From 47512fde591b5b4c457afe480db5f5e3099cd36e Mon Sep 17 00:00:00 2001
From: ymmt
Date: Wed, 27 Sep 2023 06:45:09 +0000
Subject: [PATCH] Make admin privileges configurable

Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
---
Makefile | 3 +++
README.md | 6 ++++-
charts/accurate/README.md | 27 ++++++++++---------
.../accurate/templates/additional-rbac.yaml | 21 +++++++++++++--
.../templates/generated/generated.yaml | 18 -------------
charts/accurate/values.yaml | 5 ++++
config/rbac/role_binding.yaml | 13 ---------
e2e/values.yaml | 2 ++
8 files changed, 48 insertions(+), 47 deletions(-)
diff --git a/Makefile b/Makefile
index 60a91c5..7513d62 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,9 @@ SUDO = sudo
 SHELL = /bin/bash
 .SHELLFLAGS = -e -o pipefail -c
 
+PATH := $(shell aqua root-dir)/bin:$(PATH)"
+export PATH
+
 CRD_OPTIONS = "crd:crdVersions=v1,maxDescLen=220"
 
 # for Go
diff --git a/README.md b/README.md
index f135184..a7f3d4d 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,11 @@ Run and try Accurate on a [kind (Kubernetes-In-Docker)][kind] cluster as follows
 
 3. Install [aqua][].
 
- https://aquaproj.github.io/docs/tutorial-basics/quick-start
+ ```console
+ $ go install github.com/aquaproj/aqua/v2/cmd/aqua@latest
+ ```
+
+ cf. https://aquaproj.github.io/docs/install
 
 4. Go to `e2e` directory, setup shell variables, and execute `make start`.
 
diff --git a/charts/accurate/README.md b/charts/accurate/README.md
index 04a5a48..9b48a2f 100644
--- a/charts/accurate/README.md
+++ b/charts/accurate/README.md
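Review bot: The added `PATH := $(shell aqua root-dir)/bin:$(PATH)"` line in the Makefile hunk ends with a stray double quote, so every recipe inherits a PATH whose final entry carries a literal `"` suffix; unless that character is a paste artifact, the line should read `PATH := $(shell aqua root-dir)/bin:$(PATH)`. Because `$(shell aqua root-dir)` is expanded while the Makefile is parsed, a machine without aqua gets an empty prefix and silently ends up with `/bin:` prepended instead of a clear failure, so a guard such as `ifeq ($(shell command -v aqua),)` / `$(error aqua is required)` would make the new dependency explicit. Prepending the aqua-managed bin directory ahead of the system PATH also means every tool the build invokes resolves to the aqua registry version first, which is worth a one-line comment above the assignment.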
@@ -39,19 +39,20 @@ $ helm install --create-namespace --namespace accurate accurate -f values.yaml a
 
 ## Values
 
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
-| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
-| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
-| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
-| controller.extraArgs | list | `[]` | Optional additional arguments. |
-| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
-| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
-| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
-| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
-| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
-| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |
+| Key | Type | Default | Description |
+| ---------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
+| controller.additionalRBAC.clusterRoles | list | `[]` | Specify additional ClusterRoles to be granted to the accurate controller. "admin" is recommended to allow the controller to manage common namespace-scoped resources. |
+| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
+| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
+| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
+| controller.extraArgs | list | `[]` | Optional additional arguments. |
+| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
+| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
+| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
+| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
+| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
+| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |
 
 ## Generate Manifests
 
diff --git a/charts/accurate/templates/additional-rbac.yaml b/charts/accurate/templates/additional-rbac.yaml
index 079f55d..880abc1 100644
--- a/charts/accurate/templates/additional-rbac.yaml
+++ b/charts/accurate/templates/additional-rbac.yaml
@@ -1,4 +1,4 @@
-{{ if .Values.controller.additionalRBAC.rules }}
+{{- if .Values.controller.additionalRBAC.rules }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -19,4 +19,21 @@ subjects:
 name: {{ template "accurate.fullname" . }}-controller-manager
 namespace: {{ .Release.Namespace }}
 ---
-{{ end }}
+{{- end }}
+{{- if .Values.controller.additionalRBAC.clusterRoles }}
+{{- range .Values.controller.additionalRBAC.clusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "accurate.fullname" . }}-manager-{{ . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "accurate.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/accurate/templates/generated/generated.yaml b/charts/accurate/templates/generated/generated.yaml
index 4cb0ff7..cabf87d 100644
--- a/charts/accurate/templates/generated/generated.yaml
+++ b/charts/accurate/templates/generated/generated.yaml
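Review bot: Inside the added `{{- range .Values.controller.additionalRBAC.clusterRoles }}` block the dot is rebound to the current list element (the role name string), so `{{ template "accurate.fullname" . }}` on the metadata and subjects lines and `{{ .Release.Namespace }}` on the namespace line no longer receive the chart root context; the render will almost certainly fail (the fullname helper cannot read `.Values` from a string) as soon as the list is non-empty, which it is by default. The three lines should use the root variable: `name: {{ template "accurate.fullname" $ }}-manager-{{ . }}`, `name: {{ template "accurate.fullname" $ }}-controller-manager`, `namespace: {{ $.Release.Namespace }}`. The new bindings also drop the `app.kubernetes.io/*` and `helm.sh/chart` labels that the removed generated `-manager-admin` binding carried, which makes them harder to attribute in an audit of cluster-wide grants; consider adding the same label block under `metadata:`. Because the binding name is built from the raw role value, a value that is not a valid DNS-1123 name will be rejected by the API server rather than by the chart, so a short comment on the `range` line noting that entries must be existing ClusterRole names would help operators.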
@@ -187,24 +187,6 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/managed-by: '{{ .Release.Service }}'
- app.kubernetes.io/name: '{{ include "accurate.name" . }}'
- app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
- helm.sh/chart: '{{ include "accurate.chart" . }}'
- name: '{{ template "accurate.fullname" . }}-manager-admin'
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: admin
-subjects:
- - kind: ServiceAccount
- name: '{{ template "accurate.fullname" . }}-controller-manager'
- namespace: '{{ .Release.Namespace }}'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: '{{ .Release.Service }}'
diff --git a/charts/accurate/values.yaml b/charts/accurate/values.yaml
index 2c7d394..f01e24c 100644
--- a/charts/accurate/values.yaml
+++ b/charts/accurate/values.yaml
@@ -102,3 +102,8 @@ controller:
 - update
 - patch
 - delete
+ # controller.additionalRBAC.clusterRoles -- Specify additional ClusterRoles to be granted
+ # to the accurate controller. "admin" is recommended to allow the controller to manage
+ # common namespace-scoped resources.
+ clusterRoles:
+ - admin
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 3cacad5..2070ede 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -10,16 +10,3 @@ subjects:
 - kind: ServiceAccount
 name: controller-manager
 namespace: system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-admin
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: admin
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: system
diff --git a/e2e/values.yaml b/e2e/values.yaml
index 6307dde..18baa78 100644
--- a/e2e/values.yaml
+++ b/e2e/values.yaml
@@ -56,3 +56,5 @@ controller:
 - update
 - patch
 - delete
+ clusterRoles:
+ - admin
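Review bot: The new default `clusterRoles: [admin]` in charts/accurate/values.yaml keeps cluster-wide admin as the out-of-the-box grant, so the privilege reduction described in the commit message only materialises for users who override the value; the helm-docs comment should state the blast radius, e.g. extend it with `# Each entry is bound through a ClusterRoleBinding, so "admin" grants admin-level access in every namespace of the cluster, not only in sub-namespaces; set an empty list and use additionalRBAC.rules for a narrower grant.` The commit message also says the wildcard `get`/`list`/`watch` rule is no longer granted, but none of the eight files in the diffstat touches the kubebuilder RBAC markers or the generated role manifest, so that removal is presumably in a separate change and worth cross-referencing in the description. The same `admin` default is repeated in e2e/values.yaml, which is reasonable for the test cluster.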