Fix scc issues with VMFR

Fixes issue #53

Signed-off-by: Michal Pryc <mpryc@redhat.com>

Author: mpryc

Makefile

@@ -55,7 +55,7 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=oadp-vmfr-controller-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -263,4 +263,4 @@ endif
 	for file_name in $(shell ls $(shell pwd)/hack/extra-crds);do \
 		cp $(OADP_OPERATOR_PATH)/config/crd/bases/$$file_name $(shell pwd)/hack/extra-crds/$$file_name && \
 		sed -i "1s%^%# Code generated by make update-velero-manifests. DO NOT EDIT.\n%" $(shell pwd)/hack/extra-crds/$$file_name;done ;\
-	}
+	}

config/default/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: openshift-adp
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: oadp-vm-file-restore-
+namePrefix:
 
 # Labels to add to all resources and selectors.
 #labels:

config/manager/manager.yaml

@@ -101,5 +101,5 @@ spec:
             memory: 64Mi
         volumeMounts: []
       volumes: []
-      serviceAccountName: controller-manager
+      serviceAccountName: oadp-vmfr-controller
       terminationGracePeriodSeconds: 10

config/rbac/leader_election_role_binding.yaml

@@ -11,5 +11,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

config/rbac/metrics_auth_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: metrics-auth-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

config/rbac/role.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: manager-role
+  name: oadp-vmfr-controller-role
 rules:
 - apiGroups:
   - ""
@@ -93,6 +93,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - velero.io
   resources:

config/rbac/role_binding.yaml

@@ -2,14 +2,18 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: oadp-vm-file-restore
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: oadp-vmfr-controller-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: oadp-operator
+    app.kubernetes.io/part-of: oadp-operator
     app.kubernetes.io/managed-by: kustomize
-  name: manager-rolebinding
+  name: oadp-vmfr-controller-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: manager-role
+  name: oadp-vmfr-controller-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

config/rbac/service_account.yaml

@@ -2,7 +2,11 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app.kubernetes.io/name: oadp-vm-file-restore
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: oadp-vmfr-controller-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: oadp-operator
+    app.kubernetes.io/part-of: oadp-operator
     app.kubernetes.io/managed-by: kustomize
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

internal/controller/virtualmachinefilerestore_controller.go

@@ -95,6 +95,7 @@ func (e ErrUnsupportedBackup) Error() string {
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,resourceNames=privileged,verbs=use
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=velero.io,resources=restores,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=velero.io,resources=backups,verbs=get;list;watch

test/e2e/e2e_test.go

@@ -37,13 +37,13 @@ import (
 const namespace = "openshift-adp"
 
 // serviceAccountName created for the project
-const serviceAccountName = "oadp-vm-file-restore-controller-manager"
+const serviceAccountName = "oadp-vmfr-controller"
 
 // metricsServiceName is the name of the metrics service of the project
-const metricsServiceName = "oadp-vm-file-restore-controller-manager-metrics-service"
+const metricsServiceName = "controller-manager-metrics-service"
 
 // metricsRoleBindingName is the name of the RBAC that will be created to allow get the metrics data
-const metricsRoleBindingName = "oadp-vm-file-restore-metrics-binding"
+const metricsRoleBindingName = "metrics-binding"
 
 var _ = Describe("Manager", Ordered, func() {
 	var controllerPodName string
@@ -76,7 +76,7 @@ var _ = Describe("Manager", Ordered, func() {
 
 		By("patching the deployment to use IfNotPresent imagePullPolicy for e2e tests")
 		cmd = exec.Command("kubectl", "patch", "deployment",
-			"oadp-vm-file-restore-controller-manager",
+			"controller-manager",
 			"-n", namespace,
 			"-p", `{"spec":{"template":{"spec":{"containers":[{"name":"manager","imagePullPolicy":"IfNotPresent"}]}}}}`)
 		_, err = utils.Run(cmd)
@@ -195,7 +195,7 @@ var _ = Describe("Manager", Ordered, func() {
 
 			// Now create the ClusterRoleBinding
 			cmd = exec.Command("kubectl", "create", "clusterrolebinding", metricsRoleBindingName,
-				"--clusterrole=oadp-vm-file-restore-metrics-reader",
+				"--clusterrole=metrics-reader",
 				fmt.Sprintf("--serviceaccount=%s:%s", namespace, serviceAccountName),
 			)
 			_, err := utils.Run(cmd)