From 2a2e995bda6c681b0047bf9931e9984d5ef872f4 Mon Sep 17 00:00:00 2001
From: Jian Qiu
Date: Wed, 29 Nov 2023 17:57:59 +0800
Subject: [PATCH] Reduce permission for cluster manager and klusterlet

Signed-off-by: Jian Qiu
---
 .../config/rbac/cluster_role.yaml | 5 ++++-
 ...cluster-manager.clusterserviceversion.yaml | 9 ++++++--
 .../klusterlet/config/rbac/cluster_role.yaml | 13 ++++++++++-
 .../klusterlet.clusterserviceversion.yaml | 22 +++++++++++++++++--
 ...ter-manager-addon-manager-clusterrole.yaml | 5 ++++-
 ...er-manifestworkreplicaset-clusterrole.yaml | 5 ++++-
 ...cluster-manager-placement-clusterrole.yaml | 5 ++++-
 ...ster-manager-registration-clusterrole.yaml | 5 ++++-
 .../klusterlet-registration-role.yaml | 3 +++
 .../management/klusterlet-work-role.yaml | 6 +++++
 pkg/operator/operators/klusterlet/options.go | 6 ++---
 11 files changed, 71 insertions(+), 13 deletions(-)

diff --git a/deploy/cluster-manager/config/rbac/cluster_role.yaml b/deploy/cluster-manager/config/rbac/cluster_role.yaml
index 0dd555e0e..ce37bcd7a 100644
--- a/deploy/cluster-manager/config/rbac/cluster_role.yaml
+++ b/deploy/cluster-manager/config/rbac/cluster_role.yaml
@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
- resources: ["configmaps", "namespaces", "serviceaccounts", "services", "pods"]
+ resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
 verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get", "list", "watch", "update", "patch", "delete"]
diff --git a/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml b/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
index 84dc7fdb6..4df082f86 100644
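Review bot: The split-out `get` on `pods` carries no comment explaining why the operator still needs it, and the same is true of the identical split in manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml, cluster-manager-manifestworkreplicaset-clusterrole.yaml, cluster-manager-placement-clusterrole.yaml and cluster-manager-registration-clusterrole.yaml; a later reviewer trimming permissions cannot tell whether `get pods` is still required. If the reason is the one given in deploy/klusterlet/config/rbac/cluster_role.yaml, add `# get pods is for event creation` above the new rule in each file. The `secrets` rule in the trailing context still grants update/patch/delete on all secrets without `resourceNames`, so the cluster-manager side is not name-scoped the way the klusterlet side is in this commit; that may be intended, but it is worth stating in the commit message.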
--- a/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
+++ b/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
@@ -59,7 +59,7 @@ metadata:
 categories: Integration & Delivery,OpenShift Optional
 certified: "false"
 containerImage: quay.io/open-cluster-management/registration-operator:latest
- createdAt: "2023-11-28T10:34:20Z"
+ createdAt: "2023-11-30T07:06:56Z"
 description: Manages the installation and upgrade of the ClusterManager.
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -118,7 +118,6 @@ spec:
 - namespaces
 - serviceaccounts
 - services
- - pods
 verbs:
 - create
 - get
@@ -128,6 +127,12 @@ spec:
 - patch
 - delete
 - deletecollection
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
 - apiGroups:
 - ""
 resourceNames:
diff --git a/deploy/klusterlet/config/rbac/cluster_role.yaml b/deploy/klusterlet/config/rbac/cluster_role.yaml
index d19345cbc..39a228a4e 100644
--- a/deploy/klusterlet/config/rbac/cluster_role.yaml
+++ b/deploy/klusterlet/config/rbac/cluster_role.yaml
@@ -5,8 +5,19 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
- resources: ["secrets", "configmaps", "serviceaccounts"]
+ resources: ["configmaps", "serviceaccounts"]
 verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "update", "get", "list", "watch", "delete"]
+ resourceNames:
+ - "open-cluster-management-image-pull-credentials"
+ - "bootstrap-hub-kubeconfig"
+ - "hub-kubeconfig-secret"
+ - "external-managed-kubeconfig"
+ - "external-managed-kubeconfig-work"
+ - "external-managed-kubeconfig-registration"
+ - "external-managed-kubeconfig-agent"
 # get pods and replicasets is for event creation
 - apiGroups: [""]
 resources: ["pods"]
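Review bot: `create` in the new name-scoped `secrets` rule authorizes nothing: the RBAC authorizer matches `resourceNames` against the name carried in the request, and a create (POST) carries no name, so a rule with `resourceNames` never matches a create — Kubernetes documents that create cannot be restricted by resource name. If the klusterlet operator still creates any of the listed secrets (the `external-managed-kubeconfig-*` copies look like candidates), that path will now be forbidden; either confirm no create remains or add a separate unrestricted rule `- apiGroups: [""]`, `resources: ["secrets"]`, `verbs: ["create"]`. `list` and `watch` under `resourceNames` are only authorized when the request sets a `metadata.name` field selector, which the one-term informers in pkg/operator/operators/klusterlet/options.go presumably do — worth confirming for every name in this list. The same rule is duplicated in deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml and needs the same treatment.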
diff --git a/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml b/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml
index 2195c15e1..f8748c4d9 100644
--- a/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml
+++ b/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml
@@ -31,7 +31,7 @@ metadata:
 categories: Integration & Delivery,OpenShift Optional
 certified: "false"
 containerImage: quay.io/open-cluster-management/registration-operator:latest
- createdAt: "2023-11-28T10:34:20Z"
+ createdAt: "2023-11-30T07:06:57Z"
 description: Manages the installation and upgrade of the Klusterlet.
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -93,7 +93,6 @@ spec:
 - apiGroups:
 - ""
 resources:
- - secrets
 - configmaps
 - serviceaccounts
 verbs:
@@ -104,6 +103,25 @@ spec:
 - watch
 - patch
 - delete
+ - apiGroups:
+ - ""
+ resourceNames:
+ - open-cluster-management-image-pull-credentials
+ - bootstrap-hub-kubeconfig
+ - hub-kubeconfig-secret
+ - external-managed-kubeconfig
+ - external-managed-kubeconfig-work
+ - external-managed-kubeconfig-registration
+ - external-managed-kubeconfig-agent
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+ - get
+ - list
+ - watch
+ - delete
 - apiGroups:
 - ""
 resources:
diff --git a/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml
index 65083f3a6..e26254a94 100644
--- a/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml
@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow controller to get/list/watch/create/delete configmaps/events
 - apiGroups: [""]
- resources: ["configmaps", "events", "pods"]
+ resources: ["configmaps", "events"]
 verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
 - apiGroups: ["apps"]
 resources: ["replicasets"]
 verbs: ["get"]
diff --git a/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml
index b139188d5..1b117d551 100644
--- a/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml
@@ -4,8 +4,11 @@ metadata:
 name: open-cluster-management:{{ .ClusterManagerName }}-work:controller
 rules:
 - apiGroups: [ "" ]
- resources: [ "configmaps", "pods"]
+ resources: [ "configmaps"]
 verbs: [ "get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
 # Allow create subjectaccessreviews
 - apiGroups: ["authorization.k8s.io"]
 resources: ["subjectaccessreviews"]
diff --git a/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml
index b976b11df..6004ccb64 100644
--- a/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml
@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow controller to get/list/watch/create/delete configmaps
 - apiGroups: [""]
- resources: ["configmaps", "pods"]
+ resources: ["configmaps"]
 verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
 - apiGroups: ["apps"]
 resources: ["replicasets"]
 verbs: ["get"]
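Review bot: In cluster-manager-manifestworkreplicaset-clusterrole.yaml the added `pods` rule is written `[""]`/`["pods"]` while the rule directly above it in the same file keeps `[ "" ]`/`[ "configmaps"]`, so the hunk leaves two bracket-spacing styles side by side. The new form matches the other hub clusterroles touched by this commit, so normalize the existing rule while it is being edited: `- apiGroups: [""]`, `resources: ["configmaps"]`, `verbs: ["get", "list", "watch"]`.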
diff --git a/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
index 5d83728c5..283beab69 100644
--- a/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
@@ -12,8 +12,11 @@ rules:
 verbs: ["update"]
 # Allow hub to get/list/watch/create/delete namespace and service account
 - apiGroups: [""]
- resources: ["namespaces", "serviceaccounts", "configmaps", "pods"]
+ resources: ["namespaces", "serviceaccounts", "configmaps"]
 verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
 - apiGroups: ["", "events.k8s.io"]
 resources: ["events"]
 verbs: ["create", "patch", "update"]
diff --git a/manifests/klusterlet/management/klusterlet-registration-role.yaml b/manifests/klusterlet/management/klusterlet-registration-role.yaml
index 4e02f0342..321d8f918 100644
--- a/manifests/klusterlet/management/klusterlet-registration-role.yaml
+++ b/manifests/klusterlet/management/klusterlet-registration-role.yaml
@@ -13,6 +13,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods"]
 verbs: ["get"]
+- apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get"]
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["create", "get", "list", "update", "watch", "patch"]
diff --git a/manifests/klusterlet/management/klusterlet-work-role.yaml b/manifests/klusterlet/management/klusterlet-work-role.yaml
index 7ec0bbddb..193b346e1 100644
--- a/manifests/klusterlet/management/klusterlet-work-role.yaml
+++ b/manifests/klusterlet/management/klusterlet-work-role.yaml
@@ -16,3 +16,9 @@ rules:
 - apiGroups: ["", "events.k8s.io"]
 resources: ["events"]
 verbs: ["create", "patch", "update"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+- apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get"]
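Review bot: The new `get` rule on `replicasets` in klusterlet-registration-role.yaml, and the new `pods`/`replicasets` `get` rules in manifests/klusterlet/management/klusterlet-work-role.yaml, widen these roles in a commit titled "Reduce permission", and nothing in either file says why the agents need them. If the reason is the one recorded in deploy/klusterlet/config/rbac/cluster_role.yaml, add `# get pods and replicasets is for event creation` above the new rules in both files so the additions are not mistaken for leftovers and removed later. Otherwise the rationale belongs in the commit message.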
diff --git a/pkg/operator/operators/klusterlet/options.go b/pkg/operator/operators/klusterlet/options.go
index e0aff02af..58fd960f8 100644
--- a/pkg/operator/operators/klusterlet/options.go
+++ b/pkg/operator/operators/klusterlet/options.go
@@ -2,7 +2,7 @@ package klusterlet
 
 import (
 "context"
- "io/ioutil"
+ "os"
 "time"
 
 "github.com/openshift/library-go/pkg/controller/controllercmd"
@@ -65,7 +65,7 @@ func (o *Options) RunKlusterletOperator(ctx context.Context, controllerContext *
 
 hubConfigSecretInformer := newOneTermInformer(helpers.HubKubeConfig)
 bootstrapConfigSecretInformer := newOneTermInformer(helpers.BootstrapHubKubeConfig)
- externalConfigSecretInformer := newOneTermInformer(helpers.WorkWebhookSecret)
+ externalConfigSecretInformer := newOneTermInformer(helpers.ExternalManagedKubeConfig)
 
 secretInformers := map[string]corev1informers.SecretInformer{
 helpers.HubKubeConfig: hubConfigSecretInformer.Core().V1().Secrets(),
@@ -92,7 +92,7 @@ func (o *Options) RunKlusterletOperator(ctx context.Context, controllerContext *
 
 // Read component namespace
 operatorNamespace := defaultComponentNamespace
- nsBytes, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+ nsBytes, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
 if err == nil {
 operatorNamespace = string(nsBytes)
 }
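Review bot: The second hunk changes which secret `externalConfigSecretInformer` watches, from `helpers.WorkWebhookSecret` to `helpers.ExternalManagedKubeConfig`, which is a behaviour fix rather than a permission change and is not mentioned in the commit message; a short comment above the line would stop it from being read as a rename, e.g. `// hosted mode: the external managed kubeconfig secret, not the work webhook secret, feeds the klusterlet informers`. Because the new `secrets` rule in deploy/klusterlet/config/rbac/cluster_role.yaml is scoped by `resourceNames`, `list` and `watch` through these informers are only authorized when `newOneTermInformer` sets a `metadata.name` field selector for the name it is given — presumably it does, but confirm, and note that `helpers.WorkWebhookSecret` is absent from that list, so any remaining reader of it will be forbidden. `RunKlusterletOperator` starts and ends outside the hunk.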