Handle SCC annotations in namespaces

Several annotations relating to SCCs are automatically populated on
namespaces by OpenShift when they are empty. Previously, applying
annotations to a namespace via a mustonlyhave policy was then causing
those values to be removed and then be set again, interfering with
workloads in that namespace. Now these annotations are specially handled
to avoid this. SCC annotations set explicitly in the policy will still
be checked correctly.

Refs:
 - https://issues.redhat.com/browse/ACM-12507

Signed-off-by: Justin Kulikauskas <[email protected]>
(cherry picked from commit 1027df9)

Author: JustinKuli

controllers/configurationpolicy_controller.go

@@ -2488,9 +2488,14 @@ func handleSingleKey(
 	}
 
 	if key == "metadata" {
-		// filter out autogenerated annotations that have caused compare issues in the past
+		isNamespace := desiredObj.GroupVersionKind() == namespaceGVK
+
+		// metadata has some special cases that need to be considered
 		mergedValue, existingValue = fmtMetadataForCompare(
-			mergedValue.(map[string]interface{}), existingValue.(map[string]interface{}))
+			mergedValue.(map[string]interface{}),
+			existingValue.(map[string]interface{}),
+			isNamespace,
+		)
 	}
 
 	if key == "stringData" && existingObj.GetKind() == "Secret" {

controllers/configurationpolicy_utils.go

@@ -394,36 +394,49 @@ func formatMetadata(metadata map[string]interface{}) (formatted map[string]inter
 }
 
 func fmtMetadataForCompare(
-	metadataTemp, metadataExisting map[string]interface{},
-) (formatted, formattedExisting map[string]interface{}) {
-	mdTemp := map[string]interface{}{}
-	mdExisting := map[string]interface{}{}
+	merged, existing map[string]interface{}, keepSCC bool,
+) (formattedMerged, formattedExisting map[string]interface{}) {
+	formattedMerged = formatMetadata(merged)
+	formattedExisting = formatMetadata(existing)
 
-	if labelsTemp, ok := metadataTemp["labels"]; ok {
-		mdTemp["labels"] = labelsTemp
+	if _, mergedHasLabels := formattedMerged["labels"]; !mergedHasLabels {
+		delete(formattedExisting, "labels")
+	}
 
-		if labelsExisting, ok := metadataExisting["labels"]; ok {
-			mdExisting["labels"] = labelsExisting
-		}
+	if _, mergedHasAnnos := formattedMerged["annotations"]; !mergedHasAnnos {
+		delete(formattedExisting, "annotations")
+
+		return formattedMerged, formattedExisting
 	}
 
-	if annosTemp, ok := metadataTemp["annotations"]; ok {
-		if annos, ok := annosTemp.(map[string]interface{}); ok {
-			mdTemp["annotations"] = filterUnwantedAnnotations(annos)
-		} else {
-			mdTemp["annotations"] = annosTemp
+	if !keepSCC {
+		return formattedMerged, formattedExisting
+	}
+
+	existingAnnos, ok := formattedExisting["annotations"].(map[string]interface{})
+	if !ok {
+		return formattedMerged, formattedExisting
+	}
+
+	mergedAnnos, ok := formattedMerged["annotations"].(map[string]interface{})
+	if !ok {
+		return formattedMerged, formattedExisting
+	}
+
+	// Copy existing SCC annotations to the merged metadata
+	for key, val := range existingAnnos {
+		if !strings.HasPrefix(key, "openshift.io/sa.scc.") {
+			continue
 		}
 
-		if annosExisting, ok := metadataExisting["annotations"]; ok {
-			if annos, ok := annosExisting.(map[string]interface{}); ok {
-				mdExisting["annotations"] = filterUnwantedAnnotations(annos)
-			} else {
-				mdExisting["annotations"] = annosExisting
-			}
+		if _, alreadyDefined := mergedAnnos[key]; !alreadyDefined {
+			mergedAnnos[key] = val
 		}
 	}
 
-	return mdTemp, mdExisting
+	formattedMerged["annotations"] = mergedAnnos
+
+	return formattedMerged, formattedExisting
 }
 
 // Format name of resource with its namespace (if it has one)

test/e2e/case9_md_check_test.go

@@ -10,32 +10,32 @@ import (
 	"open-cluster-management.io/config-policy-controller/test/utils"
 )
 
-const (
-	case9ConfigPolicyNamePod           string = "policy-pod-c9-create"
-	case9ConfigPolicyNameAnno          string = "policy-pod-anno"
-	case9ConfigPolicyNameNoAnno        string = "policy-pod-no-anno"
-	case9ConfigPolicyNameLabelPatch    string = "policy-label-patch"
-	case9ConfigPolicyNameLabelCheck    string = "policy-label-check"
-	case9ConfigPolicyNameLabelAuto     string = "policy-label-check-auto"
-	case9ConfigPolicyNameNSCreate      string = "policy-c9-create-ns"
-	case9ConfigPolicyNameIgnoreLabels  string = "policy-ignore-labels"
-	case9MultiAnnoNSCreate             string = "policy-create-ns-multiple-annotations"
-	case9CheckNSMusthave               string = "policy-check-ns-mdcomptype-mh"
-	case9CheckNSMustonlyhave           string = "policy-check-ns-mdcomptype-moh"
-	case9PolicyYamlPod                 string = "../resources/case9_md_check/case9_pod_create.yaml"
-	case9PolicyYamlAnno                string = "../resources/case9_md_check/case9_annos.yaml"
-	case9PolicyYamlNoAnno              string = "../resources/case9_md_check/case9_no_annos.yaml"
-	case9PolicyYamlLabelPatch          string = "../resources/case9_md_check/case9_label_patch.yaml"
-	case9PolicyYamlLabelCheck          string = "../resources/case9_md_check/case9_label_check.yaml"
-	case9PolicyYamlLabelAuto           string = "../resources/case9_md_check/case9_label_check_auto.yaml"
-	case9PolicyYamlIgnoreLabels        string = "../resources/case9_md_check/case9_mustonlyhave_nolabels.yaml"
-	case9PolicyYamlNSCreate            string = "../resources/case9_md_check/case9_ns_create.yaml"
-	case9PolicyYamlMultiAnnoNSCreate   string = "../resources/case9_md_check/case9_multianno_ns_create.yaml"
-	case9PolicyYamlCheckNSMusthave     string = "../resources/case9_md_check/case9_checkns-md-mh.yaml"
-	case9PolicyYamlCheckNSMustonlyhave string = "../resources/case9_md_check/case9_checkns-md-moh.yaml"
-)
-
 var _ = Describe("Test pod obj template handling", func() {
+	const (
+		case9ConfigPolicyNamePod           string = "policy-pod-c9-create"
+		case9ConfigPolicyNameAnno          string = "policy-pod-anno"
+		case9ConfigPolicyNameNoAnno        string = "policy-pod-no-anno"
+		case9ConfigPolicyNameLabelPatch    string = "policy-label-patch"
+		case9ConfigPolicyNameLabelCheck    string = "policy-label-check"
+		case9ConfigPolicyNameLabelAuto     string = "policy-label-check-auto"
+		case9ConfigPolicyNameNSCreate      string = "policy-c9-create-ns"
+		case9ConfigPolicyNameIgnoreLabels  string = "policy-ignore-labels"
+		case9MultiAnnoNSCreate             string = "policy-create-ns-multiple-annotations"
+		case9CheckNSMusthave               string = "policy-check-ns-mdcomptype-mh"
+		case9CheckNSMustonlyhave           string = "policy-check-ns-mdcomptype-moh"
+		case9PolicyYamlPod                 string = "../resources/case9_md_check/case9_pod_create.yaml"
+		case9PolicyYamlAnno                string = "../resources/case9_md_check/case9_annos.yaml"
+		case9PolicyYamlNoAnno              string = "../resources/case9_md_check/case9_no_annos.yaml"
