// ChangedSCCs returns the SCCs that must be created and/or updated to match the // recommended bootstrap SCCs. func (o *ReconcileSCCOptions) ChangedSCCs() ([]*kapi.SecurityContextConstraints, error) { changedSCCs := []*kapi.SecurityContextConstraints{} groups, users := bootstrappolicy.GetBoostrapSCCAccess(o.InfraNamespace) bootstrapSCCs := bootstrappolicy.GetBootstrapSecurityContextConstraints(groups, users) for i := range bootstrapSCCs { expectedSCC := &bootstrapSCCs[i] actualSCC, err := o.SCCClient.Get(expectedSCC.Name) // if not found it needs to be created if kapierrors.IsNotFound(err) { changedSCCs = append(changedSCCs, expectedSCC) continue } if err != nil { return nil, err } // if found then we need to diff to see if it needs updated if updatedSCC, needsUpdating := o.computeUpdatedSCC(*expectedSCC, *actualSCC); needsUpdating { changedSCCs = append(changedSCCs, updatedSCC) } } return changedSCCs, nil }
// ensureDefaultSecurityContextConstraints creates every recommended bootstrap
// SCC that does not already exist in the cluster. It does nothing (beyond a
// log line) when the backing Kubernetes does not support SCCs or when that
// support cannot be determined. SCCs that already exist are left untouched,
// and a failure to create one SCC is logged rather than returned so that the
// remaining defaults are still attempted.
func (c *MasterConfig) ensureDefaultSecurityContextConstraints() {
	supported, err := c.securityContextConstraintsSupported()
	if err != nil {
		glog.Errorf("Unable to determine if security context constraints are supported. Got error: %v", err)
		return
	}
	if !supported {
		glog.Infof("Ignoring default security context constraints when running on external Kubernetes.")
		return
	}

	infraNS := c.Options.PolicyConfig.OpenShiftInfrastructureNamespace
	groups, users := bootstrappolicy.GetBoostrapSCCAccess(infraNS)
	defaults := bootstrappolicy.GetBootstrapSecurityContextConstraints(groups, users)

	for i := range defaults {
		scc := &defaults[i]
		_, createErr := c.KubeClient().SecurityContextConstraints().Create(scc)
		switch {
		case kapierror.IsAlreadyExists(createErr):
			// Only gaps are filled here; an existing SCC is never overwritten.
		case createErr != nil:
			glog.Errorf("Unable to create default security context constraint %s. Got error: %v", scc.Name, createErr)
		default:
			glog.Infof("Created default security context constraint %s", scc.Name)
		}
	}
}
// ensureDefaultSecurityContextConstraints seeds the cluster with the bootstrap
// SCCs, but only when no SCC exists at all: if the list call returns any item
// the cluster is treated as already initialized and nothing is created, so an
// individual default that went missing is not re-added by this path. Before
// creating the defaults, the build controller service account is appended to
// the users of the privileged SCC. All errors are logged, none are returned.
func (c *MasterConfig) ensureDefaultSecurityContextConstraints() {
	existing, err := c.KubeClient().SecurityContextConstraints().List(labels.Everything(), fields.Everything())
	if err != nil {
		glog.Errorf("Unable to initialize security context constraints: %v. This may prevent the creation of pods", err)
		return
	}
	if len(existing.Items) != 0 {
		// Any SCC at all means bootstrapping already happened.
		return
	}
	glog.Infof("No security context constraints detected, adding defaults")

	infraNS := c.Options.PolicyConfig.OpenShiftInfrastructureNamespace
	buildControllerUser := serviceaccount.MakeUsername(infraNS, c.BuildControllerServiceAccount)
	groups, users := bootstrappolicy.GetBoostrapSCCAccess()
	// Grant the build controller service account access to the privileged SCC.
	privileged := bootstrappolicy.SecurityContextConstraintPrivileged
	users[privileged] = append(users[privileged], buildControllerUser)

	defaults := bootstrappolicy.GetBootstrapSecurityContextConstraints(groups, users)
	for i := range defaults {
		scc := &defaults[i]
		if _, createErr := c.KubeClient().SecurityContextConstraints().Create(scc); createErr != nil {
			glog.Errorf("Unable to create default security context constraint %s. Got error: %v", scc.Name, createErr)
		}
	}
}
// ensureDefaultSecurityContextConstraints creates each recommended bootstrap
// SCC that is not yet present in the cluster. Existing SCCs are skipped
// unchanged, and a create failure is logged rather than returned so that one
// bad SCC does not prevent the others from being attempted.
func (c *MasterConfig) ensureDefaultSecurityContextConstraints() {
	infraNS := c.Options.PolicyConfig.OpenShiftInfrastructureNamespace
	groups, users := bootstrappolicy.GetBoostrapSCCAccess(infraNS)
	defaults := bootstrappolicy.GetBootstrapSecurityContextConstraints(groups, users)

	for i := range defaults {
		scc := &defaults[i]
		_, createErr := c.KubeClient().SecurityContextConstraints().Create(scc)
		if kapierror.IsAlreadyExists(createErr) {
			// Present already: this path only adds what is missing.
			continue
		}
		if createErr != nil {
			glog.Errorf("Unable to create default security context constraint %s. Got error: %v", scc.Name, createErr)
			continue
		}
		glog.Infof("Created default security context constraint %s", scc.Name)
	}
}