From 765f5f283bdb4747b0069f2f5d3381134b4b9a95 Mon Sep 17 00:00:00 2001 From: Jake Hunsaker Date: Thu, 15 Sep 2022 12:36:42 -0400 Subject: [PATCH] [ocp] Add newly required labels to temp OCP namespace Newer OCP versions have a more restrictive default deployment configuration. As such, add the required labels to the temporary namespace/project we use for collections. Signed-off-by: Jake Hunsaker --- sos/collector/clusters/ocp.py | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/sos/collector/clusters/ocp.py b/sos/collector/clusters/ocp.py index 06301536f..92c4e04a2 100644 --- a/sos/collector/clusters/ocp.py +++ b/sos/collector/clusters/ocp.py @@ -114,12 +114,32 @@ class ocp(Cluster): self.log_info("Creating new temporary project '%s'" % self.project) ret = self.exec_primary_cmd("oc new-project %s" % self.project) if ret['status'] == 0: + self._label_sos_project() return True self.log_debug("Failed to create project: %s" % ret['output']) raise Exception("Failed to create temporary project for collection. " "\nAborting...") + def _label_sos_project(self): + """Add pertinent labels to the temporary project we've created so that + our privileged containers can properly run. + """ + labels = [ + "security.openshift.io/scc.podSecurityLabelSync=false", + "pod-security.kubernetes.io/enforce=privileged" + ] + for label in labels: + ret = self.exec_primary_cmd( + self.fmt_oc_cmd( + f"label namespace {self.project} {label} --overwrite" + ) + ) + if not ret['status'] == 0: + raise Exception( + f"Error applying namespace labels: {ret['output']}" + ) + def cleanup(self): """Remove the project we created to execute within """ @@ -231,8 +251,9 @@ def get_nodes(self): for node_name, node in self.node_dict.items(): if roles: for role in roles: - if role == node['roles']: + if role in node['roles']: nodes.append(node_name) + break else: nodes.append(node_name) else: