fix: check RBAC to watched resources on startup

cybozu-go · Jun 10, 2024 · 76d5e49 · 76d5e49
1 parent dcb4795
commit 76d5e49
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 5 deletions.
diff --git a/charts/accurate/MIGRATION.md b/charts/accurate/MIGRATION.md
@@ -114,7 +114,6 @@ controller:
           - list
           - watch
           - create
-          - update
           - patch
           - delete
 <snip>

diff --git a/charts/accurate/values.yaml b/charts/accurate/values.yaml
@@ -101,7 +101,6 @@ controller:
           - list
           - watch
           - create
-          - update
           - patch
           - delete
     # controller.additionalRBAC.clusterRoles -- Specify additional ClusterRoles to be granted

diff --git a/cmd/accurate-controller/sub/run.go b/cmd/accurate-controller/sub/run.go
@@ -89,9 +89,14 @@ func subMain(ns, addr string, port int) error {
 		return fmt.Errorf("unable to start manager: %w", err)
 	}
 
+	ctx := ctrl.SetupSignalHandler()
+
 	if err := cfg.Validate(mgr.GetRESTMapper()); err != nil {
 		return fmt.Errorf("invalid configurations: %w", err)
 	}
+	if err := cfg.ValidateRBAC(ctx, mgr); err != nil {
+		return fmt.Errorf("when validating RBAC to support configuration: %w", err)
+	}
 
 	watched := make([]*unstructured.Unstructured, len(cfg.Watches))
 	for i := range cfg.Watches {
@@ -104,7 +109,6 @@ func subMain(ns, addr string, port int) error {
 		})
 	}
 
-	ctx := ctrl.SetupSignalHandler()
 	dec := admission.NewDecoder(scheme)
 
 	// Namespace reconciler & webhook

diff --git a/docs/config.md b/docs/config.md
@@ -162,7 +162,6 @@ controller:
           - list
           - watch
           - create
-          - update
           - patch
           - delete
 <snip>

diff --git a/e2e/values.yaml b/e2e/values.yaml
@@ -54,7 +54,6 @@ controller:
           - list
           - watch
           - create
-          - update
           - patch
           - delete
     clusterRoles:

diff --git a/pkg/config/types.go b/pkg/config/types.go
@@ -1,14 +1,18 @@
 package config
 
 import (
+	"context"
 	"fmt"
 	"path"
 	"regexp"
 	"strings"
 
+	authv1 "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/errors"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/yaml"
 
 	"github.com/cybozu-go/accurate/pkg/constants"
@@ -99,6 +103,38 @@ func (c *Config) Validate(mapper meta.RESTMapper) error {
 	return nil
 }
 
+// ValidateRBAC validates that the manager has RBAC permissions to support configuration
+func (c *Config) ValidateRBAC(ctx context.Context, mgr manager.Manager) error {
+	var errList []error
+
+	mapper := mgr.GetRESTMapper()
+	client := mgr.GetClient()
+	for _, gvk := range c.Watches {
+		mapping, err := mapper.RESTMapping(schema.GroupKind{Group: gvk.Group, Kind: gvk.Kind}, gvk.Version)
+		if err != nil {
+			return fmt.Errorf("error mapping GVK %s: %w", gvk.String(), err)
+		}
+
+		selfCheck := &authv1.SelfSubjectAccessReview{}
+		selfCheck.Spec.ResourceAttributes = &authv1.ResourceAttributes{
+			Group:    mapping.Resource.Group,
+			Version:  mapping.Resource.Version,
+			Resource: mapping.Resource.Resource,
+		}
+		for _, verb := range []string{"get", "list", "watch", "create", "patch", "delete"} {
+			selfCheck.Spec.ResourceAttributes.Verb = verb
+			if err := client.Create(ctx, selfCheck); err != nil {
+				return fmt.Errorf("error creating SelfSubjectAccessReview: %w", err)
+			}
+			if !selfCheck.Status.Allowed {
+				errList = append(errList, fmt.Errorf("missing permission to %s %s", verb, mapping.Resource.String()))
+			}
+		}
+	}
+
+	return errors.NewAggregate(errList)
+}
+
 // Load loads configurations.
 func (c *Config) Load(data []byte) error {
 	return yaml.Unmarshal(data, c, yaml.DisallowUnknownFields)