feat: add finalizer to WorkloadPolicy

Add a finalizer to WorkloadPolicy, prevent the deletion of policies are
still in use by Pods.

Signed-off-by: Kyle Dong <kyle.dong@suse.com>

Author: kyledong-suse

api/v1alpha1/workloadpolicy_types.go

@@ -14,6 +14,10 @@ const (
 
 	DeployedState = "Deployed"
 	ErrorState    = "Error"
+
+	// WorkloadPolicyFinalizer is added to WorkloadPolicy resources to ensure
+	// they are not deleted while still in use by Pods.
+	WorkloadPolicyFinalizer = "workloadpolicy.security.rancher.io/finalizer"
 )
 
 // todo!: we should support `AllowedPrefixes`.

charts/runtime-enforcer/templates/operator/role.yaml

@@ -4,6 +4,14 @@ kind: ClusterRole
 metadata:
   name: {{ include "runtime-enforcer.fullname" . }}-operator
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:

charts/runtime-enforcer/templates/operator/webhook.yaml

@@ -33,3 +33,23 @@ webhooks:
     expression: '!has(object.spec.selector) || object.spec.selector.size() == 0'
   - name: no-owner-reference-uid
     expression: '!has(object.metadata.ownerReferences) || object.metadata.ownerReferences.size() == 0 || object.metadata.ownerReferences[0].uid.size() == 0'
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "runtime-enforcer.fullname" . }}-mutating-webhook
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-security-rancher-io-v1alpha1-workloadpolicy
+  failurePolicy: Fail
+  name: workloadpolicies.rancher.io
+  rules:
+  - apiGroups:
+    - security.rancher.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - workloadpolicies
+  sideEffects: None

cmd/operator/main.go

@@ -93,6 +93,13 @@ func SetupControllers(logger logr.Logger,
 ) error {
 	var err error
 
+	if err = (&controller.WorkloadPolicyReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to create WorkloadPolicyReconciler controller: %w", err)
+	}
+
 	if err = (&controller.WorkloadPolicyProposalReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
@@ -250,7 +257,16 @@ func main() {
 		WithDefaulter(&controller.ProposalWebhook{Client: mgr.GetClient()}).
 		Complete()
 	if err != nil {
-		setupLog.Error(err, "unable to create a webhook")
+		setupLog.Error(err, "unable to create WorkloadPolicyProposal webhook")
+		os.Exit(1)
+	}
+
+	err = builder.WebhookManagedBy(mgr).
+		For(&securityv1alpha1.WorkloadPolicy{}).
+		WithDefaulter(&controller.PolicyWebhook{}).
+		Complete()
+	if err != nil {
+		setupLog.Error(err, "unable to create WorkloadPolicy webhook")
 		os.Exit(1)
 	}
 

