From 571f95e8551ac94aa914ddfe9ec14adeb5453ad4 Mon Sep 17 00:00:00 2001
From: Andy Bursavich
Date: Thu, 16 Jul 2020 19:45:14 -0700
Subject: [PATCH] rbac: limit access requested for leadership election

---
 cmd/configmapsecret-controller/main.go | 8 +++
 magefile.go | 4 +-
 manifest/clusterrolebinding.yaml | 12 ----
 manifest/customresourcedefinition.yaml | 62 +++++-------------
 manifest/rolebindings.yaml | 27 ++++++++
 manifest/{clusterrole.yaml => roles.yaml} | 40 +++++++++---
 pkg/controllers/configmapsecret_controller.go | 4 --
 7 files changed, 83 insertions(+), 74 deletions(-)
 delete mode 100644 manifest/clusterrolebinding.yaml
 create mode 100644 manifest/rolebindings.yaml
 rename manifest/{clusterrole.yaml => roles.yaml} (68%)

diff --git a/cmd/configmapsecret-controller/main.go b/cmd/configmapsecret-controller/main.go
index 930011c..c7ac704 100644
--- a/cmd/configmapsecret-controller/main.go
+++ b/cmd/configmapsecret-controller/main.go
@@ -50,6 +50,14 @@ func init() {
 // +kubebuilder:scaffold:scheme
 }
 
+// RBAC for leader election, scoped to the namespace used by default manifests (kube-system).
+//
+// N.B.: RBAC cannot use resourceNames with "list", "watch", "create", or "deletecollection" verbs.
+//
+// +kubebuilder:rbac:namespace=kube-system,groups=core,resources=configmaps,verbs=create
+// +kubebuilder:rbac:namespace=kube-system,groups=core,resources=configmaps,verbs=get;update,resourceNames=configmapsecret-controller-leader
+// +kubebuilder:rbac:namespace=kube-system,groups=core,resources=events,verbs=create;patch
+
 func main() {
 var (
 healthAddr string
diff --git a/magefile.go b/magefile.go
index 216545c..18ae15d 100644
--- a/magefile.go
+++ b/magefile.go
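Review bot: The markers added above main() only grant a working lock while three hard-coded values agree: `namespace=kube-system` in the markers, the lock name `configmapsecret-controller-leader` in `resourceNames`, and whatever leader-election namespace and ID main() actually hands to the manager (presumably its LeaderElectionID; main() continues outside the hunk, so that configuration is not visible here). A deployment that overrides either value gets a Role in manifest/roles.yaml and a RoleBinding in manifest/rolebindings.yaml that no longer match the lock the controller asks for, and election then fails with a forbidden error instead of degrading gracefully. Worth stating the coupling next to the markers, e.g. `// The namespace and resourceNames here must match the manager's leader-election namespace and ID; manifest/rolebindings.yaml hard-codes the same namespace.` The unrestricted `create` on configmaps in kube-system is the residual grant RBAC cannot narrow, as the N.B. says; naming it as the remaining exposure in the same comment helps reviewers of later changes.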
@@ -453,11 +453,11 @@ func generateCDRs() error {
 }
 
 func generateRBAC() error {
- out, err := sh.Output("controller-gen", "rbac:roleName=configmapsecret-controller", "paths=./pkg/...", "output:stdout")
+ out, err := sh.Output("controller-gen", "rbac:roleName=configmapsecret-controller", "paths=./cmd/...;./pkg/...", "output:stdout")
 if err != nil {
 return err
 }
- return writeFile("manifest/clusterrole.yaml", out)
+ return writeFile("manifest/roles.yaml", out)
 }
 
 func generateDocs() error {
diff --git a/manifest/clusterrolebinding.yaml b/manifest/clusterrolebinding.yaml
deleted file mode 100644
index e4aec96..0000000
--- a/manifest/clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: configmapsecret-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: configmapsecret-controller
-subjects:
-- kind: ServiceAccount
- name: configmapsecret-controller
- namespace: kube-system
diff --git a/manifest/customresourcedefinition.yaml b/manifest/customresourcedefinition.yaml
index 61b1a67..1276340 100644
--- a/manifest/customresourcedefinition.yaml
+++ b/manifest/customresourcedefinition.yaml
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.2.4
+ controller-gen.kubebuilder.io/version: v0.3.0
 creationTimestamp: null
 name: configmapsecrets.secrets.mz.com
 spec:
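Review bot: The changed `sh.Output("controller-gen", ...)` call still runs whichever `controller-gen` binary is on PATH, and this same commit shows the tool drifting from v0.2.4 to v0.3.0 in the regenerated CRD annotation. Now that manifest/roles.yaml carries the ServiceAccount's actual RBAC grants, an unpinned generator means the granted verbs can change with a developer's local install rather than with a reviewed change. Unless a pin lives elsewhere in magefile.go, consider checking the generator's reported version before generating and recording the expected version next to the `paths=` argument, so a mismatch fails the mage target instead of silently rewriting the Role. generateRBAC is fully within the hunk.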
@@ -22,14 +22,10 @@ spec: description: ConfigMapSecret holds configuration data with embedded secrets. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: description: 'Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' 
@@ -38,32 +34,18 @@ spec: description: 'Desired state of the ConfigMapSecret. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' properties: template: - description: 'Template that describes the config that will be rendered. - Variable references $(VAR_NAME) in template data are expanded using - the ConfigMapSecret''s variables. If a variable cannot be resolved, - the reference in the input data will be unchanged. The $(VAR_NAME) - syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped - references will never be expanded, regardless of whether the variable - exists or not.' + description: 'Template that describes the config that will be rendered. Variable references $(VAR_NAME) in template data are expanded using the ConfigMapSecret''s variables. If a variable cannot be resolved, the reference in the input data will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.' properties: binaryData: additionalProperties: format: byte type: string - description: BinaryData contains the binary data. Each key must - consist of alphanumeric characters, '-', '_' or '.'. BinaryData - can contain byte sequences that are not in the UTF-8 range. The - keys stored in BinaryData must not overlap with the keys in the - Data field. + description: BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the keys in the Data field. type: object data: additionalProperties: type: string - description: Data contains the configuration data. Each key must - consist of alphanumeric characters, '-', '_' or '.'. Values with - non-UTF-8 byte sequences must use the BinaryData field. 
The keys - stored in Data must not overlap with the keys in the BinaryData - field. + description: Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field. type: object metadata: description: 'Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' @@ -81,12 +63,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: - description: Specify whether the ConfigMap or its key must - be defined + description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key 
@@ -98,28 +78,19 @@ spec: description: SecretValue selects a value by its key in a Secret. properties: key: - description: The key of the secret to select from. Must be - a valid secret key. + description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: - description: Specify whether the Secret or its key must be - defined + description: Specify whether the Secret or its key must be defined type: boolean required: - key type: object value: - description: 'Variable references $(VAR_NAME) are expanded using - the previous defined environment variables in the ConfigMapSecret. - If a variable cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax can be escaped - with a double $$, ie: $$(VAR_NAME). Escaped references will - never be expanded, regardless of whether the variable exists - or not. Defaults to "".' + description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the ConfigMapSecret. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string required: - name 
@@ -130,14 +101,12 @@ spec: description: 'Observed state of the ConfigMapSecret. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' properties: conditions: - description: Represents the latest available observations of a ConfigMapSecret's - current state. + description: Represents the latest available observations of a ConfigMapSecret's current state. items: description: ConfigMapSecretCondition describes the state of a ConfigMapSecret. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. + description: Last time the condition transitioned from one status to another. format: date-time type: string lastUpdateTime: @@ -145,8 +114,7 @@ spec: format: date-time type: string message: - description: A human readable message indicating details about - the last update. + description: A human readable message indicating details about the last update. type: string reason: description: The reason for the last update. diff --git a/manifest/rolebindings.yaml b/manifest/rolebindings.yaml new file mode 100644 index 0000000..1798c9d --- /dev/null +++ b/manifest/rolebindings.yaml @@ -0,0 +1,27 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: configmapsecret-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: configmapsecret-controller +subjects: +- kind: ServiceAccount + name: configmapsecret-controller + namespace: kube-system + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: configmapsecret-controller + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: configmapsecret-controller +subjects: +- kind: ServiceAccount + name: configmapsecret-controller + namespace: kube-system 
diff --git a/manifest/clusterrole.yaml b/manifest/roles.yaml
similarity index 68%
rename from manifest/clusterrole.yaml
rename to manifest/roles.yaml
index 5af0b76..81eb682 100644
--- a/manifest/clusterrole.yaml
+++ b/manifest/roles.yaml
@@ -11,18 +11,9 @@ rules:
 resources:
 - configmaps
 verbs:
- - create
 - get
 - list
- - update
 - watch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
 - apiGroups:
 - ""
 resources:
@@ -55,3 +46,34 @@ rules:
 - get
 - patch
 - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: configmapsecret-controller
+ namespace: kube-system
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resourceNames:
+ - configmapsecret-controller-leader
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/pkg/controllers/configmapsecret_controller.go b/pkg/controllers/configmapsecret_controller.go
index cac96cd..5707ab3 100644
--- a/pkg/controllers/configmapsecret_controller.go
+++ b/pkg/controllers/configmapsecret_controller.go
@@ -149,10 +149,6 @@ func (r *ConfigMapSecret) setRefs(namespace, name string, secrets, configMaps ma
 r.configMaps.set(namespace, name, configMaps)
 }
 
-// Leader election:
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;create;update
-// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
-
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=secrets.mz.com,resources=configmapsecrets,verbs=get;list;watch;update;patch;delete
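Review bot: The first hunk removes `create`/`patch` on events from the ClusterRole, so after this change the ServiceAccount can only write events inside kube-system; the removed markers in configmapsecret_controller.go labelled events as leader-election only, but whether the reconciler also records events on ConfigMapSecret objects in other namespaces is not visible here, and if it does those writes will now be rejected as forbidden. Worth confirming by reconciling an object outside kube-system on a cluster with this Role applied and checking the controller log for forbidden errors before relying on the narrower grant. In the new Role, the first rule's unrestricted `create` on configmaps in kube-system is the grant RBAC cannot narrow by name; since this file is generated from the markers in main.go, keep it that way and regenerate rather than hand-edit, so the explanation in main.go and the manifest never diverge.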