From f9acec8e8f4073a63c8302f70a4f94500bfc2b77 Mon Sep 17 00:00:00 2001 From: Fred Rolland Date: Mon, 16 Oct 2023 15:46:29 +0300 Subject: [PATCH] feat: Admission Controller in OpenShift - Add 'openshift' kustomize dir under config/manifests - Add Admission Controller yamls to CSV - Fix Mellanox CRD finalizers permission - Add Env variable to skip validations if needed 
Signed-off-by: Fred Rolland --- api/v1alpha1/hostdevicenetwork_webhook.go | 15 ++ api/v1alpha1/nicclusterpolicy_webhook.go | 22 +++ ...er-manager-metrics-service_v1_service.yaml | 17 --- ...-operator-manager-config_v1_configmap.yaml | 17 --- ...c.authorization.k8s.io_v1_clusterrole.yaml | 10 -- ...k-operator-webhook-service_v1_service.yaml | 18 +++ ...etwork-operator.clusterserviceversion.yaml | 133 ++++++++++++------ config/manager/kustomization.yaml | 8 +- config/manager/manager.yaml | 8 +- config/manifests/kustomization.yaml | 2 +- config/manifests/openshift/kustomization.yaml | 19 +++ .../openshift/manager_webhook_patch.yaml | 26 ++++ .../webhookservicecainjection_patch.yaml | 8 ++ config/rbac/kustomization.yaml | 8 +- config/rbac/role.yaml | 24 ++++ config/webhook/kustomization.yaml | 3 + controllers/hostdevicenetwork_controller.go | 1 + controllers/ipoibnetwork_controller.go | 1 + controllers/macvlannetwork_controller.go | 1 + controllers/nicclusterpolicy_controller.go | 1 + docs/operator-bundle.md | 23 +++ main.go | 4 + 22 files changed, 269 insertions(+), 100 deletions(-) delete mode 100644 bundle/manifests/nvidia-network-operator-controller-manager-metrics-service_v1_service.yaml delete mode 100644 bundle/manifests/nvidia-network-operator-manager-config_v1_configmap.yaml delete mode 100644 bundle/manifests/nvidia-network-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/nvidia-network-operator-webhook-service_v1_service.yaml create mode 100644 config/manifests/openshift/kustomization.yaml create mode 100644 config/manifests/openshift/manager_webhook_patch.yaml create mode 100644 config/manifests/openshift/webhookservicecainjection_patch.yaml diff --git a/api/v1alpha1/hostdevicenetwork_webhook.go b/api/v1alpha1/hostdevicenetwork_webhook.go index a773ebd3..95b2125e 100644 --- a/api/v1alpha1/hostdevicenetwork_webhook.go +++ b/api/v1alpha1/hostdevicenetwork_webhook.go 
@@ -44,6 +44,11 @@ var _ webhook.Validator = &HostDeviceNetwork{} // ValidateCreate implements webhook.Validator so a webhook will be registered for the type func (w *HostDeviceNetwork) ValidateCreate() error { + if skipValidations { + nicClusterPolicyLog.Info("skipping CR validation") + return nil + } + hostDeviceNetworkLog.Info("validate create", "name", w.Name) return w.validateHostDeviceNetwork() @@ -51,6 +56,11 @@ func (w *HostDeviceNetwork) ValidateCreate() error { // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type func (w *HostDeviceNetwork) ValidateUpdate(_ runtime.Object) error { + if skipValidations { + nicClusterPolicyLog.Info("skipping CR validation") + return nil + } + hostDeviceNetworkLog.Info("validate update", "name", w.Name) return w.validateHostDeviceNetwork() @@ -58,6 +68,11 @@ func (w *HostDeviceNetwork) ValidateUpdate(_ runtime.Object) error { // ValidateDelete implements webhook.Validator so a webhook will be registered for the type func (w *HostDeviceNetwork) ValidateDelete() error { + if skipValidations { + nicClusterPolicyLog.Info("skipping CR validation") + return nil + } + hostDeviceNetworkLog.Info("validate delete", "name", w.Name) // Validation for delete call is not required diff --git a/api/v1alpha1/nicclusterpolicy_webhook.go b/api/v1alpha1/nicclusterpolicy_webhook.go index 74c7db55..1cc16c49 100644 --- a/api/v1alpha1/nicclusterpolicy_webhook.go +++ b/api/v1alpha1/nicclusterpolicy_webhook.go @@ -39,6 +39,8 @@ var nicClusterPolicyLog = logf.Log.WithName("nicclusterpolicy-resource") var schemaValidators *schemaValidator +var skipValidations = false + func (w *NicClusterPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error { nicClusterPolicyLog.Info("Nic cluster policy webhook admission controller") InitSchemaValidator("./webhook-schemas") 
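Review bot: The skip branch added to HostDeviceNetwork.ValidateCreate logs through `nicClusterPolicyLog`, so a skipped HostDeviceNetwork validation is attributed to the "nicclusterpolicy-resource" logger; the same copy-paste is in the ValidateUpdate and ValidateDelete hunks of this file. Each should read `hostDeviceNetworkLog.Info("skipping CR validation", "name", w.Name)` so the entry names the object that was admitted without checking, which is the record an operator needs when validations are disabled. The guard in the ValidateDelete hunk also looks redundant, since the existing comment says validation is not required for delete; that method's body continues outside the hunk, so confirm it already returns nil.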
@@ -54,18 +56,33 @@ var _ webhook.Validator = &NicClusterPolicy{} // ValidateCreate implements webhook.Validator so a webhook will be registered for the type func (w *NicClusterPolicy) ValidateCreate() error { + if skipValidations { + nicClusterPolicyLog.Info("skipping CR validation") + return nil + } + nicClusterPolicyLog.Info("validate create", "name", w.Name) return w.validateNicClusterPolicy() } // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type func (w *NicClusterPolicy) ValidateUpdate(_ runtime.Object) error { + if skipValidations { + nicClusterPolicyLog.Info("skipping CR validation") + return nil + } + nicClusterPolicyLog.Info("validate update", "name", w.Name) return w.validateNicClusterPolicy() } // ValidateDelete implements webhook.Validator so a webhook will be registered for the type func (w *NicClusterPolicy) ValidateDelete() error { + if skipValidations { + nicClusterPolicyLog.Info("skipping CR validation") + return nil + } + nicClusterPolicyLog.Info("validate delete", "name", w.Name) // Validation for delete call is not required @@ -362,3 +379,8 @@ func InitSchemaValidator(schemaPath string) { } schemaValidators = sv } + +// DisableValidations will disable all CRs admission validations +func DisableValidations() { + skipValidations = true +} diff --git a/bundle/manifests/nvidia-network-operator-controller-manager-metrics-service_v1_service.yaml b/bundle/manifests/nvidia-network-operator-controller-manager-metrics-service_v1_service.yaml deleted file mode 100644 index dc74a10a..00000000 --- a/bundle/manifests/nvidia-network-operator-controller-manager-metrics-service_v1_service.yaml +++ /dev/null 
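Review bot: `DisableValidations` (the `@@ -362,3 +379,8 @@` hunk) flips the unsynchronized package-level `skipValidations` that every webhook handler reads, so it is only safe when called before the manager starts serving, and its doc comment should say so: `// DisableValidations makes every CR admission webhook admit unconditionally. It must be called before the manager starts serving webhooks; skipValidations is read without synchronization.` Disabling leaves the ValidatingWebhookConfiguration registered with failurePolicy Fail, so a down operator still blocks CR writes while a running one admits everything; a sentence in that comment would make clear what "disabled" means. The declaration `var skipValidations = false` in the `@@ -39,6 +39,8 @@` hunk reads better as `var skipValidations bool`, matching the zero-value style of `var schemaValidators *schemaValidator` just above it.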
@@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - control-plane: controller-manager - name: nvidia-network-operator-controller-manager-metrics-service -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager -status: - loadBalancer: {} diff --git a/bundle/manifests/nvidia-network-operator-manager-config_v1_configmap.yaml b/bundle/manifests/nvidia-network-operator-manager-config_v1_configmap.yaml deleted file mode 100644 index 454cff33..00000000 --- a/bundle/manifests/nvidia-network-operator-manager-config_v1_configmap.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -data: - controller_manager_config.yaml: | - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: 12620820.mellanox.com -kind: ConfigMap -metadata: - name: nvidia-network-operator-manager-config diff --git a/bundle/manifests/nvidia-network-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/nvidia-network-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml deleted file mode 100644 index 634416a1..00000000 --- a/bundle/manifests/nvidia-network-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: nvidia-network-operator-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get diff --git a/bundle/manifests/nvidia-network-operator-webhook-service_v1_service.yaml b/bundle/manifests/nvidia-network-operator-webhook-service_v1_service.yaml new file mode 100644 index 00000000..7b221742 --- /dev/null +++ b/bundle/manifests/nvidia-network-operator-webhook-service_v1_service.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + service.alpha.openshift.io/serving-cert-secret-name: webhook-server-cert + creationTimestamp: null + labels: + control-plane: nvidia-network-operator-controller + name: nvidia-network-operator-webhook-service +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: nvidia-network-operator-controller +status: + loadBalancer: {} diff --git a/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml b/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml index 67331542..ee0e74b7 100644 --- a/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml +++ b/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml @@ -59,7 +59,7 @@ metadata: "initialDelaySeconds": 10, "periodSeconds": 30 }, - "repository": "nvcr.io/nvidia/mellanox", + "repository": "nvcr.io/nvstaging/mellanox", "startupProbe": { "initialDelaySeconds": 10, "periodSeconds": 20 @@ -76,13 +76,13 @@ metadata: }, "maxParallelUpgrades": 1 }, - "version": "23.07-0.5.0.0" + "version": "23.10-0.2.8.0" }, "rdmaSharedDevicePlugin": { "config": "{\n \"configList\": [\n {\n \"resourceName\": \"rdma_shared_device_a\",\n \"rdmaHcaMax\": 63,\n \"selectors\": {\n \"vendors\": [\"15b3\"]\n }\n }\n ]\n}\n", "image": "k8s-rdma-shared-dev-plugin", - "repository": "nvcr.io/nvidia/cloud-native", - "version": "v1.3.2" + "repository": "ghcr.io/mellanox", + "version": "sha-fe7f371c7e1b8315bf900f71cd25cfc1251dc775" } } } @@ -284,6 +284,7 @@ spec: - apiGroups: - config.openshift.io resources: + - clusterversions - proxies verbs: - get @@ -333,6 +334,12 @@ spec: - patch - update - watch + - apiGroups: + - mellanox.com + resources: + - hostdevicenetworks/finalizers + verbs: + - update - apiGroups: - mellanox.com resources: 
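Review bot: The new webhook Service in the `@@ -0,0 +1,18 @@` hunk requests its serving certificate with the legacy `service.alpha.openshift.io/serving-cert-secret-name` annotation; the current form is `service.beta.openshift.io/serving-cert-secret-name: webhook-server-cert`, and since the bundle is generated it should be changed in config/manifests/openshift/webhookservicecainjection_patch.yaml. As far as I know service-ca still honours the alpha spelling as an alias, but the Fail-policy webhooks depend on this certificate existing, so relying on a deprecated alias is an avoidable risk.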
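Review bot: The alm-examples edits in the `@@ -59,7 +59,7 @@` and `@@ -76,13 +76,13 @@` hunks move the sample NicClusterPolicy from `nvcr.io/nvidia/mellanox` to `nvcr.io/nvstaging/mellanox` and the RDMA shared device plugin to `ghcr.io/mellanox` at a `sha-` commit tag, which looks like a development override rather than part of the admission-controller feature the commit message describes. Anyone installing this bundle and applying the sample would pull driver and plugin images from a staging registry and a commit-tagged build, so these should be reverted to the released repositories and versions or called out explicitly in the commit. `relatedImages` further down still lists the plugin under nvcr.io/nvidia/cloud-native, so the CSV is now inconsistent with itself.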
@@ -353,6 +360,12 @@ spec: - patch - update - watch + - apiGroups: + - mellanox.com + resources: + - ipoibnetworks/finalizers + verbs: + - update - apiGroups: - mellanox.com resources: @@ -373,6 +386,12 @@ spec: - patch - update - watch + - apiGroups: + - mellanox.com + resources: + - macvlannetworks/finalizers + verbs: + - update - apiGroups: - mellanox.com resources: @@ -394,6 +413,12 @@ spec: - patch - update - watch + - apiGroups: + - mellanox.com + resources: + - nicclusterpolicies/finalizers + verbs: + - update - apiGroups: - monitoring.coreos.com resources: @@ -479,35 +504,23 @@ spec: - patch - update - watch - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create serviceAccountName: nvidia-network-operator-controller-manager deployments: - label: - control-plane: controller-manager + control-plane: nvidia-network-operator-controller name: nvidia-network-operator-controller-manager spec: replicas: 1 selector: matchLabels: - control-plane: controller-manager + control-plane: nvidia-network-operator-controller strategy: {} template: metadata: annotations: kubectl.kubernetes.io/default-container: manager labels: - control-plane: controller-manager + control-plane: nvidia-network-operator-controller nvidia.com/ofed-driver-upgrade-drain.skip: "true" spec: affinity: 
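Review bot: The deployment's `spec.selector.matchLabels` changes from `control-plane: controller-manager` to `control-plane: nvidia-network-operator-controller` in the `@@ -479,35 +504,23 @@` hunk, and a Deployment selector is immutable once created; unless OLM recreates the deployment instead of patching it on CSV replacement, an in-place upgrade from the previous release may be rejected, so this deserves an upgrade test from the prior CSV. Dropping the tokenreviews and subjectaccessreviews rules is consistent with removing kube-rbac-proxy and reduces the service account's permissions, which is fine.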
@@ -529,28 +542,12 @@ spec: weight: 1 containers: - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:db06cc4c084dd0253134f156dddaaf53ef1c3fb3cc809e5d81711baa4029ea4c - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - --leader-elect command: - /manager + env: + - name: ENABLE_WEBHOOKS + value: "true" image: nvcr.io/nvidia/cloud-native/network-operator@sha256:7005fa24a1ae52d927e76d50d90fddf6b6c7b08885a2dad3c7e5e2c2ac21c834 imagePullPolicy: IfNotPresent livenessProbe: @@ -560,6 +557,10 @@ spec: initialDelaySeconds: 15 periodSeconds: 20 name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -572,9 +573,13 @@ spec: memory: 128Mi requests: cpu: 5m - memory: 64M + memory: 64Mi securityContext: allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true securityContext: runAsUser: 65532 serviceAccountName: nvidia-network-operator-controller-manager @@ -586,6 +591,11 @@ spec: - effect: NoSchedule key: node-role.kubernetes.io/control-plane operator: Equal + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert permissions: - rules: - apiGroups: 
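Review bot: The `@@ -529,28 +542,12 @@` hunk removes `--metrics-bind-address=127.0.0.1:8080` together with the kube-rbac-proxy sidecar, so the manager's metrics listener now falls back to whatever default main.go's flag declares (the kubebuilder scaffold default is `:8080`, all interfaces) with no authenticating proxy in front of it; main.go is not in this hunk, so confirm the default. If metrics are no longer meant to be exposed, pass `--metrics-bind-address=0` to disable the listener; if they are, keep the proxy or restrict access with a NetworkPolicy. The same check applies to the removed `--health-probe-bind-address=:8081`, which presumably still matches the probes via the scaffold default. Mounting the serving-cert secret read-only is right.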
@@ -645,6 +655,48 @@ spec: provider: name: NVIDIA url: https://github.com/Mellanox/network-operator/ + version: 23.7.0 + webhookdefinitions: + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: nvidia-network-operator-controller-manager + failurePolicy: Fail + generateName: vhostdevicenetwork.kb.io + rules: + - apiGroups: + - mellanox.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - hostdevicenetworks + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-mellanox-com-v1alpha1-hostdevicenetwork + - admissionReviewVersions: + - v1 + containerPort: 443 + deploymentName: nvidia-network-operator-controller-manager + failurePolicy: Fail + generateName: vnicclusterpolicy.kb.io + rules: + - apiGroups: + - mellanox.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - nicclusterpolicies + sideEffects: None + targetPort: 9443 + type: ValidatingAdmissionWebhook + webhookPath: /validate-mellanox-com-v1alpha1-nicclusterpolicy relatedImages: - image: nvcr.io/nvidia/mellanox/mofed@sha256:a0c4562af2d25f87f5b37e53b6e4085559dfeed873279c77a355f7ad738afb60 name: mofed @@ -652,8 +704,5 @@ spec: name: sriov-network-device-plugin - image: nvcr.io/nvidia/cloud-native/k8s-rdma-shared-dev-plugin@sha256:941ad9ff5013e9e7ad5abeb0ea9f79d45379cfae88a628d923f87d2259bdd132 name: rdma-shared-device-plugin - - image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:db06cc4c084dd0253134f156dddaaf53ef1c3fb3cc809e5d81711baa4029ea4c - name: kube-rbac-proxy - image: nvcr.io/nvidia/cloud-native/network-operator@sha256:7005fa24a1ae52d927e76d50d90fddf6b6c7b08885a2dad3c7e5e2c2ac21c834 name: network-operator - version: 23.7.0 diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index b9adbfca..3003fa20 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
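Review bot: Both `webhookdefinitions` entries use `failurePolicy: Fail` while the deployment runs `replicas: 1`, so any window in which the single manager pod is down (upgrade, node drain, crash loop) rejects every CREATE and UPDATE of NicClusterPolicy and HostDeviceNetwork cluster-wide. That is the safer choice for a validating webhook, but it is a behaviour change for the bundle, and the docs/operator-bundle.md section added in this commit should say so next to the SKIP_VALIDATIONS knob, which does not lift the blocking because the webhook stays registered. OLM provisions its own serving certificate for `webhookdefinitions` while the deployment also mounts the service-ca-issued `webhook-server-cert` at `/tmp/k8s-webhook-server/serving-certs`; I would confirm which certificate the server actually presents and that it chains to the caBundle OLM injects, since a mismatch surfaces only as Fail-policy rejections. Omitting DELETE from the rules matches ValidateDelete performing no checks.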
@@ -1,14 +1,12 @@ resources: - manager.yaml +commonLabels: + control-plane: nvidia-network-operator-controller + generatorOptions: disableNameSuffixHash: true -configMapGenerator: -- files: - - controller_manager_config.yaml - name: manager-config -apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 1771793c..9cdae066 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -78,10 +78,10 @@ spec: periodSeconds: 10 resources: limits: - cpu: 300m - memory: 100Mi + cpu: 500m + memory: 128Mi requests: - cpu: 200m - memory: 50Mi + cpu: 5m + memory: 64Mi serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 7338a609..0f20bc2a 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -1,5 +1,5 @@ resources: - bases/nvidia-network-operator.clusterserviceversion.yaml -- ../default +- openshift - ../samples - ../scorecard diff --git a/config/manifests/openshift/kustomization.yaml b/config/manifests/openshift/kustomization.yaml new file mode 100644 index 00000000..552105bf --- /dev/null +++ b/config/manifests/openshift/kustomization.yaml @@ -0,0 +1,19 @@ +# Adds namespace to all resources. +namespace: nvidia-network-operator + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: nvidia-network-operator- + +bases: +- ../../crd +- ../../rbac +- ../../manager +- ../../webhook + +patchesStrategicMerge: +- manager_webhook_patch.yaml +- webhookservicecainjection_patch.yaml 
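Review bot: `config/manifests/kustomization.yaml` now composes `openshift` instead of `../default`, so the bundle generated from it is OpenShift-specific (service-ca annotations, no cert-manager), and docs/operator-bundle.md should state that the bundle no longer targets vanilla Kubernetes OLM. In `config/manifests/openshift/kustomization.yaml`, `bases:` and `patchesStrategicMerge:` are deprecated kustomize fields; `resources:` and `patches:` are the current forms and avoid warnings on newer kustomize. The `config/manager/kustomization.yaml` hunk also appears to drop the `apiVersion: kustomize.config.k8s.io/v1beta1` line next to `kind: Kustomization`, which I would keep unless the removal was intentional.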
diff --git a/config/manifests/openshift/manager_webhook_patch.yaml b/config/manifests/openshift/manager_webhook_patch.yaml new file mode 100644 index 00000000..2247cf04 --- /dev/null +++ b/config/manifests/openshift/manager_webhook_patch.yaml @@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + env: + - name: "ENABLE_WEBHOOKS" + value: "true" + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert diff --git a/config/manifests/openshift/webhookservicecainjection_patch.yaml b/config/manifests/openshift/webhookservicecainjection_patch.yaml new file mode 100644 index 00000000..57f11de1 --- /dev/null +++ b/config/manifests/openshift/webhookservicecainjection_patch.yaml @@ -0,0 +1,8 @@ + +apiVersion: v1 +kind: Service +metadata: + name: webhook-service + namespace: system + annotations: + service.alpha.openshift.io/serving-cert-secret-name: webhook-server-cert diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 731832a6..fb5a2b88 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -12,7 +12,7 @@ resources: # Comment the following 4 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# - auth_proxy_service.yaml +# - auth_proxy_role.yaml +# - auth_proxy_role_binding.yaml +# - auth_proxy_client_clusterrole.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index e0f4d24e..7f55420d 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
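Review bot: `webhookservicecainjection_patch.yaml` begins with an empty line before `apiVersion: v1`, and `manager_webhook_patch.yaml` quotes the env name as `"ENABLE_WEBHOOKS"` where the generated CSV and the rest of the manifests use bare values; drop the blank line and write `- name: ENABLE_WEBHOOKS`. In `config/rbac/kustomization.yaml` the four auth-proxy entries are now commented out, but the comment above them still says "Comment the following 4 lines if you want to disable the auth proxy", so it reads backwards; reword it to say the proxy is disabled and that uncommenting re-enables it.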
@@ -205,6 +205,12 @@ rules: - patch - update - watch +- apiGroups: + - mellanox.com + resources: + - hostdevicenetworks/finalizers + verbs: + - update - apiGroups: - mellanox.com resources: @@ -225,6 +231,12 @@ rules: - patch - update - watch +- apiGroups: + - mellanox.com + resources: + - ipoibnetworks/finalizers + verbs: + - update - apiGroups: - mellanox.com resources: @@ -245,6 +257,12 @@ rules: - patch - update - watch +- apiGroups: + - mellanox.com + resources: + - macvlannetworks/finalizers + verbs: + - update - apiGroups: - mellanox.com resources: @@ -266,6 +284,12 @@ rules: - patch - update - watch +- apiGroups: + - mellanox.com + resources: + - nicclusterpolicies/finalizers + verbs: + - update - apiGroups: - monitoring.coreos.com resources: diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml index 9cf26134..5399eaf8 100644 --- a/config/webhook/kustomization.yaml +++ b/config/webhook/kustomization.yaml @@ -4,3 +4,6 @@ resources: configurations: - kustomizeconfig.yaml + +commonLabels: + control-plane: nvidia-network-operator-controller diff --git a/controllers/hostdevicenetwork_controller.go b/controllers/hostdevicenetwork_controller.go index 88fd297d..1e4b15f3 100644 --- a/controllers/hostdevicenetwork_controller.go +++ b/controllers/hostdevicenetwork_controller.go @@ -50,6 +50,7 @@ type HostDeviceNetworkReconciler struct { //nolint:lll // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks/finalizers,verbs=update // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks/status,verbs=get;update;patch // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete diff --git a/controllers/ipoibnetwork_controller.go b/controllers/ipoibnetwork_controller.go index 358db6af..fa027c11 100644 
--- a/controllers/ipoibnetwork_controller.go +++ b/controllers/ipoibnetwork_controller.go @@ -50,6 +50,7 @@ type IPoIBNetworkReconciler struct { //nolint:lll // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks/finalizers,verbs=update // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks/status,verbs=get;update;patch // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete diff --git a/controllers/macvlannetwork_controller.go b/controllers/macvlannetwork_controller.go index d23510fa..973f52bb 100644 --- a/controllers/macvlannetwork_controller.go +++ b/controllers/macvlannetwork_controller.go @@ -52,6 +52,7 @@ type MacvlanNetworkReconciler struct { //nolint:lll // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks/finalizers,verbs=update // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks/status,verbs=get;update;patch // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete diff --git a/controllers/nicclusterpolicy_controller.go b/controllers/nicclusterpolicy_controller.go index d5f9db49..c0a31917 100644 --- a/controllers/nicclusterpolicy_controller.go +++ b/controllers/nicclusterpolicy_controller.go 
@@ -59,6 +59,7 @@ type NicClusterPolicyReconciler struct { //nolint:lll // +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies;nicclusterpolicies/status,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies/finalizers,verbs=update // +kubebuilder:rbac:groups=security.openshift.io,resourceNames=privileged,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete diff --git a/docs/operator-bundle.md b/docs/operator-bundle.md index ad6eb9d9..239238a0 100644 --- a/docs/operator-bundle.md +++ b/docs/operator-bundle.md @@ -81,3 +81,26 @@ To remove the operator when installed via `operator-sdk run`, use: operator-sdk cleanup --namespace nvidia-network-operator nvidia-network-operator ``` +### Add Environment Variables to Operator Deployment in OpenShift + +It is possible to add environment variables to operator deployment in OpenShift +using the deployed operator's `Subscription`. + +Get the `Subscription` name: + +``` +kubectl get subscriptions.operators.coreos.com -n nvidia-network-operator +NAME PACKAGE SOURCE CHANNEL +nvidia-network-operator-v23-7-0-sub nvidia-network-operator nvidia-network-operator-catalog v23.7.0 +``` + +Edit the `Subscription`, and add a section `spec.config.env` with needed vars and values. +For example: + +``` +spec: + config: + env: + - name: SKIP_VALIDATIONS + value: "true" +``` \ No newline at end of file diff --git a/main.go b/main.go index 26c31712..7bdb6bcb 100644 --- a/main.go +++ b/main.go 
@@ -59,6 +59,10 @@ func init() { } func setupWebhookControllers(mgr ctrl.Manager) error { + if os.Getenv("SKIP_VALIDATIONS") == "true" { + setupLog.Info("disabling admission controller validations") + mellanoxcomv1alpha1.DisableValidations() + } if err := (&mellanoxcomv1alpha1.HostDeviceNetwork{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "HostDeviceNetwork") return err
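Review bot: `setupWebhookControllers` gains an environment-driven switch that turns every admission webhook into an unconditional allow, but the function has no doc comment and the only trace is one Info line at startup; add `// setupWebhookControllers registers the CR admission webhooks. SKIP_VALIDATIONS=true makes them admit every request unchecked; it is read once here, before the webhooks are registered.` The comparison accepts only the literal `"true"`, so `1`, `True` or `TRUE` silently keep validations on; either parse it with `strconv.ParseBool` (the import block is outside the hunk) or keep the exact-match rule and make docs/operator-bundle.md state that only `"true"` is honoured. A validation bypass logged once at Info is easy to miss in a busy log, so consider a more prominent startup message here instead of the per-request Info line each handler emits.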