Manage RoleBinding for rbac enabled cluster

stashed · Oct 10, 2017 · 054813d · 054813d
1 parent 3b2a281
commit 054813d
Show file tree

Hide file tree

Showing 19 changed files with 440 additions and 51 deletions.
diff --git a/chart/stash/templates/cluster-role.yaml b/chart/stash/templates/cluster-role.yaml
@@ -54,4 +54,9 @@ rules:
   resources:
   - pods
   verbs: ["list", delete"]
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs: ["get", "create", "delete", "patch"]
 {{ end }}
diff --git a/chart/stash/templates/deployment.yaml b/chart/stash/templates/deployment.yaml
@@ -24,6 +24,7 @@ spec:
       - args:
         - run
         - --v=3
+        - --rbac={{ .Values.rbac.create }}
         image: {{ .Values.operator.image }}:{{ .Values.operator.tag }}
         imagePullPolicy: {{ .Values.operator.pullPolicy }}
         name: operator

diff --git a/docs/rbac.md b/docs/rbac.md
@@ -1,57 +1,23 @@
 # Configuring RBAC
 
-To use Stash in a cluster with RBAC enabled, [install Stash](/docs/install.md) with RBAC options.
+To use Stash in a cluster with RBAC enabled, [install Stash](/docs/install.md) with RBAC options. This creates a ClusterRole named `stash-sidecar`.
 
-Sidecar container added to workloads makes various calls to Kubernetes api. ServiceAccounts used with workloads should have the following roles:
+Sidecar container added to workloads makes various calls to Kubernetes api. ServiceAccounts used with Deployment, ReplicaSet, DaemonSet and ReplicationController workloads are automatically bound to `stash-sidecar` ClusterRole by Stash operator. Users should manually add the following RoleBinding to service accounts used with StatefulSet workloads to authorize these api calls.
 
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: stash-sidecar
-rules:
-- apiGroups:
-  - stash.appscode.com
-  resources: ["*"]
-  verbs: ["*"]
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs: ["get"]
-- apiGroups:
-  - extensions
-  resources:
-  - daemonsets
-  - replicasets
-  verbs: ["get"]
-- apiGroups: [""]
-  resources:
-  - replicationcontrollers
-  - secrets
-  verbs: ["get"]
-- apiGroups: [""]
-  resources:
-  - events
-  verbs: ["create"]
-```
-
-Create `stash-sidecar` ClusterRole, if it is not already present.
-
-Now, create a RoleBinding for service account used to a workload.
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-  name: workload-sa
+  name: <statefulset-name>-stash-sidecar
+  namespace: <statefulset-namespace>
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: stash-sidecar
 subjects:
 - kind: ServiceAccount
-  name: workload-sa
-  namespace: default
+  name: <statefulset-sa>
+  namespace: <statefulset-namespace>
 ```
 
 You can find full working examples [here](/docs/examples/workloads).

diff --git a/docs/reference/stash_run.md b/docs/reference/stash_run.md
@@ -18,6 +18,7 @@ stash run [flags]
   -h, --help                     help for run
       --kubeconfig string        Path to kubeconfig file with authorization information (the master location is set by the master flag).
       --master string            The address of the Kubernetes API server (overrides any value in kubeconfig)
+      --rbac                     Enable RBAC for operator
       --resync-period duration   If non-zero, will re-list this often. Otherwise, re-list will be delayed aslong as possible (until the upstream source closes the watch or times out. (default 5m0s)
       --scratch-dir emptyDir     Directory used to store temporary files. Use an emptyDir in Kubernetes. (default "/tmp")
 ```

diff --git a/glide.lock b/glide.lock
diff --git a/hack/deploy/with-rbac.yaml b/hack/deploy/with-rbac.yaml
@@ -48,6 +48,11 @@ rules:
   resources:
   - pods
   verbs: ["list", delete"]
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs: ["get", "create", "delete", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -93,6 +98,7 @@ spec:
         args:
         - run
         - --v=3
+        - --rbac=true
         image: appscode/stash:0.5.0
         ports:
         - containerPort: 56790
@@ -151,18 +157,19 @@ rules:
   resources: ["*"]
   verbs: ["*"]
 - apiGroups:
-  - extensions
+  - apps
   resources:
   - deployments
+  verbs: ["get"]
+- apiGroups:
+  - extensions
+  resources:
   - daemonsets
   - replicasets
   verbs: ["get"]
 - apiGroups: [""]
   resources:
   - replicationcontrollers
-  verbs: ["*"]
-- apiGroups: [""]
-  resources:
   - secrets
   verbs: ["get"]
 - apiGroups: [""]

