Merge pull request #469 from deckhouse/upmeter-agent-rbac

Limit agent serviceaccount to access only required resources

modules/300-prometheus/templates/prometheus/rbac-to-us.yaml

@@ -28,3 +28,6 @@ subjects:
   name: ingress-nginx:auth
 - kind: Group
   name: prometheus:auth
+- kind: ServiceAccount
+  name: upmeter-agent
+  namespace: d8-upmeter

modules/300-prometheus/templates/trickster/rbac-to-us.yaml

@@ -26,6 +26,9 @@ subjects:
   name: ingress-nginx:auth
 - kind: Group
   name: prometheus:auth
+- kind: ServiceAccount
+  name: upmeter-agent
+  namespace: d8-upmeter
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

modules/500-upmeter/images/upmeter/cmd/upmeter/main.go

@@ -122,19 +122,6 @@ func main() {
 	})
 
 	kingpin.MustParse(app.Parse(os.Args[1:]))
-
-	// switch kingpin.Parse() {
-	// case serverCommand.FullCommand():
-	//
-	// 	parseKubeArgs(serverCommand, kubeConf)
-	// 	parseServerArgs(serverCommand, serverConf)
-	// 	parseLoggerArgs(serverCommand, loggerConf)
-	//
-	// case agentCommand.FullCommand():
-	// 	parseAgentArgs(agentCommand, agentConf)
-	// default:
-	// 	kingpin.Usage()
-	// }
 }
 
 // shutdown waits for SIGINT or SIGTERM and runs a callback function.

modules/500-upmeter/images/upmeter/pkg/probe/checker/d8_clusterconfiguration.go

@@ -212,7 +212,7 @@ func (c *setInitedValueChecker) update(obj *unstructured.Unstructured, value str
 
 	opts := metav1.UpdateOptions{FieldManager: c.fieldManager}
 	if _, err := c.dynamicClient.Update(obj, opts); err != nil {
-		return check.ErrFail("cannot patch UpmeterHookProbe object %q with new inited value: %v", c.name, err)
+		return check.ErrFail("cannot update UpmeterHookProbe object %q with new inited value: %v", c.name, err)
 	}
 
 	return nil

modules/500-upmeter/images/upmeter/pkg/probe/checker/http.go

@@ -88,15 +88,17 @@ func doRequest(client *http.Client, req *http.Request) ([]byte, check.Error) {
 	}
 	defer resp.Body.Close()
 
-	if resp.StatusCode != http.StatusOK {
-		return nil, check.ErrFail("got HTTP status %q", resp.Status)
-	}
-
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, check.ErrFail("cannot read response body: %v", err)
 	}
 
+	if resp.StatusCode != http.StatusOK {
+		return nil, check.ErrFail(
+			"HTTP: %s %s returned status %d: %q",
+			req.Method, req.URL.String(), resp.StatusCode, body)
+	}
+
 	return body, nil
 }
 

modules/500-upmeter/templates/upmeter-agent/daemonset.yaml

@@ -100,9 +100,11 @@ spec:
               fieldRef:
                 fieldPath: spec.nodeName
           - name: UPMETER_DISABLED_PROBES
-            value: {{ .Values.upmeter.internal.disabledProbes | join "," | quote }}
+            value: '{{ .Values.upmeter.internal.disabledProbes | join "," }}'
           - name: UPMETER_CLUSTER_DOMAIN
             value: {{ .Values.global.discovery.clusterDomain | quote }}
+          - name: LOG_TYPE
+            value: "json"
           resources:
             requests:
 {{- include "helm_lib_module_ephemeral_storage_only_logs" . | indent 14 }}

modules/500-upmeter/templates/upmeter-agent/rbac-for-us.yaml

@@ -12,16 +12,32 @@ metadata:
   name: d8:{{ .Chart.Name }}:upmeter-agent
 {{ include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | indent 2 }}
 rules:
-  - apiGroups:
-      - "*"
+  # Control-plane
+  - apiGroups: [ "" ]
     resources:
-      - "*"
+      - namespaces
     verbs:
-      - "*"
-  - nonResourceURLs:
-      - "*"
-    verbs:
-      - "*"
+      - get
+      - list
+      - create
+      - delete
+  # - In monitoring, we check daemonset availability based on available nodes
+  # - In various probes, we check pods readiness
+  - apiGroups: [ "" ]
+    resources: [ "nodes", "pods" ]
+    verbs: [ "get", "list" ]
+  # Deckhouse hooks checked via the CR change sync
+  - apiGroups: [ "deckhouse.io" ]
+    resources: [ "upmeterhookprobes" ]
+    verbs: [ "*" ]
+  # Metrics Adapter API
+  - apiGroups: [ "custom.metrics.k8s.io" ]
+    resources: [ "metrics" ]
+    verbs: [ "get" ]
+  # Metrics-sources probe, node-exporter
+  - apiGroups: [ "apps" ]
+    resources: [ "daemonsets" ]
+    verbs: [ "get" ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -33,6 +49,33 @@ roleRef:
   kind: ClusterRole
   name: d8:{{ .Chart.Name }}:upmeter-agent
 subjects:
-- kind: ServiceAccount
+  - kind: ServiceAccount
+    name: upmeter-agent
+    namespace: d8-{{ .Chart.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: upmeter-agent
+  namespace: d8-{{ .Chart.Name }}
+{{ include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | indent 2 }}
+rules:
+  # Fetching smoke-mini; creating configmaps, deployments, pods
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
   name: upmeter-agent
   namespace: d8-{{ .Chart.Name }}
+{{ include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | indent 2 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: upmeter-agent
+subjects:
+  - kind: ServiceAccount
+    name: upmeter-agent
+    namespace: d8-{{ .Chart.Name }}

modules/500-upmeter/templates/upmeter/statefulset.yaml

@@ -95,6 +95,8 @@ spec:
             value: "8091"
           - name: LOG_LEVEL
             value: "info"
+          - name: LOG_TYPE
+            value: "json"
         volumeMounts:
           - mountPath: /db
             name: data