feat: Set "openshift.io/required-scc" annotation on deployments

The annotation pins required SCC.

Signed-off-by: Andrej Krejcir <[email protected]>

Author: akrejcir

config/manager/manager.template.yaml

@@ -3,6 +3,8 @@ kind: Deployment
 metadata:
   name: operator
   namespace: kubevirt
+  annotations:
+    openshift.io/required-scc: restricted-v2
   labels:
     control-plane: ssp-operator
     name: ssp-operator
@@ -14,6 +16,7 @@ spec:
   template:
     metadata:
       annotations:
+        openshift.io/required-scc: restricted-v2
         kubectl.kubernetes.io/default-container: manager
       labels:
         control-plane: ssp-operator

data/olm-catalog/ssp-operator.clusterserviceversion.yaml

@@ -368,6 +368,7 @@ spec:
             metadata:
               annotations:
                 kubectl.kubernetes.io/default-container: manager
+                openshift.io/required-scc: restricted-v2
               labels:
                 control-plane: ssp-operator
                 name: ssp-operator

internal/common/labels.go

@@ -15,6 +15,10 @@ const (
 	AppKubernetesManagedByValue string = "ssp-operator"
 )
 
+const (
+	RequiredSCCAnnotationValue = "restricted-v2"
+)
+
 type AppComponent string
 
 func (a AppComponent) String() string {

internal/operands/template-validator/reconcile_test.go

@@ -6,6 +6,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	securityv1 "github.com/openshift/api/security/v1"
 
 	admission "k8s.io/api/admissionregistration/v1"
 	apps "k8s.io/api/apps/v1"
@@ -396,6 +397,18 @@ var _ = Describe("Template validator operand", func() {
 			Entry("with specific nodeAffinity, podAffinity and podAntiAffinity", []func(*common.Request){setNodeAffinity, setPodAffinity, setPodAntiAffinity}, nodeAffinity, podAffinity, mergedPodAntiAffinity),
 		)
 	})
+
+	It("should add openshift.io/required-scc annotation to deployment", func() {
+		_, err := operand.Reconcile(&request)
+		Expect(err).ToNot(HaveOccurred())
+
+		key := client.ObjectKeyFromObject(newDeployment(namespace, replicas, "test-img"))
+		deployment := &apps.Deployment{}
+		Expect(request.Client.Get(request.Context, key, deployment)).To(Succeed())
+
+		Expect(deployment.Annotations).To(HaveKeyWithValue(securityv1.RequiredSCCAnnotation, common.RequiredSCCAnnotationValue))
+		Expect(deployment.Spec.Template.Annotations).To(HaveKeyWithValue(securityv1.RequiredSCCAnnotation, common.RequiredSCCAnnotationValue))
+	})
 })
 
 func updateDeploymentStatus(key client.ObjectKey, request *common.Request, updateFunc func(deploymentStatus *apps.DeploymentStatus)) {

internal/operands/template-validator/resources.go

@@ -3,6 +3,7 @@ package template_validator
 import (
 	"fmt"
 
+	securityv1 "github.com/openshift/api/security/v1"
 	templatev1 "github.com/openshift/api/template/v1"
 	admission "k8s.io/api/admissionregistration/v1"
 	apps "k8s.io/api/apps/v1"
@@ -15,6 +16,7 @@ import (
 	kubevirt "kubevirt.io/api/core"
 	kubevirtv1 "kubevirt.io/api/core/v1"
 
+	"kubevirt.io/ssp-operator/internal/common"
 	"kubevirt.io/ssp-operator/internal/env"
 	common_templates "kubevirt.io/ssp-operator/internal/operands/common-templates"
 	metrics "kubevirt.io/ssp-operator/internal/operands/metrics"
@@ -160,6 +162,9 @@ func newDeployment(namespace string, replicas int32, image string) *apps.Deploym
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      DeploymentName,
 			Namespace: namespace,
+			Annotations: map[string]string{
+				securityv1.RequiredSCCAnnotation: common.RequiredSCCAnnotationValue,
+			},
 			Labels: map[string]string{
 				"name": DeploymentName,
 			},
@@ -171,7 +176,10 @@ func newDeployment(namespace string, replicas int32, image string) *apps.Deploym
 			},
 			Template: core.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:   VirtTemplateValidator,
+					Name: VirtTemplateValidator,
+					Annotations: map[string]string{
+						securityv1.RequiredSCCAnnotation: common.RequiredSCCAnnotationValue,
+					},
 					Labels: podLabels,
 				},
 				Spec: core.PodSpec{

