Add PSA file to API

Signed-off-by: Alexandr Demicev <alexandr.demicev@suse.com>
rancher · Oct 22, 2024 · da2bcd3 · da2bcd3
1 parent c42dfc8
commit da2bcd3
Show file tree

Hide file tree

Showing 9 changed files with 72 additions and 29 deletions.
diff --git a/bootstrap/api/v1alpha1/conversion.go b/bootstrap/api/v1alpha1/conversion.go
@@ -47,6 +47,10 @@ func (src *RKE2Config) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.AgentConfig.AirGappedChecksum = restored.Spec.AgentConfig.AirGappedChecksum
 	}
 
+	if restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+		dst.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+	}
+
 	return nil
 }
 
@@ -102,6 +106,10 @@ func (src *RKE2ConfigTemplate) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.Template.Spec.AgentConfig.AirGappedChecksum = restored.Spec.Template.Spec.AgentConfig.AirGappedChecksum
 	}
 
+	if restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+		dst.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+	}
+
 	return nil
 }
 

diff --git a/bootstrap/api/v1alpha1/zz_generated.conversion.go b/bootstrap/api/v1alpha1/zz_generated.conversion.go
diff --git a/bootstrap/api/v1beta1/rke2config_types.go b/bootstrap/api/v1beta1/rke2config_types.go
@@ -106,6 +106,11 @@ type RKE2AgentConfig struct {
 	//+optional
 	CISProfile CISProfile `json:"cisProfile,omitempty"`
 
+	// PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+	// spec.Files field.
+	//+optional
+	PodSecurityAdmissionConfigFile string `json:"podSecurityAdmissionConfigFile,omitempty"`
+
 	// ResolvConf is a reference to a ConfigMap containing resolv.conf content for the node.
 	//+optional
 	ResolvConf *corev1.ObjectReference `json:"resolvConf,omitempty"`

diff --git a/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configs.yaml b/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configs.yaml
@@ -834,6 +834,11 @@ spec:
                           type: string
                         type: array
                     type: object
+                  podSecurityAdmissionConfigFile:
+                    description: |-
+                      PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+                      spec.Files field.
+                    type: string
                   protectKernelDefaults:
                     description: |-
                       ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.

diff --git a/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configtemplates.yaml b/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configtemplates.yaml
@@ -817,6 +817,11 @@ spec:
                                   type: string
                                 type: array
                             type: object
+                          podSecurityAdmissionConfigFile:
+                            description: |-
+                              PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+                              spec.Files field.
+                            type: string
                           protectKernelDefaults:
                             description: |-
                               ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.

diff --git a/controlplane/api/v1alpha1/conversion.go b/controlplane/api/v1alpha1/conversion.go
@@ -22,8 +22,8 @@ import (
 	apiconversion "k8s.io/apimachinery/pkg/conversion"
 	utilconversion "sigs.k8s.io/cluster-api/util/conversion"
 
-	bootstrapv1beta1 "github.com/rancher/cluster-api-provider-rke2/bootstrap/api/v1beta1"
 	bootstrapv1alpha1 "github.com/rancher/cluster-api-provider-rke2/bootstrap/api/v1alpha1"
+	bootstrapv1beta1 "github.com/rancher/cluster-api-provider-rke2/bootstrap/api/v1beta1"
 	controlplanev1 "github.com/rancher/cluster-api-provider-rke2/controlplane/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
 )
@@ -53,6 +53,10 @@ func (src *RKE2ControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.AgentConfig.AirGappedChecksum = restored.Spec.AgentConfig.AirGappedChecksum
 	}
 
+	if restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+		dst.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+	}
+
 	dst.Spec.MachineTemplate = restored.Spec.MachineTemplate
 	dst.Status = restored.Status
 
@@ -125,6 +129,10 @@ func (src *RKE2ControlPlaneTemplate) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.Template.Spec.AgentConfig.AirGappedChecksum = restored.Spec.Template.Spec.AgentConfig.AirGappedChecksum
 	}
 
+	if restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+		dst.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+	}
+
 	dst.Spec.Template = restored.Spec.Template
 	dst.Status = restored.Status
 
@@ -206,9 +214,9 @@ func Convert_v1beta1_RKE2ControlPlaneStatus_To_v1alpha1_RKE2ControlPlaneTemplate
 }
 
 func Convert_v1beta1_RKE2ConfigSpec_To_v1alpha1_RKE2ConfigSpec(in *bootstrapv1beta1.RKE2ConfigSpec, out *bootstrapv1alpha1.RKE2ConfigSpec, s apiconversion.Scope) error {
-        return bootstrapv1alpha1.Convert_v1beta1_RKE2ConfigSpec_To_v1alpha1_RKE2ConfigSpec(in, out, s)
+	return bootstrapv1alpha1.Convert_v1beta1_RKE2ConfigSpec_To_v1alpha1_RKE2ConfigSpec(in, out, s)
 }
 
 func Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in *bootstrapv1alpha1.RKE2ConfigSpec, out *bootstrapv1beta1.RKE2ConfigSpec, s apiconversion.Scope) error {
-        return bootstrapv1alpha1.Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in, out, s)
+	return bootstrapv1alpha1.Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in, out, s)
 }
diff --git a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml
@@ -1479,6 +1479,11 @@ spec:
                           type: string
                         type: array
                     type: object
+                  podSecurityAdmissionConfigFile:
+                    description: |-
+                      PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+                      spec.Files field.
+                    type: string
                   protectKernelDefaults:
                     description: |-
                       ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.