+		case9PolicyYamlLabelPatch          string = "../resources/case9_md_check/case9_label_patch.yaml"
+		case9PolicyYamlLabelCheck          string = "../resources/case9_md_check/case9_label_check.yaml"
+		case9PolicyYamlLabelAuto           string = "../resources/case9_md_check/case9_label_check_auto.yaml"
+		case9PolicyYamlIgnoreLabels        string = "../resources/case9_md_check/case9_mustonlyhave_nolabels.yaml"
+		case9PolicyYamlNSCreate            string = "../resources/case9_md_check/case9_ns_create.yaml"
+		case9PolicyYamlMultiAnnoNSCreate   string = "../resources/case9_md_check/case9_multianno_ns_create.yaml"
+		case9PolicyYamlCheckNSMusthave     string = "../resources/case9_md_check/case9_checkns-md-mh.yaml"
+		case9PolicyYamlCheckNSMustonlyhave string = "../resources/case9_md_check/case9_checkns-md-moh.yaml"
+	)
+
 	Describe("Create a pod policy on managed cluster in ns:"+testNamespace, Ordered, func() {
 		It("should create a policy properly on the managed cluster", func() {
 			By("Creating " + case9ConfigPolicyNamePod + " on managed")
@@ -128,6 +128,30 @@ var _ = Describe("Test pod obj template handling", func() {
 				utils.CheckComplianceStatus(g, managedPlc, "Compliant")
 			}, defaultTimeoutSeconds, 1).Should(Succeed())
 		})
+		It("should not remove scc namespace annotations even in mustonlyhave mode", func() {
+			By("Checking the current annotations")
+			obj := utils.GetWithTimeout(clientManagedDynamic, gvrNS,
+				"case9-test", "", true, defaultTimeoutSeconds)
+			Expect(obj.GetAnnotations()).To(HaveKeyWithValue("foo.bar/baz", "hello world"))
+			Expect(obj.GetAnnotations()).To(HaveKeyWithValue("openshift.io/sa.scc.policy", "keep"))
+
+			By("Patching the annotations on the namespace")
+			utils.Kubectl("patch", "namespace", "case9-test", "-o=yaml", "--type=merge",
+				`-p={"metadata":{"annotations":{`+
+					`"openshift.io/sa.scc.test": "example",`+
+					`"openshift.io/sa.scc.policy": "example",`+
+					`"foo.bar/baz": "incorrect"}}}`)
+
+			By("Verifying the annotations in the policy are updated, and the new SCC annotation is kept")
+			Eventually(func(g Gomega) {
+				utils.Kubectl("get", "namespace", "case9-test", "-o=yaml")
+				obj := utils.GetWithTimeout(clientManagedDynamic, gvrNS,
+					"case9-test", "", true, defaultTimeoutSeconds)
+				g.Expect(obj.GetAnnotations()).To(HaveKeyWithValue("foo.bar/baz", "hello world"))
+				g.Expect(obj.GetAnnotations()).To(HaveKeyWithValue("openshift.io/sa.scc.test", "example"))
+				g.Expect(obj.GetAnnotations()).To(HaveKeyWithValue("openshift.io/sa.scc.policy", "keep"))
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+		})
 		It("should ignore labels and annotations if none are specified in the template", func() {
 			By("Creating " + case9ConfigPolicyNameIgnoreLabels + " on managed")
 			utils.Kubectl("apply", "-f", case9PolicyYamlIgnoreLabels, "-n", testNamespace)

test/resources/case9_md_check/case9_ns_create.yaml

@@ -15,8 +15,12 @@ spec:
       - default
   object-templates:
     - complianceType: musthave
+      metadataComplianceType: mustonlyhave
       objectDefinition:
         kind: Namespace
         apiVersion: v1
         metadata:
           name: case9-test
+          annotations:
+            foo.bar/baz: hello world
+            openshift.io/sa.scc.policy: keep