internal/controller/workloadpolicy_controller.go

@@ -0,0 +1,144 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+
+	"github.com/neuvector/runtime-enforcer/api/v1alpha1"
+	"github.com/neuvector/runtime-enforcer/internal/policygenerator"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	PolicyDeletionRequeueDelay = 90 * time.Second
+)
+
+// WorkloadPolicyReconciler reconciles a WorkloadPolicy object.
+type WorkloadPolicyReconciler struct {
+	client.Client
+
+	Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=security.rancher.io,resources=workloadpolicies,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=security.rancher.io,resources=workloadpolicies/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=security.rancher.io,resources=workloadpolicies/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
+
+func (r *WorkloadPolicyReconciler) Reconcile(
+	ctx context.Context,
+	req ctrl.Request,
+) (ctrl.Result, error) {
+	policy := &v1alpha1.WorkloadPolicy{}
+	if err := r.Get(ctx, req.NamespacedName, policy); err != nil {
+		if errors.IsNotFound(err) {
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, fmt.Errorf("failed to get WorkloadPolicy '%s/%s': %w", req.Namespace, req.Name, err)
+	}
+
+	// Check if the policy is being deleted
+	if !policy.DeletionTimestamp.IsZero() {
+		return r.handleDeletion(ctx, policy)
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func (r *WorkloadPolicyReconciler) handleDeletion(
+	ctx context.Context,
+	policy *v1alpha1.WorkloadPolicy,
+) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	if controllerutil.ContainsFinalizer(policy, v1alpha1.WorkloadPolicyFinalizer) {
+		// Check if any pods are using this policy
+		// Note, this uses a PartialObjectMetadataList because the Pod cache
+		// is configured to only store metadata
+		podList := &metav1.PartialObjectMetadataList{}
+		podList.SetGroupVersionKind(schema.GroupVersionKind{
+			Group:   "",
+			Version: "v1",
+			Kind:    "PodList",
+		})
+
+		var err error
+		err = r.List(ctx, podList,
+			client.InNamespace(policy.Namespace),
+			client.MatchingLabels{policygenerator.PolicyLabelKey: policy.Name},
+		)
+		if err != nil {
+			logger.Error(err, "Failed to list pods using policy")
+			return ctrl.Result{}, fmt.Errorf("failed to list pods using policy: %w", err)
+		}
+
+		if len(podList.Items) > 0 {
+			logger.Info("Cannot remove finalizer: policy still in use by pods",
+				"policy", policy.Name,
+				"podCount", len(podList.Items))
+			// Requeue to check again later
+			return ctrl.Result{RequeueAfter: PolicyDeletionRequeueDelay}, nil
+		}
+
+		// No pods using this policy, safe to remove finalizer
+		original := policy.DeepCopy()
+		controllerutil.RemoveFinalizer(policy, v1alpha1.WorkloadPolicyFinalizer)
+		if err = r.Patch(ctx, policy, client.MergeFrom(original)); err != nil {
+			logger.Error(err, "Failed to remove finalizer")
+			return ctrl.Result{}, fmt.Errorf(
+				"failed to remove finalizer from WorkloadPolicy '%s/%s': %w",
+				policy.Namespace, policy.Name, err,
+			)
+		}
+		logger.Info("Removed finalizer from WorkloadPolicy", "policy", policy.Name)
+	}
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *WorkloadPolicyReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	err := ctrl.NewControllerManagedBy(mgr).
+		For(&v1alpha1.WorkloadPolicy{}).
+		Watches(
+			&corev1.Pod{},
+			handler.EnqueueRequestsFromMapFunc(r.findPoliciesForPod),
+			builder.OnlyMetadata,
+			builder.WithPredicates(predicate.LabelChangedPredicate{}),
+		).
+		Named("workloadpolicy").
+		Complete(r)
+	if err != nil {
+		return fmt.Errorf("unable to set up WorkloadPolicy controller: %w", err)
+	}
+	return nil
+}
+
+// findPoliciesForPod maps a Pod to the WorkloadPolicy(s) it references.
+func (r *WorkloadPolicyReconciler) findPoliciesForPod(_ context.Context, pod client.Object) []ctrl.Request {
+	policyName, ok := pod.GetLabels()[policygenerator.PolicyLabelKey]
+	if !ok {
+		return nil
+	}
+
+	return []ctrl.Request{
+		{
+			NamespacedName: client.ObjectKey{
+				Name:      policyName,
+				Namespace: pod.GetNamespace(),
+			},
+		},
+	}
+}

