From 029a5ff23e116d251b2b6eea802d8d85aeef9f57 Mon Sep 17 00:00:00 2001 From: MICHAEL FRUCHTMAN Date: Tue, 3 Mar 2026 13:08:11 -0800 Subject: [PATCH 1/7] backup SCC of pod Signed-off-by: MICHAEL FRUCHTMAN --- go.mod | 1 + velero-plugins/clients/clients.go | 30 +++++ velero-plugins/common/types.go | 5 + velero-plugins/pod/backup.go | 47 +++++++- velero-plugins/pod/backup_test.go | 142 ++++++++++++++++++++++++ velero-plugins/serviceaccount/backup.go | 26 +---- 6 files changed, 225 insertions(+), 26 deletions(-) create mode 100644 velero-plugins/pod/backup_test.go diff --git a/go.mod b/go.mod index cf689922..bc865de7 100644 --- a/go.mod +++ b/go.mod @@ -163,6 +163,7 @@ require ( github.com/containerd/errdefs v0.1.0 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect github.com/distribution/reference v0.6.0 // indirect + github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.8.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-jose/go-jose/v4 v4.0.2 // indirect diff --git a/velero-plugins/clients/clients.go b/velero-plugins/clients/clients.go index 0e700286..51908aa3 100644 --- a/velero-plugins/clients/clients.go +++ b/velero-plugins/clients/clients.go @@ -7,6 +7,7 @@ import ( imagev1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1" ocpirconfigv1 "github.com/openshift/client-go/imageregistry/clientset/versioned/typed/imageregistry/v1" routev1 "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1" + security "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" "k8s.io/client-go/discovery" appsv1 "k8s.io/client-go/kubernetes/typed/apps/v1" corev1 "k8s.io/client-go/kubernetes/typed/core/v1" @@ -41,6 +42,10 @@ var routeClientError error var buildClient *buildv1.BuildV1Client var buildClientError error +// SCC client +var securityClient security.SecurityV1Interface +var securityClientError error + var inClusterConfig *rest.Config func SetInClusterConfig(config *rest.Config) { @@ -245,6 +250,30 @@ func newOCPImageRegistryConfigClient() (*ocpirconfigv1.ImageregistryV1Client, er return client, nil } +// this setup allows for fake client overrides in unit tests +var SecurityClient = getSecurityClient + +// SecurityClient returns an openshift SecurityV1Client +func getSecurityClient() (security.SecurityV1Interface, error) { + if securityClient == nil && securityClientError == nil { + securityClient, securityClientError = newSecurityClient() + } + return securityClient, securityClientError +} + +func newSecurityClient() (security.SecurityV1Interface, error) { + config, err := GetInClusterConfig() + if err != nil { + return nil, err + } + client, err := security.NewForConfig(config) + if err != nil { + return nil, err + } + + return client, nil +} + func init() { coreClient, coreClientError = nil, nil imageClient, imageClientError = nil, nil @@ -253,4 +282,5 @@ func init() { buildClient, buildClientError = nil, nil ocpAppsClient, ocpAppsClientError = nil, nil appsClient, appsClientError = nil, nil + securityClient, securityClientError = nil, nil } diff --git a/velero-plugins/common/types.go b/velero-plugins/common/types.go index 4128c465..4a2b3c49 100644 --- a/velero-plugins/common/types.go +++ b/velero-plugins/common/types.go @@ -85,6 +85,11 @@ const ( PVOriginalReclaimPolicy string = "migration.openshift.io/orig-reclaim-policy" // Original PersistentVolumeReclaimPolicy ) +// SCC related annotations +const ( + SCCPodAnnotation string = "openshift.io/scc" // SCC annotation on pods +) + // DC-related labels/annotations const ( DCPodDeploymentLabel string = "deployment" // identifies associated RC diff --git a/velero-plugins/pod/backup.go b/velero-plugins/pod/backup.go