Adding new controller to make sure default serviceaccounts of system …
…namespaces have automountServiceAccountToken flag set to false
prachidamle committed May 28, 2020
1 parent a6da5de commit d62a2ef
Showing 4 changed files with 87 additions and 2 deletions.
2 changes: 2 additions & 0 deletions pkg/controllers/user/controllers.go
Expand Up @@ -27,6 +27,7 @@ import (
"github.com/rancher/rancher/pkg/controllers/user/noderemove"
"github.com/rancher/rancher/pkg/controllers/user/nodesyncer"
"github.com/rancher/rancher/pkg/controllers/user/nslabels"
"github.com/rancher/rancher/pkg/controllers/user/nsserviceaccount"
"github.com/rancher/rancher/pkg/controllers/user/pipeline"
"github.com/rancher/rancher/pkg/controllers/user/rbac"
"github.com/rancher/rancher/pkg/controllers/user/rbac/podsecuritypolicy"
Expand Down Expand Up @@ -73,6 +74,7 @@ func Register(ctx context.Context, cluster *config.UserContext, clusterRec *mana
certsexpiration.Register(ctx, cluster)
ingresshostgen.Register(ctx, cluster.UserOnlyContext())
windows.Register(ctx, clusterRec, cluster)
nsserviceaccount.Register(ctx, cluster)

// register controller for API
cluster.APIAggregation.APIServices("").Controller()
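--- a/pkg/controllers/user/nsserviceaccount/nssvcaccnt.go
+++ b/pkg/controllers/user/nsserviceaccount/nssvcaccnt.go
@@ -0,0 +1,82 @@
+package nsserviceaccount
+
+import (
+"context"
+"strings"
+
+"github.com/rancher/rancher/pkg/settings"
+rv1 "github.com/rancher/types/apis/core/v1"
+"github.com/rancher/types/config"
+"github.com/sirupsen/logrus"
+corev1 "k8s.io/api/core/v1"
+"k8s.io/apimachinery/pkg/runtime"
+)
+
+type namespaceSvcAccountHandler struct {
+serviceAccountLister rv1.ServiceAccountLister
+serviceAccounts rv1.ServiceAccountInterface
+}
+
+func Register(ctx context.Context, cluster *config.UserContext) {
+logrus.Debugf("Registering namespaceSvcAccountHandler for checking default serviceaccount")
+nsh := &namespaceSvcAccountHandler{
+serviceAccountLister: cluster.Core.ServiceAccounts("").Controller().Lister(),
+serviceAccounts: cluster.Core.ServiceAccounts(""),
+}
+cluster.Core.Namespaces("").AddHandler(ctx, "namespaceSvcAccountHandler", nsh.Sync)
+}
+
+func (nsh *namespaceSvcAccountHandler) Sync(key string, ns *corev1.Namespace) (runtime.Object, error) {
+if ns == nil || ns.DeletionTimestamp != nil {
+return nil, nil
+}
+logrus.Debugf("namespaceSvcAccountHandler: Sync namespace: key=%v", key)
+
+//handle default svcAccount of system namespaces
+if err := nsh.handleSystemNS(key); err != nil {
+logrus.Errorf("namespaceSvcAccountHandler: Sync: error handling default ServiceAccount of namespace key=%v, err=%v", key, err)
+}
+return nil, nil
+}
+
+func (nsh *namespaceSvcAccountHandler) handleSystemNS(namespace string) error {
+if namespace == "kube-system" || namespace == "default" || !nsh.isSystemNS(namespace) {
+return nil
+}
+defSvcAccnt, err := nsh.serviceAccountLister.Get(namespace, "default")
+if err != nil {
+logrus.Errorf("namespaceSvcAccountHandler: error listing serviceaccount flag: Sync: key=%v, err=%+v", namespace, err)
+return err
+}
+
+if defSvcAccnt.AutomountServiceAccountToken != nil && *defSvcAccnt.AutomountServiceAccountToken == false {
+return nil
+}
+
+defSvcAccntCopy := defSvcAccnt.DeepCopy()
+automountServiceAccountToken := false
+defSvcAccntCopy.AutomountServiceAccountToken = &automountServiceAccountToken
+logrus.Debugf("namespaceSvcAccountHandler: updating default serviceaccount key=%v", defSvcAccntCopy)
+_, err = nsh.serviceAccounts.Update(defSvcAccntCopy)
+if err != nil {
+logrus.Errorf("namespaceSvcAccountHandler: error updating serviceaccnt flag: Sync: key=%v, err=%+v", namespace, err)
+return err
+}
+return nil
+}
+
+func (nsh *namespaceSvcAccountHandler) isSystemNS(namespace string) bool {
+systemNamespacesStr := settings.SystemNamespaces.Get()
+if systemNamespacesStr == "" {
+return false
+}
+
+systemNamespaces := make(map[string]bool)
+splitted := strings.Split(systemNamespacesStr, ",")
+for _, s := range splitted {
+ns := strings.TrimSpace(s)
+systemNamespaces[ns] = true
+}
+
+return systemNamespaces[namespace]
+}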
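Review bot: Sync logs the error from handleSystemNS and then returns nil, nil, so a failed Get or Update is never requeued; because the "default" ServiceAccount is created asynchronously after a namespace appears, the lister lookup in handleSystemNS can miss on the first sync of a new namespace and the flag then stays unset until the next resync. Returning the error instead — `return nil, err` after the Errorf in Sync — lets the handler's retry/backoff cover the not-found and update-conflict cases. Since the change only patches the ServiceAccount object, a pod spec that sets automountServiceAccountToken: true still receives a token and pods already running keep their mounted token; a comment on handleSystemNS should say so, e.g. `// handleSystemNS sets automountServiceAccountToken=false on the "default" ServiceAccount of a system namespace (kube-system and default excluded); a pod-level automountServiceAccountToken: true still overrides this.` Minor style: `*defSvcAccnt.AutomountServiceAccountToken == false` reads better as `!*defSvcAccnt.AutomountServiceAccountToken`, the Debugf before Update prints the whole object with %v where the namespace name would do, and isSystemNS can compare against the split entries directly rather than building a map on every call.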
2 changes: 1 addition & 1 deletion pkg/settings/setting.go
Expand Up @@ -52,7 +52,7 @@ var (
ServerURL = NewSetting("server-url", "")
ServerVersion = NewSetting("server-version", "dev")
SystemDefaultRegistry = NewSetting("system-default-registry", "")
SystemNamespaces = NewSetting("system-namespaces", "kube-system,kube-public,cattle-system,cattle-alerting,cattle-logging,cattle-pipeline,cattle-prometheus,ingress-nginx,cattle-global-data,cattle-istio,kube-node-lease,cert-manager")
SystemNamespaces = NewSetting("system-namespaces", "kube-system,kube-public,cattle-system,cattle-alerting,cattle-logging,cattle-pipeline,cattle-prometheus,ingress-nginx,cattle-global-data,cattle-istio,kube-node-lease,cert-manager,cattle-global-nt,security-scan")
TelemetryOpt = NewSetting("telemetry-opt", "prompt")
TLSMinVersion = NewSetting("tls-min-version", "1.2")
TLSCiphers = NewSetting("tls-ciphers", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305")
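Review bot: The new default adds both cattle-global-nt and security-scan to system-namespaces, but the list in tests/integration/suite/test_system_project.py in this same commit only gains cattle-global-nt; if that list is meant to mirror this default, security-scan is missing from it. This setting is now also read by the new nsserviceaccount controller, so every namespace listed here except kube-system and default will have token automount disabled on its default ServiceAccount; presumably any workload in the newly added namespaces that relies on that token would need automountServiceAccountToken set on its pod spec — worth confirming before merging.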
3 changes: 2 additions & 1 deletion tests/integration/suite/test_system_project.py
Expand Up @@ -7,7 +7,8 @@
"kube-system",
"cattle-system",
"kube-public",
"cattle-global-data"])
"cattle-global-data",
"cattle-global-nt"])
loggingNamespace = "cattle-logging"


