diff --git a/pkg/controllers/resourceexport/reconcile.go b/pkg/controllers/resourceexport/reconcile.go
index 1e6316990..56fb7b4a9 100644
--- a/pkg/controllers/resourceexport/reconcile.go
+++ b/pkg/controllers/resourceexport/reconcile.go
@@ -38,14 +38,6 @@ type updateResourceExportFields struct {
 LargeResourceEnabled bool
 }
-func getAnnotationValue(re *kdmpapi.ResourceExport, key string) string {
- var val string
- if _, ok := re.Annotations[key]; ok {
- val = re.Annotations[key]
- }
- return val
-}
-
 func (c *Controller) process(ctx context.Context, in *kdmpapi.ResourceExport) (bool, error) {
 funct := "resourceExport.process"
 if in == nil {
diff --git a/pkg/drivers/kopiabackup/kopiabackup.go b/pkg/drivers/kopiabackup/kopiabackup.go
index 9ec53af97..2fd6f5e32 100644
--- a/pkg/drivers/kopiabackup/kopiabackup.go
+++ b/pkg/drivers/kopiabackup/kopiabackup.go
@@ -208,6 +208,14 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 }
+ // Check whether job has violated the pod security standard
+ psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+ if psaViolated {
+ utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+ errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+ return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+ }
+
 // Check whether mount point failure
 mountFailed := utils.IsJobPodMountFailed(job, namespace)
 if mountFailed {
diff --git a/pkg/drivers/kopiarestore/kopiarestore.go b/pkg/drivers/kopiarestore/kopiarestore.go
index bc3160e2a..5e700428c 100644
--- a/pkg/drivers/kopiarestore/kopiarestore.go
+++ b/pkg/drivers/kopiarestore/kopiarestore.go
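Review bot: The error string built in the new `psaViolated` branch of the kopiabackup JobStatus hunk tells the operator to check the job pod's description, but the condition it reports is a `FailedCreate` event whose message contains `violates PodSecurity`, which suggests the pod was rejected at admission and may not exist to describe. Pointing at the Job's events is more actionable, e.g. `errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, check the job's events for the rejected fields", namespace, name)`. The same seven lines are repeated in the JobStatus hunks for kopiarestore, nfsbackup, nfscsirestore and nfsrestore, so a shared helper in `utils` would keep the message and the failure handling in one place. JobStatus begins and ends outside this hunk, so whether the caller polls it repeatedly and re-runs `DisplayJobpodLogandEvents` on every call cannot be confirmed from here.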
@@ -116,6 +116,15 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 if err != nil {
 return nil, err
 }
+
+ // Check whether job has violated the pod security standard
+ psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+ if psaViolated {
+ utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+ errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+ return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+ }
+
 // Check whether mount point failure
 mountFailed := utils.IsJobPodMountFailed(job, namespace)
 if mountFailed {
diff --git a/pkg/drivers/nfsbackup/nfsbackup.go b/pkg/drivers/nfsbackup/nfsbackup.go
index 48c6f8e88..6e576d20b 100644
--- a/pkg/drivers/nfsbackup/nfsbackup.go
+++ b/pkg/drivers/nfsbackup/nfsbackup.go
@@ -82,6 +82,13 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 logrus.Errorf("%s: %v", fn, errMsg)
 return nil, fmt.Errorf(errMsg)
 }
+ // Check whether job has violated the pod security standard
+ psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+ if psaViolated {
+ utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+ errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+ return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+ }
 // Check whether mount point failure
 mountFailed := utils.IsJobPodMountFailed(job, namespace)
diff --git a/pkg/drivers/nfscsirestore/nfscsirestore.go b/pkg/drivers/nfscsirestore/nfscsirestore.go
index 3a4d4cd1b..2cc6024db 100644
--- a/pkg/drivers/nfscsirestore/nfscsirestore.go
+++ b/pkg/drivers/nfscsirestore/nfscsirestore.go
@@ -80,6 +80,15 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 logrus.Errorf("%s: %v", fn, errMsg)
 return nil, fmt.Errorf(errMsg)
 }
+
+ // Check whether job has violated the pod security standard
+ psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+ if psaViolated {
+ utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+ errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+ return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+ }
+
 // Check for mount point failure
 mountFailed := utils.IsJobPodMountFailed(job, namespace)
 if mountFailed {
diff --git a/pkg/drivers/nfsrestore/nfsrestore.go b/pkg/drivers/nfsrestore/nfsrestore.go
index fbff30e03..b9be4c7af 100644
--- a/pkg/drivers/nfsrestore/nfsrestore.go
+++ b/pkg/drivers/nfsrestore/nfsrestore.go
@@ -83,6 +83,14 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 logrus.Errorf("%s: %v", fn, errMsg)
 return nil, fmt.Errorf(errMsg)
 }
+ // Check whether job has violated the pod security standard
+ psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+ if psaViolated {
+ utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+ errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+ return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+ }
+
 // Check for mount point failure
 mountFailed := utils.IsJobPodMountFailed(job, namespace)
 if mountFailed {
diff --git a/pkg/drivers/utils/utils.go b/pkg/drivers/utils/utils.go
index feb9048c1..9d4e674f7 100644
--- a/pkg/drivers/utils/utils.go
+++ b/pkg/drivers/utils/utils.go
@@ -889,6 +889,29 @@ func IsJobPodMountFailed(job *batchv1.Job, namespace string) bool {
 return false
 }
+// Check if a job has failed because of podSecurity violation
+func IsJobPodSecurityFailed(job *batchv1.Job, namespace string) bool {
+ fn := "IsJobPodSecurityFailed"
+
+ opts := metav1.ListOptions{
+ FieldSelector: "involvedObject.name=" + string(job.Name),
+ }
+ events, err := core.Instance().ListEvents(namespace, opts)
+ if err != nil {
+ errMsg := fmt.Sprintf("failed to fetch events for job [%s/%s]: %v", namespace, job.Name, err)
+ logrus.Debugf("%s: %v", fn, errMsg)
+ return false
+ }
+ // if the job event reason is Failedcreate due to fobidden podSecurity violation
+ // then return true
+ for _, event := range events.Items {
+ if event.Reason == "FailedCreate" && strings.Contains(event.Message, "violates PodSecurity") {
+ return true
+ }
+ }
+ return false
+}
+
 // DisplayJobpodLogandEvents - Prints the Job pod description, log and events
 func DisplayJobpodLogandEvents(jobName string, namespace string) {
 // Get job from the namespace
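Review bot: The `FieldSelector` in IsJobPodSecurityFailed filters only on `involvedObject.name`, so a `FailedCreate` event that belongs to a different kind of object with the same name, or to an earlier job of that name whose events are still retained, is enough to report this job as a PodSecurity failure. Tying the selector to this job instance avoids that: `FieldSelector: "involvedObject.kind=Job,involvedObject.uid=" + string(job.UID),`. The `ListEvents` error path returns false after a debug-level log, so a service account without permission to list events silently disables the check; logging at warning level would make that visible. The doc comment should start with the function name and say that the match depends on the admission message text, e.g. `// IsJobPodSecurityFailed reports whether the job has a FailedCreate event whose message contains "violates PodSecurity".`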