diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
index 7048434f8b..828bc1ba56 100644
--- a/pkg/KubeArmorOperator/common/defaults.go
+++ b/pkg/KubeArmorOperator/common/defaults.go
@@ -41,24 +41,23 @@ const (
 var OperatigConfigCrd *opv1.KubeArmorConfig
 
 var (
- EnforcerLabel string = "kubearmor.io/enforcer"
- RuntimeLabel string = "kubearmor.io/runtime"
- RuntimeStorageLabel string = "kubearmor.io/runtime-storage"
- SocketLabel string = "kubearmor.io/socket"
- RandLabel string = "kubearmor.io/rand"
- OsLabel string = "kubernetes.io/os"
- ArchLabel string = "kubernetes.io/arch"
- BTFLabel string = "kubearmor.io/btf"
- DeletAction string = "DELETE"
- AddAction string = "ADD"
- Namespace string = "kube-system"
- Privileged bool = false
- HostPID bool = false
- SnitchImage string = "kubearmor/kubearmor-snitch"
- SnitchImageTag string = "latest"
- KubeArmorServiceAccountName string = "kubearmor"
- KubeArmorClusterRoleBindingName string = KubeArmorServiceAccountName
- KubeArmorSnitchRoleName string = "kubearmor-snitch"
+ EnforcerLabel string = "kubearmor.io/enforcer"
+ RuntimeLabel string = "kubearmor.io/runtime"
+ RuntimeStorageLabel string = "kubearmor.io/runtime-storage"
+ SocketLabel string = "kubearmor.io/socket"
+ RandLabel string = "kubearmor.io/rand"
+ OsLabel string = "kubernetes.io/os"
+ ArchLabel string = "kubernetes.io/arch"
+ BTFLabel string = "kubearmor.io/btf"
+ DeletAction string = "DELETE"
+ AddAction string = "ADD"
+ Namespace string = "kube-system"
+ Privileged bool = false
+ HostPID bool = false
+ SnitchName string = "kubearmor-snitch"
+ SnitchImage string = "kubearmor/kubearmor-snitch"
+ SnitchImageTag string = "latest"
+ KubeArmorSnitchRoleName string = "kubearmor-snitch"
 
 // KubeArmorConfigMapName string = "kubearmor-config"
 
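Review bot: The exported vars `KubeArmorServiceAccountName` and `KubeArmorClusterRoleBindingName` are removed from this block with no replacement anywhere in the diff; if any file outside the three shown still references them the package stops compiling, and the reason for dropping them belongs in the commit message. The new `SnitchName` carries the same literal as `KubeArmorSnitchRoleName` a few lines below it; they serve different purposes (a lookup key for GetApplicationImage versus an RBAC object name), so a one-line comment such as `// SnitchName is the app key used by GetApplicationImage; unrelated to the RBAC role name below.` would stop a later reader from folding one into the other.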
@@ -71,14 +70,19 @@ var (
 ConfigDefaultNetworkPosture string = "defaultNetworkPosture"
 
 // Images
+ KubeArmorName string = "kubearmor"
 KubeArmorImage string = "kubearmor/kubearmor:stable"
 KubeArmorImagePullPolicy string = "Always"
+ KubeArmorInitName string = "kubearmor-init"
 KubeArmorInitImage string = "kubearmor/kubearmor-init:stable"
 KubeArmorInitImagePullPolicy string = "Always"
+ KubeArmorRelayName string = "kubearmor-relay"
 KubeArmorRelayImage string = "kubearmor/kubearmor-relay-server:latest"
 KubeArmorRelayImagePullPolicy string = "Always"
+ KubeArmorControllerName string = "kubearmor-controller"
 KubeArmorControllerImage string = "kubearmor/kubearmor-controller:latest"
 KubeArmorControllerImagePullPolicy string = "Always"
+ KubeRbacProxyName string = "kube-rbac-proxy"
 KubeRbacProxyImage string = "gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0"
 KubeRbacProxyImagePullPolicy string = "Always"
 )
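Review bot: The new `KubeArmorName`, `KubeArmorInitName`, `KubeArmorRelayName`, `KubeArmorControllerName` and `KubeRbacProxyName` are declared as mutable package-level `var`s yet they are the `case` labels of the switch in `GetApplicationImage` in the next hunk; as vars any importer can reassign them and the compiler cannot detect duplicate cases. Declaring the app keys in a `const (` block, e.g. `KubeArmorName = "kubearmor"`, makes the lookup keys immutable and lets the compiler flag duplicates. The same applies to `SnitchName` added in the previous hunk.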
@@ -285,11 +289,41 @@ func GetOperatorNamespace() string {
 return ns
 }
 
-func GetSnitchImage() string {
- if image := os.Getenv("SNITCH_IMAGE"); image != "" {
- return image
+func GetApplicationImage(app string) string {
+ // RELATED_IMAGE_* env variables will be present in case of redhat certified operator
+ switch app {
+ case KubeArmorName:
+ if image := os.Getenv("RELATED_IMAGE_KUBEARMOR"); image != "" {
+ return image
+ }
+ return KubeArmorImage
+ case KubeArmorInitName:
+ if image := os.Getenv("RELATED_IMAGE_KUBEARMOR_INIT"); image != "" {
+ return image
+ }
+ return KubeArmorInitImage
+ case KubeArmorRelayName:
+ if image := os.Getenv("RELATED_IMAGE_KUBEARMOR_RELAY_SERVER"); image != "" {
+ return image
+ }
+ return KubeArmorRelayImage
+ case KubeArmorControllerName:
+ if image := os.Getenv("RELATED_IMAGE_KUBEARMOR_CONTROLLER"); image != "" {
+ return image
+ }
+ return KubeArmorControllerImage
+ case KubeRbacProxyName:
+ if image := os.Getenv("RELATED_IMAGE_KUBE_RBAC_PROXY"); image != "" {
+ return image
+ }
+ return KubeRbacProxyImage
+ case SnitchName:
+ if image := os.Getenv("RELATED_IMAGE_KUBEARMOR_SNITCH"); image != "" {
+ return image
+ }
+ return SnitchImage + ":" + SnitchImageTag
 }
- return SnitchImage + ":" + SnitchImageTag
+ return ""
 }
 
 func IsCertifiedOperator() bool {
@@ -311,7 +345,6 @@ func CopyStrMap(src map[string]string) map[string]string {
 func init() {
 Namespace = GetOperatorNamespace()
 if IsCertifiedOperator() {
- KubeArmorImage = "kubearmor/kubearmor-ubi:stable"
 HostPID = true
 }
 }
diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go
index a588bbde61..994c36ea91 100644
--- a/pkg/KubeArmorOperator/internal/controller/cluster.go
+++ b/pkg/KubeArmorOperator/internal/controller/cluster.go
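Review bot: The `KubeArmorName` case makes `RELATED_IMAGE_KUBEARMOR` the only path to the UBI image, because the `init()` hunk (@@ -311) below removes the unconditional `KubeArmorImage = "kubearmor/kubearmor-ubi:stable"`; when `IsCertifiedOperator()` is true but that env var is absent from the operator's environment, the function silently falls back to the community `kubearmor/kubearmor:stable`. If the certified bundle guarantees the env var, say so in the comment; otherwise keep the old behavior inside the case, `if IsCertifiedOperator() { return "kubearmor/kubearmor-ubi:stable" }` before `return KubeArmorImage`. Separately, the `return ""` for an unknown app is written straight into container Image fields by every caller in cluster.go and resources.go, so a mistyped key surfaces only as an API-server validation error on the DaemonSet/Deployment; a doc comment on the function stating that an empty result means "unknown app", or a log line in a `default:` branch, would make that failure diagnosable. The comment should also record that the RELATED_IMAGE_* override applies regardless of IsCertifiedOperator(), i.e. whoever sets the operator pod's environment decides which images run on every node, and that the former `SNITCH_IMAGE` override is gone.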
@@ -331,9 +331,9 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
 res = err
 } else {
 for _, ds := range dsList.Items {
- ds.Spec.Template.Spec.Containers[0].Image = common.KubeArmorImage
+ ds.Spec.Template.Spec.Containers[0].Image = common.GetApplicationImage(common.KubeArmorName)
 ds.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorInitImagePullPolicy)
- ds.Spec.Template.Spec.InitContainers[0].Image = common.KubeArmorInitImage
+ ds.Spec.Template.Spec.InitContainers[0].Image = common.GetApplicationImage(common.KubeArmorInitName)
 ds.Spec.Template.Spec.InitContainers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorInitImagePullPolicy)
 _, err = clusterWatcher.Client.AppsV1().DaemonSets(common.Namespace).Update(context.Background(), &ds, v1.UpdateOptions{})
 if err != nil {
@@ -350,7 +350,7 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
 clusterWatcher.Log.Warnf("Cannot get deployment=%s error=%s", deployments.RelayDeploymentName, err.Error())
 res = err
 } else {
- relay.Spec.Template.Spec.Containers[0].Image = common.KubeArmorRelayImage
+ relay.Spec.Template.Spec.Containers[0].Image = common.GetApplicationImage(common.KubeArmorRelayName)
 relay.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorRelayImagePullPolicy)
 _, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{})
 if err != nil {
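Review bot: The main container's pull policy on the line right after the first added line still reads `common.KubeArmorInitImagePullPolicy` while its image is now resolved through `KubeArmorName`; the sibling code in resources.go's generateDaemonset hunk uses `KubeArmorImagePullPolicy` for Containers[0], so this looks like a copy-paste slip the commit leaves in place. Change it to `ds.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorImagePullPolicy)`. The enclosing UpdateKubeArmorImages body starts and ends outside the hunk.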
@@ -370,10 +370,10 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
 containers := &controller.Spec.Template.Spec.Containers
 for i, container := range *containers {
 if container.Name == "manager" {
- (*containers)[i].Image = common.KubeArmorControllerImage
+ (*containers)[i].Image = common.GetApplicationImage(common.KubeArmorControllerName)
 (*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorControllerImagePullPolicy)
 } else {
- (*containers)[i].Image = common.KubeRbacProxyImage
+ (*containers)[i].Image = common.GetApplicationImage(common.KubeRbacProxyName)
 }
 }
 _, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), controller, v1.UpdateOptions{})
diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go
index 3fe0264c49..c6b79741c0 100644
--- a/pkg/KubeArmorOperator/internal/controller/resources.go
+++ b/pkg/KubeArmorOperator/internal/controller/resources.go
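Review bot: In the `else` branch the kube-rbac-proxy container's image is now taken from `GetApplicationImage(common.KubeRbacProxyName)` but, unlike the identical loop in resources.go's WatchRequiredResources hunk (@@ -409), its pull policy is never written, so `KubeRbacProxyImagePullPolicy` is not applied when the Deployment is updated. Add `(*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeRbacProxyImagePullPolicy)` after the added line. Since the two loops differ only in that line, a small helper shared by UpdateKubeArmorImages and WatchRequiredResources would stop them drifting again. The enclosing function starts and ends outside the hunk.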
@@ -72,9 +72,9 @@ func generateDaemonset(name, enforcer, runtime, socket, runtimeStorage, btfPrese
 daemonset.Spec.Template.Spec.Containers[0].VolumeMounts = volMnts
 daemonset.Spec.Template.Spec.Containers[0].Args = append(daemonset.Spec.Template.Spec.Containers[0].Args, "-criSocket=unix:///"+strings.ReplaceAll(socket, "_", "/"))
 // update images
- daemonset.Spec.Template.Spec.Containers[0].Image = common.KubeArmorImage
+ daemonset.Spec.Template.Spec.Containers[0].Image = common.GetApplicationImage(common.KubeArmorName)
 daemonset.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorImagePullPolicy)
- daemonset.Spec.Template.Spec.InitContainers[0].Image = common.KubeArmorInitImage
+ daemonset.Spec.Template.Spec.InitContainers[0].Image = common.GetApplicationImage(common.KubeArmorInitName)
 daemonset.Spec.Template.Spec.InitContainers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorInitImagePullPolicy)
 
 daemonset = addOwnership(daemonset).(*appsv1.DaemonSet)
@@ -207,7 +207,7 @@ func deploySnitch(nodename string, runtime string) *batchv1.Job {
 Containers: []corev1.Container{
 {
 Name: "snitch",
- Image: common.GetSnitchImage(),
+ Image: common.GetApplicationImage(common.SnitchName),
 Args: []string{
 "--nodename=$(NODE_NAME)",
 "--pathprefix=" + PathPrefix,
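Review bot: deploySnitch no longer honors the `SNITCH_IMAGE` environment variable that the removed `GetSnitchImage` read; after this hunk only `RELATED_IMAGE_KUBEARMOR_SNITCH` is consulted, so a deployment that set SNITCH_IMAGE silently reverts to `kubearmor/kubearmor-snitch:latest`. If the rename is intentional it should be called out in the commit message and release notes; if not, the `SnitchName` case in GetApplicationImage can keep the old name as a second lookup, `if image := os.Getenv("SNITCH_IMAGE"); image != "" { return image }`, before the default. The enclosing deploySnitch body starts and ends outside the hunk.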
@@ -409,14 +409,14 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() {
 containers := &controller.Spec.Template.Spec.Containers
 for i, container := range *containers {
 if container.Name == "manager" {
- (*containers)[i].Image = common.KubeArmorControllerImage
+ (*containers)[i].Image = common.GetApplicationImage(common.KubeArmorControllerName)
 (*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorControllerImagePullPolicy)
 } else {
- (*containers)[i].Image = common.KubeRbacProxyImage
+ (*containers)[i].Image = common.GetApplicationImage(common.KubeRbacProxyName)
 (*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeRbacProxyImagePullPolicy)
 }
 }
- relayServer.Spec.Template.Spec.Containers[0].Image = common.KubeArmorRelayImage
+ relayServer.Spec.Template.Spec.Containers[0].Image = common.GetApplicationImage(common.KubeArmorRelayName)
 relayServer.Spec.Template.Spec.Containers[0].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorRelayImagePullPolicy)
 deploys := []*appsv1.Deployment{
 addOwnership(controller).(*appsv1.Deployment),