OADP-552: Add privileged pod security labels to operator namespace (#763)

shubham-pampattiwar · web-flow · commit 925f5780ad06 · 2022-07-26T10:02:50.000-04:00
* add privileged pod security labels to operator ns

* handle empty operator ns case

* fix function name typo
diff --git a/bundle/manifests/oadp-operator.clusterserviceversion.yaml b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
@@ -591,6 +591,17 @@ spec:
                 - patch
                 - update
                 - watch
+            - apiGroups:
+                - ""
+              resources:
+                - namespaces
+              verbs:
+                - list
+                - get
+                - create
+                - patch
+                - update
+                - watch
             - apiGroups:
                 - apps
               resources:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -170,6 +170,17 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - list
+  - get
+  - create
+  - patch
+  - update
+  - watch
 - apiGroups:
   - apps
   resources:
diff --git a/main.go b/main.go
@@ -17,9 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	monitor "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 	"os"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -78,6 +81,13 @@ func main() {
 			"the manager will watch and manage resources in all namespaces")
 	}
 
+	// setting privileged pod security labels to operator ns
+	err = addPodSecurityPrivilegedLabels(watchNamespace)
+	if err != nil {
+		setupLog.Error(err, "error setting privileged pod security labels to operator namespace")
+		os.Exit(1)
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
 		MetricsBindAddress:     metricsAddr,
@@ -171,3 +181,40 @@ func getWatchNamespace() (string, error) {
 	}
 	return ns, nil
 }
+
+// setting privileged pod security labels to OADP operator namespace
+func addPodSecurityPrivilegedLabels(watchNamespaceName string) error {
+	setupLog.Info("patching operator namespace with PSA labels")
+
+	if len(watchNamespaceName) == 0 {
+		return fmt.Errorf("cannot add privileged pod security labels, watchNamespaceName is empty")
+	}
+
+	kubeconf := ctrl.GetConfigOrDie()
+	clientset, err := kubernetes.NewForConfig(kubeconf)
+	if err != nil {
+		setupLog.Error(err, "problem getting client")
+		return err
+	}
+
+	operatorNamespace, err := clientset.CoreV1().Namespaces().Get(context.TODO(), watchNamespaceName, metav1.GetOptions{})
+	if err != nil {
+		setupLog.Error(err, "problem getting operator namespace")
+		return err
+	}
+
+	privilegedLabels := map[string]string{
+		"pod-security.kubernetes.io/enforce": "privileged",
+		"pod-security.kubernetes.io/audit":   "privileged",
+		"pod-security.kubernetes.io/warn":    "privileged",
+	}
+
+	operatorNamespace.SetLabels(privilegedLabels)
+
+	_, err = clientset.CoreV1().Namespaces().Update(context.TODO(), operatorNamespace, metav1.UpdateOptions{})
+	if err != nil {
+		setupLog.Error(err, "problem patching operator namespace for privileged pod security labels")
+		return err
+	}
+	return nil
+}
