RBAC: restrict SeedImage controller auth to fleet-default (#864)
* RBAC: restrict SeedImage controller auth to fleet-default

do not allow the seedimage-controller to operate on pods, services and
configmaps outside of the fleet-default namespace.

Fixes #457

Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>

* RBAC: move all rbac resources to rbac.yaml

Also have all of them collected and generated via kustomize

Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>

---------

Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
fgiudici authored Oct 7, 2024
1 parent 69d4bc1 commit de3c37d
Showing 8 changed files with 190 additions and 58 deletions.
@@ -1,7 +1,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: Role
metadata:
name: '{{ .Release.Name }}'
namespace: fleet-default
rules:
- apiGroups:
- ""
Expand All @@ -18,14 +19,25 @@ rules:
- apiGroups:
- ""
resources:
- events
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
Expand All @@ -37,13 +49,36 @@ rules:
- apiGroups:
- ""
resources:
- pods/log
- services/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: '{{ .Release.Name }}'
rules:
- apiGroups:
- ""
resources:
- pods/status
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- apiGroups:
Expand Down Expand Up @@ -77,15 +112,7 @@ rules:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- services/status
verbs:
- get
- apiGroups:
- cluster.x-k8s.io
resources:
Expand Down Expand Up @@ -293,3 +320,31 @@ rules:
- delete
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: '{{ .Release.Name }}'
namespace: fleet-default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: '{{ .Release.Name }}'
namespace: fleet-default
subjects:
- kind: ServiceAccount
name: '{{ .Release.Name }}'
namespace: '{{ .Release.Namespace }}'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: '{{ .Release.Name }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: '{{ .Release.Name }}'
subjects:
- kind: ServiceAccount
name: '{{ .Release.Name }}'
namespace: '{{ .Release.Namespace }}'
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -266,7 +266,7 @@ build-crds: $(KUSTOMIZE)
$(KUSTOMIZE) build config/crd > .obs/chartfile/elemental-operator-crds-helm/templates/crds.yaml

build-rbac: $(KUSTOMIZE)
$(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/cluster_role.yaml
$(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/rbac.yaml

build-manifests: $(KUSTOMIZE) generate
$(MAKE) build-crds
@@ -1,13 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}
name: manager-role
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}
name: manager-role
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}
namespace: {{.Release.Namespace}}
name: manager-role
namespace: manager-role-namespace

83 changes: 55 additions & 28 deletions config/rbac/bases/role.yaml
Expand Up @@ -4,18 +4,6 @@ kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
Expand All @@ -32,21 +20,13 @@ rules:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -78,15 +58,7 @@ rules:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- services/status
verbs:
- get
- apiGroups:
- cluster.x-k8s.io
resources:
Expand Down Expand Up @@ -294,3 +266,58 @@ rules:
- delete
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: manager-role
namespace: fleet-default
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- services/status
verbs:
- get
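Review bot: The ClusterRole still grants pods and services cluster-wide after this change: in both the pods and the services rules the `- delete`, `- get`, `- list` and `- watch` verbs remain as context and only `- patch` and `- update` are removed, and `pods/log` `get` stays cluster-wide as well (the generated `.obs` rbac.yaml in this commit shows the same rules, with `create` too). The new fleet-default Role therefore only narrows patch/update for those resources, configmaps being the only resource moved out of the ClusterRole entirely, so the service account bound by the ClusterRoleBinding can still create, delete and list pods and services in every namespace. These grants presumably come from kubebuilder markers in other controllers that are not in this diff; worth checking whether they can be namespace-scoped too, and stating in the commit message which cluster-wide grants intentionally remain. The `rules:` list these hunks patch starts outside the visible lines.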
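--- /dev/null
+++ b/config/rbac/bases/role_binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: manager-role
+namespace: fleet-default
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: manager-role
+namespace: fleet-default
+subjects:
+- kind: ServiceAccount
+name: manager-role
+namespace: manager-role-namespace
+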
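Review bot: `namespace: fleet-default` under `roleRef` is not a field of an rbac.authorization.k8s.io/v1 RoleRef, which only has `apiGroup`, `kind` and `name`; a RoleBinding always resolves its Role in its own `metadata.namespace`. Depending on the client's field validation the line is either dropped silently or rejected as an unknown field, and the generated chart template in this commit carries the same line. Drop the `namespace: fleet-default` line from `roleRef` and keep only the one under `metadata`.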
40 changes: 33 additions & 7 deletions config/rbac/kustomization.yaml
Expand Up @@ -2,11 +2,37 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- bases/role.yaml
- bases/role_binding.yaml
- bases/cluster_role_binding.yaml

patchesJson6902: ## this is used to patch role name so we can use in helm chart template
- target:
group: rbac.authorization.k8s.io
version: v1
kind: ClusterRole
name: manager-role
path: patches/name_in_role.yaml
patches:
- path: patches/name_in_role.yaml
target:
group: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
version: v1
- path: patches/name_in_role.yaml
target:
group: rbac.authorization.k8s.io
kind: ClusterRoleBinding
name: manager-role
version: v1
- path: patches/name_in_role.yaml
target:
group: rbac.authorization.k8s.io
kind: Role
name: manager-role
version: v1
- path: patches/name_in_rolebinding.yaml
target:
group: rbac.authorization.k8s.io
kind: RoleBinding
name: manager-role
version: v1
- path: patches/name_in_rolebinding.yaml
target:
group: rbac.authorization.k8s.io
kind: ClusterRoleBinding
name: manager-role
version: v1
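Review bot: The ClusterRoleBinding is patched twice for its name: `patches/name_in_role.yaml` is applied to `kind: ClusterRoleBinding` in the second entry, and `patches/name_in_rolebinding.yaml`, which also replaces `/metadata/name`, in the last. If name_in_role.yaml only rewrites `metadata.name` (it is not part of this diff), that second entry is redundant and can be dropped, leaving one patch per kind as the new RoleBinding gets. The explanatory `## this is used to patch role name so we can use in helm chart template` comment was also lost in the rewrite; keep it as `patches: # rename resources to the Helm release name so the output can be used as a chart template`.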
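--- /dev/null
+++ b/config/rbac/patches/name_in_rolebinding.yaml
@@ -0,0 +1,9 @@
+- op: replace
+path: /metadata/name
+value: "{{ .Release.Name }}"
+- op: replace
+path: /subjects/0/name
+value: "{{ .Release.Name }}"
+- op: replace
+path: /subjects/0/namespace
+value: "{{ .Release.Namespace }}"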
10 changes: 5 additions & 5 deletions controllers/seedimage_controller.go
Expand Up @@ -66,11 +66,11 @@ const (
// +kubebuilder:rbac:groups=elemental.cattle.io,resources=machineregistrations,verbs=get;watch;list
// TODO: restrict access to resources to the required namespace only:
// https://github.com/rancher/elemental-operator/issues/457
// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=pods/status,verbs=get
// +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=services/status,verbs=get
// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=pods,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=pods/status,verbs=get
// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=services,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=services/status,verbs=get
// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=configmaps,verbs=get;list;watch;create;update;patch;delete

// TODO: extend SetupWithManager with "Watches" and "WithEventFilter"
func (r *SeedImageReconciler) SetupWithManager(mgr ctrl.Manager) error {
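Review bot: The `// TODO: restrict access to resources to the required namespace only:` comment and its issue #457 link are left in place directly above the updated markers even though this commit is the fix for that issue (the message says Fixes #457), so the TODO now reads as stale. Replace the two TODO lines with a note on the intent, e.g. `// Pods, services and configmaps created for a SeedImage live in fleet-default only, so these markers are namespace-scoped (#457).` The namespace is hard-coded in the markers; presumably the reconciler itself only creates these resources in fleet-default, but that is not visible in this hunk. SetupWithManager continues outside the hunk.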
