manifests: rte: export scc v2
A missing change prevents the SCC V2 from being emitted
when calling ToObjects(). Fix this.

Signed-off-by: Francesco Romani <[email protected]>
ffromani committed Dec 18, 2024
1 parent cb5605f commit 1e7e94f
Showing 1 changed file with 11 additions and 3 deletions.
14 changes: 11 additions & 3 deletions pkg/manifests/rte/rte.go
Expand Up @@ -114,7 +114,6 @@ func (mf Manifests) Render(opts options.UpdaterDaemon) (Manifests, error) {
rteupdate.DaemonSet(ret.DaemonSet, mf.plat, rteConfigMapName, opts.DaemonSet)

if mf.plat == platform.OpenShift || mf.plat == platform.HyperShift {
selinuxType := selinuxassets.RTEContextType
if mf.MachineConfig != nil {
if opts.Name != "" {
ret.MachineConfig.Name = ocpupdate.MakeMachineConfigName(opts.Name)
Expand All @@ -123,16 +122,22 @@ func (mf Manifests) Render(opts options.UpdaterDaemon) (Manifests, error) {
ret.MachineConfig.Labels = opts.MachineConfigPoolSelector.MatchLabels
}
// the MachineConfig installs this custom policy which is obsolete starting from OCP v4.18
selinuxType = selinuxassets.RTEContextTypeLegacy
}
rteupdate.SecurityContext(ret.DaemonSet, selinuxType)
ocpupdate.SecurityContextConstraint(ret.SecurityContextConstraint, ret.ServiceAccount)
ocpupdate.SecurityContextConstraint(ret.SecurityContextConstraintV2, ret.ServiceAccount)
rteupdate.SecurityContext(ret.DaemonSet, selinuxTypeFromSCCVersion(opts.DaemonSet.SCCVersion, (mf.MachineConfig != nil)))
}

return ret, nil
}

func selinuxTypeFromSCCVersion(ver options.SCCVersion, hasCustomPolicy bool) string {
if ver == options.SCCV1 && hasCustomPolicy { // custom policy is the only vehicle which enables Legacy type
return selinuxassets.RTEContextTypeLegacy
}
return selinuxassets.RTEContextType
}

func CreateConfigMap(namespace, name, configData string) *corev1.ConfigMap {
cm := &corev1.ConfigMap{
// TODO: why is this needed?
Expand Down Expand Up @@ -165,6 +170,9 @@ func (mf Manifests) ToObjects() []client.Object {
if mf.SecurityContextConstraint != nil {
objs = append(objs, mf.SecurityContextConstraint)
}
if mf.SecurityContextConstraintV2 != nil {
objs = append(objs, mf.SecurityContextConstraintV2)
}

return append(objs,
mf.Role,
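Review bot: In `selinuxTypeFromSCCVersion`, every `SCCVersion` other than `options.SCCV1` (including an unset zero value, if the type allows one) now selects `selinuxassets.RTEContextType` even when a MachineConfig is present, whereas the replaced code chose the legacy type whenever `mf.MachineConfig != nil`. If existing callers of `Render` do not populate `opts.DaemonSet.SCCVersion`, the DaemonSet may request an SELinux type that does not match the policy installed on the node. Either default the version explicitly or document the contract on the helper, e.g. `// selinuxTypeFromSCCVersion returns the legacy context type only for SCC v1 with the custom policy installed; any other version, including unset, gets RTEContextType.` Separately, `Render` passes `ret.SecurityContextConstraintV2` to `ocpupdate.SecurityContextConstraint` unconditionally while `ToObjects` nil-checks the same field; the helper is not visible here, so confirm it tolerates nil or guard the call with `if ret.SecurityContextConstraintV2 != nil {`. Both `Render` and `ToObjects` extend beyond the hunks shown.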
