From 8a361e0978570610b6adb5f4590e6e59b978f6b9 Mon Sep 17 00:00:00 2001
From: Matous Jobanek
Date: Mon, 15 May 2023 19:07:34 +0200
Subject: [PATCH 1/2] fix: limit usage of * in RBAC
---
 .../rbac/appstudio_api_permissions_role.yaml | 36 +++++++++++++++++++
 ...appstudio_api_permissions_rolebinding.yaml | 12 +++++++
 config/rbac/edit_role_binding.yaml | 12 +++++++
 config/rbac/kustomization.yaml | 4 +++
 .../memberstatus/memberstatus_controller.go | 2 +-
 .../nstemplateset/nstemplateset_controller.go | 5 ++-
 6 files changed, 67 insertions(+), 4 deletions(-)
 create mode 100644 config/rbac/appstudio_api_permissions_role.yaml
 create mode 100644 config/rbac/appstudio_api_permissions_rolebinding.yaml
 create mode 100644 config/rbac/edit_role_binding.yaml
diff --git a/config/rbac/appstudio_api_permissions_role.yaml b/config/rbac/appstudio_api_permissions_role.yaml
new file mode 100644
index 00000000..fa09c0d4
--- /dev/null
+++ b/config/rbac/appstudio_api_permissions_role.yaml
@@ -0,0 +1,36 @@
+# permissions to scale Camel K resources.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: appstudio-api-permissions
+rules:
+- apiGroups:
+ - appstudio.redhat.com
+ - tekton.dev
+ - jvmbuildservice.io
+ resources:
+ - "*"
+ verbs:
+ # TODO fix after changing the ADR and associated appstudio teemplates
+ - "*"
+- apiGroups:
+ - managed-gitops.redhat.com
+ - results.tekton.dev
+ resources:
+ - "*"
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ # TODO fix after changing the ADR and associated appstudio teemplates
+ - "*"
diff --git a/config/rbac/appstudio_api_permissions_rolebinding.yaml b/config/rbac/appstudio_api_permissions_rolebinding.yaml
new file mode 100644
index 00000000..037c8a00
--- /dev/null
+++ b/config/rbac/appstudio_api_permissions_rolebinding.yaml
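Review bot: The third rule grants `verbs: "*"` on core-group `secrets` and `configmaps`, and since this ClusterRole is bound through the ClusterRoleBinding added in the next file, that is read, write and `deletecollection` on every Secret in every namespace — the widest grant in a commit titled "limit usage of *". The second rule already shows the enumerated form; reusing its seven verbs (`get`, `list`, `watch`, `update`, `patch`, `delete`, `create`) on the secrets/configmaps rule removes the wildcard at no cost, so the TODO should either be resolved here or name the issue tracking the ADR change. Likewise `resources: "*"` in the first rule silently covers any CRD later added to `appstudio.redhat.com`, `tekton.dev` or `jvmbuildservice.io`; a comment listing the kinds the AppStudio templates actually create would at least let a reviewer check the rule against the templates. `teemplates` in both TODO comments is a typo for `templates`.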
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: appstudio-api-permissions
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: appstudio-api-permissions
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/edit_role_binding.yaml b/config/rbac/edit_role_binding.yaml
new file mode 100644
index 00000000..8a22b409
--- /dev/null
+++ b/config/rbac/edit_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: edit-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index c939e918..32ba69cd 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
+- edit_role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 - camel_k_role.yaml
@@ -20,3 +21,6 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# Extra permissions for AppStudio tiers
+- appstudio_api_permissions_role.yaml
+- appstudio_api_permissions_rolebinding.yaml
diff --git a/controllers/memberstatus/memberstatus_controller.go b/controllers/memberstatus/memberstatus_controller.go
index c3661f7d..6d5ca302 100644
--- a/controllers/memberstatus/memberstatus_controller.go
+++ b/controllers/memberstatus/memberstatus_controller.go
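Review bot: `edit_role_binding.yaml` binds the built-in aggregated ClusterRole `edit` to the `controller-manager` ServiceAccount with a ClusterRoleBinding, which is write access to most namespaced resources — Secrets, ConfigMaps, Pods and `pods/exec` included — in every namespace, and because `edit` is an aggregated role its scope grows whenever another component labels a ClusterRole into it. That is broader than anything the enumerated rules elsewhere in this commit take away, and the file carries no comment saying why the controller needs it. If the binding exists so the controller can create RoleBindings to `edit` in the namespaces it provisions without holding `bind`/`escalate`, say so above `roleRef`, e.g. `# Held only so the controller can bind "edit" to users in provisioned namespaces (RBAC escalation prevention).`; otherwise the permissions the controller actually uses belong in `appstudio_api_permissions_role.yaml` with explicit verbs.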
@@ -68,7 +68,7 @@ type Reconciler struct {
 
 //+kubebuilder:rbac:groups=toolchain.dev.openshift.com,resources=memberstatuses/finalizers,verbs=update
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
-//+kubebuilder:rbac:groups=metrics.k8s.io,resources=*,verbs=get;list;watch
+//+kubebuilder:rbac:groups=metrics.k8s.io,resources=nodes,verbs=get;list;watch
 //+kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch
 
 // Reconcile reads the state of toolchain member cluster components and updates the MemberStatus resource with information useful for observation or troubleshooting
diff --git a/controllers/nstemplateset/nstemplateset_controller.go b/controllers/nstemplateset/nstemplateset_controller.go
index 2c4587e5..9ce8b83a 100644
--- a/controllers/nstemplateset/nstemplateset_controller.go
+++ b/controllers/nstemplateset/nstemplateset_controller.go
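Review bot: The narrowed `metrics.k8s.io` marker only changes the deployed ClusterRole once `controller-gen` regenerates `config/rbac/role.yaml`, yet the diffstat lists no change to that file even though `kustomization.yaml` consumes it; if `role.yaml` is checked in rather than produced at build time, this hunk and the nstemplateset markers in the next file leave the effective permissions unchanged until `make manifests` output is committed. Going from `resources=*` to `nodes` is correct only if the memberstatus reconciler reads NodeMetrics alone — `metrics.k8s.io` also serves `pods` — so a grep of the controller for `PodMetrics` before merging is worthwhile. A comment on the marker, `// node metrics only; this controller does not read pod metrics`, would record the decision for the next person tempted to widen it.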
@@ -89,9 +89,8 @@ type Reconciler struct {
 
 //+kubebuilder:rbac:groups=toolchain.dev.openshift.com,resources=nstemplatesets/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=toolchain.dev.openshift.com,resources=nstemplatesets/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=namespaces;limitranges,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=namespaces;resourcequotas,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;authorization.openshift.io,resources=rolebindings;roles;clusterroles;clusterrolebindings,verbs=*
+//+kubebuilder:rbac:groups="",resources=namespaces;limitranges;resourcequotas;pods/exec,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;authorization.openshift.io,resources=rolebindings;roles;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=quota.openshift.io,resources=clusterresourcequotas,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=appstudio.redhat.com,resources=environments,verbs=get;list;watch;create;update;delete
From f8fbda0544b61eba8fb6abca84cc38b0488660b8 Mon Sep 17 00:00:00 2001
From: Matous Jobanek
Date: Tue, 16 May 2023 12:10:20 +0200
Subject: [PATCH 2/2] comment
---
 config/rbac/appstudio_api_permissions_role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/rbac/appstudio_api_permissions_role.yaml b/config/rbac/appstudio_api_permissions_role.yaml
index fa09c0d4..5ae07c3e 100644
--- a/config/rbac/appstudio_api_permissions_role.yaml
+++ b/config/rbac/appstudio_api_permissions_role.yaml
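Review bot: The merged core-group marker now grants `pods/exec` with `get;list;watch;create;update;patch;delete`, but the exec subresource is only ever authorized with `create` (and `get` for the websocket path); `list`, `watch`, `update`, `patch` and `delete` are inert on it, and folding the subresource into `namespaces;limitranges;resourcequotas` hides a capability that differs in kind from the rest of the line. Presumably it is added because the rbac marker on the next line drops `verbs=*` — and with it the implicit `escalate` and `bind` — so the controller must itself hold every permission it writes into the Roles it creates; if so, give it its own line with the minimal verbs and the reason: `// pods/exec is held only so the controller can create Roles that grant it (RBAC escalation prevention); it never execs into pods` followed by `//+kubebuilder:rbac:groups="",resources=pods/exec,verbs=create` (add `get` only if a template grants it). Replacing `verbs=*` on roles/rolebindings/clusterroles/clusterrolebindings with an explicit list is the right move, and a short comment that `escalate` and `bind` are deliberately excluded would stop it being "fixed" back to a wildcard later. As with the memberstatus hunk, the generated `config/rbac/role.yaml` does not appear in the diffstat — confirm it was regenerated from these markers.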
@@ -1,4 +1,4 @@
-# permissions to scale Camel K resources.
+# permissions needed to apply appstudio templates.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: