Add support for checking new MinimallySufficientPodSecurityStandard

annotation when determining whether a namespace would be violating -
falling back to existing check for PSA Audit and Warn labels if it is
not set.

Add support for tracking namespaces where Pod Security Admission
evaluations are inconclusive with a new condition type.

Add relevant tests.

Author: jacobsee

pkg/operator/podsecurityreadinesscontroller/conditions.go

@@ -18,8 +18,12 @@ const (
 	PodSecurityOpenshiftType      = "PodSecurityOpenshiftEvaluationConditionsDetected"
 	PodSecurityRunLevelZeroType   = "PodSecurityRunLevelZeroEvaluationConditionsDetected"
 	PodSecurityDisabledSyncerType = "PodSecurityDisabledSyncerEvaluationConditionsDetected"
+	PodSecurityInconclusiveType   = "PodSecurityInconclusiveEvaluationConditionsDetected"
 
 	labelSyncControlLabel = "security.openshift.io/scc.podSecurityLabelSync"
+
+	violationReason    = "PSViolationsDetected"
+	inconclusiveReason = "PSViolationDecisionInconclusive"
 )
 
 var (
@@ -36,6 +40,7 @@ type podSecurityOperatorConditions struct {
 	violatingRunLevelZeroNamespaces   []string
 	violatingCustomerNamespaces       []string
 	violatingDisabledSyncerNamespaces []string
+	inconclusiveNamespaces            []string
 }
 
 func (c *podSecurityOperatorConditions) addViolation(ns *corev1.Namespace) {
@@ -59,16 +64,31 @@ func (c *podSecurityOperatorConditions) addViolation(ns *corev1.Namespace) {
 	c.violatingCustomerNamespaces = append(c.violatingCustomerNamespaces, ns.Name)
 }
 
-func makeCondition(conditionType string, namespaces []string) operatorv1.OperatorCondition {
+func (c *podSecurityOperatorConditions) addInconclusive(ns *corev1.Namespace) {
+	c.inconclusiveNamespaces = append(c.inconclusiveNamespaces, ns.Name)
+}
+
+func makeCondition(conditionType, conditionReason string, namespaces []string) operatorv1.OperatorCondition {
+	var messageFormatter string
+
+	switch conditionReason {
+	case violationReason:
+		messageFormatter = "Violations detected in namespaces: %v"
+	case inconclusiveReason:
+		messageFormatter = "Could not evaluate violations for namespaces: %v"
+	default:
+		messageFormatter = "Unexpected condition for namespace: %v"
+	}
+
 	if len(namespaces) > 0 {
 		sort.Strings(namespaces)
 		return operatorv1.OperatorCondition{
 			Type:               conditionType,
 			Status:             operatorv1.ConditionTrue,
 			LastTransitionTime: metav1.Now(),
-			Reason:             "PSViolationsDetected",
+			Reason:             conditionReason,
 			Message: fmt.Sprintf(
-				"Violations detected in namespaces: %v",
+				messageFormatter,
 				namespaces,
 			),
 		}
@@ -84,9 +104,10 @@ func makeCondition(conditionType string, namespaces []string) operatorv1.Operato
 
 func (c *podSecurityOperatorConditions) toConditionFuncs() []v1helpers.UpdateStatusFunc {
 	return []v1helpers.UpdateStatusFunc{
-		v1helpers.UpdateConditionFn(makeCondition(PodSecurityCustomerType, c.violatingCustomerNamespaces)),
-		v1helpers.UpdateConditionFn(makeCondition(PodSecurityOpenshiftType, c.violatingOpenShiftNamespaces)),
-		v1helpers.UpdateConditionFn(makeCondition(PodSecurityRunLevelZeroType, c.violatingRunLevelZeroNamespaces)),
-		v1helpers.UpdateConditionFn(makeCondition(PodSecurityDisabledSyncerType, c.violatingDisabledSyncerNamespaces)),
+		v1helpers.UpdateConditionFn(makeCondition(PodSecurityCustomerType, violationReason, c.violatingCustomerNamespaces)),
+		v1helpers.UpdateConditionFn(makeCondition(PodSecurityOpenshiftType, violationReason, c.violatingOpenShiftNamespaces)),
+		v1helpers.UpdateConditionFn(makeCondition(PodSecurityRunLevelZeroType, violationReason, c.violatingRunLevelZeroNamespaces)),
+		v1helpers.UpdateConditionFn(makeCondition(PodSecurityDisabledSyncerType, violationReason, c.violatingDisabledSyncerNamespaces)),
+		v1helpers.UpdateConditionFn(makeCondition(PodSecurityInconclusiveType, inconclusiveReason, c.inconclusiveNamespaces)),
 	}
 }

pkg/operator/podsecurityreadinesscontroller/conditions_test.go

@@ -9,7 +9,7 @@ import (
 )
 
 func TestCondition(t *testing.T) {
-	t.Run("with namespaces", func(t *testing.T) {
+	t.Run("with violating namespaces", func(t *testing.T) {
 		namespaces := []string{"namespace1", "namespace2"}
 		expectedCondition := operatorv1.OperatorCondition{
 			Type:    PodSecurityCustomerType,
@@ -18,7 +18,35 @@ func TestCondition(t *testing.T) {
 			Message: "Violations detected in namespaces: [namespace1 namespace2]",
 		}
 
-		condition := makeCondition(PodSecurityCustomerType, namespaces)
+		condition := makeCondition(PodSecurityCustomerType, violationReason, namespaces)
+
+		if condition.Type != expectedCondition.Type {
+			t.Errorf("expected condition type %s, got %s", expectedCondition.Type, condition.Type)
+		}
+
+		if condition.Status != expectedCondition.Status {
+			t.Errorf("expected condition status %s, got %s", expectedCondition.Status, condition.Status)
+		}
+
+		if condition.Reason != expectedCondition.Reason {
+			t.Errorf("expected condition reason %s, got %s", expectedCondition.Reason, condition.Reason)
+		}
+
+		if condition.Message != expectedCondition.Message {
+			t.Errorf("expected condition message %s, got %s", expectedCondition.Message, condition.Message)
+		}
+	})
+
+	t.Run("with inconclusive namespaces", func(t *testing.T) {
+		namespaces := []string{"namespace1", "namespace2"}
+		expectedCondition := operatorv1.OperatorCondition{
+			Type:    PodSecurityCustomerType,
+			Status:  operatorv1.ConditionTrue,
+			Reason:  "PSViolationDecisionInconclusive",
+			Message: "Could not evaluate violations for namespaces: [namespace1 namespace2]",
+		}
+
+		condition := makeCondition(PodSecurityCustomerType, inconclusiveReason, namespaces)
 
 		if condition.Type != expectedCondition.Type {
 			t.Errorf("expected condition type %s, got %s", expectedCondition.Type, condition.Type)
@@ -45,7 +73,7 @@ func TestCondition(t *testing.T) {
 			Reason: "ExpectedReason",
 		}
 
-		condition := makeCondition(PodSecurityCustomerType, namespaces)
+		condition := makeCondition(PodSecurityCustomerType, violationReason, namespaces)
 
 		if condition.Type != expectedCondition.Type {
 			t.Errorf("expected condition type %s, got %s", expectedCondition.Type, condition.Type)
@@ -68,28 +96,32 @@ func TestCondition(t *testing.T) {
 
 func TestOperatorStatus(t *testing.T) {
 	for _, tt := range []struct {
-		name      string
-		namespace []*corev1.Namespace
-		expected  map[string]operatorv1.ConditionStatus
+		name                          string
+		namespace                     []*corev1.Namespace
+		expected                      map[string]operatorv1.ConditionStatus
+		addViolation, addInconclusive bool
 	}{
 		{
-			name: "with default namespace",
+			name: "with violating default namespace",
 			namespace: []*corev1.Namespace{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "syncer-by-default",
 					},
 				},
 			},
+			addViolation:    true,
+			addInconclusive: false,
 			expected: map[string]operatorv1.ConditionStatus{
 				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionTrue,
 				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
 				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 			},
 		},
 		{
-			name: "with customer disabled syncer",
+			name: "with violating customer disabled syncer",
 			namespace: []*corev1.Namespace{
 				{
 					ObjectMeta: metav1.ObjectMeta{
@@ -100,15 +132,17 @@ func TestOperatorStatus(t *testing.T) {
 					},
 				},
 			},
+			addViolation: true,
 			expected: map[string]operatorv1.ConditionStatus{
 				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
 				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
 				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionTrue,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 			},
 		},
 		{
-			name: "with customer re-enabled syncer",
+			name: "with violating customer re-enabled syncer",
 			namespace: []*corev1.Namespace{
 				{
 					ObjectMeta: metav1.ObjectMeta{
@@ -119,47 +153,53 @@ func TestOperatorStatus(t *testing.T) {
 					},
 				},
 			},
+			addViolation: true,
 			expected: map[string]operatorv1.ConditionStatus{
 				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionTrue,
 				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
 				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 			},
 		},
 		{
-			name: "with openshift namespace",
+			name: "with violating openshift namespace",
 			namespace: []*corev1.Namespace{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "openshift-fail",
 					},
 				},
 			},
+			addViolation: true,
 			expected: map[string]operatorv1.ConditionStatus{
 				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
 				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionTrue,
 				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 			},
 		},
 		{
-			name: "with run-level 0 namespace",
+			name: "with violating run-level 0 namespace",
 			namespace: []*corev1.Namespace{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "kube-system",
 					},
 				},
 			},
+			addViolation: true,
 			expected: map[string]operatorv1.ConditionStatus{
 				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
 				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
 				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionTrue,
 				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 			},
 		},
 		{
-			name: "with other customer types in combination",
+			name: "with other violating customer types in combination",
 			namespace: []*corev1.Namespace{
 				{
 					ObjectMeta: metav1.ObjectMeta{
@@ -175,15 +215,17 @@ func TestOperatorStatus(t *testing.T) {
 					},
 				},
 			},
+			addViolation: true,
 			expected: map[string]operatorv1.ConditionStatus{
 				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionTrue,
 				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
 				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionTrue,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionFalse,
 			},
 		},
 		{
-			name: "with other system types in combination",
+			name: "with other violating system types in combination",
 			namespace: []*corev1.Namespace{
 				{
 					ObjectMeta: metav1.ObjectMeta{
@@ -203,11 +245,32 @@ func TestOperatorStatus(t *testing.T) {
 					},
 				},
 			},
+			addViolation: true,
 			expected: map[string]operatorv1.ConditionStatus{
 				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
 				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionTrue,
 				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionTrue,
 				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionFalse,
+			},
+		},
+		{
+			name: "with inconclusive namespace",
+			namespace: []*corev1.Namespace{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "syncer-by-default",
+					},
+				},
+			},
+			addViolation:    false,
+			addInconclusive: true,
+			expected: map[string]operatorv1.ConditionStatus{
+				"PodSecurityCustomerEvaluationConditionsDetected":       operatorv1.ConditionFalse,
+				"PodSecurityOpenshiftEvaluationConditionsDetected":      operatorv1.ConditionFalse,
+				"PodSecurityRunLevelZeroEvaluationConditionsDetected":   operatorv1.ConditionFalse,
+				"PodSecurityDisabledSyncerEvaluationConditionsDetected": operatorv1.ConditionFalse,
+				"PodSecurityInconclusiveEvaluationConditionsDetected":   operatorv1.ConditionTrue,
 			},
 		},
 	} {
@@ -216,7 +279,12 @@ func TestOperatorStatus(t *testing.T) {
 			cond := podSecurityOperatorConditions{}
 
 			for _, ns := range tt.namespace {
-				cond.addViolation(ns)
+				if tt.addViolation {
+					cond.addViolation(ns)
+				}
+				if tt.addInconclusive {
+					cond.addInconclusive(ns)
+				}
 			}
 
 			status := &operatorv1.OperatorStatus{}

pkg/operator/podsecurityreadinesscontroller/podsecurityreadinesscontroller.go

@@ -87,9 +87,7 @@ func (c *PodSecurityReadinessController) sync(ctx context.Context, syncCtx facto
 		if err != nil {
 			klog.V(2).ErrorS(err, "namespace:", ns.Name)
 
-			// We don't want to sync more often than the resync interval.
-			return nil
-
+			conditions.addInconclusive(&ns)
 		}
 	}