diff --git a/pkg/cmds/run.go b/pkg/cmds/run.go
@@ -87,6 +87,7 @@ func NewCmdRun(version string) *cobra.Command {
 	cmd.Flags().StringVar(&masterURL, "master", masterURL, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
 	cmd.Flags().StringVar(&kubeconfigPath, "kubeconfig", kubeconfigPath, "Path to kubeconfig file with authorization information (the master location is set by the master flag).")
 	cmd.Flags().StringVar(&address, "address", address, "Address to listen on for web interface and telemetry.")
+	cmd.Flags().BoolVar(&opts.EnableRBAC, "rbac", opts.EnableRBAC, "Enable RBAC for operator")
 	cmd.Flags().StringVar(&scratchDir, "scratch-dir", scratchDir, "Directory used to store temporary files. Use an `emptyDir` in Kubernetes.")
 	cmd.Flags().DurationVar(&opts.ResyncPeriod, "resync-period", opts.ResyncPeriod, "If non-zero, will re-list this often. Otherwise, re-list will be delayed aslong as possible (until the upstream source closes the watch or times out.")
 

diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -5,6 +5,7 @@ import (
 )
 
 type Options struct {
+	EnableRBAC bool
 	SidecarImageTag string
 	ResyncPeriod    time.Duration
 	MaxNumRequeues  int

diff --git a/pkg/controller/daemonsets.go b/pkg/controller/daemonsets.go
@@ -155,6 +155,13 @@ func (c *StashController) EnsureDaemonSetSidecar(resource *extensions.DaemonSet,
 		return err
 	}
 
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBinding(kutil.GetObjectReference(resource, extensions.SchemeGroupVersion), resource.Spec.Template.Spec.ServiceAccountName)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = ext_util.PatchDaemonSet(c.k8sClient, resource, func(obj *extensions.DaemonSet) *extensions.DaemonSet {
 		obj.Spec.Template.Spec.Containers = core_util.UpsertContainer(obj.Spec.Template.Spec.Containers, util.CreateSidecarContainer(new, c.options.SidecarImageTag, "DaemonSet/"+obj.Name))
 		obj.Spec.Template.Spec.Volumes = util.UpsertScratchVolume(obj.Spec.Template.Spec.Volumes)
@@ -191,6 +198,13 @@ func (c *StashController) EnsureDaemonSetSidecar(resource *extensions.DaemonSet,
 }
 
 func (c *StashController) EnsureDaemonSetSidecarDeleted(resource *extensions.DaemonSet, restic *api.Restic) (err error) {
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBindingDeleted(resource.ObjectMeta)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = ext_util.PatchDaemonSet(c.k8sClient, resource, func(obj *extensions.DaemonSet) *extensions.DaemonSet {
 		obj.Spec.Template.Spec.Containers = core_util.EnsureContainerDeleted(obj.Spec.Template.Spec.Containers, util.StashContainer)
 		obj.Spec.Template.Spec.Volumes = util.EnsureVolumeDeleted(obj.Spec.Template.Spec.Volumes, util.ScratchDirVolumeName)

diff --git a/pkg/controller/deployment.go b/pkg/controller/deployment.go
@@ -155,6 +155,13 @@ func (c *StashController) EnsureDeploymentSidecar(resource *apps.Deployment, old
 		return err
 	}
 
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBinding(kutil.GetObjectReference(resource, apps.SchemeGroupVersion), resource.Spec.Template.Spec.ServiceAccountName)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = apps_util.PatchDeployment(c.k8sClient, resource, func(obj *apps.Deployment) *apps.Deployment {
 		obj.Spec.Template.Spec.Containers = core_util.UpsertContainer(obj.Spec.Template.Spec.Containers, util.CreateSidecarContainer(new, c.options.SidecarImageTag, "Deployment/"+obj.Name))
 		obj.Spec.Template.Spec.Volumes = util.UpsertScratchVolume(obj.Spec.Template.Spec.Volumes)
@@ -191,6 +198,13 @@ func (c *StashController) EnsureDeploymentSidecar(resource *apps.Deployment, old
 }
 