internal/operands/vm-console-proxy/reconcile.go

@@ -6,6 +6,7 @@ import (
 
 	ocpv1 "github.com/openshift/api/config/v1"
 	routev1 "github.com/openshift/api/route/v1"
+	securityv1 "github.com/openshift/api/security/v1"
 	"github.com/openshift/library-go/pkg/crypto"
 	apps "k8s.io/api/apps/v1"
 	core "k8s.io/api/core/v1"
@@ -347,6 +348,8 @@ func reconcileDeployment(deployment apps.Deployment) common.ReconcileFunc {
 	return func(request *common.Request) (common.ReconcileResult, error) {
 		deployment.Namespace = request.Instance.Namespace
 		deployment.Spec.Template.Spec.Containers[0].Image = getVmConsoleProxyImage()
+		metav1.SetMetaDataAnnotation(&deployment.ObjectMeta, securityv1.RequiredSCCAnnotation, common.RequiredSCCAnnotationValue)
+		metav1.SetMetaDataAnnotation(&deployment.Spec.Template.ObjectMeta, securityv1.RequiredSCCAnnotation, common.RequiredSCCAnnotationValue)
 		common.AddAppLabels(request.Instance, operandName, operandComponent, &deployment.Spec.Template.ObjectMeta)
 		return common.CreateOrUpdate(request).
 			NamespacedResource(&deployment).

internal/operands/vm-console-proxy/reconcile_test.go

@@ -7,6 +7,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	securityv1 "github.com/openshift/api/security/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 
 	ocpv1 "github.com/openshift/api/config/v1"
@@ -354,6 +355,18 @@ var _ = Describe("VM Console Proxy Operand", func() {
 		ExpectResourceNotExists(bundle.Deployment, request)
 		ExpectResourceNotExists(bundle.ApiService, request)
 	})
+
+	It("should add openshift.io/required-scc annotation to deployment", func() {
+		_, err := operand.Reconcile(&request)
+		Expect(err).ToNot(HaveOccurred())
+
+		key := client.ObjectKeyFromObject(bundle.Deployment)
+		deployment := &apps.Deployment{}
+		Expect(request.Client.Get(request.Context, key, deployment)).To(Succeed())
+
+		Expect(deployment.Annotations).To(HaveKeyWithValue(securityv1.RequiredSCCAnnotation, common.RequiredSCCAnnotationValue))
+		Expect(deployment.Spec.Template.Annotations).To(HaveKeyWithValue(securityv1.RequiredSCCAnnotation, common.RequiredSCCAnnotationValue))
+	})
 })
 
 func TestVmConsoleProxyBundle(t *testing.T) {

tests/scc_annotation_test.go

@@ -0,0 +1,39 @@
+package tests
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	securityv1 "github.com/openshift/api/security/v1"
+	apps "k8s.io/api/apps/v1"
+	core "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"kubevirt.io/ssp-operator/internal/common"
+)
+
+var _ = Describe("Required SCC annotation", func() {
+	It("[test_id:TODO] SSP pods should have 'openshift.io/required-scc' annotation", func() {
+		deployment := &apps.Deployment{}
+		Expect(apiClient.Get(ctx, types.NamespacedName{
+			Name:      strategy.GetSSPDeploymentName(),
+			Namespace: strategy.GetSSPDeploymentNameSpace(),
+		}, deployment)).To(Succeed())
+
+		selector, err := metav1.LabelSelectorAsSelector(deployment.Spec.Selector)
+		Expect(err).ToNot(HaveOccurred())
+
+		pods := &core.PodList{}
+		Expect(apiClient.List(ctx, pods, client.MatchingLabelsSelector{Selector: selector})).To(Succeed())
+		Expect(pods.Items).ToNot(BeEmpty())
+
+		for _, pod := range pods.Items {
+			Expect(pod.Annotations).To(HaveKeyWithValue(securityv1.RequiredSCCAnnotation, common.RequiredSCCAnnotationValue),
+				"SSP pod %s/%s does not have required annotation",
+				pod.Namespace, pod.Name,
+			)
+		}
+	})
+})