Merge pull request #19 from astoycos/operatorhub-updates

fixup the operator-sdk bundle

Containerfile.bpfman-operator

@@ -49,6 +49,7 @@ ARG TARGETPLATFORM
 WORKDIR /
 COPY --from=bpfman-operator-build /usr/src/bpfman-operator/config/bpfman-deployment/daemonset.yaml ./config/bpfman-deployment/daemonset.yaml
 COPY --from=bpfman-operator-build /usr/src/bpfman-operator/config/bpfman-deployment/csidriverinfo.yaml ./config/bpfman-deployment/csidriverinfo.yaml
+COPY --from=bpfman-operator-build /usr/src/bpfman-operator/config/openshift/restricted-scc.yaml ./config/openshift/restricted-scc.yaml
 COPY --from=bpfman-operator-build /usr/src/bpfman-operator/bpfman-operator .
 USER 65532:65532
 

README.md

@@ -60,16 +60,10 @@ make undeploy-openshift
 The other option for installing the `bpfman-operator` is through the
 [OLM bundle](https://www.redhat.com/en/blog/deploying-operators-olm-bundles).
 
-First create the namespace:
+Use `operator-sdk` to install the bundle like so:
 
 ```bash
-oc create ns openshift-bpfman
-```
-
-Then use `operator-sdk` to install the bundle like so:
-
-```bash
-operator-sdk run bundle quay.io/bpfman/bpfman-operator-bundle:latest --namespace openshift-bpfman
+operator-sdk run bundle quay.io/bpfman/bpfman-operator-bundle:latest --namespace bpfman
 ```
 
