From bddd4beb97acc13a3633e0f9ff39ea657ec689cc Mon Sep 17 00:00:00 2001
From: dbinnal-px
Date: Fri, 22 Nov 2024 03:26:16 +0000
Subject: [PATCH] fix nfs backup failure with latest changes for anyuid support
---
 pkg/drivers/nfsbackup/nfsbackup.go | 6 ----
 pkg/drivers/nfscsirestore/nfscsirestore.go | 6 ----
 pkg/drivers/nfsrestore/nfsrestore.go | 6 ----
 pkg/drivers/utils/common.go | 10 +++---
 pkg/drivers/utils/utils.go | 37 ++++++++++++----------
 5 files changed, 25 insertions(+), 40 deletions(-)
diff --git a/pkg/drivers/nfsbackup/nfsbackup.go b/pkg/drivers/nfsbackup/nfsbackup.go
index ecb07432..d55e8f88 100644
--- a/pkg/drivers/nfsbackup/nfsbackup.go
+++ b/pkg/drivers/nfsbackup/nfsbackup.go
@@ -146,12 +146,6 @@ func buildJob(
 return nil, fmt.Errorf(errMsg)
 }
- if err := utils.SetupRoleBindingForSCC(jobOptions.RestoreExportName, jobOptions.Namespace, jobOptions.SourcePVCName); err != nil {
- errMsg := fmt.Sprintf("error creating role binding %s/%s: %v", jobOptions.Namespace, jobOptions.RestoreExportName, err)
- logrus.Errorf("%s: %v", funct, errMsg)
- return nil, fmt.Errorf(errMsg)
- }
-
 resources, err := utils.NFSResourceRequirements(jobOptions.JobConfigMap, jobOptions.JobConfigMapNs)
 if err != nil {
 return nil, err
diff --git a/pkg/drivers/nfscsirestore/nfscsirestore.go b/pkg/drivers/nfscsirestore/nfscsirestore.go
index 0954b51f..604815bf 100644
--- a/pkg/drivers/nfscsirestore/nfscsirestore.go
+++ b/pkg/drivers/nfscsirestore/nfscsirestore.go
@@ -147,12 +147,6 @@ func buildJob(
 return nil, fmt.Errorf(errMsg)
 }
- if err := utils.SetupRoleBindingForSCC(jobName, jobOptions.Namespace, jobOptions.DestinationPVCName); err != nil {
- errMsg := fmt.Sprintf("error creating role binding %s/%s: %v", jobOptions.Namespace, jobName, err)
- logrus.Errorf("%s: %v", funct, errMsg)
- return nil, fmt.Errorf(errMsg)
- }
-
 resources, err := utils.NFSResourceRequirements(jobOptions.JobConfigMap, jobOptions.JobConfigMapNs)
 if err != nil {
 return nil, err
diff --git a/pkg/drivers/nfsrestore/nfsrestore.go b/pkg/drivers/nfsrestore/nfsrestore.go
index f52777fe..9a2a10c5 100644
--- a/pkg/drivers/nfsrestore/nfsrestore.go
+++ b/pkg/drivers/nfsrestore/nfsrestore.go
@@ -147,12 +147,6 @@ func buildJob(
 return nil, fmt.Errorf(errMsg)
 }
- if err := utils.SetupRoleBindingForSCC(jobOptions.RestoreExportName, jobOptions.Namespace, jobOptions.DestinationPVCName); err != nil {
- errMsg := fmt.Sprintf("error creating role binding %s/%s: %v", jobOptions.Namespace, jobOptions.RestoreExportName, err)
- logrus.Errorf("%s: %v", funct, errMsg)
- return nil, fmt.Errorf(errMsg)
- }
-
 resources, err := utils.NFSResourceRequirements(jobOptions.JobConfigMap, jobOptions.JobConfigMapNs)
 if err != nil {
 return nil, err
diff --git a/pkg/drivers/utils/common.go b/pkg/drivers/utils/common.go
index 4897b251..10081f5e 100644
--- a/pkg/drivers/utils/common.go
+++ b/pkg/drivers/utils/common.go
@@ -144,17 +144,17 @@ func SetupRoleBindingForSCC(name, namespace, pvcName string) error {
 return fmt.Errorf("failed to check if cluster is OCP: %v", err)
 }
- provisionerName, err := GetProvisionerNameFromPvc(pvcName, namespace)
- if err != nil {
- return fmt.Errorf("failed to get provisioner name from pvc: %v", err)
- }
-
 provisionersListToUseAnyUid, err := GetArrayConfigValue(KdmpConfigmapName, KdmpConfigmapNamespace, provisionersToUseAnyUid)
 if err != nil {
 logrus.Errorf("failed to extract provisioners list from configmap: %v", err)
 return err
 }
+ if len(provisionersListToUseAnyUid) > 0 {
+ provisionerName, err := GetProvisionerNameFromPvc(pvcName, namespace)
+ if err != nil {
+ return fmt.Errorf("failed to get provisioner name from pvc: %v", err)
+ }
 if isOCP && contains(provisionersListToUseAnyUid, provisionerName) {
 failed, err := addRoleBindingForScc(name, namespace, AnyUidClusterRoleName)
 if failed {
diff --git a/pkg/drivers/utils/utils.go b/pkg/drivers/utils/utils.go
index 97410623..53c218af 100644
--- a/pkg/drivers/utils/utils.go
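Review bot: In SetupRoleBindingForSCC the provisioner lookup still runs with whatever `pvcName` the caller passes as soon as the list is non-empty, while AddSecurityContextToJob in this same commit skips the lookup for empty names. Since this function is what creates the role binding to `AnyUidClusterRoleName`, both places should decide on the same inputs, for example `if isOCP && pvcName != "" && len(provisionersListToUseAnyUid) > 0 {`, which also avoids the PVC lookup on non-OCP clusters. As the lines read here, the added `if len(provisionersListToUseAnyUid) > 0 {` has no matching `}` among the added lines and the diffstat shows no other change to this file, so it is worth confirming that the file still builds and that the `if isOCP && contains(...)` block really sits inside the new branch. The function body continues outside the hunk.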
+++ b/pkg/drivers/utils/utils.go
@@ -1054,7 +1054,7 @@ func AddSecurityContextToJob(job *batchv1.Job, podUserId, podGroupId, pvcName, p
 return nil, err
 }
- // If PROVISIONERS_TO_USE_ANYUID is set in kdmp-config, then add rolebinding for anyuid SCC
+ // If PROVISIONERS_TO_USE_ANYUID is set in kdmp-config, then add anyuid SCC to the job pod
 provisionersListToUseAnyUid, err := GetArrayConfigValue(KdmpConfigmapName, KdmpConfigmapNamespace, provisionersToUseAnyUid)
 if err != nil {
 errMsg := fmt.Sprintf("failed to extract provisioners list from configmap: %v", err)
@@ -1062,24 +1062,27 @@ func AddSecurityContextToJob(job *batchv1.Job, podUserId, podGroupId, pvcName, p
 return nil, fmt.Errorf(errMsg)
 }
- // Get provisioner name from the pvcName, pvcNamespace
- provisionerName, err := GetProvisionerNameFromPvc(pvcName, pvcNamespace)
- if err != nil {
- errMsg := fmt.Sprintf("failed to get provisionerName name for pvc [%s/%s]: %v", pvcNamespace, pvcName, err)
- logrus.Errorf(errMsg)
- return nil, fmt.Errorf(errMsg)
- }
-
 if len(provisionersListToUseAnyUid) > 0 {
- if isOcp && contains(provisionersListToUseAnyUid, provisionerName) {
- logrus.Infof("PROVISIONERS_TO_USE_ANYUID is set to use, running the job %v with anyuid SCC", job.Name)
- // Add the annotation to force the pod to adopt anyuid scc in OCP
- // It may not work if the pod's SA doesn't have permission to use anyuid SCC
- if job.Spec.Template.Annotations == nil {
- job.Spec.Template.Annotations = make(map[string]string)
+ // In case of nfs backup, nfs restore job pods since they are invoked for resources backup, we don't send any pvcName
+ if pvcName != "" && pvcNamespace != "" {
+ // Get provisioner name from the pvcName, pvcNamespace
+ provisionerName, err := GetProvisionerNameFromPvc(pvcName, pvcNamespace)
+ if err != nil {
+ errMsg := fmt.Sprintf("failed to get provisionerName name for pvc [%s/%s]: %v", pvcNamespace, pvcName, err)
+ logrus.Errorf(errMsg)
+ return nil, fmt.Errorf(errMsg)
+ }
+
+ if isOcp && contains(provisionersListToUseAnyUid, provisionerName) {
+ logrus.Infof("PROVISIONERS_TO_USE_ANYUID is set to use, running the job %v with anyuid SCC", job.Name)
+ // Add the annotation to force the pod to adopt anyuid scc in OCP
+ // It may not work if the pod's SA doesn't have permission to use anyuid SCC
+ if job.Spec.Template.Annotations == nil {
+ job.Spec.Template.Annotations = make(map[string]string)
+ }
+ job.Spec.Template.Annotations["openshift.io/required-scc"] = "anyuid"
+ return job, nil
 }
- job.Spec.Template.Annotations["openshift.io/required-scc"] = "anyuid"
- return job, nil
 }
 }
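Review bot: `logrus.Errorf(errMsg)` and `fmt.Errorf(errMsg)` in the new provisioner-lookup branch pass an already-formatted message as the format string, so any `%` carried in from the wrapped error is interpreted again and the logged text can come out garbled; recent `go vet` reports this as a non-constant format string. Log with `logrus.Error(errMsg)` and return `fmt.Errorf("failed to get provisionerName name for pvc [%s/%s]: %w", pvcNamespace, pvcName, err)` so callers can still unwrap the cause. Because this branch decides whether the job pod is pinned to the `anyuid` SCC, the silent skip for an empty `pvcName` or `pvcNamespace` would also benefit from a debug log line so the decision can be traced afterwards. AddSecurityContextToJob starts and ends outside the hunk.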