p/o/podsecurityreadinesscontroller: add disabled syncer

Author: ibihim

pkg/operator/podsecurityreadinesscontroller/conditions.go

@@ -5,6 +5,7 @@ import (
 	"sort"
 	"strings"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 
@@ -13,9 +14,12 @@ import (
 )
 
 const (
-	PodSecurityCustomerType     = "PodSecurityCustomerEvaluationConditionsDetected"
-	PodSecurityOpenshiftType    = "PodSecurityOpenshiftEvaluationConditionsDetected"
-	PodSecurityRunLevelZeroType = "PodSecurityRunLevelZeroEvaluationConditionsDetected"
+	PodSecurityCustomerType       = "PodSecurityCustomerEvaluationConditionsDetected"
+	PodSecurityOpenshiftType      = "PodSecurityOpenshiftEvaluationConditionsDetected"
+	PodSecurityRunLevelZeroType   = "PodSecurityRunLevelZeroEvaluationConditionsDetected"
+	PodSecurityDisabledSyncerType = "PodSecurityDisabledSyncerEvaluationConditionsDetected"
+
+	labelSyncControlLabel = "security.openshift.io/scc.podSecurityLabelSync"
 )
 
 var (
@@ -28,24 +32,31 @@ var (
 )
 
 type podSecurityOperatorConditions struct {
-	violatingOpenShiftNamespaces    []string
-	violatingRunLevelZeroNamespaces []string
-	violatingCustomerNamespaces     []string
+	violatingOpenShiftNamespaces      []string
+	violatingRunLevelZeroNamespaces   []string
+	violatingCustomerNamespaces       []string
+	violatingDisabledSyncerNamespaces []string
 }
 
-func (c *podSecurityOperatorConditions) addViolation(name string) {
-	if runLevelZeroNamespaces.Has(name) {
-		c.violatingRunLevelZeroNamespaces = append(c.violatingRunLevelZeroNamespaces, name)
+func (c *podSecurityOperatorConditions) addViolation(ns *corev1.Namespace) {
+	if runLevelZeroNamespaces.Has(ns.Name) {
+		c.violatingRunLevelZeroNamespaces = append(c.violatingRunLevelZeroNamespaces, ns.Name)
 		return
 	}
 
-	isOpenShift := strings.HasPrefix(name, "openshift")
+	isOpenShift := strings.HasPrefix(ns.Name, "openshift")
 	if isOpenShift {
-		c.violatingOpenShiftNamespaces = append(c.violatingOpenShiftNamespaces, name)
+		c.violatingOpenShiftNamespaces = append(c.violatingOpenShiftNamespaces, ns.Name)
+		return
+	}
+
+	if ns.Labels[labelSyncControlLabel] == "false" {
+		// This is the only case in which the controller wouldn't enforce the pod security standards.
+		c.violatingDisabledSyncerNamespaces = append(c.violatingDisabledSyncerNamespaces, ns.Name)
 		return
 	}
 
-	c.violatingCustomerNamespaces = append(c.violatingCustomerNamespaces, name)
+	c.violatingCustomerNamespaces = append(c.violatingCustomerNamespaces, ns.Name)
 }
 
 func makeCondition(conditionType string, namespaces []string) operatorv1.OperatorCondition {
@@ -76,5 +87,6 @@ func (c *podSecurityOperatorConditions) toConditionFuncs() []v1helpers.UpdateSta
 		v1helpers.UpdateConditionFn(makeCondition(PodSecurityCustomerType, c.violatingCustomerNamespaces)),
 		v1helpers.UpdateConditionFn(makeCondition(PodSecurityOpenshiftType, c.violatingOpenShiftNamespaces)),
 		v1helpers.UpdateConditionFn(makeCondition(PodSecurityRunLevelZeroType, c.violatingRunLevelZeroNamespaces)),
+		v1helpers.UpdateConditionFn(makeCondition(PodSecurityDisabledSyncerType, c.violatingDisabledSyncerNamespaces)),
 	}
 }

pkg/operator/podsecurityreadinesscontroller/conditions_test.go

@@ -4,6 +4,8 @@ import (
 	"testing"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestCondition(t *testing.T) {
@@ -62,8 +64,184 @@ func TestCondition(t *testing.T) {
 		}
 	})
 
-	t.Run("without anything", func(t *testing.T) {
-		cond := podSecurityOperatorConditions{}
-		cond.addViolation("hello world")
-	})
+}
+
+func TestOperatorStatus(t *testing.T) {
+	for _, tt := range []struct {
+		name      string
+		namespace []*corev1.Namespace
+		expected  map[string]operatorv1.ConditionStatus
+	}{
+		{
+			name: "with default namespace",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "syncer-by-default",
+					},
+				},
+			},
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionTrue,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+			},
+		},
+		{
+			name: "with customer disabled syncer",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "syncer-no-thx",
+						Labels: map[string]string{
+							"security.openshift.io/scc.podSecurityLabelSync": "false",
+						},
+					},
+				},
+			},
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionTrue,
+			},
+		},
+		{
+			name: "with customer re-enabled syncer",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "syncer-yes-plz",
+						Labels: map[string]string{
+							"security.openshift.io/scc.podSecurityLabelSync": "true",
+						},
+					},
+				},
+			},
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionTrue,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+			},
+		},
+		{
+			name: "with openshift namespace",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-fail",
+					},
+				},
+			},
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionTrue,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+			},
+		},
+		{
+			name: "with run-level 0 namespace",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "kube-system",
+					},
+				},
+			},
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionTrue,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+			},
+		},
+		{
+			name: "with other customer types in combination",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "foobar",
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "foobar",
+						Labels: map[string]string{
+							"security.openshift.io/scc.podSecurityLabelSync": "false",
+						},
+					},
+				},
+			},
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionTrue,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionTrue,
+			},
+		},
+		{
+			name: "with other system types in combination",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-namespace",
+						Labels: map[string]string{
+							"pod-security.kubernetes.io/audit":         "restricted",
+							"pod-security.kubernetes.io/audit-version": "v1.24",
+							"pod-security.kubernetes.io/warn":          "restricted",
+							"pod-security.kubernetes.io/warn-version":  "v1.24",
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:   "kube-system",
+						Labels: map[string]string{},
+					},
+				},
+			},
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionTrue,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionTrue,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+			},
+		},
+	} {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			cond := podSecurityOperatorConditions{}
+
+			for _, ns := range tt.namespace {
+				cond.addViolation(ns)
+			}
+
+			status := &operatorv1.OperatorStatus{}
+			for _, f := range cond.toConditionFuncs() {
+				if err := f(status); err != nil {
+					t.Fatalf("unexpected error: %v", err)
+				}
+			}
+
+			for expectedType, expectedStatus := range tt.expected {
+				found := false
+
+				for _, condition := range status.Conditions {
+					if condition.Type == expectedType {
+						found = true
+						if condition.Status != expectedStatus {
+							t.Errorf("expected %s to be %v, have %v", expectedType, expectedStatus, condition.Status)
+						}
+					}
+				}
+
+				if !found {
+					t.Errorf("expected condition %s not found", expectedType)
+				}
+			}
+		})
+	}
 }

pkg/operator/podsecurityreadinesscontroller/podsecurityreadinesscontroller.go

@@ -79,7 +79,7 @@ func (c *PodSecurityReadinessController) sync(ctx context.Context, syncCtx facto
 				return err
 			}
 			if isViolating {
-				conditions.addViolation(ns.Name)
+				conditions.addViolation(&ns)
 			}
 
 			return nil