index 02ae1a48..18af7555 100644 --- a/velero-plugins/pod/backup.go +++ b/velero-plugins/pod/backup.go @@ -1,14 +1,19 @@ package pod import ( + "context" "encoding/json" + "github.com/konveyor/openshift-velero-plugin/velero-plugins/clients" "github.com/konveyor/openshift-velero-plugin/velero-plugins/common" "github.com/sirupsen/logrus" v1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1" "github.com/vmware-tanzu/velero/pkg/plugin/velero" corev1API "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" ) // BackupPlugin is a backup item action plugin for Velero @@ -27,6 +32,8 @@ func (p *BackupPlugin) AppliesTo() (velero.ResourceSelector, error) { func (p *BackupPlugin) Execute(item runtime.Unstructured, backup *v1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) { p.Log.Info("[pod-backup] Entering Pod backup plugin") + var additionalItems []velero.ResourceIdentifier + var err error = nil pod := corev1API.Pod{} itemMarshal, _ := json.Marshal(item) json.Unmarshal(itemMarshal, &pod) @@ -39,9 +46,47 @@ func (p *BackupPlugin) Execute(item runtime.Unstructured, backup *v1.Backup) (ru annotations[common.DCIncludesDMFix] = "true" pod.Annotations = annotations + if sccName, exists := pod.Annotations[common.SCCPodAnnotation]; exists { + p.Log.Infof("[pod-backup] Pod %s has SCC annotation with value: %s", pod.Name, sccName) + + sccIdentifier, localerr := p.addSCC(sccName) + if localerr == nil { + additionalItems = append(additionalItems, sccIdentifier) + } else { + // continuing backup despite error, SCCs can be deleted after Pod creation + if errors.IsNotFound(localerr) { + p.Log.Warnf("[pod-backup] SCC %s for pod %s not found: %s", sccName, pod.Name, localerr.Error()) + } else { + p.Log.Errorf("[pod-backup] Error adding SCC %s for pod %s: %s", sccName, pod.Name, localerr.Error()) + // error will go out of scope otherwise + err = localerr + } + } + } + var out map[string]interface{} objrec, _ := json.Marshal(pod) json.Unmarshal(objrec, &out) item.SetUnstructuredContent(out) - return item, nil, nil + return item, additionalItems, err +} + +func (p *BackupPlugin) addSCC(sccName string) (velero.ResourceIdentifier, error) { + securityClient, err := clients.SecurityClient() + if err != nil { + return velero.ResourceIdentifier{}, err + } + + scc, err := securityClient.SecurityContextConstraints().Get(context.Background(), sccName, metav1.GetOptions{}) + if err != nil { + return velero.ResourceIdentifier{}, err + } + // resource plural can be retrieved from the openshift api but more trouble than it is worth + return velero.ResourceIdentifier{ + GroupResource: schema.GroupResource{ + Group: scc.GroupVersionKind().Group, + Resource: "securitycontextconstraints", + }, + Name: scc.Name, + }, nil } diff --git a/velero-plugins/pod/backup_test.go b/velero-plugins/pod/backup_test.go new file mode 100644 index 00000000..f5042e2d --- /dev/null +++ b/velero-plugins/pod/backup_test.go @@ -0,0 +1,142 @@ +package pod + +import ( + "context" + "testing" + + "github.com/konveyor/openshift-velero-plugin/velero-plugins/clients" + "github.com/konveyor/openshift-velero-plugin/velero-plugins/common" + securityv1 "github.com/openshift/api/security/v1" + fakeSecurityClient "github.com/openshift/client-go/security/clientset/versioned/fake" + security "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" + "github.com/sirupsen/logrus" + "github.com/stretchr/testify/assert" + velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1" + "github.com/vmware-tanzu/velero/pkg/plugin/velero" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + ktesting "k8s.io/client-go/testing" +) + +type ErrorType string + +const ( + NotFoundError ErrorType = "NotFound" + AccessDenied ErrorType = "AccessDenied" + NoError ErrorType = "NoError" +) + +func getNewSecurityClient(errorType ErrorType, objects ...