From 6bcc8fae86ee7d7b5d49f8e3e3c90905eb321e91 Mon Sep 17 00:00:00 2001
From: Levan Machablishvili
Date: Tue, 17 Jan 2023 17:03:41 -0500
Subject: [PATCH 1/3] Avoid PodSecurityPolicy cleanup if the resource is not supported by Kubernetes API.
---
 controllers/datadogagent/dependencies/store.go | 4 ++--
 pkg/kubernetes/const.go | 7 +++++--
 pkg/kubernetes/platforminfo.go | 13 +++++++++++++
 pkg/kubernetes/platforminfo_test.go | 17 +++++++++++++++++
 4 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/controllers/datadogagent/dependencies/store.go b/controllers/datadogagent/dependencies/store.go
index 0bba69cd8..ec99525b5 100644
--- a/controllers/datadogagent/dependencies/store.go
+++ b/controllers/datadogagent/dependencies/store.go
@@ -264,7 +264,7 @@ func (ds *Store) Cleanup(ctx context.Context, k8sClient client.Client, ddaNs, dd
 listOptions := &client.ListOptions{
 LabelSelector: labels.NewSelector().Add(*requirementLabel),
 }
- for _, kind := range kubernetes.GetResourcesKind(ds.supportCilium) {
+ for _, kind := range ds.platformInfo.GetAgentResourcesKind(ds.supportCilium) {
 objList := kubernetes.ObjectListFromKind(kind, ds.platformInfo)
 if err := k8sClient.List(ctx, objList, listOptions); err != nil {
 errs = append(errs, err)
@@ -294,7 +294,7 @@ func (ds *Store) DeleteAll(ctx context.Context, k8sClient client.Client) []error
 var objsToDelete []client.Object
- for _, kind := range kubernetes.GetResourcesKind(ds.supportCilium) {
+ for _, kind := range ds.platformInfo.GetAgentResourcesKind(ds.supportCilium) {
 requirementLabel, _ := labels.NewRequirement(operatorStoreLabelKey, selection.Exists, nil)
 listOptions := &client.ListOptions{
 LabelSelector: labels.NewSelector().Add(*requirementLabel),
diff --git a/pkg/kubernetes/const.go b/pkg/kubernetes/const.go
index 17d820c6d..21c0d3ef4 100644
--- a/pkg/kubernetes/const.go
+++ b/pkg/kubernetes/const.go
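Review bot: The new loop header makes Cleanup depend on ds.platformInfo being non-nil, because GetAgentResourcesKind calls supportsPSP, which reads platformInfo.apiOtherVersions through the receiver and would panic with a nil pointer dereference before the List call runs; the DeleteAll hunk below has the same dependency. The replaced kubernetes.GetResourcesKind call needed no receiver, and whether ObjectListFromKind on the next line already dereferences ds.platformInfo cannot be told from here. If Store is always constructed with a PlatformInfo, state that on the field, e.g. `// platformInfo must be non-nil: Cleanup and DeleteAll derive the managed resource kinds from it.`; otherwise guard before the loop. Both enclosing functions start and end outside their hunks.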
@@ -57,7 +57,7 @@ const (
 )
 // GetResourcesKind return the list of all possible ObjectKind supported as DatadogAgent dependencies
-func GetResourcesKind(withCiliumResources bool) []ObjectKind {
+func getResourcesKind(withCiliumResources, withPodSecurityPolicy bool) []ObjectKind {
 resources := []ObjectKind{
 ConfigMapKind,
 ClusterRolesKind,
@@ -71,7 +71,6 @@ func GetResourcesKind(withCiliumResources bool) []ObjectKind {
 ServiceAccountsKind,
 PodDisruptionBudgetsKind,
 NetworkPoliciesKind,
- PodSecurityPoliciesKind,
 // SecurityContextConstraintsKind,
 }
@@ -79,5 +78,9 @@ func GetResourcesKind(withCiliumResources bool) []ObjectKind {
 resources = append(resources, CiliumNetworkPoliciesKind)
 }
+ if withPodSecurityPolicy {
+ resources = append(resources, PodSecurityPoliciesKind)
+ }
+
 return resources
 }
diff --git a/pkg/kubernetes/platforminfo.go b/pkg/kubernetes/platforminfo.go
index c236bc061..067457c7c 100644
--- a/pkg/kubernetes/platforminfo.go
+++ b/pkg/kubernetes/platforminfo.go
@@ -87,3 +87,16 @@ func (platformInfo *PlatformInfo) CreatePDBObjectList() client.ObjectList {
 return &policyv1.PodDisruptionBudgetList{}
 }
 }
+
+func (platformInfo *PlatformInfo) GetAgentResourcesKind(withCiliumResources bool) []ObjectKind {
+ return getResourcesKind(withCiliumResources, platformInfo.supportsPSP())
+}
+
+func (platformInfo *PlatformInfo) supportsPSP() bool {
+ if platformInfo.apiOtherVersions == nil || platformInfo.apiPreferredVersions == nil {
+ return true
+ }
+ _, ok1 := platformInfo.apiOtherVersions["PodSecurityPolicy"]
+ _, ok2 := platformInfo.apiPreferredVersions["PodSecurityPolicy"]
+ return ok1 || ok2
+}
diff --git a/pkg/kubernetes/platforminfo_test.go b/pkg/kubernetes/platforminfo_test.go
index d3195bbd2..6ade148a8 100644
--- a/pkg/kubernetes/platforminfo_test.go
+++ b/pkg/kubernetes/platforminfo_test.go
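Review bot: The doc comment kept as context above the renamed function still reads `// GetResourcesKind return the list of all possible ObjectKind supported as DatadogAgent dependencies`, while the function is now getResourcesKind with a second parameter the comment does not mention; Go doc tooling expects the comment to begin with the function's name. Suggested replacement: `// getResourcesKind returns the list of all possible ObjectKind supported as DatadogAgent dependencies; PodSecurityPoliciesKind is appended only when withPodSecurityPolicy is true.` The two later hunks in this file (dropping PodSecurityPoliciesKind from the literal and appending it conditionally) are consistent with this, though the kind now follows CiliumNetworkPoliciesKind in the returned slice instead of preceding the SecurityContextConstraintsKind placeholder, which only matters if a caller relies on ordering.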
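Review bot: supportsPSP returns true whenever apiOtherVersions or apiPreferredVersions is nil, so a PlatformInfo carrying no discovery data makes GetAgentResourcesKind include PodSecurityPoliciesKind and the store will still try to list a kind that is absent on clusters where the PodSecurityPolicy API was removed, which is the failure this series sets out to avoid; presumably this keeps the pre-change behaviour when discovery is unavailable, but nothing in the hunk says so. With `||` one nil map short-circuits to true without consulting the other, which matters only if the two maps can be populated independently. Neither method has a doc comment; suggested `// GetAgentResourcesKind returns the dependency kinds the operator manages for the agent, adding PodSecurityPoliciesKind only when the cluster advertises the PodSecurityPolicy API.` and `// supportsPSP reports whether discovery lists PodSecurityPolicy in either version map; without discovery data it defaults to true, preserving the previous always-clean-up behaviour.` The `"PodSecurityPolicy"` key repeated on the two lookups would read better as a package constant, since both maps are keyed by Kind name.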
@@ -94,16 +94,19 @@ func Test_getPDBFlag(t *testing.T) {
 preferred map[string]string
 other map[string]string
 useV1Beta1PDB bool
+ supportsPSP bool
 }{
 {
 name: "Chooses preferred version of PodDisruptionBudget",
 preferred: map[string]string{
 "PodDisruptionBudget": "policy/v1",
+ "PodSecurityPolicy": "anything",
 },
 other: map[string]string{
 "PodDisruptionBudget": "policy/v1beta1",
 },
 useV1Beta1PDB: false,
+ supportsPSP: false,
 },
 {
 name: "Chooses preferred version of PodDisruptionBudget",
@@ -112,8 +115,10 @@ func Test_getPDBFlag(t *testing.T) {
 },
 other: map[string]string{
 "PodDisruptionBudget": "policy/v1",
+ "PodSecurityPolicy": "anything",
 },
 useV1Beta1PDB: true,
+ supportsPSP: true,
 },
 {
 name: "Unrecognized preferred version, defaults to v1",
@@ -122,6 +127,7 @@ func Test_getPDBFlag(t *testing.T) {
 },
 other: map[string]string{},
 useV1Beta1PDB: false,
+ supportsPSP: false,
 },
 }
@@ -129,6 +135,8 @@ func Test_getPDBFlag(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 platformInfo := NewPlatformInfoFromVersionMaps(nil, tt.preferred, tt.other)
 assert.Equal(t, tt.useV1Beta1PDB, platformInfo.UseV1Beta1PDB())
+ assert.Equal(t, tt.supportsPSP, platformInfo.supportsPSP())
+ assert.Equal(t, tt.supportsPSP, containsObjectKind(platformInfo.GetAgentResourcesKind(false), "PodDisruptionBudget"))
 })
 }
 }
@@ -168,3 +176,12 @@ func newApiGroupPointer(apiGroup v1.APIGroup) *v1.APIGroup {
 func newApiResourceListPointer(apiResourceList v1.APIResourceList) *v1.APIResourceList {
 return &apiResourceList
 }
+
+func containsObjectKind(list []ObjectKind, s ObjectKind) bool {
+ for _, v := range list {
+ if v == s {
+ return true
+ }
+ }
+ return false
+}
From aab4a68f9d9be05ee8ab37f5929afffeb00ec2fd Mon Sep 17 00:00:00 2001
From: Levan Machablishvili
Date: Tue, 17 Jan 2023 17:39:17 -0500
Subject: [PATCH 2/3] Fix test
---
 pkg/kubernetes/platforminfo_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/kubernetes/platforminfo_test.go b/pkg/kubernetes/platforminfo_test.go
index 6ade148a8..dd16db11b 100644
--- a/pkg/kubernetes/platforminfo_test.go
+++ b/pkg/kubernetes/platforminfo_test.go
@@ -106,7 +106,7 @@ func Test_getPDBFlag(t *testing.T) {
 "PodDisruptionBudget": "policy/v1beta1",
 },
 useV1Beta1PDB: false,
- supportsPSP: false,
+ supportsPSP: true,
 },
 {
 name: "Chooses preferred version of PodDisruptionBudget",
@@ -136,7 +136,7 @@ func Test_getPDBFlag(t *testing.T) {
 platformInfo := NewPlatformInfoFromVersionMaps(nil, tt.preferred, tt.other)
 assert.Equal(t, tt.useV1Beta1PDB, platformInfo.UseV1Beta1PDB())
 assert.Equal(t, tt.supportsPSP, platformInfo.supportsPSP())
- assert.Equal(t, tt.supportsPSP, containsObjectKind(platformInfo.GetAgentResourcesKind(false), "PodDisruptionBudget"))
+ assert.Equal(t, tt.supportsPSP, containsObjectKind(platformInfo.GetAgentResourcesKind(false), PodSecurityPoliciesKind))
 })
 }
 }
From 15987271c0a93f7ccb27c3803e98323d3a09926a Mon Sep 17 00:00:00 2001
From: Levan Machablishvili
Date: Thu, 19 Jan 2023 09:53:23 -0500
Subject: [PATCH 3/3] Fix variable names
---
 pkg/kubernetes/platforminfo.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/kubernetes/platforminfo.go b/pkg/kubernetes/platforminfo.go
index 067457c7c..9f90e8551 100644
--- a/pkg/kubernetes/platforminfo.go
+++ b/pkg/kubernetes/platforminfo.go
@@ -96,7 +96,7 @@ func (platformInfo *PlatformInfo) supportsPSP() bool {
 if platformInfo.apiOtherVersions == nil || platformInfo.apiPreferredVersions == nil {
 return true
 }
- _, ok1 := platformInfo.apiOtherVersions["PodSecurityPolicy"]
- _, ok2 := platformInfo.apiPreferredVersions["PodSecurityPolicy"]
- return ok1 || ok2
+ _, otherExists := platformInfo.apiOtherVersions["PodSecurityPolicy"]
+ _, preferredExists := platformInfo.apiPreferredVersions["PodSecurityPolicy"]
+ return otherExists || preferredExists
 }
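Review bot: The updated assertion now checks PodSecurityPoliciesKind against three cases with populated maps, but the supportsPSP branch that returns true when apiOtherVersions or apiPreferredVersions is nil has no table row, and that branch is what decides whether PSP cleanup is attempted when discovery data is absent. Whether NewPlatformInfoFromVersionMaps(nil, nil, nil) leaves the maps nil cannot be told from this hunk; if it does, a row with `preferred: nil, other: nil, supportsPSP: true` covers it. The two rows both named `"Chooses preferred version of PodDisruptionBudget"` predate this series but make the t.Run output ambiguous when one of them fails. Test_getPDBFlag starts outside the hunk.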