Merge pull request #19610 from nak3/diag-scc

diagnostics: Support oc adm diagnostics securitycontextconstraints
openshift · Jul 13, 2018 · a8ae00e · a8ae00e
2 parents ee1e9b7 + f8e2742
commit a8ae00e
Show file tree

Hide file tree

Showing 7 changed files with 204 additions and 0 deletions.
diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc
diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc
diff --git a/docs/man/man1/.files_generated_oc b/docs/man/man1/.files_generated_oc
diff --git a/docs/man/man1/oc-adm-diagnostics-securitycontextconstraints.1 b/docs/man/man1/oc-adm-diagnostics-securitycontextconstraints.1
diff --git a/docs/man/man1/oc-ex-diagnostics-securitycontextconstraints.1 b/docs/man/man1/oc-ex-diagnostics-securitycontextconstraints.1
diff --git a/pkg/oc/admin/diagnostics/cluster.go b/pkg/oc/admin/diagnostics/cluster.go
@@ -37,6 +37,7 @@ func availableClusterDiagnostics() types.DiagnosticList {
 		&clustdiags.ClusterRouter{},
 		&clustdiags.ClusterRoles{},
 		&clustdiags.ClusterRoleBindings{},
+		&clustdiags.SCC{},
 		&clustdiags.MasterNode{},
 		&clustdiags.MetricsApiProxy{},
 		&clustdiags.NodeDefinitions{},
@@ -132,6 +133,8 @@ func (o DiagnosticsOptions) buildClusterDiagnostics(rawConfig *clientcmdapi.Conf
 			d = &clustdiags.ClusterRoles{ClusterRolesClient: kubeClient.RbacV1().ClusterRoles(), SARClient: kclusterClient.Authorization()}
 		case clustdiags.ClusterRoleBindingsName:
 			d = &clustdiags.ClusterRoleBindings{ClusterRoleBindingsClient: kubeClient.RbacV1().ClusterRoleBindings(), SARClient: kclusterClient.Authorization()}
+		case clustdiags.SccName:
+			d = &clustdiags.SCC{SCCClient: securityClient.Security().SecurityContextConstraints(), SARClient: kclusterClient.Authorization()}
 		case clustdiags.MetricsApiProxyName:
 			d = &clustdiags.MetricsApiProxy{KubeClient: kclusterClient}
 		case clustdiags.ServiceExternalIPsName:

diff --git a/pkg/oc/admin/diagnostics/diagnostics/cluster/scc.go b/pkg/oc/admin/diagnostics/diagnostics/cluster/scc.go
@@ -0,0 +1,95 @@
+package cluster
+
+import (
+	"fmt"
+	"io/ioutil"
+
+	kerrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/pkg/apis/authorization"
+	authorizationtypedclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
+
+	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+	"github.com/openshift/origin/pkg/oc/admin/diagnostics/diagnostics/types"
+	"github.com/openshift/origin/pkg/oc/admin/diagnostics/diagnostics/util"
+	policycmd "github.com/openshift/origin/pkg/oc/admin/policy"
+	securityapi "github.com/openshift/origin/pkg/security/apis/security"
+	securitytypedclient "github.com/openshift/origin/pkg/security/generated/internalclientset/typed/security/internalversion"
+)
+
+// SCC is a Diagnostic to check that the default securitycontextconstraints are present and contain the expected permissions.
+type SCC struct {
+	SCCClient securitytypedclient.SecurityContextConstraintsInterface
+	SARClient authorizationtypedclient.SelfSubjectAccessReviewsGetter
+}
+
+const SccName = "SecurityContextConstraints"
+
+func (d *SCC) Name() string {
+	return SccName
+}
+
+func (d *SCC) Description() string {
+	return "Check that the default SecurityContextConstraints are present and contain the expected permissions"
+}
+
+func (d *SCC) Requirements() (client bool, host bool) {
+	return true, false
+}
+
+func (d *SCC) CanRun() (bool, error) {
+	if d.SARClient == nil {
+		return false, fmt.Errorf("must have client.SubjectAccessReviews")
+	}
+
+	return util.UserCan(d.SARClient, &authorization.ResourceAttributes{
+		Verb:     "list",
+		Group:    securityapi.GroupName,
+		Resource: "securitycontextconstraints",
+	})
+}
+
+func (d *SCC) Check() types.DiagnosticResult {
+	r := types.NewDiagnosticResult(SccName)
+	reconcileOptions := &policycmd.ReconcileSCCOptions{
+		Confirmed:      false,
+		Union:          true,
+		Out:            ioutil.Discard,
+		SCCClient:      d.SCCClient,
+		InfraNamespace: bootstrappolicy.DefaultOpenShiftInfraNamespace,
+	}
+
+	changedSCCs, err := reconcileOptions.ChangedSCCs()
+	if err != nil {
+		r.Error("CSD1000", err, fmt.Sprintf("Error inspecting SCCs: %v", err))
+		return r
+	}
+	changedSCCNames := map[string]bool{}
+	for _, changedSCC := range changedSCCs {
+		_, err := d.SCCClient.Get(changedSCC.Name, metav1.GetOptions{})
+		if kerrs.IsNotFound(err) {
+			r.Error("CSD1001", nil, fmt.Sprintf("scc/%s is missing.\n\nUse the `oc adm policy reconcile-sccs` command to recreate sccs.", changedSCC.Name))
+			continue
+		}
+		if err != nil {
+			r.Error("CSD1002", err, fmt.Sprintf("Unable to get scc/%s: %v", changedSCC.Name, err))
+			continue
+		}
+		r.Warn("CSD1003", nil, fmt.Sprintf("scc/%s will be reconciled. Use the `oc adm policy reconcile-sccs` command to check sccs.", changedSCC.Name))
+		changedSCCNames[changedSCC.Name] = true
+	}
+
+	// Including non-additive SCCs, but output messages with debug level.
+	reconcileOptions.Union = false
+	changedSCCs, err = reconcileOptions.ChangedSCCs()
+	if err != nil {
+		r.Error("CSD1000", err, fmt.Sprintf("Error inspecting SCCs: %v", err))
+		return r
+	}
+	for _, changedSCC := range changedSCCs {
+		if !changedSCCNames[changedSCC.Name] {
+			r.Debug("CSD1004", fmt.Sprintf("scc/%s does not match defaults. Use the `oc adm policy reconcile-sccs --additive-only=false` command to check sccs.", changedSCC.Name))
+		}
+	}
+	return r
+}