*securityv1.SecurityContextConstraints) func() (security.SecurityV1Interface, error) { + // the fake client has a weird bug where if the object is added to NewSimpleClientSet the resource value is set wrong + // as a result the object will not be found + // [key 0]: schema.GroupVersionResource {Group: "security.openshift.io", Version: "v1", Resource: "securitycontextconstraintses"} <--- should be securitycontextconstraints + cs := fakeSecurityClient.NewSimpleClientset() + + // add error if enabled + switch errorType { + case NotFoundError: + cs.Fake.PrependReactor("get", "securitycontextconstraints", func(action ktesting.Action) (handled bool, ret runtime.Object, err error) { + return true, nil, errors.NewNotFound(schema.GroupResource{Group: "security.openshift.io", Resource: "securitycontextconstraints"}, "test-scc") + }) + case AccessDenied: + cs.Fake.PrependReactor("get", "securitycontextconstraints", func(action ktesting.Action) (handled bool, ret runtime.Object, err error) { + return true, nil, errors.NewForbidden(schema.GroupResource{Group: "security.openshift.io", Resource: "securitycontextconstraints"}, "test-scc", nil) + }) + case NoError: + // do nothing, client will return objects as normal + } + + return func() (security.SecurityV1Interface, error) { + client := cs.SecurityV1() + for _, object := range objects { + _, err := client.SecurityContextConstraints().Create(context.Background(), object, metav1.CreateOptions{}) + if err != nil { + return nil, err + } + } + return client, nil + } +} + +func TestExecute_AddsSCC(t *testing.T) { + + scc := &securityv1.SecurityContextConstraints{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-scc", + }, + } + + pod := corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-pod", + Namespace: "test-namespace", + Annotations: map[string]string{ + common.SCCPodAnnotation: "test-scc", + }, + }, + } + + objs := []*securityv1.SecurityContextConstraints{scc} + + podData, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&pod) + assert.NoError(t, err) + unstructuredPod := unstructured.Unstructured{Object: podData} + + tests := []struct { + name string + inducedErrorType ErrorType + expectedSccCount int + shouldErr bool + expectedIdentifiers []velero.ResourceIdentifier + }{ + { + name: "SCC exists and is added to additional items", + inducedErrorType: NoError, + expectedSccCount: 1, + shouldErr: false, + expectedIdentifiers: []velero.ResourceIdentifier{ + { + Name: "test-scc", + GroupResource: schema.GroupResource{ + Group: "security.openshift.io", + Resource: "securitycontextconstraints", + }, + }, + }, + }, + { + name: "SCC does not exist and error is handled", + inducedErrorType: NotFoundError, + expectedSccCount: 0, + shouldErr: false, + expectedIdentifiers: []velero.ResourceIdentifier{}, + }, + { + name: "error getting SCC for any other reason", + inducedErrorType: AccessDenied, + expectedSccCount: 0, + shouldErr: true, + expectedIdentifiers: []velero.ResourceIdentifier{}, + }, + } + + for _, test := range tests { + clients.SecurityClient = getNewSecurityClient(test.inducedErrorType, objs...) + + backupPlugin := &BackupPlugin{ + Log: logrus.WithField("plugin", "pod-backup-test"), + } + + _, items, err := backupPlugin.Execute(&unstructuredPod, &velerov1.Backup{}) + if test.shouldErr { + assert.Error(t, err, "Test %s errored when should not %v", test.name, err) + } else { + assert.NoError(t, err, "Test %s errored when should not %v", test.name, err) + } + assert.Len(t, items, test.expectedSccCount, "Expected %d additional items for the SCC", test.expectedSccCount) + } +} diff --git a/velero-plugins/serviceaccount/backup.go b/velero-plugins/serviceaccount/backup.go index d3dd1264..f6a5047c 100644 --- a/velero-plugins/serviceaccount/backup.go +++ b/velero-plugins/serviceaccount/backup.go @@ -83,7 +83,7 @@ func sccsForSA(log logrus.FieldLogger, item runtime.Unstructured, backup *v1.Bac // UpdateSCCMap fill scc map with service account as key and SCCs slice as value func (c *SCCCache) UpdateSCCMap() error { - sClient, err := SecurityClient() + sClient, err := clients.SecurityClient() if err != nil { return err } @@ -144,27 +144,3 @@ func addSaNameToMap(nsMap map[string][]apisecurity.SecurityContextConstraints, s nsMap[saName] = append(nsMap[saName], scc) } - -// This should be moved to clients package in future - -// SecurityClient returns an openshift AppsV1Client -func SecurityClient() (*security.SecurityV1Client, error) { - if securityClient == nil && securityClientError == nil { - securityClient, securityClientError = newSecurityClient() - } - return securityClient, securityClientError -} - -// This should be moved to clients package in future -func newSecurityClient() (*security.SecurityV1Client, error) { - config, err := clients.GetInClusterConfig() - if err != nil { - return nil, err - } - client, err := security.NewForConfig(config) - if err != nil { - return nil, err - } - - return client, nil -} From 6ace8d8a5a133f6656a9a596bf4396bafc446653 Mon Sep 17 00:00:00 2001 From: Michael Fruchtman Date: Tue, 3 Mar 2026 13:41:47 -0800 Subject: [PATCH 2/7] resolve remaining uncovered lines Signed-off-by: Michael Fruchtman --- velero-plugins/pod/backup_test.go | 67 +++++++++++++++++++++++++------ 1 file changed, 54 insertions(+), 13 deletions(-) diff --git a/velero-plugins/pod/backup_test.go b/velero-plugins/pod/backup_test.go index f5042e2d..8d319477 100644 --- a/velero-plugins/pod/backup_test.go +++ b/velero-plugins/pod/backup_test.go @@ -30,7 +30,7 @@ const ( NoError ErrorType = "NoError" ) -func getNewSecurityClient(errorType ErrorType, objects ...*securityv1.SecurityContextConstraints) func() (security.SecurityV1Interface, error) { +func getNewSecurityClient(errorType ErrorType, withSecurityClientError error, objects ...*securityv1.SecurityContextConstraints) func() (security.SecurityV1Interface, error) { // the fake client has a weird bug where if the object is added to NewSimpleClientSet the resource value is set wrong // as a result the object will not be found // [key 0]: schema.GroupVersionResource {Group: "security.openshift.io", Version: "v1", Resource: "securitycontextconstraintses"} <--- should be securitycontextconstraints @@ -53,16 +53,16 @@ func getNewSecurityClient(errorType ErrorType, objects ...*securityv1.SecurityCo return func() (security.SecurityV1Interface, error) { client := cs.SecurityV1() for _, object := range objects { - _, err := client.SecurityContextConstraints().Create(context.Background(), object, metav1.CreateOptions{}) - if err != nil { - return nil, err + _, localError := client.SecurityContextConstraints().Create(context.Background(), object, metav1.CreateOptions{}) + if localError != nil { + return nil, localError } } - return client, nil + return client, withSecurityClientError } } -func TestExecute_AddsSCC(t *testing.T) { +func TestExecute_BackupPod(t *testing.T) { scc := &securityv1.SecurityContextConstraints{ ObjectMeta: metav1.ObjectMeta{ @@ -80,18 +80,14 @@ func TestExecute_AddsSCC(t *testing.T) { }, } - objs := []*securityv1.SecurityContextConstraints{scc} - - podData, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&pod) - assert.NoError(t, err) - unstructuredPod := unstructured.Unstructured{Object: podData} - tests := []struct { name string + annotations map[string]string inducedErrorType ErrorType expectedSccCount int shouldErr bool expectedIdentifiers []velero.ResourceIdentifier + securityClientError error }{ { name: "SCC exists and is added to additional items", @@ -107,6 +103,9 @@ func TestExecute_AddsSCC(t *testing.T) { }, }, }, + annotations: map[string]string{ + common.SCCPodAnnotation: "test-scc", + }, }, { name: "SCC does not exist and error is handled", @@ -114,6 +113,9 @@ func TestExecute_AddsSCC(t *testing.T) { expectedSccCount: 0, shouldErr: false, expectedIdentifiers: []velero.ResourceIdentifier{}, + annotations: map[string]string{ + common.SCCPodAnnotation: "test-scc", + }, }, { name: "error getting SCC for any other reason", @@ -121,11 +123,40 @@ func TestExecute_AddsSCC(t *testing.T) { expectedSccCount: 0, shouldErr: true, expectedIdentifiers: []velero.ResourceIdentifier{}, + annotations: map[string]string{ + common.SCCPodAnnotation: "test-scc", + }, + }, + { + name: "pod has no annotations", + inducedErrorType: NoError, + expectedSccCount: 0, + shouldErr: false, + expectedIdentifiers: []velero.ResourceIdentifier{}, + annotations: nil, + }, + { + name: "security client initialize error", + inducedErrorType: NoError, + expectedSccCount: 0, + shouldErr: true, + expectedIdentifiers: []velero.ResourceIdentifier{}, + securityClientError: assert.AnError, + annotations: map[string]string{ + common.SCCPodAnnotation: "test-scc", + }, }, } for _, test := range tests { - clients.SecurityClient = getNewSecurityClient(test.inducedErrorType, objs...) + pod.Annotations = test.annotations + + objs := []*securityv1.SecurityContextConstraints{scc} + + podData, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&pod) + assert.NoError(t, err) + unstructuredPod := unstructured.Unstructured{Object: podData} + clients.SecurityClient = getNewSecurityClient(test.inducedErrorType, test.securityClientError, objs...) backupPlugin := &BackupPlugin{ Log: logrus.WithField("plugin", "pod-backup-test"), @@ -140,3 +171,13 @@ func TestExecute_AddsSCC(t *testing.T) { assert.Len(t, items, test.expectedSccCount, "Expected %d additional items for the SCC", test.expectedSccCount) } } + +func TestAppliesTo(t *testing.T) { + backupPlugin := &BackupPlugin{ + Log: logrus.WithField("plugin", "pod-backup-test"), + } + + resourceSelector, err := backupPlugin.AppliesTo() + assert.NoError(t, err) + assert.Contains(t, resourceSelector.IncludedResources, "pods", "Expected resource selector to include pods") +} From 99dde3c9ca7f0f90fab81424d73101019f0b684e Mon Sep 17 00:00:00 2001 From: Michael Fruchtman Date: Tue, 3 Mar 2026 15:39:19 -0800 Subject: [PATCH 3/7] empty group from gvk, check expected identifiers Signed-off-by: Michael Fruchtman --- velero-plugins/pod/backup.go | 2 +- velero-plugins/pod/backup_test.go | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/velero-plugins/pod/backup.go b/velero-plugins/pod/backup.go index 18af7555..ed4f2532 100644 --- a/velero-plugins/pod/backup.go +++ b/velero-plugins/pod/backup.go @@ -84,7 +84,7 @@ func (p *BackupPlugin) addSCC(sccName string) (velero.ResourceIdentifier, error) // resource plural can be retrieved from the openshift api but more trouble than it is worth return velero.ResourceIdentifier{ GroupResource: schema.GroupResource{ - Group: scc.GroupVersionKind().Group, + Group: "security.openshift.io", Resource: "securitycontextconstraints", }, Name: scc.Name, diff --git a/velero-plugins/pod/backup_test.go