rbac: limit access requested for leadership election

machinezone · Jul 17, 2020 · 571f95e · 571f95e
1 parent e3c5acc
commit 571f95e
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 74 deletions.
diff --git a/cmd/configmapsecret-controller/main.go b/cmd/configmapsecret-controller/main.go
@@ -50,6 +50,14 @@ func init() {
 	// +kubebuilder:scaffold:scheme
 }
 
+// RBAC for leader election, scoped to the namespace used by default manifests (kube-system).
+//
+// N.B.: RBAC cannot use resourceNames with "list", "watch", "create", or "deletecollection" verbs.
+//
+// +kubebuilder:rbac:namespace=kube-system,groups=core,resources=configmaps,verbs=create
+// +kubebuilder:rbac:namespace=kube-system,groups=core,resources=configmaps,verbs=get;update,resourceNames=configmapsecret-controller-leader
+// +kubebuilder:rbac:namespace=kube-system,groups=core,resources=events,verbs=create;patch
+
 func main() {
 	var (
 		healthAddr     string

diff --git a/magefile.go b/magefile.go
@@ -453,11 +453,11 @@ func generateCDRs() error {
 }
 
 func generateRBAC() error {
-	out, err := sh.Output("controller-gen", "rbac:roleName=configmapsecret-controller", "paths=./pkg/...", "output:stdout")
+	out, err := sh.Output("controller-gen", "rbac:roleName=configmapsecret-controller", "paths=./cmd/...;./pkg/...", "output:stdout")
 	if err != nil {
 		return err
 	}
-	return writeFile("manifest/clusterrole.yaml", out)
+	return writeFile("manifest/roles.yaml", out)
 }
 
 func generateDocs() error {

diff --git a/manifest/clusterrolebinding.yaml b/manifest/clusterrolebinding.yaml
diff --git a/manifest/customresourcedefinition.yaml b/manifest/customresourcedefinition.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.4
+    controller-gen.kubebuilder.io/version: v0.3.0
   creationTimestamp: null
   name: configmapsecrets.secrets.mz.com
 spec:
@@ -22,14 +22,10 @@ spec:
       description: ConfigMapSecret holds configuration data with embedded secrets.
       properties:
         apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
           type: string
         kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
           type: string
         metadata:
           description: 'Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
@@ -38,32 +34,18 @@ spec:
           description: 'Desired state of the ConfigMapSecret. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
           properties:
             template:
-              description: 'Template that describes the config that will be rendered.
-                Variable references $(VAR_NAME) in template data are expanded using
-                the ConfigMapSecret''s variables. If a variable cannot be resolved,
-                the reference in the input data will be unchanged. The $(VAR_NAME)
-                syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
-                references will never be expanded, regardless of whether the variable
-                exists or not.'
+              description: 'Template that describes the config that will be rendered. Variable references $(VAR_NAME) in template data are expanded using the ConfigMapSecret''s variables. If a variable cannot be resolved, the reference in the input data will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.'
               properties:
                 binaryData:
                   additionalProperties:
                     format: byte
                     type: string
-                  description: BinaryData contains the binary data. Each key must
-                    consist of alphanumeric characters, '-', '_' or '.'. BinaryData
-                    can contain byte sequences that are not in the UTF-8 range. The
-                    keys stored in BinaryData must not overlap with the keys in the
-                    Data field.
+                  description: BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the keys in the Data field.
                   type: object
                 data:
                   additionalProperties:
                     type: string
-                  description: Data contains the configuration data. Each key must
-                    consist of alphanumeric characters, '-', '_' or '.'. Values with
-                    non-UTF-8 byte sequences must use the BinaryData field. The keys
-                    stored in Data must not overlap with the keys in the BinaryData
-                    field.
+                  description: Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field.
                   type: object
                 metadata:
                   description: 'Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata'
@@ -81,12 +63,10 @@ spec:
                         description: The key to select.
                         type: string
                       name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                         type: string
                       optional:
-                        description: Specify whether the ConfigMap or its key must
-                          be defined
+                        description: Specify whether the ConfigMap or its key must be defined
                         type: boolean
                     required:
                     - key
@@ -98,28 +78,19 @@ spec:
                     description: SecretValue selects a value by its key in a Secret.
                     properties:
                       key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
+                        description: The key of the secret to select from.  Must be a valid secret key.
                         type: string
                       name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                         type: string
                       optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
+                        description: Specify whether the Secret or its key must be defined
                         type: boolean
                     required:
                     - key
                     type: object
                   value:
-                    description: 'Variable references $(VAR_NAME) are expanded using
-                      the previous defined environment variables in the ConfigMapSecret.
-                      If a variable cannot be resolved, the reference in the input
-                      string will be unchanged. The $(VAR_NAME) syntax can be escaped
-                      with a double $$, ie: $$(VAR_NAME). Escaped references will
-                      never be expanded, regardless of whether the variable exists
-                      or not. Defaults to "".'
+                    description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the ConfigMapSecret. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".'
                     type: string
                 required:
                 - name
@@ -130,23 +101,20 @@ spec:
           description: 'Observed state of the ConfigMapSecret. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
           properties:
             conditions:
-              description: Represents the latest available observations of a ConfigMapSecret's
-                current state.
+              description: Represents the latest available observations of a ConfigMapSecret's current state.
               items:
                 description: ConfigMapSecretCondition describes the state of a ConfigMapSecret.
                 properties:
                   lastTransitionTime:
-                    description: Last time the condition transitioned from one status
-                      to another.
+                    description: Last time the condition transitioned from one status to another.
                     format: date-time
                     type: string
                   lastUpdateTime:
                     description: The last time the condition was updated.
                     format: date-time
                     type: string
                   message:
-                    description: A human readable message indicating details about
-                      the last update.
+                    description: A human readable message indicating details about the last update.
                     type: string
                   reason:
                     description: The reason for the last update.

diff --git a/manifest/rolebindings.yaml b/manifest/rolebindings.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: configmapsecret-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: configmapsecret-controller
+subjects:
+- kind: ServiceAccount
+  name: configmapsecret-controller
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: configmapsecret-controller
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: configmapsecret-controller
+subjects:
+- kind: ServiceAccount
+  name: configmapsecret-controller
+  namespace: kube-system
diff --git a/manifest/clusterrole.yaml → manifest/roles.yaml b/manifest/clusterrole.yaml → manifest/roles.yaml
@@ -11,18 +11,9 @@ rules:
   resources:
   - configmaps
   verbs:
-  - create
   - get
   - list
-  - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
 - apiGroups:
   - ""
   resources:
@@ -55,3 +46,34 @@ rules:
   - get
   - patch
   - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: configmapsecret-controller
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resourceNames:
+  - configmapsecret-controller-leader
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
diff --git a/pkg/controllers/configmapsecret_controller.go b/pkg/controllers/configmapsecret_controller.go
@@ -149,10 +149,6 @@ func (r *ConfigMapSecret) setRefs(namespace, name string, secrets, configMaps ma
 	r.configMaps.set(namespace, name, configMaps)
 }
 
-// Leader election:
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;create;update
-// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
-
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=secrets.mz.com,resources=configmapsecrets,verbs=get;list;watch;update;patch;delete