add --dry-run --output opts -> modify_scc
juanvallejo committed Sep 12, 2017
1 parent d2940a1 commit 7708358
Showing 6 changed files with 98 additions and 15 deletions.
94 changes: 88 additions & 6 deletions pkg/oc/admin/policy/modify_scc.go
Expand Up @@ -8,6 +8,7 @@ import (
"github.com/spf13/cobra"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
Expand Down Expand Up @@ -40,6 +41,13 @@ type SCCModificationOptions struct {

DefaultSubjectNamespace string
Subjects []kapi.ObjectReference

IsGroup bool
DryRun bool
Output string

PrintObj func(runtime.Object) error
Out io.Writer
}

func NewCmdAddSCCToGroup(name, fullName string, f *clientcmd.Factory, out io.Writer) *cobra.Command {
Expand All @@ -50,7 +58,7 @@ func NewCmdAddSCCToGroup(name, fullName string, f *clientcmd.Factory, out io.Wri
Short: "Add groups to a security context constraint",
Long: `Add groups to a security context constraint`,
Run: func(cmd *cobra.Command, args []string) {
if err := options.CompleteGroups(f, args); err != nil {
if err := options.CompleteGroups(f, cmd, args, out); err != nil {
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error()))
}

Expand All @@ -60,6 +68,8 @@ func NewCmdAddSCCToGroup(name, fullName string, f *clientcmd.Factory, out io.Wri
},
}

kcmdutil.AddDryRunFlag(cmd)
kcmdutil.AddPrinterFlags(cmd)
return cmd
}

Expand All @@ -73,7 +83,7 @@ func NewCmdAddSCCToUser(name, fullName string, f *clientcmd.Factory, out io.Writ
Long: `Add users or serviceaccount to a security context constraint`,
Example: fmt.Sprintf(addSCCToUserExample, fullName),
Run: func(cmd *cobra.Command, args []string) {
if err := options.CompleteUsers(f, args, saNames); err != nil {
if err := options.CompleteUsers(f, cmd, args, saNames, out); err != nil {
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error()))
}

Expand All @@ -85,6 +95,8 @@ func NewCmdAddSCCToUser(name, fullName string, f *clientcmd.Factory, out io.Writ

cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user")

kcmdutil.AddDryRunFlag(cmd)
kcmdutil.AddPrinterFlags(cmd)
return cmd
}

Expand All @@ -96,7 +108,7 @@ func NewCmdRemoveSCCFromGroup(name, fullName string, f *clientcmd.Factory, out i
Short: "Remove group from scc",
Long: `Remove group from scc`,
Run: func(cmd *cobra.Command, args []string) {
if err := options.CompleteGroups(f, args); err != nil {
if err := options.CompleteGroups(f, cmd, args, out); err != nil {
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error()))
}

Expand All @@ -106,6 +118,8 @@ func NewCmdRemoveSCCFromGroup(name, fullName string, f *clientcmd.Factory, out i
},
}

kcmdutil.AddDryRunFlag(cmd)
kcmdutil.AddPrinterFlags(cmd)
return cmd
}

Expand All @@ -118,7 +132,7 @@ func NewCmdRemoveSCCFromUser(name, fullName string, f *clientcmd.Factory, out io
Short: "Remove user from scc",
Long: `Remove user from scc`,
Run: func(cmd *cobra.Command, args []string) {
if err := options.CompleteUsers(f, args, saNames); err != nil {
if err := options.CompleteUsers(f, cmd, args, saNames, out); err != nil {
kcmdutil.CheckErr(kcmdutil.UsageError(cmd, err.Error()))
}

Expand All @@ -130,21 +144,33 @@ func NewCmdRemoveSCCFromUser(name, fullName string, f *clientcmd.Factory, out io

cmd.Flags().StringSliceVarP(&saNames, "serviceaccount", "z", saNames, "service account in the current namespace to use as a user")

kcmdutil.AddDryRunFlag(cmd)
kcmdutil.AddPrinterFlags(cmd)
return cmd
}

func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, args []string, saNames []string) error {
func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, cmd *cobra.Command, args []string, saNames []string, out io.Writer) error {
if len(args) < 1 {
return errors.New("you must specify a scc")
}

o.Out = out
o.SCCName = args[0]
o.Subjects = authorizationapi.BuildSubjects(args[1:], []string{}, uservalidation.ValidateUserName, uservalidation.ValidateGroupName)

if (len(o.Subjects) == 0) && (len(saNames) == 0) {
return errors.New("you must specify at least one user or service account")
}

o.DryRun = kcmdutil.GetFlagBool(cmd, "dry-run")
o.Output = kcmdutil.GetFlagString(cmd, "output")

mapper, _ := f.Object()

o.PrintObj = func(obj runtime.Object) error {
return f.PrintObject(cmd, false, mapper, obj, out)
}

_, kc, err := f.Clients()
if err != nil {
return err
Expand All @@ -163,14 +189,26 @@ func (o *SCCModificationOptions) CompleteUsers(f *clientcmd.Factory, args []stri
return nil
}

func (o *SCCModificationOptions) CompleteGroups(f *clientcmd.Factory, args []string) error {
func (o *SCCModificationOptions) CompleteGroups(f *clientcmd.Factory, cmd *cobra.Command, args []string, out io.Writer) error {
if len(args) < 2 {
return errors.New("you must specify at least two arguments: <scc> <group> [group]...")
}

o.Out = out
o.Output = kcmdutil.GetFlagString(cmd, "output")

mapper, _ := f.Object()

o.PrintObj = func(obj runtime.Object) error {
return f.PrintObject(cmd, false, mapper, obj, out)
}

o.IsGroup = true
o.SCCName = args[0]
o.Subjects = authorizationapi.BuildSubjects([]string{}, args[1:], uservalidation.ValidateUserName, uservalidation.ValidateGroupName)

o.DryRun = kcmdutil.GetFlagBool(cmd, "dry-run")

_, kc, err := f.Clients()
if err != nil {
return err
Expand Down Expand Up @@ -198,11 +236,21 @@ func (o *SCCModificationOptions) AddSCC() error {
scc.Users = append(scc.Users, usersToAdd...)
scc.Groups = append(scc.Groups, groupsToAdd...)

if len(o.Output) > 0 && o.PrintObj != nil {
return o.PrintObj(scc)
}

if o.DryRun {
printSuccess(o.SCCName, true, o.IsGroup, users, groups, o.DryRun, o.Out)
return nil
}

_, err = o.SCCInterface.Update(scc)
if err != nil {
return err
}

printSuccess(o.SCCName, true, o.IsGroup, users, groups, o.DryRun, o.Out)
return nil
}

Expand All @@ -219,11 +267,21 @@ func (o *SCCModificationOptions) RemoveSCC() error {
scc.Users = remainingUsers
scc.Groups = remainingGroups

if len(o.Output) > 0 && o.PrintObj != nil {
return o.PrintObj(scc)
}

if o.DryRun {
printSuccess(o.SCCName, false, o.IsGroup, users, groups, o.DryRun, o.Out)
return nil
}

_, err = o.SCCInterface.Update(scc)
if err != nil {
return err
}

printSuccess(o.SCCName, false, o.IsGroup, users, groups, o.DryRun, o.Out)
return nil
}

Expand All @@ -248,3 +306,27 @@ func singleDiff(lhsSlice, rhsSlice []string) (lhsOnly []string) {

return lhsOnly
}

// prints affirmative output
func printSuccess(scc string, didAdd bool, isGroup bool, usersToAdd, groupsToAdd []string, dryRun bool, out io.Writer) {
verb := "removed from"
allTargets := fmt.Sprintf("%q", usersToAdd)
dryRunText := ""

if isGroup {
allTargets = fmt.Sprintf("%q", groupsToAdd)
}
if didAdd {
verb = "added to"
}
if isGroup {
verb += " groups"
}

msg := "scc %q %s: %s%s"
if dryRun {
dryRunText = " (dry run)"
}

fmt.Fprintf(out, msg+"\n", scc, verb, allTargets, dryRunText)
}
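Review bot: In AddSCC and RemoveSCC the new `-o` branch (`if len(o.Output) > 0 && o.PrintObj != nil { return o.PrintObj(scc) }`) returns before `o.SCCInterface.Update(scc)` whether or not `--dry-run` was given, so `add-scc-to-user -o yaml` prints the client-side edit and silently never persists the grant, while the same command without `-o` does. Unless `-o` is meant to imply a client-side dry run (in which case the flag help should say so), gate the early print on `o.DryRun` and print the object returned by `Update` when output is requested on a real run. Separately, `printSuccess` calls `fmt.Fprintf(o.Out, ...)` with no nil check, and `SCCModificationOptions` is built as a struct literal by callers (see `AddSCCToServiceAccount` in admin.go), so any caller that omits `Out` now panics on the success path; a one-line guard such as `if out == nil { return }` at the top of printSuccess would make the field optional. The doc comment `// prints affirmative output` could be replaced with one that states the contract: `// printSuccess writes the confirmation line for an add or remove to out; on removal the usersToAdd/groupsToAdd slices hold the subjects that were removed.`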
6 changes: 2 additions & 4 deletions pkg/oc/admin/policy/subject_review.go
Expand Up @@ -112,11 +112,9 @@ func (o *sccSubjectReviewOptions) Complete(f *clientcmd.Factory, args []string,
o.RESTClientFactory = f.ClientForMapping

output := kcmdutil.GetFlagString(cmd, "output")
if len(output) > 0 {
if output != "json" && output != "yaml" {
return fmt.Errorf("invalid output format %q, only yaml|json supported", output)
}
wide := len(output) > 0 && output == "wide"

if len(output) > 0 && !wide {
printer, err := f.PrinterForCommand(cmd, false, nil, kprinters.PrintOptions{})
if err != nil {
return err
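Review bot: The explicit rejection of output formats other than json/yaml is removed, so every `-o` value except `wide` is now handed to `f.PrinterForCommand`; whatever that printer accepts (names, templates, jsonpath) becomes accepted here, and the hunk does not show that the remainder of Complete handles those printers, so that should be confirmed or the old check restored before the printer lookup. The length test in `wide := len(output) > 0 && output == "wide"` is redundant, since equality with a non-empty literal already implies it: `wide := output == "wide"`. The enclosing Complete method starts and ends outside the hunk.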
6 changes: 4 additions & 2 deletions pkg/oc/bootstrap/docker/openshift/admin.go
Expand Up @@ -47,7 +47,7 @@ func (h *Helper) InstallRegistry(kubeClient kclientset.Interface, f *clientcmd.F
return errors.NewError("error retrieving docker registry service").WithCause(err).WithDetails(h.OriginLog())
}

err = AddSCCToServiceAccount(kubeClient, "privileged", "registry", "default")
err = AddSCCToServiceAccount(kubeClient, "privileged", "registry", "default", out)
if err != nil {
return errors.NewError("cannot add privileged SCC to registry service account").WithCause(err).WithDetails(h.OriginLog())
}
Expand Down Expand Up @@ -215,7 +215,7 @@ func AddRoleToServiceAccount(osClient client.Interface, role, sa, namespace stri
return addRole.AddRole()
}

func AddSCCToServiceAccount(kubeClient kclientset.Interface, scc, sa, namespace string) error {
func AddSCCToServiceAccount(kubeClient kclientset.Interface, scc, sa, namespace string, out io.Writer) error {
modifySCC := policy.SCCModificationOptions{
SCCName: scc,
SCCInterface: legacyclient.NewFromClient(kubeClient.Core().RESTClient()),
Expand All @@ -226,6 +226,8 @@ func AddSCCToServiceAccount(kubeClient kclientset.Interface, scc, sa, namespace
Kind: "ServiceAccount",
},
},

Out: out,
}
return modifySCC.AddSCC()
}
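Review bot: `AddSCCToServiceAccount` is exported and gains an `out io.Writer` parameter without a doc comment saying what is written to it or whether nil is permitted; since `AddSCC` now writes a confirmation line through `printSuccess`, that is part of the function's contract. Suggested comment above the signature: `// AddSCCToServiceAccount grants the named SCC to service account sa in namespace using kubeClient and writes a one-line confirmation to out, which must not be nil.` If nil should be tolerated instead, say so and default it inside the function.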
2 changes: 1 addition & 1 deletion pkg/oc/bootstrap/docker/openshift/ansible.go
Expand Up @@ -195,7 +195,7 @@ func (r *ansibleRunner) createServiceAccount(namespace string) error {
return errors.NewError(fmt.Sprintf("cannot create %s service account", serviceAccount.Name)).WithCause(err).WithDetails(r.Helper.OriginLog())
}
// Add privileged SCC to serviceAccount
if err = AddSCCToServiceAccount(r.KubeClient, "privileged", serviceAccount.Name, namespace); err != nil {
if err = AddSCCToServiceAccount(r.KubeClient, "privileged", serviceAccount.Name, namespace, &bytes.Buffer{}); err != nil {
return errors.NewError("cannot add privileged security context constraint to service account").WithCause(err).WithDetails(r.Helper.OriginLog())
}
return nil
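Review bot: Passing `&bytes.Buffer{}` here (and in pvsetup.go) allocates a buffer only to drop the confirmation line it collects; `ioutil.Discard` states the intent directly and, for pvsetup.go, would make the newly added `"bytes"` import unnecessary (the corresponding import change in each file is not visible in these hunks). The change would be `if err = AddSCCToServiceAccount(r.KubeClient, "privileged", serviceAccount.Name, namespace, ioutil.Discard); err != nil {`. The enclosing createServiceAccount method starts outside the hunk.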
2 changes: 1 addition & 1 deletion pkg/oc/bootstrap/docker/openshift/logging.go
Expand Up @@ -92,7 +92,7 @@ func (h *Helper) InstallLogging(f *clientcmd.Factory, publicHostname, loggerHost
}

// Add privileged SCC to aggregated-logging-fluentd sa
if err = AddSCCToServiceAccount(kubeClient, "privileged", "aggregated-logging-fluentd", loggingNamespace); err != nil {
if err = AddSCCToServiceAccount(kubeClient, "privileged", "aggregated-logging-fluentd", loggingNamespace, out); err != nil {
return errors.NewError("cannot add privileged security context constraint to logging fluentd service account").WithCause(err).WithDetails(h.OriginLog())
}

3 changes: 2 additions & 1 deletion pkg/oc/bootstrap/docker/openshift/pvsetup.go
@@ -1,6 +1,7 @@
package openshift

import (
"bytes"
"fmt"

kerrors "k8s.io/apimachinery/pkg/api/errors"
Expand Down Expand Up @@ -123,7 +124,7 @@ func (h *Helper) ensurePVInstallerSA(osclient client.Interface, kclient kclients
}
}

err = AddSCCToServiceAccount(kclient, "privileged", "pvinstaller", "default")
err = AddSCCToServiceAccount(kclient, "privileged", "pvinstaller", "default", &bytes.Buffer{})
if err != nil {
return errors.NewError("cannot add privileged SCC to pvinstaller service account").WithCause(err).WithDetails(h.OriginLog())
}
