Fix scc issues with VMFR

Fixes issue #53

Signed-off-by: Michal Pryc <mpryc@redhat.com>

Author: mpryc

Makefile

@@ -55,7 +55,7 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=oadp-vmfr-controller-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -263,4 +263,4 @@ endif
 	for file_name in $(shell ls $(shell pwd)/hack/extra-crds);do \
 		cp $(OADP_OPERATOR_PATH)/config/crd/bases/$$file_name $(shell pwd)/hack/extra-crds/$$file_name && \
 		sed -i "1s%^%# Code generated by make update-velero-manifests. DO NOT EDIT.\n%" $(shell pwd)/hack/extra-crds/$$file_name;done ;\
-	}
+	}

config/manager/manager.yaml

@@ -101,5 +101,5 @@ spec:
             memory: 64Mi
         volumeMounts: []
       volumes: []
-      serviceAccountName: controller-manager
+      serviceAccountName: oadp-vmfr-controller
       terminationGracePeriodSeconds: 10

config/rbac/leader_election_role_binding.yaml

@@ -11,5 +11,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

config/rbac/metrics_auth_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: metrics-auth-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

config/rbac/role.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: manager-role
+  name: oadp-vmfr-controller-role
 rules:
 - apiGroups:
   - ""
@@ -93,6 +93,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - velero.io
   resources:

config/rbac/role_binding.yaml

@@ -2,14 +2,18 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: oadp-vm-file-restore
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: oadp-vmfr-controller-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: oadp-operator
+    app.kubernetes.io/part-of: oadp-operator
     app.kubernetes.io/managed-by: kustomize
-  name: manager-rolebinding
+  name: oadp-vmfr-controller-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: manager-role
+  name: oadp-vmfr-controller-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

config/rbac/service_account.yaml

@@ -2,7 +2,11 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app.kubernetes.io/name: oadp-vm-file-restore
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: oadp-vmfr-controller-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: oadp-operator
+    app.kubernetes.io/part-of: oadp-operator
     app.kubernetes.io/managed-by: kustomize
-  name: controller-manager
+  name: oadp-vmfr-controller
   namespace: system

internal/controller/virtualmachinefilerestore_controller.go

@@ -95,6 +95,7 @@ func (e ErrUnsupportedBackup) Error() string {
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,resourceNames=privileged,verbs=use
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=velero.io,resources=restores,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=velero.io,resources=backups,verbs=get;list;watch