Skip to content

Commit

Permalink
Fix creation of OVA server pod under enforced restricted namesapces
Browse files Browse the repository at this point in the history
Signed-off-by: Bella Khizgiyaev <bkhizgiy@redhat.com>
  • Loading branch information
bkhizgiy authored and liranr23 committed Nov 23, 2023
1 parent 9b412a2 commit 498a42b
Showing 1 changed file with 67 additions and 35 deletions.
102 changes: 67 additions & 35 deletions pkg/controller/provider/ova-setup.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,14 +12,18 @@ import (
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"sigs.k8s.io/controller-runtime/pkg/client"
)

const (
ovaServer = "ova-server"
ovaImageVar = "OVA_PROVIDER_SERVER_IMAGE"
nfsVolumeNamePrefix = "nfs-volume"
mountPath = "/ova"
pvSize = "1Gi"
ovaServer = "ova-server"
ovaImageVar = "OVA_PROVIDER_SERVER_IMAGE"
nfsVolumeNamePrefix = "nfs-volume"
mountPath = "/ova"
pvSize = "1Gi"
auditRestrictedLabel = "pod-security.kubernetes.io/audit"
enforceRestrictedLabel = "pod-security.kubernetes.io/enforce"
qemuGroup = 107
)

func (r Reconciler) CreateOVAServerDeployment(provider *api.Provider, ctx context.Context) {
Expand Down Expand Up @@ -143,7 +147,7 @@ func (r *Reconciler) createServerDeployment(provider *api.Provider, ctx context.
ObjectMeta: metav1.ObjectMeta{
Labels: labels,
},
Spec: r.makeOvaProviderPodSpec(pvcName, provider.Name),
Spec: r.makeOvaProviderPodSpec(pvcName, provider.Name, provider.Namespace),
},
},
}
Expand Down Expand Up @@ -185,47 +189,75 @@ func (r *Reconciler) createServerService(provider *api.Provider, ctx context.Con
return
}

func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string) core.PodSpec {
func (r *Reconciler) makeOvaProviderPodSpec(pvcName, providerName, providerNamespace string) core.PodSpec {
imageName, ok := os.LookupEnv(ovaImageVar)
if !ok {
r.Log.Error(nil, "Failed to find OVA server image")
r.Log.Info("Failed to find OVA server image")
return core.PodSpec{}

This comment has been minimized.

Copy link
@ahadas

ahadas Nov 26, 2023

Member

better to return an error here instead of an empty spec

}

nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
allowPrivilegeEscalation := false
nonRoot := true
user := int64(qemuGroup)
allowPrivilegeEscalation := false

securityContext := &core.SecurityContext{
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
Capabilities: &core.Capabilities{
Drop: []core.Capability{"ALL"},
},
}

return core.PodSpec{
Containers: []core.Container{
restricted := r.isEnforcedRestrictionNamespace(providerNamespace)
if restricted {
seccompProfile := &core.SeccompProfile{
Type: core.SeccompProfileTypeRuntimeDefault,
}
securityContext.RunAsUser = &user
securityContext.RunAsNonRoot = &nonRoot
securityContext.SeccompProfile = seccompProfile
}

container := core.Container{
Name: ovaContainerName,
Image: imageName,
Ports: []core.ContainerPort{{ContainerPort: 8080, Protocol: core.ProtocolTCP}},
VolumeMounts: []core.VolumeMount{
{
Name: ovaContainerName,
Ports: []core.ContainerPort{{ContainerPort: 8080, Protocol: core.ProtocolTCP}},
Image: imageName,
VolumeMounts: []core.VolumeMount{
{
Name: nfsVolumeName,
MountPath: mountPath,
},
},
SecurityContext: &core.SecurityContext{
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
RunAsNonRoot: &nonRoot,
Capabilities: &core.Capabilities{
Drop: []core.Capability{"ALL"},
},
},
Name: nfsVolumeName,
MountPath: mountPath,
},
},
Volumes: []core.Volume{
{
Name: nfsVolumeName,
VolumeSource: core.VolumeSource{
PersistentVolumeClaim: &core.PersistentVolumeClaimVolumeSource{
ClaimName: pvcName,
},
},
SecurityContext: securityContext,
}

volume := core.Volume{
Name: nfsVolumeName,
VolumeSource: core.VolumeSource{
PersistentVolumeClaim: &core.PersistentVolumeClaimVolumeSource{
ClaimName: pvcName,
},
},
}

podSpec := core.PodSpec{
Containers: []core.Container{container},
Volumes: []core.Volume{volume},
}
return podSpec
}

func (r *Reconciler) isEnforcedRestrictionNamespace(namespaceName string) bool {
ns := core.Namespace{}
err := r.Get(context.TODO(), client.ObjectKey{Name: namespaceName}, &ns)
if err != nil {
r.Log.Error(err, "Error getting namespace for restriction check")
return false
}

enforceLabel, enforceExists := ns.Labels[enforceRestrictedLabel]
auditLabel, auditExists := ns.Labels[auditRestrictedLabel]

return enforceExists && enforceLabel == "restricted" && !(auditExists && auditLabel == "restricted")
}

0 comments on commit 498a42b

Please sign in to comment.