WIP: Embedded cluster policy controller

assets/core/0000_10_namespace-security-allocation-controller_sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-infra
+  name: namespace-security-allocation-controller

assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"
+  labels:
+    # set value to avoid depending on kube admission that depends on openshift apis
+    openshift.io/run-level: "0"
+    # allow openshift-monitoring to look for ServiceMonitor objects in this namespace
+    openshift.io/cluster-monitoring: "true"
+  name: openshift-kube-controller-manager

assets/core/0000_80_cluster-openshift-cluster-policy-controller_service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-kube-controller-manager
+  name: openshift-cluster-policy-controller-sa

assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml

@@ -0,0 +1,49 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/751
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: rangeallocations.security.internal.openshift.io
+spec:
+  group: security.internal.openshift.io
+  names:
+    kind: RangeAllocation
+    listKind: RangeAllocationList
+    plural: rangeallocations
+    singular: rangeallocation
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: RangeAllocation is used so we can easily expose a RangeAllocation
+          typed for security group This is an internal API, not intended for external
+          consumption.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          data:
+            description: data is a byte array representing the serialized state of
+              a range allocation.  It is a bitmap with each bit set to one to represent
+              a range is taken.
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          range:
+            description: range is a string representing a unique label for a range
+              of uids, "1000000000-2000000000/10000".
+            type: string
+        type: object
+    served: true
+    storage: true

assets/rbac/0000_10_cluster-policy-controller_clusterrole.yaml

@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+  name: namespace-security-allocation-controller
+rules:
+- apiGroups:
+  - security.openshift.io
+  - security.internal.openshift.io
+  resources:
+  - rangeallocations
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update

assets/rbac/0000_10_cluster-policy-controller_clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-security-allocation-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: namespace-security-allocation-controller
+subjects:
+- kind: ServiceAccount
+  name: namespace-security-allocation-controller
+  namespace: openshift-infra

go.mod

@@ -267,7 +267,7 @@ replace (
 	github.com/openshift/apiserver-library-go => github.com/openshift/apiserver-library-go v0.0.0-20210721120111-70ce3cad7d84
 	github.com/openshift/build-machinery-go => github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359
 	github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535
-	github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427
+	github.com/openshift/library-go => github.com/openshift/library-go v0.0.0-20210720151324-cfbfc8feace0
 	github.com/pascaldekloe/goe => github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c
 	github.com/pelletier/go-toml => github.com/pelletier/go-toml v1.2.0
 	github.com/peterbourgon/diskv => github.com/peterbourgon/diskv v2.0.1+incompatible
@@ -401,7 +401,7 @@ replace (
 	k8s.io/kubelet => k8s.io/kubelet v0.21.0
 	k8s.io/kubernetes => github.com/openshift/kubernetes v0.0.0-20210918023457-a620f506e956
 	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.21.0
-	k8s.io/metrics => k8s.io/metrics v0.21.0
+	k8s.io/metrics => k8s.io/metrics v0.21.2
 	k8s.io/mount-utils => k8s.io/mount-utils v0.21.0
 	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.21.0
 	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.21.0
@@ -441,30 +441,32 @@ require (
 	github.com/moby/sys/mount v0.2.0 // indirect
 	github.com/mohae/deepcopy v0.0.0-00010101000000-000000000000 // indirect
 	github.com/openshift/api v0.0.0-20210910062324-a41d3573a3ba
-	github.com/openshift/build-machinery-go v0.0.0-20210423112049-9415d7ebd33e
-	github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142
+	github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37
+	github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7
+	github.com/openshift/cluster-policy-controller v0.0.0-20210723200948-8fbffaf2b3c7
+	github.com/openshift/library-go v0.0.0-20210825122301-7f0bf922c345
 	github.com/openshift/oauth-apiserver v0.0.0-20210508031825-09435a5dd505
 	github.com/openshift/openshift-apiserver v0.0.0-20210812003746-628b46ccb012
 	github.com/openshift/openshift-controller-manager v0.0.0-20210609062424-2e25328c64ac
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.1.1
+	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
 	github.com/urfave/negroni v0.0.0-00010101000000-000000000000 // indirect
 	go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.21.1
-	k8s.io/apiextensions-apiserver v0.21.0
-	k8s.io/apimachinery v0.21.1
-	k8s.io/apiserver v0.21.1
+	k8s.io/api v0.22.1
+	k8s.io/apiextensions-apiserver v0.22.1
+	k8s.io/apimachinery v0.22.1
+	k8s.io/apiserver v0.22.1
 	k8s.io/cli-runtime v0.21.0
-	k8s.io/client-go v0.21.1
-	k8s.io/component-base v0.21.1
-	k8s.io/controller-manager v0.21.0
-	k8s.io/klog/v2 v2.8.0
-	k8s.io/kube-aggregator v0.21.0
+	k8s.io/client-go v0.22.1
+	k8s.io/component-base v0.22.1
+	k8s.io/controller-manager v0.21.2
+	k8s.io/klog/v2 v2.9.0
+	k8s.io/kube-aggregator v0.22.1
 	k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
 	k8s.io/kubectl v0.21.0
-	k8s.io/kubernetes v1.21.1
+	k8s.io/kubernetes v1.21.2
 	sigs.k8s.io/yaml v1.2.0
 )

