rbac: narrow permissions (#613)

* fix(rbac): narrow permissions Signed-off-by: Pedro Tôrres <[email protected]> * feat(rbac): generate manifests with kubebuilder Signed-off-by: Pedro Tôrres <[email protected]> --------- Signed-off-by: Pedro Tôrres <[email protected]> Signed-off-by: Pedro Tôrres <[email protected]>
kedacore · Mar 2, 2023 · 653ddb6 · 653ddb6
1 parent 3bd29c2
commit 653ddb6
Show file tree

Hide file tree

Showing 20 changed files with 210 additions and 57 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,7 @@ This changelog keeps track of work items that have been completed and are ready
 ### Improvements
 
 - **General**: Automatically tag Docker image with commit SHA ([#567](https://github.com/kedacore/http-add-on/issues/567))
+- **RBAC**: Introduce fine-grained permissions per component and reduce required permissions ([#612](https://github.com/kedacore/http-add-on/issues/612))
 
 ### Fixes
 

diff --git a/Makefile b/Makefile
@@ -86,7 +86,9 @@ publish-multiarch: publish-operator-multiarch publish-interceptor-multiarch publ
 # Development
 
 manifests: controller-gen ## Generate ClusterRole and CustomResourceDefinition objects for core componenets.
-	$(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=keda-http-add-on paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=keda-http-add-on paths="./operator/..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=keda-http-add-on-scaler paths="./scaler/..." output:rbac:artifacts:config=config/scaler
+	$(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=keda-http-add-on-interceptor paths="./interceptor/..." output:rbac:artifacts:config=config/interceptor
 
 verify-manifests:
 	./hack/verify-manifests.sh

diff --git a/config/interceptor/interceptor.yaml b/config/interceptor/interceptor.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-      serviceAccountName: keda-http-add-on
+      serviceAccountName: keda-http-add-on-interceptor
       containers:
         - name: interceptor
           image: ghcr.io/kedacore/http-add-on-interceptor:latest

diff --git a/config/interceptor/kustomization.yaml b/config/interceptor/kustomization.yaml
@@ -2,6 +2,9 @@ resources:
 - interceptor.yaml
 - service-admin.yaml
 - service-proxy.yaml
+- role.yaml
+- role_binding.yaml
+- service_account.yaml
 
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

diff --git a/config/interceptor/role.yaml b/config/interceptor/role.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: keda-http-add-on-interceptor
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: keda-http-add-on-interceptor
+  namespace: keda
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/interceptor/role_binding.yaml b/config/interceptor/role_binding.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: keda-http-add-on-interceptor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: keda-http-add-on-interceptor
+subjects:
+- kind: ServiceAccount
+  name: keda-http-add-on-interceptor
+  namespace: keda
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: keda-http-add-on-interceptor
+  namespace: keda
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: keda-http-add-on-interceptor
+subjects:
+- kind: ServiceAccount
+  name: keda-http-add-on-interceptor
+  namespace: keda
diff --git a/config/interceptor/service_account.yaml b/config/interceptor/service_account.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: keda-http-add-on
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/part-of: keda-http-add-on
+  name: keda-http-add-on-interceptor
+  namespace: keda
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -6,53 +6,23 @@ metadata:
   name: keda-http-add-on
 rules:
 - apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - configmaps/status
-  - endpoint
-  - endpoints
-  - events
-  - pods
-  - services
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
-- apiGroups:
-  - coordination.k8s.io
+  - http.keda.sh
   resources:
-  - leases
+  - httpscaledobjects
   verbs:
   - create
   - delete
   - get
   - list
+  - patch
   - update
+  - watch
 - apiGroups:
   - http.keda.sh
   resources:
-  - httpscaledobjects
+  - httpscaledobjects/finalizers
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
   - update
-  - watch
 - apiGroups:
   - http.keda.sh
   resources:
@@ -73,16 +43,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - networking
-  resources:
-  - ingresses
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -96,4 +56,29 @@ rules:
   resources:
   - configmaps
   verbs:
-  - '*'
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/config/scaler/kustomization.yaml b/config/scaler/kustomization.yaml
@@ -1,6 +1,9 @@
 resources:
 - scaler.yaml
 - service.yaml
+- role.yaml
+- role_binding.yaml
+- service_account.yaml
 
