From 8491bbdcc4f848d6481de2471e3261017497328d Mon Sep 17 00:00:00 2001
From: hasbro17
Date: Thu, 26 Apr 2018 16:38:03 -0700
Subject: [PATCH] generator: restrict default RBAC rules
---
 pkg/generator/deploy_tmpl.go | 21 ++++++++++++++++
 pkg/generator/gen_deploy.go | 8 ++++--
 pkg/generator/generator.go | 6 ++---
 pkg/generator/generator_test.go | 43 ++++++++++++++++++++++++---------
 4 files changed, 62 insertions(+), 16 deletions(-)
diff --git a/pkg/generator/deploy_tmpl.go b/pkg/generator/deploy_tmpl.go
index 645dc89f1c8..712dc745f3c 100644
--- a/pkg/generator/deploy_tmpl.go
+++ b/pkg/generator/deploy_tmpl.go
@@ -56,9 +56,30 @@ metadata:
   name: {{.ProjectName}}
 rules:
 - apiGroups:
+  - {{.GroupName}}
+  resources:
+  - "*"
+  verbs:
   - "*"
+- apiGroups:
+  - ""
   resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
   - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
   verbs:
   - "*"
diff --git a/pkg/generator/gen_deploy.go b/pkg/generator/gen_deploy.go
index b56cd139469..4c1122a79fd 100644
--- a/pkg/generator/gen_deploy.go
+++ b/pkg/generator/gen_deploy.go
@@ -66,17 +66,21 @@ func renderOperatorYaml(w io.Writer, kind, apiVersion, projectName, image string
 // when pairing with rbacYamlTmpl template.
 type RBACYaml struct {
 	ProjectName string
+	GroupName   string
 }
 // renderRBACYaml generates deploy/rbac.yaml.
-func renderRBACYaml(w io.Writer, projectName string) error {
+func renderRBACYaml(w io.Writer, projectName, groupName string) error {
 	t := template.New(rbacTmplName)
 	t, err := t.Parse(rbacYamlTmpl)
 	if err != nil {
 		return fmt.Errorf("failed to parse rbac yaml template: %v", err)
 	}
-	r := RBACYaml{ProjectName: projectName}
+	r := RBACYaml{
+		ProjectName: projectName,
+		GroupName:   groupName,
+	}
 	return t.Execute(w, r)
 }
diff --git a/pkg/generator/generator.go b/pkg/generator/generator.go
index b38e02cb89e..5b21b08602b 100644
--- a/pkg/generator/generator.go
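Review bot: The second and third rules added to the template still grant every verb (`- "*"`) on the whole listed resource set, including `secrets` and `configmaps` in the core group, so while this is narrower than the old wildcard it remains a very broad default that every generated project inherits; only the first rule, scoped to `{{.GroupName}}`, is genuinely minimal. Because the verbs are not parameterised, a template comment telling users to narrow the grant would help, e.g. `# Default rules: trim the resources and verbs below to what the operator actually needs.` above `rules:` (the `rbacYamlExp` fixture in generator_test.go would need the same text). Separately, `{{.GroupName}}` is emitted as an unquoted YAML scalar, so if the caller ever passes an empty group the item renders as a YAML null rather than the core group `""`; quoting it as `- "{{.GroupName}}"` or rejecting an empty group in the renderer would make that failure mode explicit.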
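Review bot: The new parameter `groupName` of `renderRBACYaml` has the same name as the package-level `groupName` function that generator.go calls as `groupName(apiVersion)`, so inside this body the helper is shadowed; it compiles because the body never calls it, but it is easy to misread, and `renderRBAC` in generator.go repeats the same shadowing. Renaming the parameter avoids it, e.g. `func renderRBACYaml(w io.Writer, projectName, group string) error {` with `GroupName:   group,` in the literal. The new `GroupName` field of `RBACYaml` also has no comment; `GroupName string // API group of the operator's custom resource, rendered into the apiGroups entry of the RBAC rule` would document what the template does with it.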
+++ b/pkg/generator/generator.go
@@ -163,9 +163,9 @@ func (g *Generator) renderDeploy() error {
 	return renderDeployFiles(dp, g.projectName, g.apiVersion, g.kind)
 }
-func renderRBAC(deployDir, projectName string) error {
+func renderRBAC(deployDir, projectName, groupName string) error {
 	buf := &bytes.Buffer{}
-	if err := renderRBACYaml(buf, projectName); err != nil {
+	if err := renderRBACYaml(buf, projectName, groupName); err != nil {
 		return err
 	}
 	return writeFileAndPrint(filepath.Join(deployDir, rbacYaml), buf.Bytes(), defaultFileMode)
@@ -173,7 +173,7 @@ func renderRBAC(deployDir, projectName string) error {
 func renderDeployFiles(deployDir, projectName, apiVersion, kind string) error {
 	buf := &bytes.Buffer{}
-	if err := renderRBACYaml(buf, projectName); err != nil {
+	if err := renderRBACYaml(buf, projectName, groupName(apiVersion)); err != nil {
 		return err
 	}
 	if err := writeFileAndPrint(filepath.Join(deployDir, rbacYaml), buf.Bytes(), defaultFileMode); err != nil {
diff --git a/pkg/generator/generator_test.go b/pkg/generator/generator_test.go
index 43cb43594df..960bce7bfcd 100644
--- a/pkg/generator/generator_test.go
+++ b/pkg/generator/generator_test.go
@@ -21,12 +21,13 @@ import (
 const (
 	// test constants for app-operator
-	appRepoPath   = "github.com/example-inc/app-operator"
-	appKind       = "App"
-	appApiDirName = "app"
-	appAPIVersion = appGroupName + "/" + appVersion
-	appVersion    = "v1alpha1"
-	appGroupName  = "app.example.com"
+	appRepoPath    = "github.com/example-inc/app-operator"
+	appKind        = "AppService"
+	appApiDirName  = "app"
+	appAPIVersion  = appGroupName + "/" + appVersion
+	appVersion     = "v1alpha1"
+	appGroupName   = "app.example.com"
+	appProjectName = "app-operator"
 )
 const mainExp = `package main
@@ -50,7 +51,7 @@ func printVersion() {
 func main() {
 	printVersion()
-	sdk.Watch("app.example.com/v1alpha1", "App", "default", 5)
+	sdk.Watch("app.example.com/v1alpha1", "AppService", "default", 5)
 	sdk.Handle(stub.NewHandler())
 	sdk.Run(context.TODO())
 }
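Review bot: `renderDeployFiles` now repeats the body of `renderRBAC` from the previous hunk line for line (fresh buffer, `renderRBACYaml`, `writeFileAndPrint` of `rbacYaml`), so the two copies will drift the next time RBAC rendering changes, as this commit itself shows by having to touch both. Replacing the four lines with `if err := renderRBAC(deployDir, projectName, groupName(apiVersion)); err != nil { return err }` keeps a single copy; `renderDeployFiles` continues past the hunk, so if `buf` is reused further down keep its declaration after that call. `groupName` is not visible in this diff, so whether it handles an apiVersion without a group (and what `renderRBACYaml` then emits) is worth checking at its definition.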
@@ -120,7 +121,7 @@ func newbusyBoxPod(cr *v1alpha1.App) *v1.Pod {
 				*metav1.NewControllerRef(cr, schema.GroupVersionKind{
 					Group:   v1alpha1.SchemeGroupVersion.Group,
 					Version: v1alpha1.SchemeGroupVersion.Version,
-					Kind:    "App",
+					Kind:    "AppService",
 				}),
 			},
 			Labels: labels,
@@ -421,9 +422,30 @@ metadata:
   name: app-operator
 rules:
 - apiGroups:
+  - app.example.com
+  resources:
+  - "*"
+  verbs:
   - "*"
+- apiGroups:
+  - ""
   resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
   - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
   verbs:
   - "*"
@@ -444,8 +466,7 @@ roleRef:
 func TestGenDeploy(t *testing.T) {
 	buf := &bytes.Buffer{}
-	projectName := "app-operator"
-	if err := renderOperatorYaml(buf, "AppService", "app.example.com/v1alpha1", projectName, "quay.io/coreos/operator-sdk-dev:app-operator"); err != nil {
+	if err := renderOperatorYaml(buf, appKind, appAPIVersion, appProjectName, "quay.io/coreos/operator-sdk-dev:app-operator"); err != nil {
 		t.Error(err)
 	}
 	if operatorYamlExp != buf.String() {
@@ -453,7 +474,7 @@ func TestGenDeploy(t *testing.T) {
 	}
 	buf = &bytes.Buffer{}
-	if err := renderRBACYaml(buf, projectName); err != nil {
+	if err := renderRBACYaml(buf, appProjectName, appGroupName); err != nil {
 		t.Error(err)
 	}
 	if rbacYamlExp != buf.String() {
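Review bot: The new `renderRBACYaml` call reports a render failure with `t.Error` and then falls through to compare `rbacYamlExp` against an empty buffer, so one underlying failure produces two errors, the second of which is a misleading full-fixture mismatch. `t.Fatal(err)` would stop at the real cause; the same applies to the new `renderOperatorYaml` call in the previous hunk. `TestGenDeploy` begins outside this hunk.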