go.sum

@@ -421,6 +421,8 @@ github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359 h1:eh
 github.com/openshift/build-machinery-go v0.0.0-20210209125900-0da259a2c359/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535 h1:JGSJhDJiQxqUETyqseqeXD7X/hgA6V/F3WW/2dN4QCs=
 github.com/openshift/client-go v0.0.0-20210422153130-25c8450d1535/go.mod h1:v5/AYttPCjfqMGC1Ed/vutuDpuXmgWc5O+W9nwQ7EtE=
+github.com/openshift/cluster-policy-controller v0.0.0-20210723200948-8fbffaf2b3c7 h1:TGfOG8GvODRfk7n0nFTFt9apYkL0ke1i4FZmM2NJwhM=
+github.com/openshift/cluster-policy-controller v0.0.0-20210723200948-8fbffaf2b3c7/go.mod h1:/0PACanksGAKueGDm+5bkxiiYaVNlReEMTTVdyqXrZw=
 github.com/openshift/docker-distribution v0.0.0-20180925154709-d4c35485a70d h1:tupVADlF1SZrGy0Y0kg1FKUi2mVPzRwxVb+8LLMu8ws=
 github.com/openshift/docker-distribution v0.0.0-20180925154709-d4c35485a70d/go.mod h1:XmfFzbwryblvZ29NebonirM7RBuNEO7+yVCOapaouAk=
 github.com/openshift/etcd v0.0.0-20210524101026-aefa6bf59b38 h1:4qSF/Ggum/moP9j+QHHXdGgOOIhc7aaLKD3tQAahEic=
@@ -433,8 +435,8 @@ github.com/openshift/kubernetes v0.0.0-20210918023457-a620f506e956 h1:+Y0phJ87Xk
 github.com/openshift/kubernetes v0.0.0-20210918023457-a620f506e956/go.mod h1:L+xhAJq2OM55Nm0E4QjJngTH+BrUQmeC2jnl0jinPV0=
 github.com/openshift/kubernetes-apiserver v0.0.0-20210527175848-55ee66589915 h1:sFX4VkwXx4bv3YxceFO5PMtRbZxiVi5BiPDCcAN8GxE=
 github.com/openshift/kubernetes-apiserver v0.0.0-20210527175848-55ee66589915/go.mod h1:w2YSn4/WIwYuxG5zJmcqtRdtqgW/J2JRgFAqps3bBpg=
-github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427 h1:/6Xf107BJIzdfRe9xfuU4xnx7TUHQ7vzDMWiNYPmxfM=
-github.com/openshift/library-go v0.0.0-20210407092538-7021fda6f427/go.mod h1:pnz961veImKsbn7pQcuFbcVpCQosYiC1fUOjzEDeOLU=
+github.com/openshift/library-go v0.0.0-20210720151324-cfbfc8feace0 h1:uO9z0Yq3L87fGSuqI82VGwfma2dWOWo4J68PaDPxvDE=
+github.com/openshift/library-go v0.0.0-20210720151324-cfbfc8feace0/go.mod h1:rln3LbFNOpENSvhmsfH7g/hqc58IF78+o96yAAp5mq0=
 github.com/openshift/oauth-apiserver v0.0.0-20210508031825-09435a5dd505 h1:6THFBGtaiGS+7iQb+Q9j9tMe+ZnY9KStogtDQA6Xkl4=
 github.com/openshift/oauth-apiserver v0.0.0-20210508031825-09435a5dd505/go.mod h1:ktVSvRtD7UqyfbWlabNTLDnW92I2kBHzhUcugSdbcqo=
 github.com/openshift/openshift-apiserver v0.0.0-20210812003746-628b46ccb012 h1:K4PxZepDaMdtdFaQ1ToUgDFi9+hrjEpqUzpCqfNNyZc=
@@ -675,8 +677,8 @@ k8s.io/kubelet v0.21.0 h1:1VUfM5vKqLPlWFI0zee6fm9kwIZ/UEOGCodVFN+OZrg=
 k8s.io/kubelet v0.21.0/go.mod h1:G5ZxMTVev9t4bhmsSxDAWhH6wXDYEVHVVFyYsw4laR4=
 k8s.io/legacy-cloud-providers v0.21.0 h1:iWf5xaX9yvYT5mkz8UB96UtISQ5IkrWeuMPMhRp01ZY=
 k8s.io/legacy-cloud-providers v0.21.0/go.mod h1:bNxo7gDg+PGkBmT/MFZswLTWdSWK9kAlS1s8DJca5q4=
-k8s.io/metrics v0.21.0 h1:uwS3CgheLKaw3PTpwhjMswnm/PMqeLbdLH88VI7FMQQ=
-k8s.io/metrics v0.21.0/go.mod h1:L3Ji9EGPP1YBbfm9sPfEXSpnj8i24bfQbAFAsW0NueQ=
+k8s.io/metrics v0.21.2 h1:6ajprhWZnI64RSrNqET0cBdwzaxPxr9Vh8zURBkR1zY=
+k8s.io/metrics v0.21.2/go.mod h1:wzlOINZMCtWq8dR9gHlyaOemmYlOpAoldEIXE82gAhI=
 k8s.io/mount-utils v0.21.0 h1:Z8mCBpIBG26Q9TFg6d0Wvai6AL1mMPqSYBbNVxo6J2A=
 k8s.io/mount-utils v0.21.0/go.mod h1:dwXbIPxKtTjrBEaX1aK/CMEf1KZ8GzMHpe3NEBfdFXI=
 k8s.io/sample-apiserver v0.21.0/go.mod h1:yMffYq14yQZtuVPVBGaBJ+3Scb2xHT6QeqFfk3v+AEY=