diff --git a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml
@@ -309,6 +309,11 @@ spec:
                                   type: string
                                 type: array
                             type: object
+                          podSecurityAdmissionConfigFile:
+                            description: |-
+                              PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+                              spec.Files field.
+                            type: string
                           protectKernelDefaults:
                             description: |-
                               ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.

diff --git a/pkg/rke2/config.go b/pkg/rke2/config.go
@@ -368,34 +368,34 @@ func newRKE2ServerConfig(opts ServerConfigOpts) (*ServerConfig, []bootstrapv1.Fi
 }
 
 type rke2AgentConfig struct {
-	ContainerRuntimeEndpoint      string            `json:"container-runtime-endpoint,omitempty"`
-	CloudProviderConfig           string            `json:"cloud-provider-config,omitempty"`
-	CloudProviderName             string            `json:"cloud-provider-name,omitempty"`
-	DataDir                       string            `json:"data-dir,omitempty"`
-	ImageCredentialProviderConfig string            `json:"image-credential-provider-config,omitempty"`
-	ImageCredentialProviderBinDir string            `json:"image-credential-provider-bin-dir,omitempty"`
-	KubeProxyArgs                 []string          `json:"kube-proxy-arg,omitempty"`
-	KubeProxyExtraEnv             map[string]string `json:"kube-proxy-extra-env,omitempty"`
-	KubeProxyExtraMounts          map[string]string `json:"kube-proxy-extra-mount,omitempty"`
-	KubeProxyImage                string            `json:"kube-proxy-image,omitempty"`
-	KubeletArgs                   []string          `json:"kubelet-arg,omitempty"`
-	KubeletPath                   string            `json:"kubelet-path,omitempty"`
-	LbServerPort                  int               `json:"lb-server-port,omitempty"`
-	NodeLabels                    []string          `json:"node-label,omitempty"`
-	NodeTaints                    []string          `json:"node-taint,omitempty"`
-	Profile                       string            `json:"profile,omitempty"`
-	ProtectKernelDefaults         bool              `json:"protect-kernel-defaults,omitempty"`
-	ResolvConf                    string            `json:"resolv-conf,omitempty"`
-	RuntimeImage                  string            `json:"runtime-image,omitempty"`
-	Selinux                       bool              `json:"selinux,omitempty"`
-	Server                        string            `json:"server,omitempty"`
-	Snapshotter                   string            `json:"snapshotter,omitempty"`
-	Token                         string            `json:"token,omitempty"`
+	ContainerRuntimeEndpoint       string            `json:"container-runtime-endpoint,omitempty"`
+	CloudProviderConfig            string            `json:"cloud-provider-config,omitempty"`
+	CloudProviderName              string            `json:"cloud-provider-name,omitempty"`
+	DataDir                        string            `json:"data-dir,omitempty"`
+	ImageCredentialProviderConfig  string            `json:"image-credential-provider-config,omitempty"`
+	ImageCredentialProviderBinDir  string            `json:"image-credential-provider-bin-dir,omitempty"`
+	KubeProxyArgs                  []string          `json:"kube-proxy-arg,omitempty"`
+	KubeProxyExtraEnv              map[string]string `json:"kube-proxy-extra-env,omitempty"`
+	KubeProxyExtraMounts           map[string]string `json:"kube-proxy-extra-mount,omitempty"`
+	KubeProxyImage                 string            `json:"kube-proxy-image,omitempty"`
+	KubeletArgs                    []string          `json:"kubelet-arg,omitempty"`
+	KubeletPath                    string            `json:"kubelet-path,omitempty"`
+	LbServerPort                   int               `json:"lb-server-port,omitempty"`
+	NodeLabels                     []string          `json:"node-label,omitempty"`
+	NodeTaints                     []string          `json:"node-taint,omitempty"`
+	Profile                        string            `json:"profile,omitempty"`
+	ProtectKernelDefaults          bool              `json:"protect-kernel-defaults,omitempty"`
+	PodSecurityAdmissionConfigFile string            `json:"pod-security-admission-config-file,omitempty"` // new flag, not present in the RKE2 docs yet
+	ResolvConf                     string            `json:"resolv-conf,omitempty"`
+	RuntimeImage                   string            `json:"runtime-image,omitempty"`
+	Selinux                        bool              `json:"selinux,omitempty"`
+	Server                         string            `json:"server,omitempty"`
+	Snapshotter                    string            `json:"snapshotter,omitempty"`
+	Token                          string            `json:"token,omitempty"`
 
 	// We don't expose these in the API
-	PauseImage                     string `json:"pause-image,omitempty"`
-	PodSecurityAdmissionConfigFile string `json:"pod-security-admission-config-file,omitempty"` // new flag, not present in the RKE2 docs yet
-	PrivateRegistry                string `json:"private-registry,omitempty"`
+	PauseImage      string `json:"pause-image,omitempty"`
+	PrivateRegistry string `json:"private-registry,omitempty"`
 
 	NodeExternalIp string `json:"node-external-ip,omitempty"`
 	NodeIp         string `json:"node-ip,omitempty"`
@@ -501,6 +501,7 @@ func newRKE2AgentConfig(opts AgentConfigOpts) (*rke2AgentConfig, []bootstrapv1.F
 	rke2AgentConfig.NodeLabels = opts.AgentConfig.NodeLabels
 	rke2AgentConfig.NodeTaints = opts.AgentConfig.NodeTaints
 	rke2AgentConfig.ProtectKernelDefaults = opts.AgentConfig.ProtectKernelDefaults
+	rke2AgentConfig.PodSecurityAdmissionConfigFile = opts.AgentConfig.PodSecurityAdmissionConfigFile
 
 	if opts.AgentConfig.ResolvConf != nil {
 		resolvConfCM := &corev1.ConfigMap{}