fix: graceful psp handling

Signed-off-by: Peter Wilcsinszky <[email protected]>

Author: pepov

main.go

@@ -32,8 +32,10 @@ import (
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/discovery"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
@@ -43,6 +45,7 @@ import (
 
 	extensionsControllers "github.com/kube-logging/logging-operator/controllers/extensions"
 	loggingControllers "github.com/kube-logging/logging-operator/controllers/logging"
+	"github.com/kube-logging/logging-operator/pkg/resources"
 	extensionsv1alpha1 "github.com/kube-logging/logging-operator/pkg/sdk/extensions/api/v1alpha1"
 	config "github.com/kube-logging/logging-operator/pkg/sdk/extensions/extensionsconfig"
 	loggingv1alpha1 "github.com/kube-logging/logging-operator/pkg/sdk/logging/api/v1alpha1"
@@ -166,6 +169,10 @@ func main() {
 		os.Exit(1)
 	}
 
+	if !PSPEnabled(mgr.GetConfig()) {
+		setupLog.Info("WARNING PodSecurityPolicies are disabled. Can be enabled manually with PSP_ENABLED=1")
+	}
+
 	loggingReconciler := loggingControllers.NewLoggingReconciler(mgr.GetClient(), ctrl.Log.WithName("logging"))
 
 	if err := (&extensionsControllers.EventTailerReconciler{
@@ -216,6 +223,27 @@ func main() {
 	}
 }
 
+func PSPEnabled(cfg *rest.Config) bool {
+	pspenv := os.Getenv("PSP_ENABLED")
+	if pspenv != "" {
+		return cast.ToBool(pspenv)
+	}
+	dsc, err := discovery.NewDiscoveryClientForConfig(cfg)
+	if err != nil {
+		setupLog.Error(err, "discovery client creation")
+		os.Exit(1)
+	}
+	serverVersion, err := dsc.ServerVersion()
+	if err != nil {
+		setupLog.Error(err, "server version")
+		os.Exit(1)
+	}
+	if cast.ToInt(serverVersion.Major) == 1 && cast.ToInt(serverVersion.Minor) < 25 {
+		resources.PSPEnabled = true
+	}
+	return resources.PSPEnabled
+}
+
 func detectContainerRuntime(ctx context.Context, c client.Reader) error {
 	var nodeList corev1.NodeList
 	if err := c.List(ctx, &nodeList, client.Limit(1)); err != nil {

pkg/resources/features.go

@@ -0,0 +1,17 @@
+// Copyright © 2023 Kube logging authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package resources
+
+var PSPEnabled bool

pkg/resources/fluentbit/fluentbit.go

@@ -117,13 +117,10 @@ func (r *Reconciler) Reconcile() (*reconcile.Result, error) {
 		return nil, err
 	}
 
-	for _, factory := range []resources.Resource{
+	objects := []resources.Resource{
 		r.serviceAccount,
 		r.clusterRole,
 		r.clusterRoleBinding,
-		r.clusterPodSecurityPolicy,
-		r.pspClusterRole,
-		r.pspClusterRoleBinding,
 		r.configSecret,
 		r.daemonSet,
 		r.serviceMetrics,
@@ -132,7 +129,11 @@ func (r *Reconciler) Reconcile() (*reconcile.Result, error) {
 		r.monitorBufferServiceMetrics,
 		r.prometheusRules,
 		r.bufferVolumePrometheusRules,
-	} {
+	}
+	if resources.PSPEnabled {
+		objects = append(objects, r.clusterPodSecurityPolicy, r.pspClusterRole, r.pspClusterRoleBinding)
+	}
+	for _, factory := range objects {
 		o, state, err := factory()
 		if err != nil {
 			return nil, errors.WrapIf(err, "failed to create desired object")

pkg/resources/fluentd/fluentd.go

@@ -102,16 +102,19 @@ func (r *Reconciler) Reconcile() (*reconcile.Result, error) {
 	ctx := context.Background()
 	patchBase := client.MergeFrom(r.Logging.DeepCopy())
 
-	for _, res := range []resources.Resource{
+	objects := []resources.Resource{
 		r.serviceAccount,
 		r.role,
 		r.roleBinding,
 		r.clusterRole,
 		r.clusterRoleBinding,
-		r.clusterPodSecurityPolicy,
-		r.pspRole,
-		r.pspRoleBinding,
-	} {
+	}
+
+	if resources.PSPEnabled {
+		objects = append(objects, r.clusterPodSecurityPolicy, r.pspRole, r.pspRoleBinding)
+	}
+
+	for _, res := range objects {
 		o, state, err := res()
 		if err != nil {
 			return nil, errors.WrapIf(err, "failed to create desired object")

pkg/resources/nodeagent/nodeagent.go

@@ -343,18 +343,19 @@ func (r *Reconciler) processAgent(name string, userDefinedAgent v1beta1.NodeAgen
 
 // Reconcile reconciles the nodeAgentInstance resource
 func (n *nodeAgentInstance) Reconcile() (*reconcile.Result, error) {
-	for _, factory := range []resources.Resource{
+	objects := []resources.Resource{
 		n.serviceAccount,
 		n.clusterRole,
 		n.clusterRoleBinding,
-		n.clusterPodSecurityPolicy,
-		n.pspClusterRole,
-		n.pspClusterRoleBinding,
 		n.configSecret,
 		n.daemonSet,
 		n.serviceMetrics,
 		n.monitorServiceMetrics,
-	} {
+	}
+	if resources.PSPEnabled {
+		objects = append(objects, n.clusterPodSecurityPolicy, n.pspClusterRole, n.pspClusterRoleBinding)
+	}
+	for _, factory := range objects {
 		o, state, err := factory()
 		if err != nil {
 			return nil, errors.WrapIf(err, "failed to create desired object")