Get rid of implicit escalate/bind verbs on operator roles

https://kubernetes.io/docs/concepts/security/rbac-good-practices/#escalate-verb Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
kubevirt · Aug 28, 2023 · 9054204 · 9054204
1 parent 381fe00
commit 9054204
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 30 deletions.
diff --git a/pkg/operator/controller/prometheus.go b/pkg/operator/controller/prometheus.go
@@ -36,11 +36,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
-	"kubevirt.io/containerized-data-importer/pkg/monitoring"
-
 	"kubevirt.io/containerized-data-importer/pkg/common"
 	cc "kubevirt.io/containerized-data-importer/pkg/controller/common"
+	"kubevirt.io/containerized-data-importer/pkg/monitoring"
+	cdinamespaced "kubevirt.io/containerized-data-importer/pkg/operator/resources/namespaced"
 	"kubevirt.io/containerized-data-importer/pkg/util"
+
 	sdk "kubevirt.io/controller-lifecycle-operator-sdk/pkg/sdk"
 )
 
@@ -256,21 +257,7 @@ func newPrometheusRole(namespace string) *rbacv1.Role {
 				common.PrometheusLabelKey: common.PrometheusLabelValue,
 			},
 		},
-		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{
-					"",
-				},
-				Resources: []string{
-					"services",
-					"endpoints",
-					"pods",
-				},
-				Verbs: []string{
-					"get", "list", "watch",
-				},
-			},
-		},
+		Rules: cdinamespaced.GetPrometheusNamespacedRules(),
 	}
 }
 

diff --git a/pkg/operator/resources/namespaced/BUILD.bazel b/pkg/operator/resources/namespaced/BUILD.bazel
@@ -7,6 +7,7 @@ go_library(
         "controller.go",
         "cronjob.go",
         "factory.go",
+        "prometheus.go",
         "uploadproxy.go",
     ],
     importpath = "kubevirt.io/containerized-data-importer/pkg/operator/resources/namespaced",

diff --git a/pkg/operator/resources/namespaced/apiserver.go b/pkg/operator/resources/namespaced/apiserver.go
@@ -59,8 +59,8 @@ func createAPIServerRoleBinding() *rbacv1.RoleBinding {
 	return utils.ResourceBuilder.CreateRoleBinding(apiServerRessouceName, apiServerRessouceName, apiServerRessouceName, "")
 }
 
-func createAPIServerRole() *rbacv1.Role {
-	rules := []rbacv1.PolicyRule{
+func getAPIServerNamespacedRules() []rbacv1.PolicyRule {
+	return []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{
 				"",
@@ -77,7 +77,10 @@ func createAPIServerRole() *rbacv1.Role {
 			},
 		},
 	}
-	return utils.ResourceBuilder.CreateRole(apiServerRessouceName, rules)
+}
+
+func createAPIServerRole() *rbacv1.Role {
+	return utils.ResourceBuilder.CreateRole(apiServerRessouceName, getAPIServerNamespacedRules())
 }
 
 func createAPIServerService() *corev1.Service {

diff --git a/pkg/operator/resources/namespaced/controller.go b/pkg/operator/resources/namespaced/controller.go
@@ -60,8 +60,8 @@ func createControllerRoleBinding() *rbacv1.RoleBinding {
 	return utils.ResourceBuilder.CreateRoleBinding(controllerResourceName, controllerResourceName, common.ControllerServiceAccountName, "")
 }
 
-func createControllerRole() *rbacv1.Role {
-	rules := []rbacv1.PolicyRule{
+func getControllerNamespacedRules() []rbacv1.PolicyRule {
+	return []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{
 				"",
@@ -162,7 +162,10 @@ func createControllerRole() *rbacv1.Role {
 			},
 		},
 	}
-	return utils.ResourceBuilder.CreateRole(controllerResourceName, rules)
+}
+
+func createControllerRole() *rbacv1.Role {
+	return utils.ResourceBuilder.CreateRole(controllerResourceName, getControllerNamespacedRules())
 }
 