 func (c *StashController) EnsureDeploymentSidecarDeleted(resource *apps.Deployment, restic *api.Restic) (err error) {
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBindingDeleted(resource.ObjectMeta)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = apps_util.PatchDeployment(c.k8sClient, resource, func(obj *apps.Deployment) *apps.Deployment {
 		obj.Spec.Template.Spec.Containers = core_util.EnsureContainerDeleted(obj.Spec.Template.Spec.Containers, util.StashContainer)
 		obj.Spec.Template.Spec.Volumes = util.EnsureVolumeDeleted(obj.Spec.Template.Spec.Volumes, util.ScratchDirVolumeName)

diff --git a/pkg/controller/rbac.go b/pkg/controller/rbac.go
@@ -0,0 +1,74 @@
+package controller
+
+import (
+	"github.com/appscode/go/log"
+	"github.com/appscode/go/types"
+	rbac_util "github.com/appscode/kutil/rbac/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiv1 "k8s.io/client-go/pkg/api/v1"
+	rbac "k8s.io/client-go/pkg/apis/rbac/v1beta1"
+)
+
+const (
+	sidecarClusterRole = "stash-sidecar"
+)
+
+func (c *StashController) getRoleBindingName(name string) string {
+	return name + "-" + sidecarClusterRole
+}
+
+func (c *StashController) ensureOwnerReference(rb metav1.ObjectMeta, resource *apiv1.ObjectReference) metav1.ObjectMeta {
+	fi := -1
+	for i, ref := range rb.OwnerReferences {
+		if ref.Kind == ref.Kind && ref.Name == ref.Name {
+			fi = i
+			break
+		}
+	}
+	if fi == -1 {
+		rb.OwnerReferences = append(rb.OwnerReferences, metav1.OwnerReference{})
+		fi = len(rb.OwnerReferences) - 1
+	}
+	rb.OwnerReferences[fi].APIVersion = resource.APIVersion
+	rb.OwnerReferences[fi].Kind = resource.Kind
+	rb.OwnerReferences[fi].Name = resource.Name
+	rb.OwnerReferences[fi].UID = resource.UID
+	rb.OwnerReferences[fi].BlockOwnerDeletion = types.TrueP()
+	return rb
+}
+
+func (c *StashController) ensureRoleBinding(resource *apiv1.ObjectReference, sa string) error {
+	meta := metav1.ObjectMeta{
+		Namespace: resource.Namespace,
+		Name:      c.getRoleBindingName(resource.Name),
+	}
+	_, err := rbac_util.CreateOrPatchRoleBinding(c.k8sClient, meta, func(in *rbac.RoleBinding) *rbac.RoleBinding {
+		in.ObjectMeta = c.ensureOwnerReference(in.ObjectMeta, resource)
+
+		if in.Annotations == nil {
+			in.Annotations = map[string]string{}
+		}
+
+		in.RoleRef = rbac.RoleRef{
+			APIGroup: rbac.GroupName,
+			Kind:     "ClusterRole",
+			Name:     sidecarClusterRole,
+		}
+		in.Subjects = []rbac.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      sa,
+				Namespace: resource.Namespace,
+			},
+		}
+		return in
+	})
+	return err
+}
+
+func (c *StashController) ensureRoleBindingDeleted(resource metav1.ObjectMeta) error {
+	log.Infof("Deleting RoleBinding %s/%s", resource.Namespace, c.getRoleBindingName(resource.Name))
+	return c.k8sClient.RbacV1beta1().
+		RoleBindings(resource.Namespace).
+		Delete(c.getRoleBindingName(resource.Name), &metav1.DeleteOptions{})
+}
diff --git a/pkg/controller/rcs.go b/pkg/controller/rcs.go
@@ -153,6 +153,13 @@ func (c *StashController) EnsureReplicationControllerSidecar(resource *apiv1.Rep
 		return err
 	}
 
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBinding(kutil.GetObjectReference(resource, apiv1.SchemeGroupVersion), resource.Spec.Template.Spec.ServiceAccountName)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = core_util.PatchRC(c.k8sClient, resource, func(obj *apiv1.ReplicationController) *apiv1.ReplicationController {
 		obj.Spec.Template.Spec.Containers = core_util.UpsertContainer(obj.Spec.Template.Spec.Containers, util.CreateSidecarContainer(new, c.options.SidecarImageTag, "rc/"+obj.Name))
 		obj.Spec.Template.Spec.Volumes = util.UpsertScratchVolume(obj.Spec.Template.Spec.Volumes)
@@ -189,6 +196,13 @@ func (c *StashController) EnsureReplicationControllerSidecar(resource *apiv1.Rep
 }
 
