From 1755e2ddeb70ffe1057339fb0e809bf87332ac56 Mon Sep 17 00:00:00 2001 From: amaslennikov Date: Wed, 27 Sep 2023 09:31:48 +0300 Subject: [PATCH] Remove PSP support Pod Security Policy had been deprecated for a long time, and in k8s 1.25 it was removed completely. To align with the newest versions, drop PSP support from our code. Signed-off-by: amaslennikov --- Makefile | 3 - README.md | 4 - api/v1alpha1/nicclusterpolicy_types.go | 9 -- api/v1alpha1/zz_generated.deepcopy.go | 20 --- .../mellanox.com_nicclusterpolicies.yaml | 10 -- ...etwork-operator.clusterserviceversion.yaml | 12 -- .../mellanox.com_nicclusterpolicies.yaml | 10 -- config/psp/kustomization.yaml | 7 - config/psp/manager_psp_role.yaml | 13 -- config/psp/manager_psp_rolebinding.yaml | 12 -- config/psp/pod_security_policy.yaml | 31 ---- config/rbac/role.yaml | 12 -- controllers/nicclusterpolicy_controller.go | 1 - deployment/network-operator/README.md | 1 - .../crds/mellanox.com_nicclusterpolicies.yaml | 10 -- ...anox.com_v1alpha1_nicclusterpolicy_cr.yaml | 2 - .../templates/podsecuritypolicy.yaml | 35 ----- .../network-operator/templates/role.yaml | 12 -- deployment/network-operator/values.yaml | 3 - hack/templates/values/values.template | 3 - .../state-pod-security-policy/0100_role.yaml | 13 -- .../0200_role_binding.yaml | 12 -- pkg/state/factory.go | 7 +- pkg/state/state_pod_security_policy.go | 141 ------------------ 24 files changed, 1 insertion(+), 382 deletions(-) delete mode 100644 config/psp/kustomization.yaml delete mode 100644 config/psp/manager_psp_role.yaml delete mode 100644 config/psp/manager_psp_rolebinding.yaml delete mode 100644 config/psp/pod_security_policy.yaml delete mode 100644 deployment/network-operator/templates/podsecuritypolicy.yaml delete mode 100644 manifests/state-pod-security-policy/0100_role.yaml delete mode 100644 manifests/state-pod-security-policy/0200_role_binding.yaml delete mode 100644 pkg/state/state_pod_security_policy.go
diff --git a/Makefile b/Makefile
index cf10aa6f5..2aa87d95d 100644
--- a/Makefile
+++ b/Makefile
@@ -245,9 +245,6 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 $(KUSTOMIZE) build config/default | kubectl apply -f -
 kubectl apply -f hack/crds/*
-deploy-with-psp: deploy ## Deploy controller to the K8s cluster specified in ~/.kube/config and apply privileged pod security policy
- $(KUSTOMIZE) build config/psp | kubectl apply -f -
-
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 $(KUSTOMIZE) build config/default | kubectl delete -f -
 $(KUSTOMIZE) build config/resources-namespace | kubectl delete -f -
diff --git a/README.md b/README.md
index 542a66cc8..b7a3df355 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,6 @@
 - [IPoIBNetwork CRD](#ipoibnetwork-crd)
 - [IPoIBNetwork spec:](#ipoibnetwork-spec)
 - [Example for IPoIBNetwork resource:](#example-for-ipoibnetwork-resource)
- - [Pod Security Policy](#pod-security-policy)
 - [System Requirements](#system-requirements)
 - [Tested Network Adapters](#tested-network-adapters)
 - [Compatibility Notes](#compatibility-notes)
@@ -414,9 +413,6 @@ spec:
 Can be found at: `example/crs/mellanox.com_v1alpha1_ipoibnetwork_cr.yaml`
-## Pod Security Policy
-NVIDIA Network Operator supports [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). When NicClusterPolicy is created with `psp.enabled=True`, privileged PSP is created and applied to all network-operator's pods. Requires [admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-control-plug-in) to be enabled.
-
 ## System Requirements
 * RDMA capable hardware: Mellanox ConnectX-5 NIC or newer.
 * NVIDIA GPU and driver supporting GPUDirect e.g Quadro RTX 6000/8000 or Tesla T4 or Tesla V100 or Tesla V100.
diff --git a/api/v1alpha1/nicclusterpolicy_types.go b/api/v1alpha1/nicclusterpolicy_types.go
index 9cd126e61..58ceb5e49 100644
--- a/api/v1alpha1/nicclusterpolicy_types.go
+++ b/api/v1alpha1/nicclusterpolicy_types.go
@@ -180,14 +180,6 @@ type SecondaryNetworkSpec struct {
 IpamPlugin *ImageSpec `json:"ipamPlugin,omitempty"`
 }
-// PSPSpec describes configuration for PodSecurityPolicies to apply for all Pods
-type PSPSpec struct {
- // Enabled indicates if PodSecurityPolicies needs to be enabled for all Pods
- // +optional
- // +kubebuilder:default:=false
- Enabled bool `json:"enabled,omitempty"`
-}
-
 // IBKubernetesSpec describes configuration options for ib-kubernetes
 type IBKubernetesSpec struct {
 // Image information for ib-kubernetes
@@ -233,7 +225,6 @@ type NicClusterPolicySpec struct {
 IBKubernetes *IBKubernetesSpec `json:"ibKubernetes,omitempty"`
 SecondaryNetwork *SecondaryNetworkSpec `json:"secondaryNetwork,omitempty"`
 NvIpam *NVIPAMSpec `json:"nvIpam,omitempty"`
- PSP *PSPSpec `json:"psp,omitempty"`
 NicFeatureDiscovery *NICFeatureDiscoverySpec `json:"nicFeatureDiscovery,omitempty"`
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index f22338132..6e790446c 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -593,11 +593,6 @@ func (in *NicClusterPolicySpec) DeepCopyInto(out *NicClusterPolicySpec) {
 *out = new(NVIPAMSpec)
 (*in).DeepCopyInto(*out)
 }
- if in.PSP != nil {
- in, out := &in.PSP, &out.PSP
- *out = new(PSPSpec)
- **out = **in
- }
 if in.NicFeatureDiscovery != nil {
 in, out := &in.NicFeatureDiscovery, &out.NicFeatureDiscovery
 *out = new(NICFeatureDiscoverySpec)
@@ -688,21 +683,6 @@ func (in *OFEDDriverSpec) DeepCopy() *OFEDDriverSpec {
 return out
 }
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PSPSpec) DeepCopyInto(out *PSPSpec) {
- *out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PSPSpec.
-func (in *PSPSpec) DeepCopy() *PSPSpec {
- if in == nil {
- return nil
- }
- out := new(PSPSpec)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PodProbeSpec) DeepCopyInto(out *PodProbeSpec) {
 *out = *in
diff --git a/bundle/manifests/mellanox.com_nicclusterpolicies.yaml b/bundle/manifests/mellanox.com_nicclusterpolicies.yaml
index f77223182..a3a0ccdef 100644
--- a/bundle/manifests/mellanox.com_nicclusterpolicies.yaml
+++ b/bundle/manifests/mellanox.com_nicclusterpolicies.yaml
@@ -580,16 +580,6 @@ spec:
 - repository
 - version
 type: object
- psp:
- description: PSPSpec describes configuration for PodSecurityPolicies
- to apply for all Pods
- properties:
- enabled:
- default: false
- description: Enabled indicates if PodSecurityPolicies needs to
- be enabled for all Pods
- type: boolean
- type: object
 rdmaSharedDevicePlugin:
 description: DevicePluginSpec describes configuration options for device plugin 1. Image information for device plugin 2. Device plugin
diff --git a/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml b/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml
index ee0e74b76..bd0be3858 100644
--- a/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml
@@ -445,18 +445,6 @@ spec:
 - get
 - patch
 - update
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
diff --git a/config/crd/bases/mellanox.com_nicclusterpolicies.yaml b/config/crd/bases/mellanox.com_nicclusterpolicies.yaml
index 6e9afd6cd..3c2a0d9f2 100644
--- a/config/crd/bases/mellanox.com_nicclusterpolicies.yaml
+++ b/config/crd/bases/mellanox.com_nicclusterpolicies.yaml
@@ -581,16 +581,6 @@ spec:
 - repository
 - version
 type: object
- psp:
- description: PSPSpec describes configuration for PodSecurityPolicies
- to apply for all Pods
- properties:
- enabled:
- default: false
- description: Enabled indicates if PodSecurityPolicies needs to
- be enabled for all Pods
- type: boolean
- type: object
 rdmaSharedDevicePlugin:
 description: DevicePluginSpec describes configuration options for device plugin 1. Image information for device plugin 2. Device plugin
diff --git a/config/psp/kustomization.yaml b/config/psp/kustomization.yaml
deleted file mode 100644
index 04ac312fd..000000000
--- a/config/psp/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-bases:
-- ../default
-
-resources:
- - pod_security_policy.yaml
- - manager_psp_role.yaml
- - manager_psp_rolebinding.yaml
diff --git a/config/psp/manager_psp_role.yaml b/config/psp/manager_psp_role.yaml
deleted file mode 100644
index aeb1b4ba2..000000000
--- a/config/psp/manager_psp_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: manager-psp-role
-rules:
- - apiGroups:
- - policy
- resourceNames:
- - nvidia-network-operator-privileged
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/config/psp/manager_psp_rolebinding.yaml b/config/psp/manager_psp_rolebinding.yaml
deleted file mode 100644
index 96abe87ea..000000000
--- a/config/psp/manager_psp_rolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-psp-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manager-psp-role
-subjects:
- - kind: ServiceAccount
- name: controller-manager
- namespace: system
diff --git a/config/psp/pod_security_policy.yaml b/config/psp/pod_security_policy.yaml
deleted file mode 100644
index e5efcab87..000000000
--- a/config/psp/pod_security_policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: nvidia-network-operator-privileged
- annotations:
- kubernetes.io/description: "restricted denies access to all host features and requires
- pods to be run with a UID, read-only root filesystem and SELinux context that are
- allocated to the namespace."
-spec:
- privileged: true
- hostIPC: false
- hostNetwork: true
- hostPID: false
- allowPrivilegeEscalation: true
- readOnlyRootFilesystem: false
- allowedHostPaths: []
- allowedCapabilities:
- - '*'
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - configMap
- - hostPath
- - secret
- - downwardAPI
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 7f55420d1..18f3447f9 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -316,18 +316,6 @@ rules:
 - get
 - patch
 - update
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
diff --git a/controllers/nicclusterpolicy_controller.go b/controllers/nicclusterpolicy_controller.go
index 7d8b740d1..dbad39fee 100644
--- a/controllers/nicclusterpolicy_controller.go
+++ b/controllers/nicclusterpolicy_controller.go
@@ -63,7 +63,6 @@ type NicClusterPolicyReconciler struct {
 // +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies/finalizers,verbs=update
 // +kubebuilder:rbac:groups=security.openshift.io,resourceNames=privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=events.k8s.io,resources=events,verbs=create;patch;update
 // +kubebuilder:rbac:groups="",resources=namespaces;serviceaccounts;pods;pods/status;services;services/finalizers;endpoints,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete
diff --git a/deployment/network-operator/README.md b/deployment/network-operator/README.md
index 0bef0137e..a1ebc4ac0 100644
--- a/deployment/network-operator/README.md
+++ b/deployment/network-operator/README.md
@@ -373,7 +373,6 @@ parameters.
 | `sriovNetworkOperator.enabled` | bool | `False` | deploy SR-IOV Network Operator |
 | `upgradeCRDs` | bool | `True` | enable CRDs upgrade with helm pre-install and pre-upgrade hooks |
 | `sriovNetworkOperator.configDaemonNodeSelectorExtra` | object | `{"node-role.kubernetes.io/worker": ""}` | Additional nodeSelector for sriov-network-operator config daemon. These values will be added in addition to default values managed by the network-operator. |
-| `psp.enabled` | bool | `False` | deploy Pod Security Policy |
 | `imagePullSecrets` | list | `[]` | An optional list of references to secrets to use for pulling any of the Network Operator image if it's not overrided |
 | `operator.repository` | string | `nvcr.io/nvidia/cloud-native` | Network Operator image repository |
 | `operator.image` | string | `network-operator` | Network Operator image name |
diff --git a/deployment/network-operator/crds/mellanox.com_nicclusterpolicies.yaml b/deployment/network-operator/crds/mellanox.com_nicclusterpolicies.yaml
index 6e9afd6cd..3c2a0d9f2 100644
--- a/deployment/network-operator/crds/mellanox.com_nicclusterpolicies.yaml
+++ b/deployment/network-operator/crds/mellanox.com_nicclusterpolicies.yaml
@@ -581,16 +581,6 @@ spec:
 - repository
 - version
 type: object
- psp:
- description: PSPSpec describes configuration for PodSecurityPolicies
- to apply for all Pods
- properties:
- enabled:
- default: false
- description: Enabled indicates if PodSecurityPolicies needs to
- be enabled for all Pods
- type: boolean
- type: object
 rdmaSharedDevicePlugin:
 description: DevicePluginSpec describes configuration options for device plugin 1. Image information for device plugin 2. Device plugin
diff --git a/deployment/network-operator/templates/mellanox.com_v1alpha1_nicclusterpolicy_cr.yaml b/deployment/network-operator/templates/mellanox.com_v1alpha1_nicclusterpolicy_cr.yaml
index 4da2ac340..65dbb0fc6 100644
--- a/deployment/network-operator/templates/mellanox.com_v1alpha1_nicclusterpolicy_cr.yaml
+++ b/deployment/network-operator/templates/mellanox.com_v1alpha1_nicclusterpolicy_cr.yaml
@@ -174,8 +174,6 @@ spec:
 imagePullSecrets: {{ include "network-operator.secondaryNetwork.ipamPlugin.imagePullSecrets" . }}
 {{- end }}
 {{- end }}
- psp:
- enabled: {{ .Values.psp.enabled }}
 {{- if .Values.nvIpam.deploy }}
 nvIpam:
 image: {{ .Values.nvIpam.image }}
diff --git a/deployment/network-operator/templates/podsecuritypolicy.yaml b/deployment/network-operator/templates/podsecuritypolicy.yaml
deleted file mode 100644
index dd427547a..000000000
--- a/deployment/network-operator/templates/podsecuritypolicy.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-{{- if .Values.psp.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: nvidia-network-operator-privileged
- labels:
- {{- include "network-operator.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/description: "restricted denies access to all host features and requires
- pods to be run with a UID, read-only root filesystem and SELinux context that are
- allocated to the namespace."
-spec:
- privileged: true
- hostIPC: false
- hostNetwork: true
- hostPID: false
- allowPrivilegeEscalation: true
- readOnlyRootFilesystem: false
- allowedHostPaths: []
- allowedCapabilities:
- - '*'
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - configMap
- - hostPath
- - secret
- - downwardAPI
-{{- end }}
diff --git a/deployment/network-operator/templates/role.yaml b/deployment/network-operator/templates/role.yaml
index 547646acf..0352e5c68 100644
--- a/deployment/network-operator/templates/role.yaml
+++ b/deployment/network-operator/templates/role.yaml
@@ -330,18 +330,6 @@ rules:
 - get
 - patch
 - update
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
diff --git a/deployment/network-operator/values.yaml b/deployment/network-operator/values.yaml
index 6c029925f..ae883c2a1 100644
--- a/deployment/network-operator/values.yaml
+++ b/deployment/network-operator/values.yaml
@@ -20,9 +20,6 @@ nfd:
 enabled: true
 deployNodeFeatureRules: true
-psp:
- enabled: false
-
 upgradeCRDs: true
 sriovNetworkOperator:
diff --git a/hack/templates/values/values.template b/hack/templates/values/values.template
index 7cb716510..f7f760282 100644
--- a/hack/templates/values/values.template
+++ b/hack/templates/values/values.template
@@ -20,9 +20,6 @@ nfd:
 enabled: true
 deployNodeFeatureRules: true
-psp:
- enabled: false
-
 upgradeCRDs: true
 sriovNetworkOperator:
diff --git a/manifests/state-pod-security-policy/0100_role.yaml b/manifests/state-pod-security-policy/0100_role.yaml
deleted file mode 100644
index 42cc2890d..000000000
--- a/manifests/state-pod-security-policy/0100_role.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: network-operator-psp-privileged
-rules:
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs:
- - use
- resourceNames:
- - nvidia-network-operator-privileged
diff --git a/manifests/state-pod-security-policy/0200_role_binding.yaml b/manifests/state-pod-security-policy/0200_role_binding.yaml
deleted file mode 100644
index 3fb193fe6..000000000
--- a/manifests/state-pod-security-policy/0200_role_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: network-operator-psp-privileged
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: network-operator-psp-privileged
-subjects:
-- kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: system:serviceaccounts:{{ .RuntimeSpec.Namespace }}
diff --git a/pkg/state/factory.go b/pkg/state/factory.go
index 4904146a9..08f2e6a22 100644
--- a/pkg/state/factory.go
+++ b/pkg/state/factory.go
@@ -108,11 +108,6 @@ func newNicClusterPolicyStates(k8sAPIClient client.Client, scheme *runtime.Schem
 if err != nil {
 return nil, errors.Wrapf(err, "failed to create Whereabouts CNI State")
 }
- podSecurityPolicyState, err := NewStatePodSecurityPolicy(
- k8sAPIClient, scheme, filepath.Join(manifestBaseDir, "state-pod-security-policy"))
- if err != nil {
- return nil, errors.Wrapf(err, "failed to create Pod Security Policy State")
- }
 ibKubernetesState, err := NewStateIBKubernetes(
 k8sAPIClient, scheme, filepath.Join(manifestBaseDir, "state-ib-kubernetes"))
 if err != nil {
@@ -130,7 +125,7 @@ func newNicClusterPolicyStates(k8sAPIClient client.Client, scheme *runtime.Schem
 }
 return []State{
- podSecurityPolicyState, multusState, cniPluginsState, ipoibState, whereaboutState,
+ multusState, cniPluginsState, ipoibState, whereaboutState,
 ofedState, sriovDpState, sharedDpState, ibKubernetesState, nvIpamCniState, nicFeatureDiscoveryState}, nil
 }
diff --git a/pkg/state/state_pod_security_policy.go b/pkg/state/state_pod_security_policy.go
deleted file mode 100644
index 0f282726a..000000000
--- a/pkg/state/state_pod_security_policy.go
+++ /dev/null
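Review bot: Dropping podSecurityPolicyState from newNicClusterPolicyStates also drops the only code path that removed the objects this state created — the deleted Sync called handleStateObjectsDeletion whenever `cr.Spec.PSP` was nil or disabled — so on a cluster still below Kubernetes 1.25 an in-place upgrade leaves the ClusterRole and ClusterRoleBinding `network-operator-psp-privileged` in place, still granting `use` of the `nvidia-network-operator-privileged` PSP to `system:serviceaccounts:<namespace>`. Those objects carried a controller reference to the NicClusterPolicy, so they are presumably garbage-collected when the CR is deleted, but nothing handles the upgrade case. Consider documenting the manual cleanup in the release notes or adding a one-time deletion of those two RBAC objects in the upgrade path; since this commit also removes the `policy/podsecuritypolicies` verbs from the operator's ClusterRole, such a cleanup should be limited to the rbac.authorization.k8s.io objects the operator can still delete. The PSP object itself came from the Helm template or the `config/psp` kustomize overlay rather than this state, so Helm upgrades remove it while `kubectl apply` users must delete it by hand. newNicClusterPolicyStates begins before the first hunk and its body continues between and after the two hunks.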
@@ -1,141 +0,0 @@
-/*
-2021 NVIDIA CORPORATION & AFFILIATES
-
-Licensed under the Apache License, Version 2.0 (the License);
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an AS IS BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package state //nolint:dupl
-
-import (
- "context"
-
- "github.com/go-logr/logr"
- "github.com/pkg/errors"
- policyv1beta1 "k8s.io/api/policy/v1beta1"
- "k8s.io/apimachinery/pkg/api/meta"
- "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "k8s.io/apimachinery/pkg/runtime"
- "sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
- "sigs.k8s.io/controller-runtime/pkg/log"
-
- mellanoxv1alpha1 "github.com/Mellanox/network-operator/api/v1alpha1"
- "github.com/Mellanox/network-operator/pkg/config"
- "github.com/Mellanox/network-operator/pkg/consts"
- "github.com/Mellanox/network-operator/pkg/render"
- "github.com/Mellanox/network-operator/pkg/utils"
-)
-
-// NewStatePodSecurityPolicy creates a new pod security policy state
-func NewStatePodSecurityPolicy(k8sAPIClient client.Client, scheme *runtime.Scheme, manifestDir string) (State, error) {
- files, err := utils.GetFilesWithSuffix(manifestDir, render.ManifestFileSuffix...)
- if err != nil {
- return nil, errors.Wrap(err, "failed to get files from manifest dir")
- }
-
- renderer := render.NewRenderer(files)
- return &statePodSecurityPolicy{
- stateSkel: stateSkel{
- name: "state-pod-security-policy",
- description: "Privileged pod security policy deployed in the cluster",
- client: k8sAPIClient,
- scheme: scheme,
- renderer: renderer,
- }}, nil
-}
-
-type statePodSecurityPolicy struct {
- stateSkel
-}
-
-type podSecurityPolicyManifestRenderData struct {
- RuntimeSpec *runtimeSpec
-}
-
-// Sync attempt to get the system to match the desired state which State represent.
-// a sync operation must be relatively short and must not block the execution thread.
-//
-//nolint:dupl
-func (s *statePodSecurityPolicy) Sync(
- ctx context.Context, customResource interface{}, _ InfoCatalog) (SyncState, error) {
- reqLogger := log.FromContext(ctx)
- cr := customResource.(*mellanoxv1alpha1.NicClusterPolicy)
- reqLogger.V(consts.LogLevelInfo).Info(
- "Sync Custom resource", "State:", s.name, "Name:", cr.Name, "Namespace:", cr.Namespace)
-
- if cr.Spec.PSP == nil || !cr.Spec.PSP.Enabled {
- // Either this state was not required to run or an update occurred and we need to remove
- // the resources that where created.
- return s.handleStateObjectsDeletion(ctx)
- }
-
- objs, err := s.getManifestObjects(reqLogger)
- if err != nil {
- return SyncStateNotReady, errors.Wrap(err, "failed to create k8s objects from manifest")
- }
- if len(objs) == 0 {
- return SyncStateNotReady, nil
- }
-
- // Create objects if they dont exist, Update objects if they do exist
- err = s.createOrUpdateObjs(ctx, func(obj *unstructured.Unstructured) error {
- if err := controllerutil.SetControllerReference(cr, obj, s.scheme); err != nil {
- return errors.Wrap(err, "failed to set controller reference for object")
- }
- return nil
- }, objs)
- if err != nil {
- return SyncStateNotReady, errors.Wrap(err, "failed to create/update objects")
- }
- waitForStaleObjectsRemoval, err := s.handleStaleStateObjects(ctx, objs)
- if err != nil {
- return SyncStateNotReady, errors.Wrap(err, "failed to handle state stale objects")
- }
- if waitForStaleObjectsRemoval {
- return SyncStateNotReady, nil
- }
- // Check objects status
- syncState, err := s.getSyncState(ctx, objs)
- if err != nil {
- return SyncStateNotReady, errors.Wrap(err, "failed to get sync state")
- }
- return syncState, nil
-}
-
-// Get a map of source kinds that should be watched for the state keyed by the source kind name
-func (s *statePodSecurityPolicy) GetWatchSources() map[string]client.Object {
- wr := make(map[string]client.Object)
- psp := &policyv1beta1.PodSecurityPolicyList{}
- err := s.client.List(context.TODO(), psp)
- if meta.IsNoMatchError(err) {
- // We assume it's k8s v1.25 or newer so PodSecurityPolicy is not supported and no need to reconcile them
- return wr
- }
- wr["PodSecurityPolicy"] = &policyv1beta1.PodSecurityPolicy{}
- return wr
-}
-
-func (s *statePodSecurityPolicy) getManifestObjects(reqLogger logr.Logger) ([]*unstructured.Unstructured, error) {
- renderData := &podSecurityPolicyManifestRenderData{
- RuntimeSpec: &runtimeSpec{
- Namespace: config.FromEnv().State.NetworkOperatorResourceNamespace,
- },
- }
- // render objects
- objs, err := s.renderer.RenderObjects(&render.TemplatingData{Data: renderData})
- if err != nil {
- return nil, errors.Wrap(err, "failed to render objects")
- }
- reqLogger.V(consts.LogLevelDebug).Info("Rendered", "objects:", objs)
- return objs, nil
-}