 func createControllerServiceAccount() *corev1.ServiceAccount {

diff --git a/pkg/operator/resources/namespaced/factory.go b/pkg/operator/resources/namespaced/factory.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -97,3 +98,12 @@ func assignNamspaceIfMissing(resource client.Object, namespace string) {
 		obj.SetNamespace(namespace)
 	}
 }
+
+// GetRolePolicyRules returns all namespaced PolicyRules
+func GetRolePolicyRules() []rbacv1.PolicyRule {
+	result := getAPIServerNamespacedRules()
+	result = append(result, getControllerNamespacedRules()...)
+	result = append(result, getUploadProxyNamespacedRules()...)
+	result = append(result, GetPrometheusNamespacedRules()...)
+	return result
+}
diff --git a/pkg/operator/resources/namespaced/prometheus.go b/pkg/operator/resources/namespaced/prometheus.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2018 The CDI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package namespaced
+
+import (
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+// GetPrometheusNamespacedRules returns the policy rules needed for CDI alerting setup
+func GetPrometheusNamespacedRules() []rbacv1.PolicyRule {
+	return []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{
+				"",
+			},
+			Resources: []string{
+				"services",
+				"endpoints",
+				"pods",
+			},
+			Verbs: []string{
+				"get", "list", "watch",
+			},
+		},
+	}
+}
diff --git a/pkg/operator/resources/namespaced/uploadproxy.go b/pkg/operator/resources/namespaced/uploadproxy.go
@@ -67,8 +67,8 @@ func createUploadProxyRoleBinding() *rbacv1.RoleBinding {
 	return utils.ResourceBuilder.CreateRoleBinding(uploadProxyResourceName, uploadProxyResourceName, uploadProxyResourceName, "")
 }
 
-func createUploadProxyRole() *rbacv1.Role {
-	rules := []rbacv1.PolicyRule{
+func getUploadProxyNamespacedRules() []rbacv1.PolicyRule {
+	return []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{
 				"",
@@ -81,7 +81,10 @@ func createUploadProxyRole() *rbacv1.Role {
 			},
 		},
 	}
-	return utils.ResourceBuilder.CreateRole(uploadProxyResourceName, rules)
+}
+
+func createUploadProxyRole() *rbacv1.Role {
+	return utils.ResourceBuilder.CreateRole(uploadProxyResourceName, getUploadProxyNamespacedRules())
 }
 
 func createUploadProxyDeployment(image, verbosity, pullPolicy string, imagePullSecrets []corev1.LocalObjectReference, priorityClassName string, infraNodePlacement *sdkapi.NodePlacement) *appsv1.Deployment {

diff --git a/pkg/operator/resources/operator/operator.go b/pkg/operator/resources/operator/operator.go
@@ -33,7 +33,8 @@ import (
 	k8syaml "k8s.io/apimachinery/pkg/util/yaml"
 
 	"kubevirt.io/containerized-data-importer/pkg/operator/resources"
-	cluster "kubevirt.io/containerized-data-importer/pkg/operator/resources/cluster"
+	cdicluster "kubevirt.io/containerized-data-importer/pkg/operator/resources/cluster"
+	cdinamespaced "kubevirt.io/containerized-data-importer/pkg/operator/resources/namespaced"
 	utils "kubevirt.io/containerized-data-importer/pkg/operator/resources/utils"
 )
 
@@ -54,7 +55,12 @@ func getClusterPolicyRules() []rbacv1.PolicyRule {
 				"clusterroles",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 		{
@@ -168,7 +174,7 @@ func getClusterPolicyRules() []rbacv1.PolicyRule {
 			},
 		},
 	}
-	rules = append(rules, cluster.GetClusterRolePolicyRules()...)
+	rules = append(rules, cdicluster.GetClusterRolePolicyRules()...)
 	return rules
 }
 
@@ -198,7 +204,12 @@ func getNamespacedPolicyRules() []rbacv1.PolicyRule {
 				"roles",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 		{
@@ -300,6 +311,7 @@ func getNamespacedPolicyRules() []rbacv1.PolicyRule {
 			},
 		},
 	}
+	rules = append(rules, cdinamespaced.GetRolePolicyRules()...)
 	return rules
 }