 To clean up at a later time, execute:
@@ -78,12 +72,6 @@ To clean up at a later time, execute:
 operator-sdk cleanup bpfman-operator
 ```
 
-followed by
-
-```bash
-oc delete ns openshift-bpfman
-```
-
 ## Verify the Installation
 
 Regardless of the deployment method, if the `bpfman-operator` was deployed successfully,

bundle/manifests/bpfman-agent-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml

@@ -16,4 +16,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: bpfman-daemon
-  namespace: openshift-bpfman
+  namespace: bpfman

bundle/manifests/bpfman-agent-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml

@@ -16,4 +16,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: bpfman-daemon
-  namespace: openshift-bpfman
+  namespace: bpfman

bundle/manifests/bpfman-operator.clusterserviceversion.yaml

@@ -214,8 +214,25 @@ metadata:
         }
       ]
     capabilities: Basic Install
+    categories: OpenShift Optional
     containerImage: quay.io/bpfman/bpfman-operator:v0.0.0
-    createdAt: "2024-06-04T18:15:26Z"
+    createdAt: "2024-06-07T18:48:53Z"
+    operatorframework.io/suggested-namespace-template: |-
+      {
+        "apiVersion": "v1",
+        "kind": "Namespace",
+        "metadata": {
+          "name": "bpfman",
+          "labels": {
+            "pod-security.kubernetes.io/enforce": "privileged",
+            "pod-security.kubernetes.io/audit": "privileged",
+            "pod-security.kubernetes.io/warn": "privileged",
+          },
+          "annotations": {
+            "openshift.io/node-selector": ""
+          },
+        }
+      }
     operators.operatorframework.io/builder: operator-sdk-v1.27.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/bpfman/bpfman
@@ -268,22 +285,20 @@ spec:
   description: "The bpfman Operator is a Kubernetes Operator for deploying [bpfman](https://bpfman.netlify.app/),
     a system daemon\nfor managing eBPF programs. It deploys bpfman itself along with
     CRDs to make deploying\neBPF programs in Kubernetes much easier.\n\n## Quick Start\n\nTo
-    get bpfman up and running quickly with self signed certificates simply do \nthe
-    following.\n\n```bash\nkubectl create namespace openshift-bpfman\n```\n After
-    creating the namespace simply install the bpfman-operator in the desired namespace
-    from operator-hub\n## Configuration\n\nThe `bpfman-config` configmap is automatically
-    created in the `bpfman` namespace and used to configure the bpfman deployment.\n\nTo
-    edit the config simply run\n\n```bash\nkubectl edit cm bpfman-config\n```\n\nThe
-    following fields are adjustable\n\n- `bpfman.agent.image`: The image used for
-    the bpfman-agent, defaults to `quay.io/bpfman/bpfman-agent:latest`\n- `bpfman.image`:
-    The image used for bpfman, defaults to `quay.io/bpfman/bpfman:latest`\n- `bpfman.log.level`:
-    the log level for bpfman, currently supports `debug`, `info`, `warn`, `error`,
-    and `fatal`, defaults to `info`\n- `bpfman.agent.log.level`: the log level for
-    the bpfman-agent currently supports `info`, `debug`, and `trace` \n\nThe bpfman
-    operator deploys eBPF programs via CRDs. The following CRDs are currently available,
-    \n\n- XdpProgram\n- TcProgram\n- TracepointProgram\n- KprobeProgram\n- UprobeProgram\n-
-    FentryProgram\n- FexitProgram\n\n## More information\n\nPlease checkout the [bpfman
-    community website](https://bpfman.io/) for more information."
+    get bpfman up and running quickly simply click 'install' to deploy the bpfman-operator
+    in the bpfman namespace via operator-hub.\n## Configuration\n\nThe `bpfman-config`
+    configmap is automatically created in the `bpfman` namespace and used to configure
+    the bpfman deployment.\n\nTo edit the config simply run\n\n```bash\nkubectl edit
+    cm bpfman-config\n```\n\nThe following fields are adjustable\n\n- `bpfman.agent.image`:
+    The image used for the bpfman-agent, defaults to `quay.io/bpfman/bpfman-agent:latest`\n-
+    `bpfman.image`: The image used for bpfman, defaults to `quay.io/bpfman/bpfman:latest`\n-
+    `bpfman.log.level`: the log level for bpfman, currently supports `debug`, `info`,
+    `warn`, `error`, and `fatal`, defaults to `info`\n- `bpfman.agent.log.level`:
+    the log level for the bpfman-agent currently supports `info`, `debug`, and `trace`
+    \n\nThe bpfman operator deploys eBPF programs via CRDs. The following CRDs are
+    currently available, \n\n- XdpProgram\n- TcProgram\n- TracepointProgram\n- KprobeProgram\n-
+    UprobeProgram\n- FentryProgram\n- FexitProgram\n\n## More information\n\nPlease
+    checkout the [bpfman community website](https://bpfman.io/) for more information."
   displayName: Bpfman Operator
   icon:
   - base64data: |
@@ -814,6 +829,16 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - security.openshift.io
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - watch
         - apiGroups:
           - storage.k8s.io
           resources:

bundle/manifests/bpfman-privileged-scc_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml

@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: bpfman-daemon
-  namespace: openshift-bpfman
+  namespace: bpfman

cmd/bpfman-operator/main.go

@@ -25,11 +25,14 @@ import (
 	bpfmanoperator "github.com/bpfman/bpfman-operator/controllers/bpfman-operator"
 	"github.com/bpfman/bpfman-operator/internal"
 
+	osv1 "github.com/openshift/api/security/v1"
