[WIP] cluster policy controller

assets/apps/0000_60_service-ca_05_deploy.yaml

@@ -23,7 +23,6 @@ spec:
         app: service-ca
         service-ca: "true"
     spec:
-      securityContext: {}
       serviceAccount: service-ca
       serviceAccountName: service-ca
       containers:
@@ -33,8 +32,8 @@ spec:
         command: ["service-ca-operator", "controller"]
         ports:
         - containerPort: 8443
-        # securityContext:
-        #   runAsNonRoot: true
+        securityContext:
+          runAsNonRoot: true
         resources:
           requests:
             memory: 120Mi

assets/apps/0000_80_cluster_policy_controller_deploy.yaml

@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openshift-kube-controller-manager
+  name: openshift-cluster-policy-controller
+  labels:
+    app: openshift-cluster-policy-controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openshift-cluster-policy-controller
+  template:
+    metadata:
+      name: openshift-cluster-policy-controller
+      labels:
+        app: openshift-cluster-policy-controller
+    spec:
+      serviceAccountName: openshift-cluster-policy-controller-sa
+      containers:
+      - name: cluster-policy-controller
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        image: {{ .ReleaseImage.cluster_policy_controller }}
+        imagePullPolicy: IfNotPresent
+        terminationMessagePolicy: FallbackToLogsOnError
+        command: ["/bin/bash", "-euxo", "pipefail", "-c"]
+        args:
+          - |
+            timeout 3m /bin/bash -exuo pipefail -c 'while [ -n "$(ss -Htanop \( sport = 10357 \))" ]; do sleep 1; done'
+            exec cluster-policy-controller start --config=/var/run/config/config.yaml
+        resources:
+          requests:
+            memory: 200Mi
+            cpu: 10m
+        ports:
+          - containerPort: 10357
+        volumeMounts:
+        - mountPath: /var/run/kubeadmin
+          name: kubeconfig-dir
+        - mountPath: /var/run/secrets
+          name: signing-key
+        - mountPath: /var/run/configmaps/signing-cabundle
+          name: signing-cabundle
+        - mountPath: /var/run/config
+          name: config
+        startupProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 0
+          timeoutSeconds: 3
+        livenessProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 45
+          timeoutSeconds: 10
+        readinessProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 10
+          timeoutSeconds: 10
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      volumes:
+      - name: kubeconfig-dir
+        hostPath:
+          path: {{.KubeConfigDir}}
+      - name: signing-key
+        hostPath:
+          path: {{.KeyDir}}
+      - name: config
+        hostPath:
+          path: {{.ConfigDir}}
+      - hostPath:
+          path: {{.CADir}}
+        name: signing-cabundle

assets/core/0000_80_cluster-openshift-cluster-policy-controller_00_namespace.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"
+  labels:
+    # set value to avoid depending on kube admission that depends on openshift apis
+    openshift.io/run-level: "0"
+    # allow openshift-monitoring to look for ServiceMonitor objects in this namespace
+    openshift.io/cluster-monitoring: "true"
+  name: openshift-kube-controller-manager

assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-kube-controller-manager
+  name: openshift-cluster-policy-controller-sa

assets/core/0000_80_namespace-security-allocation-controller_sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-infra
+  name: namespace-security-allocation-controller

assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml

@@ -0,0 +1,49 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/751
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: rangeallocations.security.internal.openshift.io
+spec:
+  group: security.internal.openshift.io
+  names:
+    kind: RangeAllocation
+    listKind: RangeAllocationList
+    plural: rangeallocations
+    singular: rangeallocation
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: RangeAllocation is used so we can easily expose a RangeAllocation
+          typed for security group This is an internal API, not intended for external
+          consumption.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          data:
+            description: data is a byte array representing the serialized state of
+              a range allocation.  It is a bitmap with each bit set to one to represent
+              a range is taken.
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          range:
+            description: range is a string representing a unique label for a range
+              of uids, "1000000000-2000000000/10000".
+            type: string
+        type: object
+    served: true
+    storage: true

assets/rbac/0000_80_cluster-policy-controller_clusterrole.yaml

@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+  name: namespace-security-allocation-controller
+rules:
+- apiGroups:
+  - security.openshift.io
+  - security.internal.openshift.io
+  resources:
+  - rangeallocations
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update

assets/rbac/0000_80_cluster-policy-controller_clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-security-allocation-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: namespace-security-allocation-controller
+subjects:
+- kind: ServiceAccount
+  name: namespace-security-allocation-controller
+  namespace: openshift-infra