b/velero-plugins/pod/backup_test.go index 8d319477..8b9cd535 100644 --- a/velero-plugins/pod/backup_test.go +++ b/velero-plugins/pod/backup_test.go @@ -63,6 +63,10 @@ func getNewSecurityClient(errorType ErrorType, withSecurityClientError error, ob } func TestExecute_BackupPod(t *testing.T) { + originalSecurityClient := clients.SecurityClient + t.Cleanup(func() { + clients.SecurityClient = originalSecurityClient + }) scc := &securityv1.SecurityContextConstraints{ ObjectMeta: metav1.ObjectMeta{ @@ -168,7 +172,8 @@ func TestExecute_BackupPod(t *testing.T) { } else { assert.NoError(t, err, "Test %s errored when should not %v", test.name, err) } - assert.Len(t, items, test.expectedSccCount, "Expected %d additional items for the SCC", test.expectedSccCount) + assert.Len(t, items, test.expectedSccCount, "Test %s Expected %d additional items for the SCC", test.name, test.expectedSccCount) + assert.ElementsMatch(t, items, test.expectedIdentifiers, "Test %s expected additional items to match expected identifiers", test.name) } } From 0fc4d62c327e0aa8f5fe9dc995d3f7cabb67b8dc Mon Sep 17 00:00:00 2001 From: Michael Fruchtman Date: Tue, 3 Mar 2026 15:45:33 -0800 Subject: [PATCH 4/7] skip lookup if scc annotation is empty Signed-off-by: Michael Fruchtman --- velero-plugins/pod/backup.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/velero-plugins/pod/backup.go b/velero-plugins/pod/backup.go index ed4f2532..d5f4848f 100644 --- a/velero-plugins/pod/backup.go +++ b/velero-plugins/pod/backup.go @@ -46,7 +46,7 @@ func (p *BackupPlugin) Execute(item runtime.Unstructured, backup *v1.Backup) (ru annotations[common.DCIncludesDMFix] = "true" pod.Annotations = annotations - if sccName, exists := pod.Annotations[common.SCCPodAnnotation]; exists { + if sccName, exists := pod.Annotations[common.SCCPodAnnotation]; exists && len(sccName) > 0 { p.Log.Infof("[pod-backup] Pod %s has SCC annotation with value: %s", pod.Name, sccName) sccIdentifier, localerr := p.addSCC(sccName) From 7d5fe9a34238aa5aa52dda17a938bffb1b48d263 Mon Sep 17 00:00:00 2001 From: Michael Fruchtman Date: Tue, 3 Mar 2026 15:49:35 -0800 Subject: [PATCH 5/7] clarify test message Signed-off-by: Michael Fruchtman --- velero-plugins/pod/backup_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/velero-plugins/pod/backup_test.go b/velero-plugins/pod/backup_test.go index 8b9cd535..997b2a56 100644 --- a/velero-plugins/pod/backup_test.go +++ b/velero-plugins/pod/backup_test.go @@ -168,9 +168,9 @@ func TestExecute_BackupPod(t *testing.T) { _, items, err := backupPlugin.Execute(&unstructuredPod, &velerov1.Backup{}) if test.shouldErr { - assert.Error(t, err, "Test %s errored when should not %v", test.name, err) + assert.Error(t, err, "Test %s NOT errored when should %v", test.name, err) } else { - assert.NoError(t, err, "Test %s errored when should not %v", test.name, err) + assert.NoError(t, err, "Test %s errored when should succeed %v", test.name, err) } assert.Len(t, items, test.expectedSccCount, "Test %s Expected %d additional items for the SCC", test.name, test.expectedSccCount) assert.ElementsMatch(t, items, test.expectedIdentifiers, "Test %s expected additional items to match expected identifiers", test.name) From c8e73ece4a284880336e5d69510178c12261b9f7 Mon Sep 17 00:00:00 2001 From: Michael Fruchtman Date: Wed, 4 Mar 2026 09:57:11 -0800 Subject: [PATCH 6/7] fix nit error =nil, remove unused security client Signed-off-by: Michael Fruchtman --- velero-plugins/pod/backup.go | 2 +- velero-plugins/serviceaccount/backup.go | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/velero-plugins/pod/backup.go b/velero-plugins/pod/backup.go index