Merge pull request #117 from darkowlzz/ocp-scc

Add OCP SCC support

Author: darkowlzz

.travis.yml

@@ -23,6 +23,7 @@ before_install:
         fi
       fi
   - sudo apt -y update && sudo apt install -y jq
+  - curl -Lo yq https://github.com/mikefarah/yq/releases/download/2.3.0/yq_linux_amd64 && chmod +x yq && sudo mv yq /usr/local/bin/
   - curl -Lo storageos https://github.com/storageos/go-cli/releases/download/1.0.0/storageos_linux_amd64 && chmod +x storageos && sudo mv storageos /usr/local/bin/
 #  - docker run -d -p 2399:2399 quay.io/coreos/etcd:v3.3.10 /usr/local/bin/etcd -advertise-client-urls http://0.0.0.0:2399 -listen-client-urls http://0.0.0.0:2399
 
@@ -38,6 +39,13 @@ jobs:
         - "INSTALL_METHOD=olm"
       name: OLM on KinD (k8s-1.13)
       script: ./test/e2e.sh $TEST_CLUSTER $INSTALL_METHOD
+    - go: "1.11"
+      sudo: required
+      env:
+        - "TEST_CLUSTER=openshift"
+        - "INSTALL_METHOD=olm"
+      name: OLM on OpenShift (k8s-1.11)
+      script: ./test/e2e.sh $TEST_CLUSTER $INSTALL_METHOD
     - &base-test
       go: "1.11"
       sudo: required

deploy/olm/csv-rhel/storageos.clusterserviceversion.yaml

@@ -287,6 +287,18 @@ spec:
           verbs:
           - create
           - delete
+        - apiGroups:
+          - security.openshift.io
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - create
+          - delete
+          - update
+          - get
+          - use
+          resourceNames:
+          - privileged
       deployments:
       - name: storageos-operator
         spec:

deploy/olm/storageos/storageos.clusterserviceversion.yaml

@@ -287,6 +287,18 @@ spec:
           verbs:
           - create
           - delete
+        - apiGroups:
+          - security.openshift.io
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - create
+          - delete
+          - update
+          - get
+          - use
+          resourceNames:
+          - privileged
       deployments:
       - name: storageos-operator
         spec:

deploy/role.yaml

@@ -93,3 +93,16 @@ rules:
   verbs:
   - create
   - delete
+# OpenShift specific rule.
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - create
+  - delete
+  - update
+  - get
+  - use
+  resourceNames:
+  - privileged

deploy/storageos-operators.configmap.yaml

@@ -495,6 +495,18 @@ data:
                 verbs:
                 - create
                 - delete
+              - apiGroups:
+                - security.openshift.io
+                resources:
+                - securitycontextconstraints
+                verbs:
+                - create
+                - delete
+                - update
+                - get
+                - use
+                resourceNames:
+                - privileged
             deployments:
             - name: storageos-operator
               spec:

pkg/storageos/delete.go

@@ -1,5 +1,7 @@
 package storageos
 
+import "strings"
+
 // Delete deletes all the storageos resources.
 // This explicit delete is implemented instead of depending on the garbage
 // collector because sometimes the garbage collector deletes the resources
@@ -78,6 +80,17 @@ func (s *Deployment) Delete() error {
 		}
 	}
 
+	// Delete cluster role for openshift security context constraints.
+	if strings.Contains(s.stos.Spec.K8sDistro, k8sDistroOpenShift) {
+		if err := s.deleteClusterRoleBinding(OpenShiftSCCClusterBindingName); err != nil {
+			return err
+		}
+
+		if err := s.deleteClusterRole(OpenShiftSCCClusterRoleName); err != nil {
+			return err
+		}
+	}
+
 	// Delete role for Pod Fencing.
 	if !s.stos.Spec.DisableFencing {
 		if err := s.deleteClusterRoleBinding(FencingClusterBindingName); err != nil {

pkg/storageos/deploy.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"strings"
 
 	"github.com/blang/semver"
 	storageosv1 "github.com/storageos/cluster-operator/pkg/apis/storageos/v1"
@@ -65,6 +66,9 @@ const (
 
 	defaultUsername = "storageos"
 	defaultPassword = "storageos"
+
+	// k8s distribution vendor specific keywords.
+	k8sDistroOpenShift = "openshift"
 )
 
 // Deploy deploys storageos by creating all the resources needed to run storageos.
@@ -156,6 +160,17 @@ func (s *Deployment) Deploy() error {
 		}
 	}
 
+	// Add openshift security context constraints.
+	if strings.Contains(s.stos.Spec.K8sDistro, k8sDistroOpenShift) {
+		if err := s.createClusterRoleForSCC(); err != nil {
+			return err
+		}
+
+		if err := s.createClusterRoleBindingForSCC(); err != nil {
+			return err
+		}
+	}
+
 	// Create role for Pod Fencing.
 	if !s.stos.Spec.DisableFencing {
 		if err := s.createClusterRoleForFencing(); err != nil {

pkg/storageos/rbac.go

@@ -21,6 +21,10 @@ const (
 	CSIDriverRegistrarClusterBindingName    = "storageos:driver-registrar"
 	CSIK8SDriverRegistrarClusterBindingName = "storageos:k8s-driver-registrar"
 
+	// OpenShift Security Context Constraints role and role binding names.
+	OpenShiftSCCClusterRoleName    = "storageos:openshift-scc"
+	OpenShiftSCCClusterBindingName = "storageos:openshift-scc"
+
 	KeyManagementRoleName    = "storageos:key-management"
 	KeyManagementBindingName = "storageos:key-management"
 
@@ -393,3 +397,46 @@ func (s *Deployment) createClusterRoleBindingForAttacher() error {
 	}
 	return s.createClusterRoleBinding(CSIAttacherClusterBindingName, subjects, roleRef)
 }
+
+// createClusterRoleForSCC creates cluster role with api group and resource
+// specific to openshift. This permission is required for by daemonsets and
+// statefulsets.
+func (s *Deployment) createClusterRoleForSCC() error {
+	rules := []rbacv1.PolicyRule{
+		{
+			APIGroups:     []string{"security.openshift.io"},
+			Resources:     []string{"securitycontextconstraints"},
+			Verbs:         []string{"use"},
+			ResourceNames: []string{"privileged"},
+		},
+	}
+	return s.createClusterRole(OpenShiftSCCClusterRoleName, rules)
+}
+
+// createClusterRoleBindingForSCC creates a cluster role binding of the
+// openshift SCC role with daemonset and statefulset service account.
+func (s *Deployment) createClusterRoleBindingForSCC() error {
+	subjects := []rbacv1.Subject{
+		{
+			Kind:      rbacv1.ServiceAccountKind,
+			Name:      DaemonsetSA,
+			Namespace: s.stos.Spec.GetResourceNS(),
+		},
+	}
+
+	// Add Statefulset service account if CSI is enabled.
+	if s.stos.Spec.CSI.Enable {
+		subjects = append(subjects, rbacv1.Subject{
+			Kind:      rbacv1.ServiceAccountKind,
+			Name:      StatefulsetSA,
+			Namespace: s.stos.Spec.GetResourceNS(),
+		})
+	}
+
+	roleRef := rbacv1.RoleRef{
+		Kind:     "ClusterRole",
+		Name:     OpenShiftSCCClusterRoleName,
+		APIGroup: "rbac.authorization.k8s.io",
+	}
+	return s.createClusterRoleBinding(OpenShiftSCCClusterBindingName, subjects, roleRef)
+}

scripts/openshift/.gitignore

@@ -0,0 +1 @@
+.vagrant

scripts/openshift/README.md

@@ -0,0 +1,27 @@
+# Setup OpenShift Test Environment
+
+`Vagrantfile` contains configuration for creating an ubuntu trusty VM with
+enough memory and diskspace to setup openshift and run the operator tests.
+
+Create the VM:
+```console
+$ vagrant up
+```
+
+Once the VM is ready, ssh into the VM and run the setup scripts in it to setup
+everything. Read the comments in the scripts for reasons why things are done
+in certain ways. Most of the parts of the scripts is a combination of the travis
+CI configuration file and e2e.sh file, but only the parts that apply to
+openshift setup.
+
+```console
+$ vagrant ssh
+$ bash /vagrant/openshift-seutp-1.sh
+
+# Re-login
+$ exit
+$ vagrant ssh
+
+# Continue setup
+$ bash /vagrant/openshift-seutp-2.sh
+```