisionerNamespaceYaml, map[string]*bintree{}},
- "0000_80_hostpath-provisioner-serviceaccount.yaml": {assetsCore0000_80_hostpathProvisionerServiceaccountYaml, map[string]*bintree{}},
- "0000_80_openshift-router-cm.yaml": {assetsCore0000_80_openshiftRouterCmYaml, map[string]*bintree{}},
- "0000_80_openshift-router-namespace.yaml": {assetsCore0000_80_openshiftRouterNamespaceYaml, map[string]*bintree{}},
- "0000_80_openshift-router-service-account.yaml": {assetsCore0000_80_openshiftRouterServiceAccountYaml, map[string]*bintree{}},
- "0000_80_openshift-router-service.yaml": {assetsCore0000_80_openshiftRouterServiceYaml, map[string]*bintree{}},
+ "0000_00_flannel-configmap.yaml": {assetsCore0000_00_flannelConfigmapYaml, map[string]*bintree{}},
+ "0000_00_flannel-service-account.yaml": {assetsCore0000_00_flannelServiceAccountYaml, map[string]*bintree{}},
+ "0000_50_cluster-openshift-controller-manager_00_namespace.yaml": {assetsCore0000_50_clusterOpenshiftControllerManager_00_namespaceYaml, map[string]*bintree{}},
+ "0000_60_service-ca_01_namespace.yaml": {assetsCore0000_60_serviceCa_01_namespaceYaml, map[string]*bintree{}},
+ "0000_60_service-ca_04_sa.yaml": {assetsCore0000_60_serviceCa_04_saYaml, map[string]*bintree{}},
+ "0000_70_dns_00-namespace.yaml": {assetsCore0000_70_dns_00NamespaceYaml, map[string]*bintree{}},
+ "0000_70_dns_01-configmap.yaml": {assetsCore0000_70_dns_01ConfigmapYaml, map[string]*bintree{}},
+ "0000_70_dns_01-dns-service-account.yaml": {assetsCore0000_70_dns_01DnsServiceAccountYaml, map[string]*bintree{}},
+ "0000_70_dns_01-node-resolver-service-account.yaml": {assetsCore0000_70_dns_01NodeResolverServiceAccountYaml, map[string]*bintree{}},
+ "0000_70_dns_01-service.yaml": {assetsCore0000_70_dns_01ServiceYaml, map[string]*bintree{}},
+ "0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml": {assetsCore0000_80_clusterOpenshiftClusterPolicyController_00_namespaceYaml, map[string]*bintree{}},
+ "0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml": {assetsCore0000_80_clusterOpenshiftClusterPolicyController_serviceAccountYaml, map[string]*bintree{}},
+ "0000_80_hostpath-provisioner-namespace.yaml": {assetsCore0000_80_hostpathProvisionerNamespaceYaml, map[string]*bintree{}},
+ "0000_80_hostpath-provisioner-serviceaccount.yaml": {assetsCore0000_80_hostpathProvisionerServiceaccountYaml, map[string]*bintree{}},
+ "0000_80_namespace-security-allocation-controller_sa.yaml": {assetsCore0000_80_namespaceSecurityAllocationController_saYaml, map[string]*bintree{}},
+ "0000_80_openshift-router-cm.yaml": {assetsCore0000_80_openshiftRouterCmYaml, map[string]*bintree{}},
+ "0000_80_openshift-router-external-service.yaml": {assetsCore0000_80_openshiftRouterExternalServiceYaml, map[string]*bintree{}},
+ "0000_80_openshift-router-namespace.yaml": {assetsCore0000_80_openshiftRouterNamespaceYaml, map[string]*bintree{}},
+ "0000_80_openshift-router-service-account.yaml": {assetsCore0000_80_openshiftRouterServiceAccountYaml, map[string]*bintree{}},
+ "0000_80_openshift-router-service.yaml": {assetsCore0000_80_openshiftRouterServiceYaml, map[string]*bintree{}},
 }},
 }},
 }}
diff --git a/pkg/assets/crd.go b/pkg/assets/crd.go
index 88f3072e4a..7f719e3527 100755
--- a/pkg/assets/crd.go
+++ b/pkg/assets/crd.go
@@ -34,6 +34,7 @@ var (
 apiExtensionsCodecs = serializer.NewCodecFactory(apiExtensionsScheme)
 crds = []string{
 "assets/crd/0000_03_security-openshift_01_scc.crd.yaml",
+ "assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml",
 "assets/crd/0000_11_imageregistry-configs.crd.yaml",
 "assets/crd/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml",
 "assets/crd/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml",
diff --git a/pkg/assets/crd/bindata.go b/pkg/assets/crd/bindata.go
index fd84306756..e570a6b28f 100644
--- a/pkg/assets/crd/bindata.go
+++ b/pkg/assets/crd/bindata.go
@@ -4,6 +4,7 @@
 // assets/crd/0000_03_config-operator_01_proxy.crd.yaml
 // assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml
 // assets/crd/0000_03_security-openshift_01_scc.crd.yaml
+// assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml
 // assets/crd/0000_10_config-operator_01_build.crd.yaml
 // assets/crd/0000_10_config-operator_01_featuregate.crd.yaml
 // assets/crd/0000_10_config-operator_01_image.crd.yaml
@@ -1056,6 +1057,72 @@ func assetsCrd0000_03_securityOpenshift_01_sccCrdYaml() (*asset, error) { return a, nil } +var _assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/751 + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + name: rangeallocations.security.internal.openshift.io +spec: + group: security.internal.openshift.io + names: + kind: RangeAllocation + listKind: RangeAllocationList + plural: rangeallocations + singular: rangeallocation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: RangeAllocation is used so we can easily expose a RangeAllocation + typed for security group This is an internal API, not intended for external + consumption. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + data: + description: data is a byte array representing the serialized state of + a range allocation. It is a bitmap with each bit set to one to represent + a range is taken. + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + range: + description: range is a string representing a unique label for a range + of uids, "1000000000-2000000000/10000". + type: string + type: object + served: true + storage: true +`) + +func assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYamlBytes() ([]byte, error) { + return _assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml, nil +} + +func assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml() (*asset, error) { + bytes, err := assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsCrd0000_10_configOperator_01_buildCrdYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -3476,6 +3543,7 @@ var _bindata = map[string]func() (*asset, error){ "assets/crd/0000_03_config-operator_01_proxy.crd.yaml": assetsCrd0000_03_configOperator_01_proxyCrdYaml, "assets/crd/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml": assetsCrd0000_03_quotaOpenshift_01_clusterresourcequotaCrdYaml, "assets/crd/0000_03_security-openshift_01_scc.crd.yaml": assetsCrd0000_03_securityOpenshift_01_sccCrdYaml, + "assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml": assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml, "assets/crd/0000_10_config-operator_01_build.crd.yaml": assetsCrd0000_10_configOperator_01_buildCrdYaml, "assets/crd/0000_10_config-operator_01_featuregate.crd.yaml": assetsCrd0000_10_configOperator_01_featuregateCrdYaml, "assets/crd/0000_10_config-operator_01_image.crd.yaml": assetsCrd0000_10_configOperator_01_imageCrdYaml, @@ -3530,6 +3598,7 @@ var _bintree = &bintree{nil, map[string]*bintree{ "0000_03_config-operator_01_proxy.crd.yaml": {assetsCrd0000_03_configOperator_01_proxyCrdYaml, map[string]*bintree{}}, "0000_03_quota-openshift_01_clusterresourcequota.crd.yaml": {assetsCrd0000_03_quotaOpenshift_01_clusterresourcequotaCrdYaml, map[string]*bintree{}}, "0000_03_security-openshift_01_scc.crd.yaml": {assetsCrd0000_03_securityOpenshift_01_sccCrdYaml, map[string]*bintree{}}, + "0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml": {assetsCrd0000_03_securityinternalOpenshift_01_rangeallocationCrdYaml, map[string]*bintree{}}, "0000_10_config-operator_01_build.crd.yaml": {assetsCrd0000_10_configOperator_01_buildCrdYaml, map[string]*bintree{}}, "0000_10_config-operator_01_featuregate.crd.yaml": {assetsCrd0000_10_configOperator_01_featuregateCrdYaml, map[string]*bintree{}}, "0000_10_config-operator_01_image.crd.yaml": {assetsCrd0000_10_configOperator_01_imageCrdYaml, map[string]*bintree{}}, diff --git a/pkg/assets/rbac/bindata.go b/pkg/assets/rbac/bindata.go index 6f5979161a..b5238eacca 100644 
--- a/pkg/assets/rbac/bindata.go +++ b/pkg/assets/rbac/bindata.go @@ -9,6 +9,8 @@ // assets/rbac/0000_60_service-ca_00_rolebinding.yaml // assets/rbac/0000_70_dns_01-cluster-role-binding.yaml // assets/rbac/0000_70_dns_01-cluster-role.yaml +// assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml +// assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml // assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml // assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml // assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml 
@@ -485,6 +487,85 @@ func assetsRbac0000_70_dns_01ClusterRoleYaml() (*asset, error) { return a, nil } +var _assetsRbac0000_80_clusterPolicyController_clusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + name: namespace-security-allocation-controller +rules: +- apiGroups: + - security.openshift.io + - security.internal.openshift.io + resources: + - rangeallocations + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - update + - watch + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +`) + +func assetsRbac0000_80_clusterPolicyController_clusterroleYamlBytes() ([]byte, error) { + return _assetsRbac0000_80_clusterPolicyController_clusterroleYaml, nil +} + +func assetsRbac0000_80_clusterPolicyController_clusterroleYaml() (*asset, error) { + bytes, err := assetsRbac0000_80_clusterPolicyController_clusterroleYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _assetsRbac0000_80_clusterPolicyController_clusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: namespace-security-allocation-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: namespace-security-allocation-controller +subjects: +- kind: ServiceAccount + name: namespace-security-allocation-controller + namespace: openshift-infra +`) + +func assetsRbac0000_80_clusterPolicyController_clusterrolebindingYamlBytes() ([]byte, error) { + return _assetsRbac0000_80_clusterPolicyController_clusterrolebindingYaml, nil +} + +func assetsRbac0000_80_clusterPolicyController_clusterrolebindingYaml() (*asset, error) { + bytes, err := 
assetsRbac0000_80_clusterPolicyController_clusterrolebindingYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _assetsRbac0000_80_hostpathProvisionerClusterroleYaml = []byte(`kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: 
@@ -712,19 +793,21 @@ func AssetNames() []string { // _bindata is a table, holding each asset generator, mapped to its name. var _bindata = map[string]func() (*asset, error){ - "assets/rbac/0000_00_flannel-clusterrole.yaml": assetsRbac0000_00_flannelClusterroleYaml, - "assets/rbac/0000_00_flannel-clusterrolebinding.yaml": assetsRbac0000_00_flannelClusterrolebindingYaml, - "assets/rbac/0000_00_podsecuritypolicy-flannel.yaml": assetsRbac0000_00_podsecuritypolicyFlannelYaml, - "assets/rbac/0000_60_service-ca_00_clusterrole.yaml": assetsRbac0000_60_serviceCa_00_clusterroleYaml, - "assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml": assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, - "assets/rbac/0000_60_service-ca_00_role.yaml": assetsRbac0000_60_serviceCa_00_roleYaml, - "assets/rbac/0000_60_service-ca_00_rolebinding.yaml": assetsRbac0000_60_serviceCa_00_rolebindingYaml, - "assets/rbac/0000_70_dns_01-cluster-role-binding.yaml": assetsRbac0000_70_dns_01ClusterRoleBindingYaml, - "assets/rbac/0000_70_dns_01-cluster-role.yaml": assetsRbac0000_70_dns_01ClusterRoleYaml, - "assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml": assetsRbac0000_80_hostpathProvisionerClusterroleYaml, - "assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml": assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, - "assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml": assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, - "assets/rbac/0000_80_openshift-router-cluster-role.yaml": assetsRbac0000_80_openshiftRouterClusterRoleYaml, + "assets/rbac/0000_00_flannel-clusterrole.yaml": assetsRbac0000_00_flannelClusterroleYaml, + "assets/rbac/0000_00_flannel-clusterrolebinding.yaml": assetsRbac0000_00_flannelClusterrolebindingYaml, + "assets/rbac/0000_00_podsecuritypolicy-flannel.yaml": assetsRbac0000_00_podsecuritypolicyFlannelYaml, + "assets/rbac/0000_60_service-ca_00_clusterrole.yaml": assetsRbac0000_60_serviceCa_00_clusterroleYaml, + 
"assets/rbac/0000_60_service-ca_00_clusterrolebinding.yaml": assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, + "assets/rbac/0000_60_service-ca_00_role.yaml": assetsRbac0000_60_serviceCa_00_roleYaml, + "assets/rbac/0000_60_service-ca_00_rolebinding.yaml": assetsRbac0000_60_serviceCa_00_rolebindingYaml, + "assets/rbac/0000_70_dns_01-cluster-role-binding.yaml": assetsRbac0000_70_dns_01ClusterRoleBindingYaml, + "assets/rbac/0000_70_dns_01-cluster-role.yaml": assetsRbac0000_70_dns_01ClusterRoleYaml, + "assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml": assetsRbac0000_80_clusterPolicyController_clusterroleYaml, + "assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml": assetsRbac0000_80_clusterPolicyController_clusterrolebindingYaml, + "assets/rbac/0000_80_hostpath-provisioner-clusterrole.yaml": assetsRbac0000_80_hostpathProvisionerClusterroleYaml, + "assets/rbac/0000_80_hostpath-provisioner-clusterrolebinding.yaml": assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, + "assets/rbac/0000_80_openshift-router-cluster-role-binding.yaml": assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, + "assets/rbac/0000_80_openshift-router-cluster-role.yaml": assetsRbac0000_80_openshiftRouterClusterRoleYaml, } // AssetDir returns the file names below a certain 
@@ -770,19 +853,21 @@ type bintree struct { var _bintree = &bintree{nil, map[string]*bintree{ "assets": {nil, map[string]*bintree{ "rbac": {nil, map[string]*bintree{ - "0000_00_flannel-clusterrole.yaml": {assetsRbac0000_00_flannelClusterroleYaml, map[string]*bintree{}}, - "0000_00_flannel-clusterrolebinding.yaml": {assetsRbac0000_00_flannelClusterrolebindingYaml, map[string]*bintree{}}, - "0000_00_podsecuritypolicy-flannel.yaml": {assetsRbac0000_00_podsecuritypolicyFlannelYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_clusterrole.yaml": {assetsRbac0000_60_serviceCa_00_clusterroleYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_clusterrolebinding.yaml": {assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_role.yaml": {assetsRbac0000_60_serviceCa_00_roleYaml, map[string]*bintree{}}, - "0000_60_service-ca_00_rolebinding.yaml": {assetsRbac0000_60_serviceCa_00_rolebindingYaml, map[string]*bintree{}}, - "0000_70_dns_01-cluster-role-binding.yaml": {assetsRbac0000_70_dns_01ClusterRoleBindingYaml, map[string]*bintree{}}, - "0000_70_dns_01-cluster-role.yaml": {assetsRbac0000_70_dns_01ClusterRoleYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-clusterrole.yaml": {assetsRbac0000_80_hostpathProvisionerClusterroleYaml, map[string]*bintree{}}, - "0000_80_hostpath-provisioner-clusterrolebinding.yaml": {assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cluster-role-binding.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, map[string]*bintree{}}, - "0000_80_openshift-router-cluster-role.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleYaml, map[string]*bintree{}}, + "0000_00_flannel-clusterrole.yaml": {assetsRbac0000_00_flannelClusterroleYaml, map[string]*bintree{}}, + "0000_00_flannel-clusterrolebinding.yaml": {assetsRbac0000_00_flannelClusterrolebindingYaml, map[string]*bintree{}}, + 
"0000_00_podsecuritypolicy-flannel.yaml": {assetsRbac0000_00_podsecuritypolicyFlannelYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_clusterrole.yaml": {assetsRbac0000_60_serviceCa_00_clusterroleYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_clusterrolebinding.yaml": {assetsRbac0000_60_serviceCa_00_clusterrolebindingYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_role.yaml": {assetsRbac0000_60_serviceCa_00_roleYaml, map[string]*bintree{}}, + "0000_60_service-ca_00_rolebinding.yaml": {assetsRbac0000_60_serviceCa_00_rolebindingYaml, map[string]*bintree{}}, + "0000_70_dns_01-cluster-role-binding.yaml": {assetsRbac0000_70_dns_01ClusterRoleBindingYaml, map[string]*bintree{}}, + "0000_70_dns_01-cluster-role.yaml": {assetsRbac0000_70_dns_01ClusterRoleYaml, map[string]*bintree{}}, + "0000_80_cluster-policy-controller_clusterrole.yaml": {assetsRbac0000_80_clusterPolicyController_clusterroleYaml, map[string]*bintree{}}, + "0000_80_cluster-policy-controller_clusterrolebinding.yaml": {assetsRbac0000_80_clusterPolicyController_clusterrolebindingYaml, map[string]*bintree{}}, + "0000_80_hostpath-provisioner-clusterrole.yaml": {assetsRbac0000_80_hostpathProvisionerClusterroleYaml, map[string]*bintree{}}, + "0000_80_hostpath-provisioner-clusterrolebinding.yaml": {assetsRbac0000_80_hostpathProvisionerClusterrolebindingYaml, map[string]*bintree{}}, + "0000_80_openshift-router-cluster-role-binding.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleBindingYaml, map[string]*bintree{}}, + "0000_80_openshift-router-cluster-role.yaml": {assetsRbac0000_80_openshiftRouterClusterRoleYaml, map[string]*bintree{}}, }}, }}, }} diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go index 8819d744c2..7237cb1935 100644 --- a/pkg/cmd/init.go +++ b/pkg/cmd/init.go 
@@ -129,6 +129,10 @@ func initCerts(cfg *config.MicroshiftConfig) error { if err := util.GenCerts("openshift-oauth-apiserver", cfg.DataDir+"/resources/openshift-oauth-apiserver/secrets", "tls.crt", "tls.key", []string{"openshift-oauth-apiserver", cfg.NodeIP, "127.0.0.1", "openshift-oauth-apiserver.default.svc", "openshift-oauth-apiserver.svc", "kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"}); err != nil { + } + if err := util.GenCerts("openshift-cluster-policy-controller", cfg.DataDir+"/resources/openshift-cluster-policy-controller/secrets", + "tls.crt", "tls.key", + []string{"openshift-cluster-policy-controller", cfg.NodeIP, "127.0.0.1", "kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"}); err != nil { return err } return nil diff --git a/pkg/components/components.go b/pkg/components/components.go index 5bd937fd20..3a8c5101fc 100755 --- a/pkg/components/components.go +++ b/pkg/components/components.go @@ -20,10 +20,17 @@ func StartComponents(cfg *config.MicroshiftConfig) error { logrus.Warningf("failed to start ingress router controller: %v", err) return err } + if err := startDNSController(cfg, cfg.DataDir+"/resources/kubeadmin/kubeconfig"); err != nil { logrus.Warningf("failed to start DNS controller: %v", err) return err } + + if err := startClusterPolicyController(cfg, cfg.DataDir+"/resources/kubeadmin/kubeconfig"); err != nil { + logrus.Warningf("failed to start openshift-cluster-policy controller: %v", err) + return err + } + if err := startFlannel(cfg.DataDir + "/resources/kubeadmin/kubeconfig"); err != nil { logrus.Warningf("failed to start Flannel: %v", err) return err diff --git a/pkg/components/controllers.go b/pkg/components/controllers.go index 863491ef16..003cadb20e 100644 --- a/pkg/components/controllers.go +++ b/pkg/components/controllers.go 
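Review bot: The added `}` immediately after the openshift-oauth-apiserver GenCerts condition closes that `if` with an empty body, so a failure to generate the oauth-apiserver serving certificate is now silently dropped and initCerts carries on as if it had succeeded. Only the new openshift-cluster-policy-controller call still reaches the surviving `return err`. Keep the first block intact by putting the return before the added brace, i.e. `...; err != nil {` / `return err` / `}` and only then open the new `if` for the cluster-policy-controller certificate. initCerts starts outside the hunk.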
@@ -1,12 +1,63 @@ package components import ( + "io/ioutil" + "os" + "path/filepath" + "github.com/openshift/microshift/pkg/assets" "github.com/openshift/microshift/pkg/config" "github.com/sirupsen/logrus" ) +func startClusterPolicyController(cfg *config.MicroshiftConfig, kubeconfigPath string) error { + if err := writeConfig(cfg); err != nil { + logrus.Fatalf("Failed to write openshift-cluster-policy-controller config: %v", err) + } + + var ( + clusterRole = []string{ + "assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml", + } + clusterRoleBinding = []string{ + "assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml", + } + apps = []string{ + "assets/apps/0000_80_cluster_policy_controller_deploy.yaml", + } + ns = []string{ + "assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml", + } + sa = []string{ + "assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml", + "assets/core/0000_80_namespace-security-allocation-controller_sa.yaml", + } + ) + if err := assets.ApplyNamespaces(ns, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply ns %v: %v", ns, err) + return err + } + if err := assets.ApplyClusterRoles(clusterRole, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply clusterRolebinding %v: %v", clusterRole, err) + return err + } + if err := assets.ApplyClusterRoleBindings(clusterRoleBinding, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply clusterRolebinding %v: %v", clusterRoleBinding, err) + return err + } + if err := assets.ApplyServiceAccounts(sa, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply sa %v: %v", sa, err) + return err + } + if err := assets.ApplyDeployments(apps, renderClusterPolicyController, assets.RenderParams{"DataDir": cfg.DataDir}, kubeconfigPath); err != nil { + logrus.Warningf("failed to apply apps %v: %v", apps, err) + return err + } + + return nil +} + func startServiceCAController(cfg 
*config.MicroshiftConfig, kubeconfigPath string) error { var ( //TODO: fix the rolebinding and sa @@ -182,3 +233,19 @@ func startDNSController(cfg *config.MicroshiftConfig, kubeconfigPath string) err } return nil } + +func writeConfig(cfg *config.MicroshiftConfig) error { + data := []byte(`apiVersion: openshiftcontrolplane.config.openshift.io/v1 +kind: OpenShiftControllerManagerConfig +kubeClientConfig: + kubeConfig: /var/run/kubeadmin/kubeconfig +servingInfo: + bindAddress: "0.0.0.0:10357" + certFile: /var/run/secrets/tls.crt + keyFile: /var/run/secrets/tls.key + clientCA: /var/run/configmaps/signing-cabundle/ca-bundle.crt`) + + path := filepath.Join(cfg.DataDir, "resources", "openshift-cluster-policy-controller", "config", "config.yaml") + os.MkdirAll(filepath.Dir(path), os.FileMode(0755)) + return ioutil.WriteFile(path, data, 0644) +} diff --git a/pkg/components/render.go b/pkg/components/render.go index 594cd2fbb0..f31c10ebfb 100755 --- a/pkg/components/render.go +++ b/pkg/components/render.go @@ -8,6 +8,26 @@ import ( "github.com/openshift/microshift/pkg/release" ) +func renderClusterPolicyController(b []byte, p assets.RenderParams) ([]byte, error) { + data := struct { + ReleaseImage assets.RenderParams + KeyDir, CADir, KubeConfigDir, ConfigDir string + }{ + ReleaseImage: release.Image, + KeyDir: p["DataDir"] + "/resources/openshift-cluster-policy-controller/secrets", + ConfigDir: p["DataDir"] + "/resources/openshift-cluster-policy-controller/config", + KubeConfigDir: p["DataDir"] + "/resources/kubeadmin", + CADir: p["DataDir"] + "/certs/ca-bundle", + } + tpl := template.Must(template.New("cpc").Parse(string(b))) + var byteBuff bytes.Buffer + + if err := tpl.Execute(&byteBuff, data); err != nil { + return nil, err + } + return byteBuff.Bytes(), nil +} + func renderSCController(b []byte, p assets.RenderParams) ([]byte, error) { data := struct { ReleaseImage assets.RenderParams 
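Review bot: `logrus.Fatalf` on a writeConfig failure terminates the whole process, whereas every other failure in startClusterPolicyController is logged at warning level and returned so StartComponents can decide what to do; `logrus.Warningf(...)` followed by `return err` would match the rest of the function. The ClusterRole step also logs `failed to apply clusterRolebinding %v` for what is a ClusterRole apply, so a failure there is attributed to the wrong resource; use `"failed to apply clusterRole %v: %v"`. The function is fully inside the hunk.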
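Review bot: The `os.MkdirAll` result in writeConfig is discarded, so when the config directory cannot be created the error the caller sees is the later WriteFile failure rather than the cause; `if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil { return err }` (or a `%w`-wrapped message) keeps it. The written config hard-codes `bindAddress: "0.0.0.0:10357"`; if this controller runs on the host network that listens on every host interface, so consider binding to cfg.NodeIP, which initCerts already places in the serving certificate's SANs, provided the health probes still reach it. `io/ioutil` is newly imported only for WriteFile; if the module targets Go 1.16 or later, `os.WriteFile(path, data, 0644)` avoids the deprecated package.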
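Review bot: `template.Must` in renderClusterPolicyController panics when the asset bytes fail to parse, even though the function already returns an error; `tpl, err := template.New("cpc").Parse(string(b))` followed by `if err != nil { return nil, err }` keeps a bad embedded template from taking the process down. If renderSCController and the other renderers use Must the same way this is existing style, but the template here is an input to the function rather than a compile-time constant. `p["DataDir"]` yields "" when the key is absent, which silently produces paths rooted at `/resources/...`; a doc comment stating that DataDir is required, or a check returning an error, would make the contract explicit. Whether CADir and ConfigDir are consumed by the deployment template cannot be seen from this hunk.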
diff --git a/pkg/release/release.go b/pkg/release/release.go index 4764a6ca16..362257840b 100644 --- a/pkg/release/release.go +++ b/pkg/release/release.go @@ -20,6 +20,7 @@ var Base = "4.8.0-0.okd-2021-10-10-030117" var Image = map[string]string{ "cli": "quay.io/microshift/cli:" + Base, + "cluster_policy_controller": "quay.io/microshift/cluster-policy-controller:" + Base, "coredns": "quay.io/microshift/coredns:" + Base, "haproxy_router": "quay.io/microshift/haproxy-router:" + Base, "kube_flannel": "quay.io/microshift/flannel:" + Base, diff --git a/pkg/release/release_amd64.go b/pkg/release/release_amd64.go index 992d3821ec..d1ba94859c 100644 --- a/pkg/release/release_amd64.go +++ b/pkg/release/release_amd64.go @@ -22,6 +22,7 @@ package release func init() { Image = map[string]string{ "cli": "quay.io/openshift/okd-content@sha256:27f7918b5f0444e278118b2ee054f5b6fadfc4005cf91cb78106c3f5e1833edd", + "cluster_policy_controller": "quay.io/openshift/okd-content@sha256:caf8254cbd4f3fc3e923682106a39f3bcfc62e9746ca909ed50b930e2d17a166", "coredns": "quay.io/openshift/okd-content@sha256:bcdefdbcee8af1e634e68a850c52fe1e9cb31364525e30f5b20ee4eacb93c3e8", "haproxy_router": "quay.io/openshift/okd-content@sha256:01cfbbfdc11e2cbb8856f31a65c83acc7cfbd1986c1309f58c255840efcc0b64", "kube_flannel": "quay.io/coreos/flannel:v0.14.0", diff --git a/scripts/rebase.sh b/scripts/rebase.sh index 5c9b62b3be..9520f96ce5 100755 --- a/scripts/rebase.sh +++ b/scripts/rebase.sh @@ -25,7 +25,7 @@ REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../")" STAGING_DIR="$REPOROOT/_output/staging" EMBEDDED_COMPONENTS="etcd hyperkube openshift-apiserver openshift-controller-manager" -LOADED_COMPONENTS="cluster-dns-operator cluster-ingress-operator service-ca-operator" +LOADED_COMPONENTS="cluster-dns-operator cluster-ingress-operator openshift-cluster-policy-controller service-ca-operator" title() {