
Commit 48421a0

Inject SCC within reconcile logic
1 parent 952f2bf commit 48421a0

1 file changed

+35
-3
lines changed


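--- a/internal/controller/service_account.go
+++ b/internal/controller/service_account.go
@@ -20,13 +20,13 @@ import (
 "context"
 "fmt"
 
+operatorv1alpha1 "github.com/ocp-power-automation/rsct-operator/api/v1alpha1"
+securityv1 "github.com/openshift/api/security/v1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
-operatorv1alpha1 "github.com/ocp-power-automation/rsct-operator/api/v1alpha1"
 )
 
 // ensureRSCTServiceAccount ensures that the RSCT service account exists.
@@ -54,7 +54,7 @@ func (r *RSCTReconciler) ensureRSCTServiceAccount(ctx context.Context, rsct *ope
 return true, current, nil
 }
 
-// currentRSCTServiceAccount gets the current RSCT service account resource.
+// currentRSCTServiceAccount gets the current RSCT service account resource and ensures it has privileged SCC.
 func (r *RSCTReconciler) currentRSCTServiceAccount(ctx context.Context, nsName types.NamespacedName) (bool, *corev1.ServiceAccount, error) {
 sa := &corev1.ServiceAccount{}
 if err := r.Client.Get(ctx, nsName, sa); err != nil {
@@ -63,9 +63,41 @@ func (r *RSCTReconciler) currentRSCTServiceAccount(ctx context.Context, nsName t
 }
 return false, nil, err
 }
+
+// Try to get the privileged SCC; if not found, skip SCC logic (not OpenShift)
+scc := &securityv1.SecurityContextConstraints{}
+err := r.Client.Get(ctx, types.NamespacedName{Name: "privileged"}, scc)
+if err != nil {
+// If SCC resource type not found, skip (not OpenShift)
+if errors.IsNotFound(err) || isNoMatchError(err) {
+return true, sa, nil
+}
+return true, sa, fmt.Errorf("error getting privileged SCC: %w", err)
+}
+
+saUser := fmt.Sprintf("system:serviceaccount:%s:%s", nsName.Namespace, nsName.Name)
+found := false
+for _, user := range scc.Users {
+if user == saUser {
+found = true
+break
+}
+}
+if !found {
+scc.Users = append(scc.Users, saUser)
+if err := r.Client.Update(ctx, scc); err != nil {
+return true, sa, fmt.Errorf("failed to update privileged SCC: %w", err)
+}
+}
+
 return true, sa, nil
 }
 
+// isNoMatchError checks if the error is a NoMatchError (resource not registered, i.e., not OpenShift)
+func isNoMatchError(err error) bool {
+return err != nil && (err.Error() == "no matches for kind \"SecurityContextConstraints\" in group \"security.openshift.io\"")
+}
+
 // desiredRSCTServiceAccount returns the desired serivce account resource.
 func desiredRSCTServiceAccount(nsName types.NamespacedName) *corev1.ServiceAccount {
 return &corev1.ServiceAccount{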
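Review bot: Appending the service account to the `users` list of the built-in `privileged` SCC (new lines 86–91) grants that SA unrestricted pod admission cluster-wide, requires the operator's own RBAC to allow updating securitycontextconstraints (an effectively cluster-admin-level permission), mutates a cluster-default object, and nothing in this commit ever removes the entry when the RSCT resource is deleted, so the grant outlives the operand. The OpenShift-documented pattern is a ClusterRole with verb `use` and `resourceNames: ["privileged"]` bound to the SA through a RoleBinding, which keeps the grant declarative, owner-referenced and revocable without touching the SCC. Separately, `isNoMatchError` (new line 98) compares the error text byte-for-byte, which is brittle and, as far as I can tell, will neither match the RESTMapper's actual NoKindMatchError wording nor the distinct "no kind is registered" error returned when securityv1 is absent from the scheme; prefer `return meta.IsNoMatchError(err) || runtime.IsNotRegisteredError(err)` using `k8s.io/apimachinery/pkg/api/meta` and `k8s.io/apimachinery/pkg/runtime`. The unconditional `r.Client.Update` on a shared cluster object can also fail with a 409 conflict when another controller edits the same SCC, so wrapping it in `retry.RetryOnConflict` or using a merge patch would be more robust. The first hunk's import block and `ensureRSCTServiceAccount` are only partially visible here.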
