From 498a42bb08103214e6fd97857a56c2f4232e81cc Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev
Date: Thu, 23 Nov 2023 16:17:34 +0200
Subject: [PATCH] Fix creation of OVA server pod under enforced restricted namesapces
Signed-off-by: Bella Khizgiyaev
---
 pkg/controller/provider/ova-setup.go | 102 ++++++++++++++++++---------
 1 file changed, 67 insertions(+), 35 deletions(-)
diff --git a/pkg/controller/provider/ova-setup.go b/pkg/controller/provider/ova-setup.go
index 3ee358ffd..705078e1b 100644
--- a/pkg/controller/provider/ova-setup.go
+++ b/pkg/controller/provider/ova-setup.go
@@ -12,14 +12,18 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "sigs.k8s.io/controller-runtime/pkg/client"
 )
 const (
- ovaServer = "ova-server"
- ovaImageVar = "OVA_PROVIDER_SERVER_IMAGE"
- nfsVolumeNamePrefix = "nfs-volume"
- mountPath = "/ova"
- pvSize = "1Gi"
+ ovaServer = "ova-server"
+ ovaImageVar = "OVA_PROVIDER_SERVER_IMAGE"
+ nfsVolumeNamePrefix = "nfs-volume"
+ mountPath = "/ova"
+ pvSize = "1Gi"
+ auditRestrictedLabel = "pod-security.kubernetes.io/audit"
+ enforceRestrictedLabel = "pod-security.kubernetes.io/enforce"
+ qemuGroup = 107
 )
 func (r Reconciler) CreateOVAServerDeployment(provider *api.Provider, ctx context.Context) {
@@ -143,7 +147,7 @@ func (r *Reconciler) createServerDeployment(provider *api.Provider, ctx context.
 ObjectMeta: metav1.ObjectMeta{
 Labels: labels,
 },
- Spec: r.makeOvaProviderPodSpec(pvcName, provider.Name),
+ Spec: r.makeOvaProviderPodSpec(pvcName, provider.Name, provider.Namespace),
 },
 },
 }
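Review bot: The new constant `qemuGroup = 107` is consumed as `RunAsUser` in makeOvaProviderPodSpec, so its name describes a group while the value is used as a UID; rename it (e.g. `qemuUID`) or set `RunAsGroup` from it as well so name and use agree. A one-line comment on the constant saying which image user the value corresponds to would also help, since nothing in the hunk explains 107.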
@@ -185,47 +189,75 @@ func (r *Reconciler) createServerService(provider *api.Provider, ctx context.Con
 return
 }
-func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string) core.PodSpec {
+func (r *Reconciler) makeOvaProviderPodSpec(pvcName, providerName, providerNamespace string) core.PodSpec {
 imageName, ok := os.LookupEnv(ovaImageVar)
 if !ok {
- r.Log.Error(nil, "Failed to find OVA server image")
+ r.Log.Info("Failed to find OVA server image")
+ return core.PodSpec{}
 }
 nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
 ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
- allowPrivilegeEscalation := false
 nonRoot := true
+ user := int64(qemuGroup)
+ allowPrivilegeEscalation := false
+
+ securityContext := &core.SecurityContext{
+ AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+ Capabilities: &core.Capabilities{
+ Drop: []core.Capability{"ALL"},
+ },
+ }
- return core.PodSpec{
- Containers: []core.Container{
+ restricted := r.isEnforcedRestrictionNamespace(providerNamespace)
+ if restricted {
+ seccompProfile := &core.SeccompProfile{
+ Type: core.SeccompProfileTypeRuntimeDefault,
+ }
+ securityContext.RunAsUser = &user
+ securityContext.RunAsNonRoot = &nonRoot
+ securityContext.SeccompProfile = seccompProfile
+ }
+
+ container := core.Container{
+ Name: ovaContainerName,
+ Image: imageName,
+ Ports: []core.ContainerPort{{ContainerPort: 8080, Protocol: core.ProtocolTCP}},
+ VolumeMounts: []core.VolumeMount{
 {
- Name: ovaContainerName,
- Ports: []core.ContainerPort{{ContainerPort: 8080, Protocol: core.ProtocolTCP}},
- Image: imageName,
- VolumeMounts: []core.VolumeMount{
- {
- Name: nfsVolumeName,
- MountPath: mountPath,
- },
- },
- SecurityContext: &core.SecurityContext{
- AllowPrivilegeEscalation: &allowPrivilegeEscalation,
- RunAsNonRoot: &nonRoot,
- Capabilities: &core.Capabilities{
- Drop: []core.Capability{"ALL"},
- },
- },
+ Name: nfsVolumeName,
+ MountPath: mountPath,
 },
 },
- Volumes: []core.Volume{
- {
- Name: nfsVolumeName,
- VolumeSource: core.VolumeSource{
- PersistentVolumeClaim: &core.PersistentVolumeClaimVolumeSource{
- ClaimName: pvcName,
- },
- },
+ SecurityContext: securityContext,
+ }
+
+ volume := core.Volume{
+ Name: nfsVolumeName,
+ VolumeSource: core.VolumeSource{
+ PersistentVolumeClaim: &core.PersistentVolumeClaimVolumeSource{
+ ClaimName: pvcName,
 },
 },
 }
+
+ podSpec := core.PodSpec{
+ Containers: []core.Container{container},
+ Volumes: []core.Volume{volume},
+ }
+ return podSpec
+}
+
+func (r *Reconciler) isEnforcedRestrictionNamespace(namespaceName string) bool {
+ ns := core.Namespace{}
+ err := r.Get(context.TODO(), client.ObjectKey{Name: namespaceName}, &ns)
+ if err != nil {
+ r.Log.Error(err, "Error getting namespace for restriction check")
+ return false
+ }
+
+ enforceLabel, enforceExists := ns.Labels[enforceRestrictedLabel]
+ auditLabel, auditExists := ns.Labels[auditRestrictedLabel]
+
+ return enforceExists && enforceLabel == "restricted" && !(auditExists && auditLabel == "restricted")
 }
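Review bot: The trailing audit clause in isEnforcedRestrictionNamespace inverts the result for a namespace labelled with both `pod-security.kubernetes.io/enforce=restricted` and `pod-security.kubernetes.io/audit=restricted`: the function returns false, RunAsNonRoot and the seccomp profile are left off, and the pod is rejected by the enforcing admission, which is exactly the case the commit sets out to fix. Only the enforce label governs admission, so the last line should be `return enforceExists && enforceLabel == "restricted"`. The same hunk also removes `RunAsNonRoot` from the unrestricted path, where the old code always set it; the restricted settings are admitted in any namespace, so applying them unconditionally would keep that hardening and make the namespace lookup (and its `context.TODO()`, even though createServerDeployment already holds a ctx) unnecessary, and if the image genuinely has to run as root outside restricted namespaces a comment on the `if restricted` branch should say why. Separately, the new `return core.PodSpec{}` when the image env var is unset hands the caller a spec with no containers while the log level was lowered from Error to Info; returning an error (or keeping the Error log) would let createServerDeployment stop rather than submit an empty pod.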