internal/controller/workloadpolicy_controller_test.go

@@ -0,0 +1,162 @@
+package controller_test
+
+import (
+	"context"
+
+	"github.com/neuvector/runtime-enforcer/api/v1alpha1"
+	"github.com/neuvector/runtime-enforcer/internal/controller"
+	"github.com/neuvector/runtime-enforcer/internal/policygenerator"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+var _ = Describe("WorkloadPolicy Controller", func() {
+	Context("When reconciling a resource", func() {
+		const policyName = "test-policy"
+		const testNamespace = "default"
+
+		ctx = context.Background()
+
+		typeNamespacedName := types.NamespacedName{
+			Name:      policyName,
+			Namespace: testNamespace,
+		}
+		policy := &v1alpha1.WorkloadPolicy{}
+
+		BeforeEach(func() {
+			By("Creating a new WorkloadPolicy that is ")
+			err := k8sClient.Get(ctx, typeNamespacedName, policy)
+			if err != nil && errors.IsNotFound(err) {
+				resource :=
+					&v1alpha1.WorkloadPolicy{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:       policyName,
+							Namespace:  testNamespace,
+							Finalizers: []string{v1alpha1.WorkloadPolicyFinalizer},
+						},
+						Spec: v1alpha1.WorkloadPolicySpec{
+							Mode: "monitor",
+							RulesByContainer: map[string]*v1alpha1.WorkloadPolicyRules{
+								"main": {
+									Executables: v1alpha1.WorkloadPolicyExecutables{
+										Allowed: []string{"/usr/bin/sleep"},
+									},
+								},
+							},
+							Severity: 10,
+							Tags: []string{
+								"tag",
+							},
+							Message: "TEST_RULE",
+						},
+					}
+				Expect(k8sClient.Create(ctx, resource)).To(Succeed())
+			}
+		})
+
+		AfterEach(func() {
+			resource := &v1alpha1.WorkloadPolicy{}
+			err := k8sClient.Get(ctx, typeNamespacedName, resource)
+			if errors.IsNotFound(err) {
+				// Resource already deleted, nothing to clean up
+				return
+			}
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Cleanup the specific resource instance WorkloadPolicy")
+			Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+		})
+
+		It("Should delete a WorkloadPolicy that is not referenced by any Pod", func() {
+			By("Deleting the created WorkloadPolicy")
+			policy = &v1alpha1.WorkloadPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      policyName,
+					Namespace: testNamespace,
+				},
+			}
+			Expect(k8sClient.Delete(ctx, policy)).To(Succeed())
+
+			By("Reconciling the created resource")
+			controllerReconciler := &controller.WorkloadPolicyReconciler{
+				Client: k8sClient,
+				Scheme: k8sClient.Scheme(),
+			}
+
+			_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
+				NamespacedName: typeNamespacedName,
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Verifying the WorkloadPolicy has been deleted")
+			err = k8sClient.Get(ctx, typeNamespacedName, policy)
+			Expect(errors.IsNotFound(err)).To(BeTrue())
+		})
+
+		It("Should not delete a WorkloadPolicy that is referenced by a Pod", func() {
+			By("Associating the WorkloadPolicy with a Pod")
+			podName := "test-pod"
+			pod := &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      podName,
+					Namespace: testNamespace,
+					Labels: map[string]string{
+						policygenerator.PolicyLabelKey: policyName,
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  "pause",
+							Image: "registry.k8s.io/pause",
+						},
+					},
+				},
+			}
+			Expect(k8sClient.Create(ctx, pod)).To(Succeed())
+
+			By("Deleting the referenced WorkloadPolicy")
+			policy = &v1alpha1.WorkloadPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      policyName,
+					Namespace: testNamespace,
+				},
+			}
+			Expect(k8sClient.Delete(ctx, policy)).To(Succeed())
+
+			By("Reconciling the deleted WorkloadPolicy")
+			controllerReconciler := &controller.WorkloadPolicyReconciler{
+				Client: k8sClient,
+				Scheme: k8sClient.Scheme(),
+			}
+
+			_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
+				NamespacedName: typeNamespacedName,
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Verifying the WorkloadPolicy has not been deleted")
+			err = k8sClient.Get(ctx, typeNamespacedName, policy)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Cleaning up the created Pod")
+			Expect(k8sClient.Delete(ctx, pod)).To(Succeed())
+
+			By("Reconciling the WorkloadPolicy deletion again")
+			_, err = controllerReconciler.Reconcile(ctx, reconcile.Request{
+				NamespacedName: typeNamespacedName,
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Verifying the WorkloadPolicy has been deleted after Pod removal")
+			err = k8sClient.Get(ctx, typeNamespacedName, policy)
+			Expect(errors.IsNotFound(err)).To(BeTrue())
+		})
+	})
+
+})