 	"go.uber.org/zap/zapcore"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/discovery"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
@@ -46,9 +49,34 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(bpfmaniov1alpha1.Install(scheme))
+	utilruntime.Must(osv1.Install(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
+// Returns true if the current platform is Openshift.
+func isOpenshift(client discovery.DiscoveryInterface, cfg *rest.Config) (bool, error) {
+	k8sVersion, err := client.ServerVersion()
+	if err != nil {
+		setupLog.Info("issue occurred while fetching ServerVersion")
+		return false, err
+	}
+
+	setupLog.Info("detected platform version", "PlatformVersion", k8sVersion)
+	apiList, err := client.ServerGroups()
+	if err != nil {
+		setupLog.Info("issue occurred while fetching ServerGroups")
+		return false, err
+	}
+
+	for _, v := range apiList.Groups {
+		if v.Name == "route.openshift.io" {
+			setupLog.Info("route.openshift.io found in apis, platform is OpenShift")
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
@@ -129,10 +157,26 @@ func main() {
 		Scheme: mgr.GetScheme(),
 	}
 
+	setupLog.Info("Discovering APIs")
+	dc, err := discovery.NewDiscoveryClientForConfig(mgr.GetConfig())
+	if err != nil {
+		setupLog.Error(err, "can't instantiate discovery client")
+		os.Exit(1)
+	}
+
+	isOpenshift, err := isOpenshift(dc, mgr.GetConfig())
+	if err != nil {
+		setupLog.Error(err, "unable to determine platform")
+		os.Exit(1)
+
+	}
+
 	if err = (&bpfmanoperator.BpfmanConfigReconciler{
 		ReconcilerCommon:         common,
 		BpfmanStandardDeployment: internal.BpfmanDaemonManifestPath,
 		CsiDriverDeployment:      internal.BpfmanCsiDriverPath,
+		RestrictedSCC:            internal.BpfmanRestrictedSCCPath,
+		IsOpenshift:              isOpenshift,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create bpfmanCofig controller", "controller", "BpfProgram")
 		os.Exit(1)

config/manifests/bases/bpfman-operator.clusterserviceversion.yaml

@@ -3,9 +3,26 @@ kind: ClusterServiceVersion
 metadata:
   annotations:
     alm-examples: "[]"
+    categories: OpenShift Optional
     capabilities: Basic Install
     containerImage: quay.io/bpfman/bpfman-operator:v0.0.0
     repository: https://github.com/bpfman/bpfman
+    operatorframework.io/suggested-namespace-template: |-
+      {
+        "apiVersion": "v1",
+        "kind": "Namespace",
+        "metadata": {
+          "name": "bpfman",
+          "labels": {
+            "pod-security.kubernetes.io/enforce": "privileged",
+            "pod-security.kubernetes.io/audit": "privileged",
+            "pod-security.kubernetes.io/warn": "privileged",
+          },
+          "annotations": {
+            "openshift.io/node-selector": ""
+          },
+        }
+      }
   name: bpfman-operator.v0.0.0
   namespace: placeholder
 spec:
@@ -56,9 +73,8 @@ spec:
     "The bpfman Operator is a Kubernetes Operator for deploying [bpfman](https://bpfman.netlify.app/),
     a system daemon\nfor managing eBPF programs. It deploys bpfman itself along with
     CRDs to make deploying\neBPF programs in Kubernetes much easier.\n\n##
-    Quick Start\n\nTo get bpfman up and running quickly with self signed certificates
-    simply do \nthe following.\n\n```bash\nkubectl create namespace openshift-bpfman\n```\n After creating the namespace simply install
-    the bpfman-operator in the desired namespace from operator-hub\n##
+    Quick Start\n\nTo get bpfman up and running quickly simply click 'install'
+    to deploy the bpfman-operator in the bpfman namespace via operator-hub.\n##
     Configuration\n\nThe `bpfman-config` configmap is automatically created in the `bpfman`
     namespace and used to configure the bpfman deployment.\n\nTo edit the config simply
     run\n\n```bash\nkubectl edit cm bpfman-config\n```\n\nThe following fields are adjustable\n\n-

config/openshift/kustomization.yaml

@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: openshift-bpfman
+namespace: bpfman
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
@@ -33,4 +33,3 @@ resources:
   - ../bpfman-operator-deployment
   - ../bpfman-deployment
   - rbac.yaml
-  - user-scc.yaml

config/openshift/rbac.yaml

@@ -9,4 +9,18 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: bpfman-daemon
-    namespace: openshift-bpfman
+    namespace: bpfman
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: user
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - bpfman-restricted
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use

config/openshift/user-scc.yaml → config/openshift/restricted-scc.yaml

@@ -1,8 +1,9 @@
 ---
+## This is part of the payload deployed by the bpfman-operator NOT kustomize.
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
-  name: restricted
+  name: bpfman-restricted
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
@@ -18,7 +19,7 @@ readOnlyRootFilesystem: false
 requiredDropCapabilities:
   - ALL
 runAsUser:
-  type: RunAsAny
+  type: MustRunAsNonRoot
 seLinuxContext:
   type: RunAsAny
 seccompProfiles: null
@@ -35,18 +36,3 @@ volumes:
   - persistentVolumeClaim
   - projected
   - secret
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: user
-rules:
-  - apiGroups:
-      - security.openshift.io
-    resourceNames:
-      - bpfman-restricted
-    resources:
-      - securitycontextconstraints
-    verbs:
-      - use
----

config/rbac/bpfman-operator/role.yaml

@@ -229,6 +229,16 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
 - apiGroups:
   - storage.k8s.io
   resources: