From 19c7f7f29c57de7e6c6852e2c3b7a0c7a764d291 Mon Sep 17 00:00:00 2001
From: Francesco Romani
Date: Wed, 18 Dec 2024 15:32:39 +0100
Subject: [PATCH 1/2] manifests: rte: export scc v2

A missing change prevents the SCC V2 to be emitted when calling ToObjects(). Fix this.

Signed-off-by: Francesco Romani
(cherry picked from commit 1e7e94fc935051dac9d081eb2a5c6b122f26f17c)
---
 pkg/manifests/rte/rte.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/pkg/manifests/rte/rte.go b/pkg/manifests/rte/rte.go
index a7ebb196..f5654aea 100644
--- a/pkg/manifests/rte/rte.go
+++ b/pkg/manifests/rte/rte.go
@@ -114,7 +114,6 @@ func (mf Manifests) Render(opts options.UpdaterDaemon) (Manifests, error) {
 	rteupdate.DaemonSet(ret.DaemonSet, mf.plat, rteConfigMapName, opts.DaemonSet)
 	if mf.plat == platform.OpenShift || mf.plat == platform.HyperShift {
-		selinuxType := selinuxassets.RTEContextType
 		if mf.MachineConfig != nil {
 			if opts.Name != "" {
 				ret.MachineConfig.Name = ocpupdate.MakeMachineConfigName(opts.Name)
@@ -123,16 +122,22 @@ func (mf Manifests) Render(opts options.UpdaterDaemon) (Manifests, error) {
 				ret.MachineConfig.Labels = opts.MachineConfigPoolSelector.MatchLabels
 			}
 			// the MachineConfig installs this custom policy which is obsolete starting from OCP v4.18
-			selinuxType = selinuxassets.RTEContextTypeLegacy
 		}
-		rteupdate.SecurityContext(ret.DaemonSet, selinuxType)
 		ocpupdate.SecurityContextConstraint(ret.SecurityContextConstraint, ret.ServiceAccount)
 		ocpupdate.SecurityContextConstraint(ret.SecurityContextConstraintV2, ret.ServiceAccount)
+		rteupdate.SecurityContext(ret.DaemonSet, selinuxTypeFromSCCVersion(opts.DaemonSet.SCCVersion, (mf.MachineConfig != nil)))
 	}
 	return ret, nil
 }
 
+func selinuxTypeFromSCCVersion(ver options.SCCVersion, hasCustomPolicy bool) string {
+	if ver == options.SCCV1 && hasCustomPolicy { // custom policy is the only vehicle which enables Legacy type
+		return selinuxassets.RTEContextTypeLegacy
+	}
+	return selinuxassets.RTEContextType
+}
+
 func CreateConfigMap(namespace, name, configData string) *corev1.ConfigMap {
 	cm := &corev1.ConfigMap{
 		// TODO: why is this needed?
@@ -165,6 +170,9 @@ func (mf Manifests) ToObjects() []client.Object {
 	if mf.SecurityContextConstraint != nil {
 		objs = append(objs, mf.SecurityContextConstraint)
 	}
+	if mf.SecurityContextConstraintV2 != nil {
+		objs = append(objs, mf.SecurityContextConstraintV2)
+	}
 	return append(objs,
 		mf.Role,

From 4c59cb71c9f6b53a43a1563e7d35c5d8b7b3517a Mon Sep 17 00:00:00 2001
From: Francesco Romani
Date: Wed, 18 Dec 2024 15:34:14 +0100
Subject: [PATCH 2/2] ocp: render: add option to toggle the SCC to use

default is the native and more restrictive v2, but if we supply the MachineConfig, v1 is still supported.

Signed-off-by: Francesco Romani
(cherry picked from commit d7105005376ea8791c17eb44144ac790385110dc)
---
 pkg/commands/root.go | 9 ++++++++-
 pkg/options/options.go | 14 ++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

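Review bot: selinuxTypeFromSCCVersion does not handle the zero value of options.SCCVersion, so a Manifests rendered with MachineConfig set but SCCVersion left empty (any caller that does not pass through PostSetupOptions, the only place the value is validated) now gets RTEContextType where the removed code gave RTEContextTypeLegacy, while the MachineConfig still installs the legacy policy. Only IsValidSCCVersion rejects the empty string, and Render never calls it. Either normalize explicitly at the top of the helper — `if ver == "" { // zero value: caller picked nothing, follow the CLI default` / `ver = options.SCCV2` / `}` — or have Render return an error for an unknown version so the mismatch cannot stay silent. The new helper also lacks a doc comment; something like `// selinuxTypeFromSCCVersion picks the SELinux context type for the RTE pods: the legacy type only when the v1 SCC is selected and the MachineConfig carrying the legacy custom policy is rendered, the native type otherwise.` would explain why hasCustomPolicy alone no longer decides. The parentheses around `mf.MachineConfig != nil` in the call are redundant.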
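Review bot: ToObjects now emits both SecurityContextConstraint and SecurityContextConstraintV2 whenever they are non-nil, and Render passes the ServiceAccount to ocpupdate.SecurityContextConstraint for both of them, so the SCCVersion toggle added in the companion patch appears to affect only the pod's SELinux type while the account is still granted both SCCs. The second patch in this series describes v2 as the more restrictive SCC, so a deployment that selects v2 seemingly still carries the broader v1 grant. If the intent is least privilege, Render is the place that knows the version and could drop the unselected object before ToObjects runs (for example `ret.SecurityContextConstraint = nil` when v2 is chosen); if both are meant to be installed for compatibility, a comment on this branch saying so would stop the next reader from treating it as an oversight. ToObjects continues past the end of the hunk.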
diff --git a/pkg/commands/root.go b/pkg/commands/root.go
index c45a0f4d..8e587a07 100644
--- a/pkg/commands/root.go
+++ b/pkg/commands/root.go
@@ -42,6 +42,7 @@ type internalOptions struct {
 	rteConfigFile string
 	schedScoringStratConfigFile string
 	schedCacheParamsConfigFile string
+	updaterSCCVersion string
 	plat string
 }
@@ -96,6 +97,7 @@ func InitFlags(flags *pflag.FlagSet, commonOpts *options.Options, internalOpts *
 	flags.StringVar(&internalOpts.schedScoringStratConfigFile, "sched-scoring-strat-config-file", "", "inject scheduler scoring strategy configuration reading from this file.")
 	flags.StringVar(&internalOpts.schedCacheParamsConfigFile, "sched-cache-params-config-file", "", "inject scheduler fine cache params configuration reading from this file.")
 	flags.IntVarP(&internalOpts.replicas, "replicas", "R", 1, "set the replica value - where relevant.")
+	flags.StringVar(&internalOpts.updaterSCCVersion, "updater-scc", "v2", "select the SecurityContextConstraint version to use. v2 by default")
 	flags.DurationVarP(&commonOpts.WaitInterval, "wait-interval", "E", 2*time.Second, "wait interval.")
 	flags.DurationVarP(&commonOpts.WaitTimeout, "wait-timeout", "T", 2*time.Minute, "wait timeout.")
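Review bot: The help string of the new --updater-scc flag does not say which values are accepted, and because the flag is a free-form string validated only later in PostSetupOptions, a typo shows up as a post-parse error instead of being visible in --help; `"select the SecurityContextConstraint version to use (v1 or v2). v2 by default"` would fix that. Consider also taking the default from `string(options.SCCV2)` rather than repeating the literal "v2" here, so this file and options.go cannot drift apart. InitFlags continues outside the hunk.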
@@ -104,7 +106,7 @@ func InitFlags(flags *pflag.FlagSet, commonOpts *options.Options, internalOpts *
 	flags.BoolVar(&commonOpts.UpdaterPFPEnable, "updater-pfp-enable", true, "toggle PFP support on the updater side.")
 	flags.BoolVar(&commonOpts.UpdaterNotifEnable, "updater-notif-enable", false, "toggle event-based notification support on the updater side.")
 	flags.BoolVar(&commonOpts.UpdaterCRIHooksEnable, "updater-cri-hooks-enable", false, "toggle installation of CRI hooks on the updater side.")
-	flags.BoolVar(&commonOpts.UpdaterCustomSELinuxPolicy, "updater-custom-selinux-policy", false, "toggle installation of selinux policy on the updater side. off by default")
+	flags.BoolVar(&commonOpts.UpdaterCustomSELinuxPolicy, "updater-custom-selinux-policy", true, "toggle installation of selinux policy in the legacy policy on the updater side. on by default")
 	flags.DurationVar(&commonOpts.UpdaterSyncPeriod, "updater-sync-period", manifests.DefaultUpdaterSyncPeriod, "tune the updater synchronization (nrt update) interval. Use 0 to disable.")
 	flags.IntVar(&commonOpts.UpdaterVerbose, "updater-verbose", manifests.DefaultUpdaterVerbose, "set the updater verbosiness.")
 	flags.StringVar(&commonOpts.SchedProfileName, "sched-profile-name", schedmanifests.DefaultProfileName, "inject scheduler profile name.")
@@ -120,6 +122,11 @@ func PostSetupOptions(env *deployer.Environment, commonOpts *options.Options, in
 	env.Log.V(3).Info("global polling settings", "interval", commonOpts.WaitInterval, "timeout", commonOpts.WaitTimeout)
 	wait.SetBaseValues(commonOpts.WaitInterval, commonOpts.WaitTimeout)
 
+	if !options.IsValidSCCVersion(internalOpts.updaterSCCVersion) {
+		return fmt.Errorf("SCC version %q is invalid", internalOpts.updaterSCCVersion)
+	}
+	commonOpts.UpdaterSCCVersion = options.SCCVersion(internalOpts.updaterSCCVersion)
+
 	if internalOpts.replicas < 0 {
 		err := env.EnsureClient()
 		if err != nil {
diff --git a/pkg/options/options.go b/pkg/options/options.go
index e666e959..502f1f05 100644
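Review bot: Flipping the default of --updater-custom-selinux-policy from false to true changes the outcome of every existing invocation, and the commit message only talks about adding the SCC toggle, so this silently ships as part of an unrelated feature; the new help text "toggle installation of selinux policy in the legacy policy on the updater side" also reads garbled. If, as the flag name and the rte.go comment suggest, this flag drives the MachineConfig that installs the legacy custom policy (obsolete starting from OCP v4.18), defaulting it on while the SCC default is the native v2 means a default deployment renders a MachineConfig that the v2 path does not use, which runs against the series' stated direction; please either justify the flip in the message or keep the old default. A clearer help string would be `"toggle installation of the legacy custom selinux policy (via MachineConfig) on the updater side. on by default"`. InitFlags continues outside the hunk.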
--- a/pkg/options/options.go
+++ b/pkg/options/options.go
@@ -24,6 +24,17 @@ import (
 	"github.com/k8stopologyawareschedwg/deployer/pkg/deployer/platform"
 )
 
+type SCCVersion string
+
+const (
+	SCCV1 SCCVersion = "v1"
+	SCCV2 SCCVersion = "v2"
+)
+
+func IsValidSCCVersion(ver string) bool {
+	return ver == string(SCCV1) || ver == string(SCCV2)
+}
+
 type Options struct {
 	UserPlatform platform.Platform
 	UserPlatformVersion platform.Version
@@ -35,6 +46,7 @@ type Options struct {
 	UpdaterNotifEnable bool
 	UpdaterCRIHooksEnable bool
 	UpdaterCustomSELinuxPolicy bool
+	UpdaterSCCVersion SCCVersion
 	UpdaterSyncPeriod time.Duration
 	UpdaterVerbose int
 	SchedProfileName string
@@ -78,6 +90,7 @@ type DaemonSet struct {
 	NotificationEnable bool
 	NodeSelector *metav1.LabelSelector
 	UpdateInterval time.Duration
+	SCCVersion SCCVersion
 }
 
 type UpdaterDaemon struct {
@@ -104,6 +117,7 @@ func ForDaemonSet(commonOpts *Options) DaemonSet {
 		PFPEnable: commonOpts.UpdaterPFPEnable,
 		NotificationEnable: commonOpts.UpdaterNotifEnable,
 		UpdateInterval: commonOpts.UpdaterSyncPeriod,
+		SCCVersion: commonOpts.UpdaterSCCVersion,
 		Verbose: commonOpts.UpdaterVerbose,
 	}
 }
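Review bot: SCCVersion, SCCV1, SCCV2 and IsValidSCCVersion are all exported and none carries a doc comment, so readers of this package have nothing that says what the two versions mean or that the empty string is rejected. Suggested comments: `// SCCVersion selects which SecurityContextConstraint flavor the updater is rendered for.`, `// SCCV1 is the legacy SCC, still supported when the MachineConfig with the custom policy is installed; SCCV2 is the native, more restrictive SCC and the default.`, and `// IsValidSCCVersion reports whether ver names a supported SCCVersion; the empty string is not valid.`. Note that the zero value of the type fails IsValidSCCVersion yet flows unchecked through ForDaemonSet into DaemonSet.SCCVersion, so callers that build Options directly bypass the check done for the CLI flag; a comment on Options.UpdaterSCCVersion stating that an empty value behaves like v2 in rte.go's selinuxTypeFromSCCVersion, or a validation step in ForDaemonSet, would close that gap.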