sos/SOURCES/sos-bz2130209-ocp-add-labels-to-namespace.patch

From 765f5f283bdb4747b0069f2f5d3381134b4b9a95 Mon Sep 17 00:00:00 2001
From: Jake Hunsaker <jhunsake@redhat.com>
Date: Thu, 15 Sep 2022 12:36:42 -0400
Subject: [PATCH] [ocp] Add newly required labels to temp OCP namespace

Newer OCP versions have a more restrictive default deployment
configuration. As such, add the required labels to the temporary
namespace/project we use for collections.

Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
---
 sos/collector/clusters/ocp.py | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/sos/collector/clusters/ocp.py b/sos/collector/clusters/ocp.py
index 06301536f..92c4e04a2 100644
--- a/sos/collector/clusters/ocp.py
+++ b/sos/collector/clusters/ocp.py
@@ -114,12 +114,32 @@ class ocp(Cluster):
         self.log_info("Creating new temporary project '%s'" % self.project)
         ret = self.exec_primary_cmd("oc new-project %s" % self.project)
         if ret['status'] == 0:
+            self._label_sos_project()
             return True
 
         self.log_debug("Failed to create project: %s" % ret['output'])
         raise Exception("Failed to create temporary project for collection. "
                         "\nAborting...")
 
+    def _label_sos_project(self):
+        """Add pertinent labels to the temporary project we've created so that
+        our privileged containers can properly run.
+        """
+        labels = [
+            "security.openshift.io/scc.podSecurityLabelSync=false",
+            "pod-security.kubernetes.io/enforce=privileged"
+        ]
+        for label in labels:
+            ret = self.exec_primary_cmd(
+                self.fmt_oc_cmd(
+                    f"label namespace {self.project} {label} --overwrite"
+                )
+            )
+            if not ret['status'] == 0:
+                raise Exception(
+                    f"Error applying namespace labels: {ret['output']}"
+                )
+
     def cleanup(self):
         """Remove the project we created to execute within
         """
@@ -231,8 +251,9 @@ def get_nodes(self):
             for node_name, node in self.node_dict.items():
                 if roles:
                     for role in roles:
-                        if role == node['roles']:
+                        if role in node['roles']:
                             nodes.append(node_name)
+                            break
                 else:
                     nodes.append(node_name)
         else: