Merge pull request #2779 from sridhartigera/openshift-egw

Fix for EGW deployment in openshift 4.13

pkg/controller/installation/core_controller.go

@@ -1353,6 +1353,7 @@ func (r *ReconcileInstallation) Reconcile(ctx context.Context, request reconcile
 		Installation: &instance.Spec,
 		Terminating:  terminating,
 		UsePSP:       r.usePSP,
+		OpenShift:    instance.Spec.KubernetesProvider == operator.ProviderOpenShift,
 	}
 	components = append(components, render.CSI(&csiCfg))
 

pkg/render/csi.go

@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	operatorv1 "github.com/tigera/operator/api/v1"
+	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/components"
 	"github.com/tigera/operator/pkg/ptr"
 	rcomp "github.com/tigera/operator/pkg/render/common/components"
@@ -46,6 +47,7 @@ type CSIConfiguration struct {
 	Installation *operatorv1.InstallationSpec
 	Terminating  bool
 	UsePSP       bool
+	OpenShift    bool
 }
 
 type csiComponent struct {
@@ -79,6 +81,18 @@ func (c *csiComponent) csiDriver() *v1.CSIDriver {
 		VolumeLifecycleModes: volumeLifecycleModes,
 	}
 
+	// Openshift 4.13, introduces CSI admission plugin. This
+	// admission plugin restricts the use of ephemeral volumes
+	// on pod admission. Adding csi-ephemeral-volume-profile to
+	// restricted lets pods use the CSI volume in namespaces which
+	// enforces restricted, baseline, privileged pod security profile.
+	// Additional information can be found here
+	// https://docs.openshift.com/container-platform/4.13/storage/container_storage_interface/ephemeral-storage-csi-inline.html
+	meta.Labels = common.MapExistsOrInitialize(meta.Labels)
+	if c.cfg.OpenShift {
+		meta.Labels["security.openshift.io/csi-ephemeral-volume-profile"] = "restricted"
+	}
+
 	return &v1.CSIDriver{
 		TypeMeta:   typeMeta,
 		ObjectMeta: meta,

pkg/render/csi_test.go

@@ -24,6 +24,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	storagev1 "k8s.io/api/storage/v1"
 
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/common"
@@ -296,4 +297,14 @@ var _ = Describe("CSI rendering tests", func() {
 		Expect(dsResource.(*appsv1.DaemonSet).Spec.Template.Spec.Containers[0].Image).To(ContainSubstring("-fips"))
 		Expect(dsResource.(*appsv1.DaemonSet).Spec.Template.Spec.Containers[1].Image).To(ContainSubstring("-fips"))
 	})
+
+	It("should render the labels when the provider is openshift", func() {
+		cfg.OpenShift = true
+		comp := render.CSI(&cfg)
+		Expect(comp.ResolveImages(nil)).To(BeNil())
+		createObjs, _ := comp.Objects()
+		dsResource := rtest.GetResource(createObjs, "csi.tigera.io", "", "storage", "v1", "CSIDriver")
+		Expect(dsResource.(*storagev1.CSIDriver).ObjectMeta.Labels["security.openshift.io/csi-ephemeral-volume-profile"]).To(Equal("restricted"))
+
+	})
 })