pb-7265: Enable job status to check for pod security violation

- checked job's event for a filedCreate reason and specifically for violating
  pod security standard.
- the check is added for all the kdmp & nfs related job pods.

Signed-off-by: Lalatendu Das <[email protected]>

pkg/controllers/resourceexport/reconcile.go

@@ -38,14 +38,6 @@ type updateResourceExportFields struct {
 	LargeResourceEnabled  bool
 }
 
-func getAnnotationValue(re *kdmpapi.ResourceExport, key string) string {
-	var val string
-	if _, ok := re.Annotations[key]; ok {
-		val = re.Annotations[key]
-	}
-	return val
-}
-
 func (c *Controller) process(ctx context.Context, in *kdmpapi.ResourceExport) (bool, error) {
 	funct := "resourceExport.process"
 	if in == nil {

pkg/drivers/kopiabackup/kopiabackup.go

@@ -208,6 +208,14 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 
 	}
 
+	// Check whether job has violated the pod security standard
+	psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+	if psaViolated {
+		utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+		errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+		return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+	}
+
 	// Check whether mount point failure
 	mountFailed := utils.IsJobPodMountFailed(job, namespace)
 	if mountFailed {

pkg/drivers/kopiarestore/kopiarestore.go

@@ -116,6 +116,15 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	// Check whether job has violated the pod security standard
+	psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+	if psaViolated {
+		utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+		errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+		return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+	}
+
 	// Check whether mount point failure
 	mountFailed := utils.IsJobPodMountFailed(job, namespace)
 	if mountFailed {

pkg/drivers/nfsbackup/nfsbackup.go

@@ -82,6 +82,13 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 		logrus.Errorf("%s: %v", fn, errMsg)
 		return nil, fmt.Errorf(errMsg)
 	}
+	// Check whether job has violated the pod security standard
+	psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+	if psaViolated {
+		utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+		errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+		return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+	}
 
 	// Check whether mount point failure
 	mountFailed := utils.IsJobPodMountFailed(job, namespace)

pkg/drivers/nfscsirestore/nfscsirestore.go

@@ -80,6 +80,15 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 		logrus.Errorf("%s: %v", fn, errMsg)
 		return nil, fmt.Errorf(errMsg)
 	}
+
+	// Check whether job has violated the pod security standard
+	psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+	if psaViolated {
+		utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+		errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+		return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+	}
+
 	// Check for mount point failure
 	mountFailed := utils.IsJobPodMountFailed(job, namespace)
 	if mountFailed {

pkg/drivers/nfsrestore/nfsrestore.go

@@ -83,6 +83,14 @@ func (d Driver) JobStatus(id string) (*drivers.JobStatus, error) {
 		logrus.Errorf("%s: %v", fn, errMsg)
 		return nil, fmt.Errorf(errMsg)
 	}
+	// Check whether job has violated the pod security standard
+	psaViolated := utils.IsJobPodSecurityFailed(job, namespace)
+	if psaViolated {
+		utils.DisplayJobpodLogandEvents(job.Name, job.Namespace)
+		errMsg := fmt.Sprintf("job [%v/%v] failed to meet the pod security standard, please check job pod's description for more detail", namespace, name)
+		return utils.ToJobStatus(0, errMsg, batchv1.JobFailed), nil
+	}
+
 	// Check for mount point failure
 	mountFailed := utils.IsJobPodMountFailed(job, namespace)
 	if mountFailed {

pkg/drivers/utils/utils.go

@@ -889,6 +889,29 @@ func IsJobPodMountFailed(job *batchv1.Job, namespace string) bool {
 	return false
 }
 
+// Check if a job has failed because of podSecurity violation
+func IsJobPodSecurityFailed(job *batchv1.Job, namespace string) bool {
+	fn := "IsJobPodSecurityFailed"
+
+	opts := metav1.ListOptions{
+		FieldSelector: "involvedObject.name=" + string(job.Name),
+	}
+	events, err := core.Instance().ListEvents(namespace, opts)
+	if err != nil {
+		errMsg := fmt.Sprintf("failed to fetch events for job [%s/%s]: %v", namespace, job.Name, err)
+		logrus.Debugf("%s: %v", fn, errMsg)
+		return false
+	}
+	// if the job event reason is Failedcreate due to fobidden podSecurity violation
+	// then return true
+	for _, event := range events.Items {
+		if event.Reason == "FailedCreate" && strings.Contains(event.Message, "violates PodSecurity") {
+			return true
+		}
+	}
+	return false
+}
+
 // DisplayJobpodLogandEvents - Prints the Job pod description, log and events
 func DisplayJobpodLogandEvents(jobName string, namespace string) {
 	// Get job from the namespace
@@ -976,7 +999,7 @@ func GetShortUID(uid string) string {
 }
 
 // Add container security Context to job pod if the PSA is enabled.
-// if static uids like kdmpJobUid or kdmpJobGid is used that means
+// If static uids like kdmpJobUid or kdmpJobGid is used that means
 // these are dummy UIDs used for backing up resources to backuplocation
 // which doesn't need specific UID specific permission.
 func AddSecurityContextToJob(job *batchv1.Job, podUserId, podGroupId string) (*batchv1.Job, error) {