diff --git a/api/spod/v1alpha1/spod_types.go b/api/spod/v1alpha1/spod_types.go
index 387c512730..e4322339ad 100644
--- a/api/spod/v1alpha1/spod_types.go
+++ b/api/spod/v1alpha1/spod_types.go
@@ -295,6 +295,11 @@ type SPODSpec struct {
 // +optional
 // +kubebuilder:default="system-node-critical"
 PriorityClassName string `json:"priorityClassName,omitempty"`
+
+ // DisableOCIArtifactSignatureVerification can be used to disable OCI
+ // artifact signature verification.
+ // +optional
+ DisableOCIArtifactSignatureVerification bool `json:"disableOciArtifactSignatureVerification"`
 }
 // SPODState defines the state that the spod is in.
diff --git a/bundle/manifests/security-profiles-operator.x-k8s.io_securityprofilesoperatordaemons.yaml b/bundle/manifests/security-profiles-operator.x-k8s.io_securityprofilesoperatordaemons.yaml
index bd52a52aae..add1f2d594 100644
--- a/bundle/manifests/security-profiles-operator.x-k8s.io_securityprofilesoperatordaemons.yaml
+++ b/bundle/manifests/security-profiles-operator.x-k8s.io_securityprofilesoperatordaemons.yaml
@@ -933,6 +933,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object
+ disableOciArtifactSignatureVerification:
+ description: DisableOCIArtifactSignatureVerification can be used to
+ disable OCI artifact signature verification.
+ type: boolean
 enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance.
diff --git a/cmd/spoc/main.go b/cmd/spoc/main.go
index 5259f19f9e..55b46957be 100644
--- a/cmd/spoc/main.go
+++ b/cmd/spoc/main.go
@@ -161,6 +161,12 @@ func main() {
 Aliases: []string{"p"},
 Usage: "the platform to be used in format: os[/arch][/variant][:os_version]",
 },
+ &cli.BoolFlag{
+ Name: puller.FlagDisableSignatureVerification,
+ Aliases: []string{"s"},
+ EnvVars: []string{"DISABLE_SIGNATURE_VERIFICATION"},
+ Usage: "disable signature verification",
+ },
 },
 },
 )
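Review bot: The new field's tag `json:"disableOciArtifactSignatureVerification"` drops the `,omitempty` that the neighbouring `PriorityClassName` tag carries, although the field is marked `+optional`; for consistency use `DisableOCIArtifactSignatureVerification bool \`json:"disableOciArtifactSignatureVerification,omitempty"\``. The doc comment also omits what a reader of the CRD most needs: the default and the consequence. I would extend it to say that the check is enabled by default (zero value false) and that setting it to true makes the operator pull OCI base profiles without checking their signature, so the pulled artifact is trusted unverified. SPODSpec starts before this hunk.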
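Review bot: The new `--disable-signature-verification` flag switches off a security check, but its Usage text `"disable signature verification"` does not say what is then trusted, and the single-letter alias `-s` makes an unverified pull easy to trigger by a typo. I would write `Usage: "disable signature verification of the pulled artifact (the artifact is then trusted unverified)"` and drop the short alias so the long, explicit name is the only spelling. The env var `DISABLE_SIGNATURE_VERIFICATION` carries no tool-specific prefix; if the other env keys of this tool are prefixed (not visible here), this one should follow suit so it is not picked up from an unrelated environment. The flag definition sits inside main(), which continues outside the hunk.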
diff --git a/deploy/base-crds/crds/securityprofilesoperatordaemon.yaml b/deploy/base-crds/crds/securityprofilesoperatordaemon.yaml index eba18d6ab7..ca3b35f678 100644 --- a/deploy/base-crds/crds/securityprofilesoperatordaemon.yaml +++ b/deploy/base-crds/crds/securityprofilesoperatordaemon.yaml @@ -930,6 +930,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + disableOciArtifactSignatureVerification: + description: DisableOCIArtifactSignatureVerification can be used to + disable OCI artifact signature verification. + type: boolean enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance. diff --git a/deploy/helm/crds/crds.yaml b/deploy/helm/crds/crds.yaml index e6d9329cde..892e23e566 100644 --- a/deploy/helm/crds/crds.yaml +++ b/deploy/helm/crds/crds.yaml @@ -1506,6 +1506,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + disableOciArtifactSignatureVerification: + description: DisableOCIArtifactSignatureVerification can be used to + disable OCI artifact signature verification. + type: boolean enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance. diff --git a/deploy/namespace-operator.yaml b/deploy/namespace-operator.yaml index dff4bae741..3c9af1fd7c 100644 --- a/deploy/namespace-operator.yaml +++ b/deploy/namespace-operator.yaml @@ -1506,6 +1506,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + disableOciArtifactSignatureVerification: + description: DisableOCIArtifactSignatureVerification can be used to + disable OCI artifact signature verification. + type: boolean enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance. 
diff --git a/deploy/openshift-dev.yaml b/deploy/openshift-dev.yaml index 90a49f7db4..fbf7ac539b 100644 --- a/deploy/openshift-dev.yaml +++ b/deploy/openshift-dev.yaml @@ -1724,6 +1724,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + disableOciArtifactSignatureVerification: + description: DisableOCIArtifactSignatureVerification can be used to + disable OCI artifact signature verification. + type: boolean enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance. diff --git a/deploy/openshift-downstream.yaml b/deploy/openshift-downstream.yaml index 04a1faf1c1..bb439f0ec2 100644 --- a/deploy/openshift-downstream.yaml +++ b/deploy/openshift-downstream.yaml @@ -1506,6 +1506,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + disableOciArtifactSignatureVerification: + description: DisableOCIArtifactSignatureVerification can be used to + disable OCI artifact signature verification. + type: boolean enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance. diff --git a/deploy/operator.yaml b/deploy/operator.yaml index c70203f7ff..41601ac1cb 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml @@ -1506,6 +1506,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + disableOciArtifactSignatureVerification: + description: DisableOCIArtifactSignatureVerification can be used to + disable OCI artifact signature verification. + type: boolean enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance. diff --git a/deploy/webhook-operator.yaml b/deploy/webhook-operator.yaml index 9def6df83b..7fdd5de3d2 100644 --- a/deploy/webhook-operator.yaml +++ b/deploy/webhook-operator.yaml 
@@ -1724,6 +1724,10 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object
+ disableOciArtifactSignatureVerification:
+ description: DisableOCIArtifactSignatureVerification can be used to
+ disable OCI artifact signature verification.
+ type: boolean
 enableAppArmor: description: tells the operator whether or not to enable AppArmor support for this SPOD instance.
diff --git a/internal/pkg/artifact/artifact.go b/internal/pkg/artifact/artifact.go
index 73aeea15e1..965a0b68c2 100644
--- a/internal/pkg/artifact/artifact.go
+++ b/internal/pkg/artifact/artifact.go
@@ -242,20 +242,23 @@ func (a *Artifact) Pull(
 c context.Context,
 from, username, password string,
 platform *v1.Platform,
+ disableSignatureVerification bool,
 ) (*PullResult, error) {
 ctx, cancel := context.WithTimeout(c, defaultTimeout)
 defer cancel()
- a.logger.Info("Verifying signature")
- const all = ".*"
- v := verify.VerifyCommand{
- CertVerifyOptions: options.CertVerifyOptions{
- CertIdentityRegexp: all,
- CertOidcIssuerRegexp: all,
- },
- }
- if err := a.VerifyCmd(ctx, v, from); err != nil {
- return nil, fmt.Errorf("verify signature: %w", err)
+ if !disableSignatureVerification {
+ a.logger.Info("Verifying signature")
+ const all = ".*"
+ v := verify.VerifyCommand{
+ CertVerifyOptions: options.CertVerifyOptions{
+ CertIdentityRegexp: all,
+ CertOidcIssuerRegexp: all,
+ },
+ }
+ if err := a.VerifyCmd(ctx, v, from); err != nil {
+ return nil, fmt.Errorf("verify signature: %w", err)
+ }
 }
 dir, err := a.MkdirTemp("", "pull-")
diff --git a/internal/pkg/artifact/artifact_test.go b/internal/pkg/artifact/artifact_test.go
index 2e7f8a0ea1..0fc652c229 100644
--- a/internal/pkg/artifact/artifact_test.go
+++ b/internal/pkg/artifact/artifact_test.go
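Review bot: When `disableSignatureVerification` is true the new `if` block skips the check silently: nothing is logged on that path, so an unverified pull leaves no trace in the operator logs and cannot be told apart from a verified one afterwards. Add an `else` branch, `} else { a.logger.Info("Signature verification disabled, pulling unverified artifact", "from", from) }`, so the decision is auditable. The verify options moved into the block keep `CertIdentityRegexp` and `CertOidcIssuerRegexp` at `.*`, which accept any signer identity and issuer; that is pre-existing, but a comment next to `const all = ".*"` stating that only signature validity, not signer identity, is checked would save the next reader a trip to the cosign docs. The new parameter also deserves a line in Pull's doc comment; the signature starts before the hunk and the body continues after it.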
@@ -394,7 +394,7 @@ func TestPull(t *testing.T) {
 sut := New(logr.Discard())
 sut.impl = mock
- res, err := sut.Pull(context.Background(), "", "foo", "bar", nil)
+ res, err := sut.Pull(context.Background(), "", "foo", "bar", nil, false)
 assert(res, err)
 })
 }
diff --git a/internal/pkg/cli/puller/consts.go b/internal/pkg/cli/puller/consts.go
index 523da167cf..e7d8ca06a0 100644
--- a/internal/pkg/cli/puller/consts.go
+++ b/internal/pkg/cli/puller/consts.go
@@ -31,4 +31,8 @@ const (
 // FlagPlatform is the flag for defining the platform.
 FlagPlatform string = "platform"
+
+ // FlagDisableSignatureVerification is the flag for disabling the signature
+ // verification on pull.
+ FlagDisableSignatureVerification string = "disable-signature-verification"
 )
diff --git a/internal/pkg/cli/puller/impl.go b/internal/pkg/cli/puller/impl.go
index 3eea8328c8..837130c144 100644
--- a/internal/pkg/cli/puller/impl.go
+++ b/internal/pkg/cli/puller/impl.go
@@ -32,12 +32,16 @@ type defaultImpl struct{}
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate -header ../../../../hack/boilerplate/boilerplate.generatego.txt
 //counterfeiter:generate . impl
 type impl interface {
- Pull(string, string, string, *v1.Platform) (*artifact.PullResult, error)
+ Pull(string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)
 WriteFile(string, []byte, os.FileMode) error
 }
-func (*defaultImpl) Pull(from, username, password string, platform *v1.Platform) (*artifact.PullResult, error) {
- return artifact.New(logr.New(&cli.LogSink{})).Pull(context.Background(), from, username, password, platform)
+func (*defaultImpl) Pull(
+ from, username, password string, platform *v1.Platform, disableSignatureVerification bool,
+) (*artifact.PullResult, error) {
+ return artifact.New(logr.New(&cli.LogSink{})).Pull(
+ context.Background(), from, username, password, platform, disableSignatureVerification,
+ )
 }
 func (*defaultImpl) WriteFile(name string, data []byte, perm os.FileMode) error {
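Review bot: The updated call `sut.Pull(context.Background(), "", "foo", "bar", nil, false)` only exercises the path where verification stays on, so the new bypass has no unit test at all. Add a case that passes `true` and asserts that the verify step is never reached — with the counterfeiter fake that is presumably a call count of zero on the `VerifyCmd` fake method (name inferred from `a.VerifyCmd`, the fake is not visible here) while the pull itself still succeeds. TestPull starts before this hunk.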
diff --git a/internal/pkg/cli/puller/options.go b/internal/pkg/cli/puller/options.go
index 6feb1118cd..1f26ae6a9e 100644
--- a/internal/pkg/cli/puller/options.go
+++ b/internal/pkg/cli/puller/options.go
@@ -29,11 +29,12 @@ import (
 // Options define all possible options for the puller.
 type Options struct {
- pullFrom string
- outputFile string
- username string
- password string
- platform *v1.Platform
+ pullFrom string
+ outputFile string
+ username string
+ password string
+ platform *v1.Platform
+ disableSignatureVerification bool
 }
 // Default returns a default options instance.
@@ -64,6 +65,10 @@ func FromContext(ctx *ucli.Context) (*Options, error) {
 options.username = ctx.String(FlagUsername)
 }
+ if ctx.IsSet(FlagDisableSignatureVerification) {
+ options.disableSignatureVerification = ctx.Bool(FlagDisableSignatureVerification)
+ }
+
 options.password = os.Getenv(cli.EnvKeyPassword)
 platform, err := cli.ParsePlatform(ctx.String(FlagPlatform))
diff --git a/internal/pkg/cli/puller/options_test.go b/internal/pkg/cli/puller/options_test.go
index 293a79f759..68c1eebc89 100644
--- a/internal/pkg/cli/puller/options_test.go
+++ b/internal/pkg/cli/puller/options_test.go
@@ -29,7 +29,7 @@ func TestFromContext(t *testing.T) {
 for _, tc := range []struct {
 name string
 prepare func(*flag.FlagSet)
- assert func(error)
+ assert func(*Options, error)
 }{
 {
 name: "success",
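Review bot: The `ctx.IsSet(FlagDisableSignatureVerification)` guard around `ctx.Bool(...)` in FromContext is redundant for a boolean flag: an unset flag reads as false, which is also the field's zero value, so `options.disableSignatureVerification = ctx.Bool(FlagDisableSignatureVerification)` alone yields the same result (unless `Default()` seeds the field with true, which is not visible here). It mirrors the username handling just above, so keep the guard only if that symmetry is deliberate, and say so in a short comment. FromContext starts and ends outside the hunk.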
@@ -38,8 +38,21 @@ func TestFromContext(t *testing.T) { require.Nil(t, set.Set(FlagUsername, "username")) require.Nil(t, set.Parse([]string{"echo"})) }, - assert: func(err error) { + assert: func(opts *Options, err error) { require.NoError(t, err) + require.False(t, opts.disableSignatureVerification) + }, + }, + { + name: "success with verify signature disabled", + prepare: func(set *flag.FlagSet) { + set.Bool(FlagDisableSignatureVerification, true, "") + require.Nil(t, set.Set(FlagDisableSignatureVerification, "true")) + require.Nil(t, set.Parse([]string{"echo"})) + }, + assert: func(opts *Options, err error) { + require.NoError(t, err) + require.True(t, opts.disableSignatureVerification) }, }, { @@ -48,7 +61,7 @@ func TestFromContext(t *testing.T) { set.String(FlagOutputFile, "", "") require.Nil(t, set.Set(FlagOutputFile, "")) }, - assert: func(err error) { + assert: func(_ *Options, err error) { require.Error(t, err) }, }, @@ -59,7 +72,18 @@ func TestFromContext(t *testing.T) { require.Nil(t, set.Set(FlagOutputFile, "")) require.Nil(t, set.Parse([]string{"echo"})) }, - assert: func(err error) { + assert: func(_ *Options, err error) { + require.Error(t, err) + }, + }, + { + name: "failure parse platform", + prepare: func(set *flag.FlagSet) { + set.String(FlagPlatform, "", "") + require.Nil(t, set.Set(FlagPlatform, "os//var")) + require.Nil(t, set.Parse([]string{"echo"})) + }, + assert: func(_ *Options, err error) { require.Error(t, err) }, }, @@ -76,8 +100,8 @@ func TestFromContext(t *testing.T) { app := cli.NewApp() ctx := cli.NewContext(app, set, nil) - _, err := FromContext(ctx) - assert(err) + opts, err := FromContext(ctx) + assert(opts, err) }) } } diff --git a/internal/pkg/cli/puller/puller.go b/internal/pkg/cli/puller/puller.go index 4b41830082..d07c1d7e4a 100644 --- a/internal/pkg/cli/puller/puller.go +++ b/internal/pkg/cli/puller/puller.go 
@@ -47,6 +47,7 @@ func (p *Puller) Run() error { p.options.username, p.options.password, p.options.platform, + p.options.disableSignatureVerification, ) if err != nil { return fmt.Errorf("pull profile: %w", err) diff --git a/internal/pkg/cli/puller/pullerfakes/fake_impl.go b/internal/pkg/cli/puller/pullerfakes/fake_impl.go index 07e707e48e..1565d10be3 100644 --- a/internal/pkg/cli/puller/pullerfakes/fake_impl.go +++ b/internal/pkg/cli/puller/pullerfakes/fake_impl.go @@ -26,13 +26,14 @@ import ( ) type FakeImpl struct { - PullStub func(string, string, string, *v1.Platform) (*artifact.PullResult, error) + PullStub func(string, string, string, *v1.Platform, bool) (*artifact.PullResult, error) pullMutex sync.RWMutex pullArgsForCall []struct { arg1 string arg2 string arg3 string arg4 *v1.Platform + arg5 bool } pullReturns struct { result1 *artifact.PullResult @@ -59,7 +60,7 @@ type FakeImpl struct { invocationsMutex sync.RWMutex } -func (fake *FakeImpl) Pull(arg1 string, arg2 string, arg3 string, arg4 *v1.Platform) (*artifact.PullResult, error) { +func (fake *FakeImpl) Pull(arg1 string, arg2 string, arg3 string, arg4 *v1.Platform, arg5 bool) (*artifact.PullResult, error) { fake.pullMutex.Lock() ret, specificReturn := fake.pullReturnsOnCall[len(fake.pullArgsForCall)] fake.pullArgsForCall = append(fake.pullArgsForCall, struct { @@ -67,13 +68,14 @@ func (fake *FakeImpl) Pull(arg1 string, arg2 string, arg3 string, arg4 *v1.Platf arg2 string arg3 string arg4 *v1.Platform - }{arg1, arg2, arg3, arg4}) + arg5 bool + }{arg1, arg2, arg3, arg4, arg5}) stub := fake.PullStub fakeReturns := fake.pullReturns - fake.recordInvocation("Pull", []interface{}{arg1, arg2, arg3, arg4}) + fake.recordInvocation("Pull", []interface{}{arg1, arg2, arg3, arg4, arg5}) fake.pullMutex.Unlock() if stub != nil { - return stub(arg1, arg2, arg3, arg4) + return stub(arg1, arg2, arg3, arg4, arg5) } if specificReturn { return ret.result1, ret.result2 
@@ -87,17 +89,17 @@ func (fake *FakeImpl) PullCallCount() int { return len(fake.pullArgsForCall) } -func (fake *FakeImpl) PullCalls(stub func(string, string, string, *v1.Platform) (*artifact.PullResult, error)) { +func (fake *FakeImpl) PullCalls(stub func(string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)) { fake.pullMutex.Lock() defer fake.pullMutex.Unlock() fake.PullStub = stub } -func (fake *FakeImpl) PullArgsForCall(i int) (string, string, string, *v1.Platform) { +func (fake *FakeImpl) PullArgsForCall(i int) (string, string, string, *v1.Platform, bool) { fake.pullMutex.RLock() defer fake.pullMutex.RUnlock() argsForCall := fake.pullArgsForCall[i] - return argsForCall.arg1, argsForCall.arg2, argsForCall.arg3, argsForCall.arg4 + return argsForCall.arg1, argsForCall.arg2, argsForCall.arg3, argsForCall.arg4, argsForCall.arg5 } func (fake *FakeImpl) PullReturns(result1 *artifact.PullResult, result2 error) { diff --git a/internal/pkg/daemon/seccompprofile/impl.go b/internal/pkg/daemon/seccompprofile/impl.go index 6a23882d51..47d6b04eb8 100644 --- a/internal/pkg/daemon/seccompprofile/impl.go +++ b/internal/pkg/daemon/seccompprofile/impl.go @@ -26,7 +26,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" seccompprofileapi "sigs.k8s.io/security-profiles-operator/api/seccompprofile/v1beta1" + spodv1alpha1 "sigs.k8s.io/security-profiles-operator/api/spod/v1alpha1" "sigs.k8s.io/security-profiles-operator/internal/pkg/artifact" + "sigs.k8s.io/security-profiles-operator/internal/pkg/daemon/common" "sigs.k8s.io/security-profiles-operator/internal/pkg/daemon/metrics" ) 
@@ -35,7 +37,7 @@ type defaultImpl struct{}
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate -header ../../../../hack/boilerplate/boilerplate.generatego.txt
 //counterfeiter:generate . impl
 type impl interface {
- Pull(context.Context, logr.Logger, string, string, string, *v1.Platform) (*artifact.PullResult, error)
+ Pull(context.Context, logr.Logger, string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)
 PullResultType(*artifact.PullResult) artifact.PullResultType
 PullResultSeccompProfile(*artifact.PullResult) *seccompprofileapi.SeccompProfile
 ClientGetProfile(
@@ -43,12 +45,17 @@ type impl interface {
 ) (*seccompprofileapi.SeccompProfile, error)
 IncSeccompProfileError(*metrics.Metrics, string)
 RecordEvent(record.EventRecorder, runtime.Object, string, string, string)
+ GetSPOD(context.Context, client.Client) (*spodv1alpha1.SecurityProfilesOperatorDaemon, error)
 }
 func (*defaultImpl) Pull(
- ctx context.Context, l logr.Logger, from, _, _ string, platform *v1.Platform,
+ ctx context.Context,
+ l logr.Logger,
+ from, username, password string,
+ platform *v1.Platform,
+ disableSignatureVerification bool,
 ) (*artifact.PullResult, error) {
- return artifact.New(l).Pull(ctx, from, "", "", platform)
+ return artifact.New(l).Pull(ctx, from, username, password, platform, disableSignatureVerification)
 }
 func (*defaultImpl) PullResultType(res *artifact.PullResult) artifact.PullResultType {
@@ -76,3 +83,9 @@ func (*defaultImpl) RecordEvent(
 ) {
 r.Event(object, eventtype, reason, message)
 }
+
+func (*defaultImpl) GetSPOD(
+ ctx context.Context, cli client.Client,
+) (*spodv1alpha1.SecurityProfilesOperatorDaemon, error) {
+ return common.GetSPOD(ctx, cli)
+}
diff --git a/internal/pkg/daemon/seccompprofile/seccompprofile.go b/internal/pkg/daemon/seccompprofile/seccompprofile.go
index bd7eeac8e4..9cbdac38ff 100644
--- a/internal/pkg/daemon/seccompprofile/seccompprofile.go
+++ b/internal/pkg/daemon/seccompprofile/seccompprofile.go
@@ -51,7 +51,6 @@ import (
 "sigs.k8s.io/security-profiles-operator/internal/pkg/artifact"
 "sigs.k8s.io/security-profiles-operator/internal/pkg/config"
 "sigs.k8s.io/security-profiles-operator/internal/pkg/controller"
- "sigs.k8s.io/security-profiles-operator/internal/pkg/daemon/common"
 "sigs.k8s.io/security-profiles-operator/internal/pkg/daemon/metrics"
 "sigs.k8s.io/security-profiles-operator/internal/pkg/nodestatus"
 "sigs.k8s.io/security-profiles-operator/internal/pkg/util"
@@ -59,7 +58,7 @@ import (
 const (
 // default reconcile timeout.
- reconcileTimeout = 1 * time.Minute
+ reconcileTimeout = 5 * time.Minute
 wait = 10 * time.Second
@@ -363,11 +362,16 @@ func (r *Reconciler) resolveSyscallsForProfile(
 l.Info("Using cached base profile", "baseProfile", from)
 baseProfile = item.Value()
 } else {
+ spod, err := r.GetSPOD(ctx, r.client)
+ if err != nil {
+ return nil, fmt.Errorf("retrieving the SPOD configuration: %w", err)
+ }
+
 l.Info("Pulling base profile: " + from)
 res, err := r.Pull(ctx, l, from, "", "", &v1.Platform{
 Architecture: runtime.GOARCH,
 OS: runtime.GOOS,
- })
+ }, spod.Spec.DisableOCIArtifactSignatureVerification)
 if err != nil {
 l.Error(err, "cannot pull base profile "+baseProfileName)
 r.IncSeccompProfileError(r.metrics, reasonCannotPullProfile)
@@ -571,7 +575,7 @@ func (r *Reconciler) handleDeletion(sp *seccompprofileapi.SeccompProfile) error
 }
 func (r *Reconciler) validateProfile(ctx context.Context, profile *seccompprofileapi.SeccompProfile) error {
- spod, err := common.GetSPOD(ctx, r.client)
+ spod, err := r.GetSPOD(ctx, r.client)
 if err != nil {
 return fmt.Errorf("retrieving the SPOD configuration: %w", err)
 }
diff --git a/internal/pkg/daemon/seccompprofile/seccompprofile_test.go b/internal/pkg/daemon/seccompprofile/seccompprofile_test.go
index 3159fe3910..62332c8aa9 100644
--- a/internal/pkg/daemon/seccompprofile/seccompprofile_test.go
+++ b/internal/pkg/daemon/seccompprofile/seccompprofile_test.go
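Review bot: `reconcileTimeout = 5 * time.Minute` quintuples the reconcile budget while the comment above it still reads only `// default reconcile timeout.`, and nothing in the diff says why; presumably it is to cover an OCI pull plus signature verification inside a reconcile, but a later reader cannot tell. Put the reason in the comment, e.g. `// default reconcile timeout; generous because a reconcile may pull and verify an OCI base profile.`, or split the change into its own commit.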
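Review bot: The log line `l.Info("Pulling base profile: " + from)` now precedes a pull whose verification may be switched off, yet the SPOD setting that decides it is not logged, so an operator reading the daemon logs cannot see whether a base profile was accepted unverified. Log it as a key/value, `l.Info("Pulling base profile", "baseProfile", from, "signatureVerificationDisabled", spod.Spec.DisableOCIArtifactSignatureVerification)`, which also matches the structured form of the `Using cached base profile` line above. Note too that the setting is read only on a cache miss and the cached profile is reused regardless of how it was obtained, which is reasonable but deserves a one-line comment at the cache lookup. resolveSyscallsForProfile starts and ends outside the hunk.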
@@ -758,6 +758,8 @@ func TestResolveSyscallsForProfile(t *testing.T) { t.Parallel() mock := &seccompprofilefakes.FakeImpl{} + mock.GetSPODReturns(&spodapi.SecurityProfilesOperatorDaemon{}, nil) + sp := prepare(mock) sut, ok := NewController().(*Reconciler) diff --git a/internal/pkg/daemon/seccompprofile/seccompprofilefakes/fake_impl.go b/internal/pkg/daemon/seccompprofile/seccompprofilefakes/fake_impl.go index d417f2d4e7..ab475fcf05 100644 --- a/internal/pkg/daemon/seccompprofile/seccompprofilefakes/fake_impl.go +++ b/internal/pkg/daemon/seccompprofile/seccompprofilefakes/fake_impl.go @@ -28,6 +28,7 @@ import ( "k8s.io/client-go/tools/record" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/security-profiles-operator/api/seccompprofile/v1beta1" + "sigs.k8s.io/security-profiles-operator/api/spod/v1alpha1" "sigs.k8s.io/security-profiles-operator/internal/pkg/artifact" "sigs.k8s.io/security-profiles-operator/internal/pkg/daemon/metrics" ) @@ -49,13 +50,27 @@ type FakeImpl struct { result1 *v1beta1.SeccompProfile result2 error } + GetSPODStub func(context.Context, client.Client) (*v1alpha1.SecurityProfilesOperatorDaemon, error) + getSPODMutex sync.RWMutex + getSPODArgsForCall []struct { + arg1 context.Context + arg2 client.Client + } + getSPODReturns struct { + result1 *v1alpha1.SecurityProfilesOperatorDaemon + result2 error + } + getSPODReturnsOnCall map[int]struct { + result1 *v1alpha1.SecurityProfilesOperatorDaemon + result2 error + } IncSeccompProfileErrorStub func(*metrics.Metrics, string) incSeccompProfileErrorMutex sync.RWMutex incSeccompProfileErrorArgsForCall []struct { arg1 *metrics.Metrics arg2 string } - PullStub func(context.Context, logr.Logger, string, string, string, *v1.Platform) (*artifact.PullResult, error) + PullStub func(context.Context, logr.Logger, string, string, string, *v1.Platform, bool) (*artifact.PullResult, error) pullMutex sync.RWMutex pullArgsForCall []struct { arg1 context.Context 
@@ -64,6 +79,7 @@ type FakeImpl struct { arg4 string arg5 string arg6 *v1.Platform + arg7 bool } pullReturns struct { result1 *artifact.PullResult 
@@ -175,6 +191,71 @@ func (fake *FakeImpl) ClientGetProfileReturnsOnCall(i int, result1 *v1beta1.Secc }{result1, result2} } +func (fake *FakeImpl) GetSPOD(arg1 context.Context, arg2 client.Client) (*v1alpha1.SecurityProfilesOperatorDaemon, error) { + fake.getSPODMutex.Lock() + ret, specificReturn := fake.getSPODReturnsOnCall[len(fake.getSPODArgsForCall)] + fake.getSPODArgsForCall = append(fake.getSPODArgsForCall, struct { + arg1 context.Context + arg2 client.Client + }{arg1, arg2}) + stub := fake.GetSPODStub + fakeReturns := fake.getSPODReturns + fake.recordInvocation("GetSPOD", []interface{}{arg1, arg2}) + fake.getSPODMutex.Unlock() + if stub != nil { + return stub(arg1, arg2) + } + if specificReturn { + return ret.result1, ret.result2 + } + return fakeReturns.result1, fakeReturns.result2 +} + +func (fake *FakeImpl) GetSPODCallCount() int { + fake.getSPODMutex.RLock() + defer fake.getSPODMutex.RUnlock() + return len(fake.getSPODArgsForCall) +} + +func (fake *FakeImpl) GetSPODCalls(stub func(context.Context, client.Client) (*v1alpha1.SecurityProfilesOperatorDaemon, error)) { + fake.getSPODMutex.Lock() + defer fake.getSPODMutex.Unlock() + fake.GetSPODStub = stub +} + +func (fake *FakeImpl) GetSPODArgsForCall(i int) (context.Context, client.Client) { + fake.getSPODMutex.RLock() + defer fake.getSPODMutex.RUnlock() + argsForCall := fake.getSPODArgsForCall[i] + return argsForCall.arg1, argsForCall.arg2 +} + +func (fake *FakeImpl) GetSPODReturns(result1 *v1alpha1.SecurityProfilesOperatorDaemon, result2 error) { + fake.getSPODMutex.Lock() + defer fake.getSPODMutex.Unlock() + fake.GetSPODStub = nil + fake.getSPODReturns = struct { + result1 *v1alpha1.SecurityProfilesOperatorDaemon + result2 error + }{result1, result2} +} + +func (fake *FakeImpl) GetSPODReturnsOnCall(i int, result1 *v1alpha1.SecurityProfilesOperatorDaemon, result2 error) { + fake.getSPODMutex.Lock() + defer fake.getSPODMutex.Unlock() + fake.GetSPODStub = nil + if fake.getSPODReturnsOnCall == nil { + 
fake.getSPODReturnsOnCall = make(map[int]struct { + result1 *v1alpha1.SecurityProfilesOperatorDaemon + result2 error + }) + } + fake.getSPODReturnsOnCall[i] = struct { + result1 *v1alpha1.SecurityProfilesOperatorDaemon + result2 error + }{result1, result2} +} + func (fake *FakeImpl) IncSeccompProfileError(arg1 *metrics.Metrics, arg2 string) { fake.incSeccompProfileErrorMutex.Lock() fake.incSeccompProfileErrorArgsForCall = append(fake.incSeccompProfileErrorArgsForCall, struct { @@ -208,7 +289,7 @@ func (fake *FakeImpl) IncSeccompProfileErrorArgsForCall(i int) (*metrics.Metrics return argsForCall.arg1, argsForCall.arg2 } -func (fake *FakeImpl) Pull(arg1 context.Context, arg2 logr.Logger, arg3 string, arg4 string, arg5 string, arg6 *v1.Platform) (*artifact.PullResult, error) { +func (fake *FakeImpl) Pull(arg1 context.Context, arg2 logr.Logger, arg3 string, arg4 string, arg5 string, arg6 *v1.Platform, arg7 bool) (*artifact.PullResult, error) { fake.pullMutex.Lock() ret, specificReturn := fake.pullReturnsOnCall[len(fake.pullArgsForCall)] fake.pullArgsForCall = append(fake.pullArgsForCall, struct { @@ -218,13 +299,14 @@ func (fake *FakeImpl) Pull(arg1 context.Context, arg2 logr.Logger, arg3 string, arg4 string arg5 string arg6 *v1.Platform - }{arg1, arg2, arg3, arg4, arg5, arg6}) + arg7 bool + }{arg1, arg2, arg3, arg4, arg5, arg6, arg7}) stub := fake.PullStub fakeReturns := fake.pullReturns - fake.recordInvocation("Pull", []interface{}{arg1, arg2, arg3, arg4, arg5, arg6}) + fake.recordInvocation("Pull", []interface{}{arg1, arg2, arg3, arg4, arg5, arg6, arg7}) fake.pullMutex.Unlock() if stub != nil { - return stub(arg1, arg2, arg3, arg4, arg5, arg6) + return stub(arg1, arg2, arg3, arg4, arg5, arg6, arg7) } if specificReturn { return ret.result1, ret.result2 
@@ -238,17 +320,17 @@ func (fake *FakeImpl) PullCallCount() int { return len(fake.pullArgsForCall) } -func (fake *FakeImpl) PullCalls(stub func(context.Context, logr.Logger, string, string, string, *v1.Platform) (*artifact.PullResult, error)) { +func (fake *FakeImpl) PullCalls(stub func(context.Context, logr.Logger, string, string, string, *v1.Platform, bool) (*artifact.PullResult, error)) { fake.pullMutex.Lock() defer fake.pullMutex.Unlock() fake.PullStub = stub } -func (fake *FakeImpl) PullArgsForCall(i int) (context.Context, logr.Logger, string, string, string, *v1.Platform) { +func (fake *FakeImpl) PullArgsForCall(i int) (context.Context, logr.Logger, string, string, string, *v1.Platform, bool) { fake.pullMutex.RLock() defer fake.pullMutex.RUnlock() argsForCall := fake.pullArgsForCall[i] - return argsForCall.arg1, argsForCall.arg2, argsForCall.arg3, argsForCall.arg4, argsForCall.arg5, argsForCall.arg6 + return argsForCall.arg1, argsForCall.arg2, argsForCall.arg3, argsForCall.arg4, argsForCall.arg5, argsForCall.arg6, argsForCall.arg7 } func (fake *FakeImpl) PullReturns(result1 *artifact.PullResult, result2 error) { @@ -440,6 +522,8 @@ func (fake *FakeImpl) Invocations() map[string][][]interface{} { defer fake.invocationsMutex.RUnlock() fake.clientGetProfileMutex.RLock() defer fake.clientGetProfileMutex.RUnlock() + fake.getSPODMutex.RLock() + defer fake.getSPODMutex.RUnlock() fake.incSeccompProfileErrorMutex.RLock() defer fake.incSeccompProfileErrorMutex.RUnlock() fake.pullMutex.RLock() diff --git a/internal/pkg/manager/spod/bindata/spod.go b/internal/pkg/manager/spod/bindata/spod.go index 917e251bde..b2599b9f9b 100644 --- a/internal/pkg/manager/spod/bindata/spod.go +++ b/internal/pkg/manager/spod/bindata/spod.go @@ -111,6 +111,7 @@ var DefaultSPOD = &spodv1alpha1.SecurityProfilesOperatorDaemon{ Effect: corev1.TaintEffectNoExecute, }, }, + DisableOCIArtifactSignatureVerification: false, }, } 
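Review bot: `DisableOCIArtifactSignatureVerification: false` in DefaultSPOD spells out the zero value, which reads as an accidental no-op unless its purpose is stated; keep it, since it documents the secure default at the one place defaults are declared, but add the why-comment `// Signature verification stays on unless explicitly disabled.` above the line. DefaultSPOD starts before this hunk.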
@@ -369,7 +370,7 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 },
 },
 {
- Name: "OPERATOR_NAMESPACE",
+ Name: config.OperatorNamespaceEnvKey,
 ValueFrom: &corev1.EnvVarSource{
 FieldRef: &corev1.ObjectFieldSelector{
 FieldPath: "metadata.namespace",
diff --git a/internal/pkg/manager/spod/bindata/webhook.go b/internal/pkg/manager/spod/bindata/webhook.go
index 2c779f10e3..1e2c4a2224 100644
--- a/internal/pkg/manager/spod/bindata/webhook.go
+++ b/internal/pkg/manager/spod/bindata/webhook.go
@@ -341,7 +341,7 @@ var webhookDeployment = &appsv1.Deployment{
 },
 Env: []corev1.EnvVar{
 {
- Name: "OPERATOR_NAMESPACE",
+ Name: config.OperatorNamespaceEnvKey,
 ValueFrom: &corev1.EnvVarSource{
 FieldRef: &corev1.ObjectFieldSelector{
 FieldPath: "metadata.namespace",
diff --git a/test/tc_base_profiles_oci_test.go b/test/tc_base_profiles_oci_test.go
index c93e5b496c..476afe6c2e 100644
--- a/test/tc_base_profiles_oci_test.go
+++ b/test/tc_base_profiles_oci_test.go
@@ -26,6 +26,14 @@ import (
 func (e *e2e) testCaseBaseProfileOCI([]string) {
 e.seccompOnlyTestCase()
+ e.kubectlOperatorNS(
+ "patch", "spod", "spod",
+ "-p", `{"spec":{"disableOciArtifactSignatureVerification": true}}`,
+ "--type=merge",
+ )
+ time.Sleep(defaultWaitTime)
+ e.waitInOperatorNSFor("condition=ready", "spod", "spod")
+
 baseProfileName := "oci://ghcr.io/security-profiles/"
 if clusterType == clusterTypeVanilla && e.containerRuntime != containerRuntimeDocker {
@@ -84,6 +92,8 @@ spec:
 e.logf("Waiting for profile to be reconciled")
 e.waitFor("condition=ready", "sp", "hello")
+ e.kubectlOperatorNS("logs", "-l", "name=spod")
+
 e.logf("Creating hello-world pod")
 helloPodFile, err := os.CreateTemp("", "hello-pod*.yaml")
 e.Nil(err)
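Review bot: The e2e case now patches the SPOD with `disableOciArtifactSignatureVerification: true` before pulling, so end-to-end coverage of the verified path is gone: nothing in this test still shows that a signed base profile is pulled with verification on, or that an unsigned one is rejected. The patch is also never reverted, so later cases in the same run inherit the weakened SPOD unless the suite recreates it (not visible here); a deferred patch back to `false` at the top of the function would restore it. The fixed `time.Sleep(defaultWaitTime)` before `waitInOperatorNSFor` is a timing guess the wait already covers, and the `kubectlOperatorNS("logs", "-l", "name=spod")` added in the second hunk dumps logs on every run rather than only on failure. testCaseBaseProfileOCI continues past both hunks.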