Support for multitenancy in intree Kubernetes

This change fixes a security issue where the pvc user could maliciously use the secret located in a namespace they cannot access. Instead this patch changes the model to the CSI model which is based on using the StorageClass as the source of truth on the location of the sercret which contains the authentication token. Signed-off-by: Luis Pabón <luis@portworx.com>
libopenstorage · Apr 22, 2020 · 5ba9691 · 5ba9691
1 parent cf684c8
commit 5ba9691
Show file tree

Hide file tree

Showing 16 changed files with 1,917 additions and 243 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -7,6 +7,12 @@ go:
   - 1.13.x
 install:
   - go get -u github.com/vbatts/git-validation
+  - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+  - chmod +x kubectl
+  - mv kubectl ${GOPATH}/bin
+  - curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-$(uname)-amd64
+  - chmod +x ./kind
+  - mv ./kind ${GOPATH}/bin
 script:
   - git-validation -run DCO,short-subject
   - if [[ $(go version) == *"1.13"* ]]; then
@@ -15,11 +21,8 @@ script:
   - make docker-proto
   - git diff $(find . -name "*.pb.*go" -o -name "api.swagger.json" | grep -v vendor) | wc -l | grep "^0"
   - git grep -rw GPL vendor | grep LICENSE | egrep -v "yaml.v2" | wc -l | grep "^0"
-  - make sdk-check-version
-  - make install
-  - make vet
+  - make install verify
   - bash hack/docker-integration-test.sh
-  - make docker-test
   - if [ "${TRAVIS_PULL_REQUEST}" == "false" ]; then
       echo "${DOCKER_PASS}" | docker login -u "${DOCKER_USER}" --password-stdin;
       make push-mock-sdk-server;

diff --git a/Makefile b/Makefile
@@ -82,6 +82,8 @@ OSDSANITY:=cmd/osd-sanity/osd-sanity
 	clean \
 	generate \
 	generate-mockfiles \
+	e2e \
+	verify \
 	sdk-check-version
 
 
@@ -157,7 +159,7 @@ build: packr
 	go build -tags "$(TAGS)" $(BUILDFLAGS) $(PKGS)
 
 install: packr $(OSDSANITY)-install
-	go install -tags "$(TAGS)" $(PKGS)
+	go install -gcflags="all=-N -l" -tags "$(TAGS)" $(PKGS)
 	go install github.com/libopenstorage/openstorage/cmd/osd-token-generator
 
 $(OSDSANITY):
@@ -412,3 +414,9 @@ mockgen:
 	mockgen -destination=api/mock/mock_volume.go -package=mock github.com/libopenstorage/openstorage/api OpenStorageVolumeServer,OpenStorageVolumeClient
 	mockgen -destination=api/mock/mock_fstrim.go -package=mock github.com/libopenstorage/openstorage/api OpenStorageFilesystemTrimServer,OpenStorageFilesystemTrimClient
 	mockgen -destination=api/mock/mock_fscheck.go -package=mock github.com/libopenstorage/openstorage/api OpenStorageFilesystemCheckServer,OpenStorageFilesystemCheckClient
+	mockgen -destination=api/server/mock/mock_schedops_k8s.go -package=mock github.com/portworx/sched-ops/k8s/core Ops
+
+e2e: docker-build-osd
+	cd test && ./run.bash
+
+verify: vet sdk-check-version docker-test e2e
diff --git a/api/api.go b/api/api.go
@@ -169,6 +169,19 @@ const (
 	AutoAggregation = math.MaxUint32
 )
 
+// The main goal of the following label keys is for the Kubernetes intree middleware
+// to keep track of the source location of the PVC with labels that cannot be modified
+// by the owner of the volume, but only by the storage administrator.
+const (
+	// KubernetesPvcNameKey is a label on the openstorage volume
+	// which tracks the source PVC for the volume.
+	KubernetesPvcNameKey = "openstorage.io/pvc-name"
+
+	// KubernetesPvcNamespaceKey is a label on the openstorage volume
+	// which tracks the source PVC namespace for the volume
+	KubernetesPvcNamespaceKey = "openstorage.io/pvc-namespace"
+)
+
 // Node describes the state of a node.
 // It includes the current physical state (CPU, memory, storage, network usage) as
 // well as the containers running on the system.
@@ -1204,4 +1217,6 @@ func (v *Volume) IsAttached() bool {
 type TokenSecretContext struct {
 	SecretName      string
 	SecretNamespace string
+	PvcName         string
+	PvcNamespace    string
 }