 func (c *StashController) EnsureReplicationControllerSidecarDeleted(resource *apiv1.ReplicationController, restic *api.Restic) (err error) {
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBindingDeleted(resource.ObjectMeta)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = core_util.PatchRC(c.k8sClient, resource, func(obj *apiv1.ReplicationController) *apiv1.ReplicationController {
 		obj.Spec.Template.Spec.Containers = core_util.EnsureContainerDeleted(obj.Spec.Template.Spec.Containers, util.StashContainer)
 		obj.Spec.Template.Spec.Volumes = util.EnsureVolumeDeleted(obj.Spec.Template.Spec.Volumes, util.ScratchDirVolumeName)

diff --git a/pkg/controller/replicasets.go b/pkg/controller/replicasets.go
@@ -160,6 +160,13 @@ func (c *StashController) EnsureReplicaSetSidecar(resource *extensions.ReplicaSe
 		return err
 	}
 
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBinding(kutil.GetObjectReference(resource, extensions.SchemeGroupVersion), resource.Spec.Template.Spec.ServiceAccountName)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = ext_util.PatchReplicaSet(c.k8sClient, resource, func(obj *extensions.ReplicaSet) *extensions.ReplicaSet {
 		obj.Spec.Template.Spec.Containers = core_util.UpsertContainer(obj.Spec.Template.Spec.Containers, util.CreateSidecarContainer(new, c.options.SidecarImageTag, "ReplicaSet/"+obj.Name))
 		obj.Spec.Template.Spec.Volumes = util.UpsertScratchVolume(obj.Spec.Template.Spec.Volumes)
@@ -196,6 +203,13 @@ func (c *StashController) EnsureReplicaSetSidecar(resource *extensions.ReplicaSe
 }
 
 func (c *StashController) EnsureReplicaSetSidecarDeleted(resource *extensions.ReplicaSet, restic *api.Restic) (err error) {
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBindingDeleted(resource.ObjectMeta)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = ext_util.PatchReplicaSet(c.k8sClient, resource, func(obj *extensions.ReplicaSet) *extensions.ReplicaSet {
 		obj.Spec.Template.Spec.Containers = core_util.EnsureContainerDeleted(obj.Spec.Template.Spec.Containers, util.StashContainer)
 		obj.Spec.Template.Spec.Volumes = util.EnsureVolumeDeleted(obj.Spec.Template.Spec.Volumes, util.ScratchDirVolumeName)

diff --git a/pkg/controller/statefulsets.go b/pkg/controller/statefulsets.go
@@ -155,6 +155,13 @@ func (c *StashController) EnsureStatefulSetSidecar(resource *apps.StatefulSet, o
 		return
 	}
 
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBinding(kutil.GetObjectReference(resource, apps.SchemeGroupVersion), resource.Spec.Template.Spec.ServiceAccountName)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = apps_util.PatchStatefulSet(c.k8sClient, resource, func(obj *apps.StatefulSet) *apps.StatefulSet {
 		obj.Spec.Template.Spec.Containers = core_util.UpsertContainer(obj.Spec.Template.Spec.Containers, util.CreateSidecarContainer(new, c.options.SidecarImageTag, "StatefulSet/"+obj.Name))
 		obj.Spec.Template.Spec.Volumes = util.UpsertScratchVolume(obj.Spec.Template.Spec.Volumes)
@@ -191,6 +198,13 @@ func (c *StashController) EnsureStatefulSetSidecar(resource *apps.StatefulSet, o
 }
 
 func (c *StashController) EnsureStatefulSetSidecarDeleted(resource *apps.StatefulSet, restic *api.Restic) (err error) {
+	if c.options.EnableRBAC {
+		err := c.ensureRoleBindingDeleted(resource.ObjectMeta)
+		if err != nil {
+			return err
+		}
+	}
+
 	resource, err = apps_util.PatchStatefulSet(c.k8sClient, resource, func(obj *apps.StatefulSet) *apps.StatefulSet {
 		obj.Spec.Template.Spec.Containers = core_util.EnsureContainerDeleted(obj.Spec.Template.Spec.Containers, util.StashContainer)
 		obj.Spec.Template.Spec.Volumes = util.EnsureVolumeDeleted(obj.Spec.Template.Spec.Volumes, util.ScratchDirVolumeName)