Restrict operator ClusterRole*, ServiceAccount permissions

These were added for network-plugin syncer removal so retrict the delete permissions to the networkplugin-syncer resource names. Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
submariner-io · May 6, 2024 · 7c5eb0f · 7c5eb0f
1 parent 9d5ba43
commit 7c5eb0f
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 13 deletions.
diff --git a/config/rbac/submariner-operator/cluster_role.yaml b/config/rbac/submariner-operator/cluster_role.yaml
@@ -76,5 +76,8 @@ rules:
       # Temporarily needed for network-plugin syncer removal
       - clusterroles
       - clusterrolebindings
+    resourceNames:
+      - ocp-submariner-networkplugin-syncer
+      - submariner-networkplugin-syncer
     verbs:
       - delete
diff --git a/config/rbac/submariner-operator/role.yaml b/config/rbac/submariner-operator/role.yaml
@@ -19,6 +19,8 @@ rules:
     resources:
       # Temporarily needed for network-plugin syncer removal
       - serviceaccounts
+    resourceNames:
+      - submariner-networkplugin-syncer
     verbs:
       - delete
   - apiGroups:

diff --git a/controllers/submariner/migration_test.go b/controllers/submariner/migration_test.go
@@ -55,12 +55,24 @@ var _ = Describe("Migration tests", func() {
 							Name:      submariner.NetworkPluginSyncerComponent,
 						},
 					},
+					&rbacv1.ClusterRole{
+						ObjectMeta: metav1.ObjectMeta{
+							Namespace: t.Namespace,
+							Name:      "ocp-submariner-networkplugin-syncer",
+						},
+					},
 					&rbacv1.ClusterRoleBinding{
 						ObjectMeta: metav1.ObjectMeta{
 							Namespace: t.Namespace,
 							Name:      submariner.NetworkPluginSyncerComponent,
 						},
 					},
+					&rbacv1.ClusterRoleBinding{
+						ObjectMeta: metav1.ObjectMeta{
+							Namespace: t.Namespace,
+							Name:      "ocp-submariner-networkplugin-syncer",
+						},
+					},
 					&corev1.ServiceAccount{
 						ObjectMeta: metav1.ObjectMeta{
 							Namespace: t.Namespace,
@@ -83,6 +95,18 @@ var _ = Describe("Migration tests", func() {
 					},
 				})
 
+				t.AssertNoResource(&rbacv1.ClusterRole{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "ocp-submariner-networkplugin-syncer",
+					},
+				})
+
+				t.AssertNoResource(&rbacv1.ClusterRoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "ocp-submariner-networkplugin-syncer",
+					},
+				})
+
 				t.AssertNoResource(&corev1.ServiceAccount{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: submariner.NetworkPluginSyncerComponent,

diff --git a/controllers/submariner/np_syncer_resources.go b/controllers/submariner/np_syncer_resources.go
@@ -43,7 +43,6 @@ func (r *Reconciler) removeNetworkPluginSyncerDeployment(ctx context.Context, in
 
 	deleteAll := func(objs ...client.Object) error {
 		for _, obj := range objs {
-			obj.SetName(NetworkPluginSyncerComponent)
 			obj.SetNamespace(instance.Namespace)
 
 			err := r.config.ScopedClient.Delete(ctx, obj)
@@ -59,38 +58,32 @@ func (r *Reconciler) removeNetworkPluginSyncerDeployment(ctx context.Context, in
 	return deleteAll(
 		&appsv1.Deployment{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: instance.Namespace,
-				Name:      NetworkPluginSyncerComponent,
+				Name: NetworkPluginSyncerComponent,
 			},
 		},
 		&rbacv1.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: instance.Namespace,
-				Name:      NetworkPluginSyncerComponent,
+				Name: NetworkPluginSyncerComponent,
 			},
 		},
 		&rbacv1.ClusterRoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: instance.Namespace,
-				Name:      NetworkPluginSyncerComponent,
+				Name: NetworkPluginSyncerComponent,
 			},
 		},
 		&rbacv1.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: instance.Namespace,
-				Name:      "ocp-submariner-networkplugin-syncer",
+				Name: "ocp-submariner-networkplugin-syncer",
 			},
 		},
 		&rbacv1.ClusterRoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: instance.Namespace,
-				Name:      "ocp-submariner-networkplugin-syncer",
+				Name: "ocp-submariner-networkplugin-syncer",
 			},
 		},
 		&corev1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: instance.Namespace,
-				Name:      NetworkPluginSyncerComponent,
+				Name: NetworkPluginSyncerComponent,
 			},
 		},
 	)

diff --git a/pkg/embeddedyamls/yamls.go b/pkg/embeddedyamls/yamls.go
@@ -2610,6 +2610,8 @@ rules:
     resources:
       # Temporarily needed for network-plugin syncer removal
       - serviceaccounts
+    resourceNames:
+      - submariner-networkplugin-syncer
     verbs:
       - delete
   - apiGroups:
@@ -2757,6 +2759,9 @@ rules:
       # Temporarily needed for network-plugin syncer removal
       - clusterroles
       - clusterrolebindings
+    resourceNames:
+      - ocp-submariner-networkplugin-syncer
+      - submariner-networkplugin-syncer
     verbs:
       - delete
 `