Use OpenShift's required-scc annotation on components (#1931)

* ipam-ext: use w/ openshift required-scc annotation

Signed-off-by: Miguel Duarte Barroso <[email protected]>

* kubemacpool: use w/ openshift required-scc annotation

Signed-off-by: Miguel Duarte Barroso <[email protected]>

* linux-bridge: use w/ openshift required-scc annotation

Signed-off-by: Miguel Duarte Barroso <[email protected]>

* kube-secondary-dns: use w/ openshift required-scc annotation

Signed-off-by: Miguel Duarte Barroso <[email protected]>

---------

Signed-off-by: Miguel Duarte Barroso <[email protected]>

data/kube-secondary-dns/secondarydns.yaml

@@ -73,6 +73,7 @@ spec:
         k8s-app: secondary-dns
       annotations:
         kubectl.kubernetes.io/default-container: status-monitor
+        openshift.io/required-scc: "restricted-v2"
     spec:
       serviceAccountName: secondary
       securityContext:

data/kubemacpool/kubemacpool.yaml

@@ -145,6 +145,8 @@ spec:
     type: Recreate
   template:
     metadata:
+      annotations:
+        openshift.io/required-scc: restricted-v2
       labels:
         app: kubemacpool
         control-plane: cert-manager
@@ -235,6 +237,7 @@ spec:
     metadata:
       annotations:
         description: KubeMacPool manages MAC allocation to Pods and VMs
+        openshift.io/required-scc: restricted-v2
       labels:
         app: kubemacpool
         control-plane: mac-controller-manager

data/kubevirt-ipam-controller/001-kubevirtipamcontroller.yaml

@@ -172,6 +172,9 @@ spec:
     metadata:
       annotations:
         kubectl.kubernetes.io/default-container: manager
+{{ if .IsOpenshift }}
+        openshift.io/required-scc: "restricted-v2"
+{{ end }}
       labels:
         app: ipam-virt-workloads
         control-plane: manager

data/kubevirt-ipam-controller/003-passtbindingcni.yaml

@@ -23,6 +23,9 @@ spec:
         app: passt-binding-cni
       annotations:
         description: passt-binding-cni installs passt binding CNI on cluster nodes
+{{ if .EnableSCC }}
+        openshift.io/required-scc: "passt-binding-cni"
+{{ end }}
     spec:
       priorityClassName: system-cluster-critical
 {{ if .EnableSCC }}

data/linux-bridge/002-linux-bridge.yaml

@@ -22,6 +22,9 @@ spec:
         tier: node
         app: cni-plugins
       annotations:
+{{ if .EnableSCC }}
+        openshift.io/required-scc: "linux-bridge"
+{{ end }}
         description: LinuxBridge installs 'bridge' CNI on cluster nodes, so it can be later used to attach Pods/VMs to Linux bridges
     spec:
 {{ if .EnableSCC }}

data/linux-bridge/003-bridge-marker.yaml

@@ -23,6 +23,7 @@ spec:
         name: bridge-marker
       annotations:
         description: Bridge marker exposes network bridges available on nodes as node resources
+        openshift.io/required-scc: "bridge-marker"
     spec:
       serviceAccountName: bridge-marker
       hostNetwork: true

hack/components/bump-bridge-marker.sh

@@ -24,6 +24,7 @@ function __parametize_by_object() {
 				yaml-utils::update_param ${f} spec.template.spec.containers[0].imagePullPolicy  '{{ .ImagePullPolicy }}'
 				yaml-utils::update_param ${f} spec.template.spec.nodeSelector '{{ toYaml .Placement.NodeSelector | nindent 8 }}'
 				yaml-utils::set_param ${f} spec.template.spec.affinity '{{ toYaml .Placement.Affinity | nindent 8 }}'
+				yaml-utils::set_param ${f} 'spec.template.metadata.annotations."openshift.io/required-scc"' '"bridge-marker"'
 				yaml-utils::update_param ${f} spec.template.spec.tolerations '{{ toYaml .Placement.Tolerations | nindent 8 }}'
 				yaml-utils::remove_single_quotes_from_yaml ${f}
 				;;

hack/components/bump-kube-secondary-dns.sh

@@ -34,6 +34,7 @@ function __parametize_by_object() {
         yaml-utils::set_param ${f} spec.template.spec.nodeSelector '{{ toYaml .Placement.NodeSelector | nindent 8 }}'
         yaml-utils::set_param ${f} spec.template.spec.affinity '{{ toYaml .Placement.Affinity | nindent 8 }}'
         yaml-utils::set_param ${f} spec.template.spec.tolerations '{{ toYaml .Placement.Tolerations | nindent 8 }}'
+        yaml-utils::set_param ${f} 'spec.template.metadata.annotations."openshift.io/required-scc"' '"restricted-v2"'
         yaml-utils::remove_single_quotes_from_yaml ${f}
         ;;
       ./ServiceAccount_secondary.yaml)

hack/components/bump-kubemacpool.sh

@@ -69,6 +69,9 @@ metadata:
   namespace: system
 spec:
   template:
+    metadata:
+      annotations:
+        openshift.io/required-scc: "restricted-v2"
     spec:
       containers:
       - image: "{{ .KubeMacPoolImage }}"
@@ -95,6 +98,9 @@ metadata:
   namespace: system
 spec:
   template:
+    metadata:
+      annotations:
+        openshift.io/required-scc: "restricted-v2"
     spec:
       containers:
       - image: "{{ .KubeMacPoolImage }}"

hack/components/bump-kubevirt-ipam-controller.sh

@@ -125,6 +125,10 @@ echo 'Adjust kubevirt-ipam-controller to CNAO'
     service.beta.openshift.io/serving-cert-secret-name: kubevirt-ipam-controller-webhook-service\
 {{ end }}' Service_kubevirt-ipam-controller-webhook-service.yaml
 
+  sed -i '/        kubectl.kubernetes.io\/default-container: manager/a\{{ if .IsOpenshift }}\
+        openshift.io/required-scc: "restricted-v2"\
+{{ end }}' Deployment_kubevirt-ipam-controller-manager.yaml
+
   echo 'rejoin sub-manifests to a final manifest'
   cat Namespace_kubevirt-ipam-controller-system.yaml \
       ServiceAccount_kubevirt-ipam-controller-manager.yaml \
@@ -144,6 +148,10 @@ echo 'Adjust kubevirt-ipam-controller to CNAO'
   sed -i '/containers:/i\{{ if .EnableSCC }}\
       serviceAccountName: passt-binding-cni\
 {{ end }}' 003-passtbindingcni.yaml
+
+  sed -i '/        description: passt-binding-cni installs passt binding CNI on cluster nodes/a\{{ if .EnableSCC }}\
+        openshift.io/required-scc: "passt-binding-cni"\
+{{ end }}' 003-passtbindingcni.yaml
 )
 
 echo 'Copy manifests'