d5f4848f..524eba00 100644 --- a/velero-plugins/pod/backup.go +++ b/velero-plugins/pod/backup.go @@ -33,7 +33,7 @@ func (p *BackupPlugin) Execute(item runtime.Unstructured, backup *v1.Backup) (ru p.Log.Info("[pod-backup] Entering Pod backup plugin") var additionalItems []velero.ResourceIdentifier - var err error = nil + var err error pod := corev1API.Pod{} itemMarshal, _ := json.Marshal(item) json.Unmarshal(itemMarshal, &pod) diff --git a/velero-plugins/serviceaccount/backup.go b/velero-plugins/serviceaccount/backup.go index f6a5047c..c6d0ff8a 100644 --- a/velero-plugins/serviceaccount/backup.go +++ b/velero-plugins/serviceaccount/backup.go @@ -8,7 +8,6 @@ import ( "github.com/konveyor/openshift-velero-plugin/velero-plugins/clients" apisecurity "github.com/openshift/api/security/v1" - security "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" "github.com/sirupsen/logrus" v1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1" "github.com/vmware-tanzu/velero/pkg/plugin/velero" @@ -37,10 +36,6 @@ func (p *BackupPlugin) AppliesTo() (velero.ResourceSelector, error) { }, nil } -// This should be moved to clients package in future -var securityClient *security.SecurityV1Client -var securityClientError error - // Execute copies local registry images into migration registry func (p *BackupPlugin) Execute(item runtime.Unstructured, backup *v1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) { p.Log.Info("[serviceaccount-backup] Entering ServiceAccount backup plugin") From d01f39672ec6908584f7317c45107c9f70306792 Mon Sep 17 00:00:00 2001 From: Michael Fruchtman Date: Wed, 4 Mar 2026 10:00:52 -0800 Subject: [PATCH 7/7] fix security client naming in clients doesn't match others Signed-off-by: Michael Fruchtman --- velero-plugins/clients/clients.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/velero-plugins/clients/clients.go b/velero-plugins/clients/clients.go index 51908aa3..b35aa94d 100644 --- a/velero-plugins/clients/clients.go +++ b/velero-plugins/clients/clients.go @@ -7,7 +7,7 @@ import ( imagev1 "github.com/openshift/client-go/image/clientset/versioned/typed/image/v1" ocpirconfigv1 "github.com/openshift/client-go/imageregistry/clientset/versioned/typed/imageregistry/v1" routev1 "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1" - security "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" + securityv1 "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" "k8s.io/client-go/discovery" appsv1 "k8s.io/client-go/kubernetes/typed/apps/v1" corev1 "k8s.io/client-go/kubernetes/typed/core/v1" @@ -43,7 +43,7 @@ var buildClient *buildv1.BuildV1Client var buildClientError error // SCC client -var securityClient security.SecurityV1Interface +var securityClient securityv1.SecurityV1Interface var securityClientError error var inClusterConfig *rest.Config @@ -254,19 +254,19 @@ func newOCPImageRegistryConfigClient() (*ocpirconfigv1.ImageregistryV1Client, er var SecurityClient = getSecurityClient // SecurityClient returns an openshift SecurityV1Client -func getSecurityClient() (security.SecurityV1Interface, error) { +func getSecurityClient() (securityv1.SecurityV1Interface, error) { if securityClient == nil && securityClientError == nil { securityClient, securityClientError = newSecurityClient() } return securityClient, securityClientError } -func newSecurityClient() (security.SecurityV1Interface, error) { +func newSecurityClient() (securityv1.SecurityV1Interface, error) { config, err := GetInClusterConfig() if err != nil { return nil, err } - client, err := security.NewForConfig(config) + client, err := securityv1.NewForConfig(config) if err != nil { return nil, err }