Allow Controller SA to modify SCC

sats-23 · sats-23 · commit 4f627f328545 · 2025-09-17T18:59:19.000+05:30
diff --git a/cmd/main.go b/cmd/main.go
@@ -25,6 +25,7 @@ import (
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
+	securityv1 "github.com/openshift/api/security/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -49,6 +50,7 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	utilruntime.Must(rsctv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(securityv1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
diff --git a/internal/controller/service_account.go b/internal/controller/service_account.go
@@ -20,13 +20,14 @@ import (
 	"context"
 	"fmt"
 
+	operatorv1alpha1 "github.com/ocp-power-automation/rsct-operator/api/v1alpha1"
+	securityv1 "github.com/openshift/api/security/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
-	operatorv1alpha1 "github.com/ocp-power-automation/rsct-operator/api/v1alpha1"
 )
 
 // ensureRSCTServiceAccount ensures that the RSCT service account exists.
@@ -54,7 +55,7 @@ func (r *RSCTReconciler) ensureRSCTServiceAccount(ctx context.Context, rsct *ope
 	return true, current, nil
 }
 
-// currentRSCTServiceAccount gets the current RSCT service account resource.
+// currentRSCTServiceAccount gets the current RSCT service account resource and ensures it has privileged SCC.
 func (r *RSCTReconciler) currentRSCTServiceAccount(ctx context.Context, nsName types.NamespacedName) (bool, *corev1.ServiceAccount, error) {
 	sa := &corev1.ServiceAccount{}
 	if err := r.Client.Get(ctx, nsName, sa); err != nil {
@@ -63,9 +64,35 @@ func (r *RSCTReconciler) currentRSCTServiceAccount(ctx context.Context, nsName t
 		}
 		return false, nil, err
 	}
+
+	scc := &securityv1.SecurityContextConstraints{}
+	if err := r.Client.Get(ctx, types.NamespacedName{Name: "privileged"}, scc); err != nil {
+		return true, sa, fmt.Errorf("error getting privileged SCC: %w", err)
+	}
+
+	saUser := fmt.Sprintf("system:serviceaccount:%s:%s", nsName.Namespace, nsName.Name)
+
+	if !contains(scc.Users, saUser) {
+		patch := client.MergeFrom(scc.DeepCopy())
+		scc.Users = append(scc.Users, saUser)
+
+		if err := r.Client.Patch(ctx, scc, patch); err != nil {
+			return true, sa, fmt.Errorf("failed to patch privileged SCC: %w", err)
+		}
+	}
+
 	return true, sa, nil
 }
 
+func contains(list []string, s string) bool {
+	for _, v := range list {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
+
 // desiredRSCTServiceAccount returns the desired serivce account resource.
 func desiredRSCTServiceAccount(nsName types.NamespacedName) *corev1.ServiceAccount {
 	return &corev1.ServiceAccount{
