
Audit RBAC rules
It removes all RBAC rules and verbs that are not required. The process used was a
black-box approach: remove all rules, deploy the operator, run functest, collect the
forbidden operations, add the missing rules/verbs and repeat.

To ensure a better coverage, Tier 2 tests have also been run.

Signed-off-by: Javier Cano Cano <jcanocan@redhat.com>
jcanocan committed Jul 4, 2023
1 parent 56183a5 commit 9759ddf
Showing 11 changed files with 32 additions and 217 deletions.
98 changes: 3 additions & 95 deletions config/rbac/role.yaml
Expand Up @@ -59,17 +59,14 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
Expand All @@ -81,7 +78,6 @@ rules:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down Expand Up @@ -146,20 +142,15 @@ rules:
- infrastructures
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- serviceaccounts
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -171,7 +162,6 @@ rules:
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down Expand Up @@ -201,22 +191,18 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -226,9 +212,7 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -238,9 +222,7 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down Expand Up @@ -282,13 +264,9 @@ rules:
resources:
- prometheusrules
- servicemonitors
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -299,9 +277,7 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -312,9 +288,7 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -326,9 +300,7 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -338,23 +310,18 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io/v1
- rbac.authorization.k8s.io
resources:
- role
- rolebinding
- serviceaccount
- rolebindings
- roles
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -364,57 +331,15 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ssp.kubevirt.io
resources:
- kubevirtcommontemplatesbundles
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ssp.kubevirt.io
resources:
- kubevirtmetricsaggregations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ssp.kubevirt.io
resources:
- kubevirttemplatevalidators
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ssp.kubevirt.io
resources:
- ssps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -428,8 +353,6 @@ rules:
resources:
- ssps/status
verbs:
- get
- patch
- update
- apiGroups:
- subresources.kubevirt.io
Expand All @@ -439,27 +362,14 @@ rules:
- virtualmachines/stop
verbs:
- update
- apiGroups:
- tekton.dev
resources:
- clustertasks
- tasks
verbs:
- delete
- get
- list
- patch
- update
- apiGroups:
- tekton.dev
resources:
- pipelines
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -469,9 +379,7 @@ rules:
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
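Review bot: The rule in the `rbac.authorization.k8s.io` hunk is a net grant, not a reduction, and deserves a comment saying why the operator needs it. RBAC `apiGroups` are unversioned and `resources` are plural, so the old entry (`rbac.authorization.k8s.io/v1` with `role`/`rolebinding`/`serviceaccount`) most likely never matched any request, whereas the new entry (`rbac.authorization.k8s.io` with `roles`/`rolebindings`) now effectively grants `create`/`delete`/`update`/`watch` on Roles and RoleBindings — an escalation-sensitive permission, bounded only by the API server's check that a subject can bind no more than it already holds (or has `bind`/`escalate` on). Since this appears to be the generated cluster-scoped role (no namespace is visible in the file), I would add a why-comment next to the kubebuilder marker that produces it, e.g. `// Roles/RoleBindings are created for the components the operator deploys; needs roles/rolebindings but not bind/escalate`, and have the black-box process confirm that `update`/`delete` on these are exercised by a test rather than retained by habit. Dropping `serviceaccount` from this rule is harmless, as ServiceAccounts are covered by the core-group rule earlier in the file. The file continues past the last hunk shown.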
2 changes: 1 addition & 1 deletion controllers/setup.go
Expand Up @@ -26,7 +26,7 @@ import (
)

// Need to watch CRDs
// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list;watch

func CreateAndStartReconciler(ctx context.Context, mgr controllerruntime.Manager) error {
mgrCtx, cancel := context.WithCancel(ctx)
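Review bot: The marker on the new line keeps `list;watch` on `customresourcedefinitions` while `controllers/ssp_controller.go` in this same commit declares a separate marker for the same resource with `verbs=list`; controller-gen unions them, so the result is correct, but two markers for one resource in two files make the next audit harder. I would keep a single marker here and extend the comment above it to record the reasoning the commit relies on, e.g. `// Need to watch CRDs: reads are served from the informer cache, so list+watch suffice and get is intentionally omitted.` The enclosing import block and `CreateAndStartReconciler` body extend outside the hunk.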
9 changes: 3 additions & 6 deletions controllers/ssp_controller.go
Expand Up @@ -94,14 +94,11 @@ func NewSspReconciler(client client.Client, uncachedReader client.Reader, infras

var _ reconcile.Reconciler = &sspReconciler{}

// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps,verbs=list;watch;update
// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps/status,verbs=update
// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps/finalizers,verbs=update
// +kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures;clusterversions,verbs=get;list;watch
// +kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures;clusterversions,verbs=get
// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list
// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=kubevirtcommontemplatesbundles,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=kubevirtmetricsaggregations,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=kubevirttemplatevalidators,verbs=get;list;watch;create;update;patch;delete

func (r *sspReconciler) setupController(mgr ctrl.Manager) error {
eventHandlerHook := func(request ctrl.Request, obj client.Object) {
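Review bot: The new `ssps`, `ssps/status` and `infrastructures;clusterversions` markers drop `get` (and `patch`) on the assumption that every read goes through the cache-backed client, but `NewSspReconciler` visibly takes an `uncachedReader client.Reader`, and any `Get` through that reader hits the API server directly and is denied without the `get` verb. Because the verbs were derived by running the test suites, a read or `Patch` that only happens on an error or upgrade path that functest/Tier 2 do not exercise would now fail at runtime with a Forbidden error rather than at review time. I would add a comment above the marker group, e.g. `// get/patch intentionally omitted: reads of these resources must go through the cached client (list/watch); do not use uncachedReader for them.`, and grep the reconciler for `uncachedReader.Get` and `client.Patch`/`Status().Patch` on these types before merging. The `infrastructures;clusterversions` marker is left with `get` only, which is consistent with a one-shot read at startup, though that cannot be confirmed from this hunk. `setupController`'s body continues outside the hunk.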