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

diff --git a/config/scaler/role.yaml b/config/scaler/role.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: keda-http-add-on-scaler
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: keda-http-add-on-scaler
+  namespace: keda
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/scaler/role_binding.yaml b/config/scaler/role_binding.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: keda-http-add-on-scaler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: keda-http-add-on-scaler
+subjects:
+- kind: ServiceAccount
+  name: keda-http-add-on-scaler
+  namespace: keda
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: keda-http-add-on-scaler
+  namespace: keda
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: keda-http-add-on-scaler
+subjects:
+- kind: ServiceAccount
+  name: keda-http-add-on-scaler
+  namespace: keda
diff --git a/config/scaler/scaler.yaml b/config/scaler/scaler.yaml
@@ -26,7 +26,7 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-      serviceAccountName: keda-http-add-on
+      serviceAccountName: keda-http-add-on-scaler
       containers:
         - name: external-scaler
           image: ghcr.io/kedacore/http-add-on-scaler:latest

diff --git a/config/scaler/service_account.yaml b/config/scaler/service_account.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: keda-http-add-on
+    app.kubernetes.io/version: latest
+    app.kubernetes.io/part-of: keda-http-add-on
+  name: keda-http-add-on-scaler
+  namespace: keda
diff --git a/interceptor/main.go b/interceptor/main.go
@@ -28,6 +28,9 @@ func init() {
 	rand.Seed(time.Now().UnixNano())
 }
 
+// +kubebuilder:rbac:groups="",namespace=keda,resources=configmaps,verbs=get;list;watch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch
+
 func main() {
 	lggr, err := pkglog.NewZapr()
 	if err != nil {
@@ -90,6 +93,7 @@ func main() {
 		lggr,
 		cl,
 		servingCfg.ConfigMapCacheRsyncPeriod,
+		servingCfg.CurrentNamespace,
 	)
 
 	lggr.Info(

diff --git a/operator/controllers/app.go b/operator/controllers/app.go
@@ -15,8 +15,6 @@ import (
 	"github.com/kedacore/http-add-on/pkg/routing"
 )
 
-// +kubebuilder:rbac:groups="",namespace=keda,resources=configmaps,verbs="*"
-
 func removeApplicationResources(
 	ctx context.Context,
 	logger logr.Logger,

diff --git a/operator/controllers/httpscaledobject_controller.go b/operator/controllers/httpscaledobject_controller.go
@@ -45,13 +45,10 @@ type HTTPScaledObjectReconciler struct {
 	RoutingTable         *routing.Table
 }
 
-// +kubebuilder:rbac:groups=keda.sh,resources=scaledobjects,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=http.keda.sh,resources=httpscaledobjects,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=http.keda.sh,resources=httpscaledobjects/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups="",resources=pods;services;configmaps;configmaps/status;events;endpoints;endpoint,verbs=get;list;watch;create;delete
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;delete
-// +kubebuilder:rbac:groups=networking,resources=ingresses,verbs=get;list;watch;create;delete
-// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update;delete
+// +kubebuilder:rbac:groups=http.keda.sh,resources=httpscaledobjects/finalizers,verbs=update
+// +kubebuilder:rbac:groups=keda.sh,resources=scaledobjects,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile reconciles a newly created, deleted, or otherwise changed
 // HTTPScaledObject

diff --git a/operator/main.go b/operator/main.go
@@ -26,11 +26,13 @@ import (
 	"github.com/go-logr/logr"
 	kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1"
 	"golang.org/x/sync/errgroup"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	httpv1alpha1 "github.com/kedacore/http-add-on/operator/api/v1alpha1"
@@ -56,6 +58,10 @@ func init() {
 	// +kubebuilder:scaffold:scheme
 }
 
+// +kubebuilder:rbac:groups="",namespace=keda,resources=events,verbs=create;patch
+// +kubebuilder:rbac:groups="",namespace=keda,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=coordination.k8s.io,namespace=keda,resources=leases,verbs=get;list;watch;create;update;patch;delete
+
 func main() {
 	ctx := ctrl.SetupSignalHandler()
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
@@ -117,6 +123,12 @@ func main() {
 		LeaderElectionID:   "f8508ff1.keda.sh",
 		// will be empty to indicate all namespaces
 		Namespace: baseConfig.WatchNamespace,
+		// TODO(pedrotorres): remove this when we stop relying on ConfigMaps for the routing table
+		// workaround for using the same K8s client for both the routing table and the HTTPScaledObject
+		// this was already broken if the operator was running only for a single namespace
+		ClientDisableCacheFor: []client.Object{
+			&corev1.ConfigMap{},
+		},
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")