added openshift-ovn-kubernetes ns

yjst2012 · yjst2012 · commit 6fde8531f2bb · 2025-03-04T16:25:45.000+13:00
diff --git a/go.mod b/go.mod
@@ -40,6 +40,7 @@ require (
 	github.com/go-test/deep v1.1.0
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.1
+	github.com/golang/mock v1.6.0
 	github.com/google/gnostic v0.5.7-v3refs
 	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.6.0
diff --git a/go.sum b/go.sum
@@ -314,6 +314,8 @@ github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
 github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego
@@ -59,17 +59,14 @@ is_priv_namespace(ns) = true {
 exempted_user = {
   "system:kube-controller-manager",
   "system:kube-scheduler",
-  "system:admin" # comment out temporarily for testing in console
+  "system:admin"
 }
 
 exempted_groups = {
   # "system:cluster-admins", # dont allow kube:admin
-  "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-  "system:serviceaccounts", # to allow all system service account?
-  # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-  # "system:serviceaccounts:openshift-network-operator", # network operator
-  # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-  "system:masters" # system:admin
+  "system:nodes",
+  "system:serviceaccounts", # allow all system service accounts
+  "system:masters"
 }
 privileged_ns = {
   # Kubernetes specific namespaces
@@ -116,7 +113,8 @@ privileged_ns = {
   "openshift-multus",
   "openshift-network-operator",
   "openshift-oauth-apiserver",
+  "openshift-ovn-kubernetes",
+  "openshift-sdn",
   "openshift-service-ca",
-  "openshift-service-ca-operator",
-  "openshift-sdn"
+  "openshift-service-ca-operator"
 }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-delete-pull-secret.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-delete-pull-secret.yaml
@@ -87,17 +87,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -144,7 +141,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml
@@ -92,17 +92,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -149,7 +146,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
@@ -111,17 +111,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -168,7 +165,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
@@ -109,17 +109,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -166,7 +163,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -691,6 +691,9 @@ github.com/golang-jwt/jwt/v5
 # github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 ## explicit
 github.com/golang/groupcache/lru
+# github.com/golang/mock v1.6.0
+## explicit; go 1.11
+github.com/golang/mock/mockgen/model
 # github.com/golang/protobuf v1.5.4
 ## explicit; go 1.17
 github.com/golang/protobuf/jsonpb
