From 35604b007a3b9eebb194d27ae0d975c2a07dc973 Mon Sep 17 00:00:00 2001 From: Feng Xiang Date: Wed, 11 Oct 2023 09:46:05 -0400 Subject: [PATCH] ACM-7887 Add clusterroles and clusterrolebindings RBAC for ClusterCurator (#533) * Add clusterroles and clusterrolebindings RBAC for ClusterCurator Signed-off-by: fxiang1 * Add permissions for namespace Signed-off-by: fxiang1 * Fix privilege escalation Signed-off-by: fxiang1 --------- Signed-off-by: fxiang1 --- bundle.Dockerfile | 2 +- ...icluster-engine.clusterserviceversion.yaml | 21 ++++++++++++++++--- bundle/metadata/annotations.yaml | 2 +- config/rbac/role.yaml | 17 ++++++++++++++- .../cluster-curator-clusterrole.yaml | 16 ++++++++++++-- pkg/templates/rbac_gen.go | 11 ++++++---- 6 files changed, 57 insertions(+), 12 deletions(-) diff --git a/bundle.Dockerfile b/bundle.Dockerfile index 94a0342e1..9d90cea7c 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -7,7 +7,7 @@ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=multicluster-engine LABEL operators.operatorframework.io.bundle.channels.v1=stable LABEL operators.operatorframework.io.bundle.channel.default.v1=stable -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.29.0 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 diff --git a/bundle/manifests/multicluster-engine.clusterserviceversion.yaml b/bundle/manifests/multicluster-engine.clusterserviceversion.yaml index 07fd9a758..b95db3baf 100644 --- a/bundle/manifests/multicluster-engine.clusterserviceversion.yaml +++ b/bundle/manifests/multicluster-engine.clusterserviceversion.yaml 
@@ -14,8 +14,8 @@ metadata: } ] capabilities: Basic Install - createdAt: "2023-09-26T20:15:34Z" - operators.operatorframework.io/builder: operator-sdk-v1.29.0 + createdAt: "2023-10-10T19:29:32Z" + operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 name: multicluster-engine.v0.0.1 namespace: placeholder @@ -267,6 +267,7 @@ spec: resources: - namespaces verbs: + - create - delete - get - list @@ -496,6 +497,9 @@ spec: - "" - rbac.authorization.k8s.io resources: + - clusterrolebindings + - clusterroles + - namespaces - rolebindings - roles verbs: @@ -1271,6 +1275,7 @@ spec: - cluster.open-cluster-management.io resources: - clustercurators + - clustercurators/status verbs: - create - delete @@ -1283,7 +1288,7 @@ spec: - cluster.open-cluster-management.io resources: - clustercurators - - clustercurators/status + - managedclusters verbs: - create - delete @@ -1478,6 +1483,12 @@ spec: - get - list - watch + - apiGroups: + - config.openshift.io + resources: + - dnses + verbs: + - get - apiGroups: - config.openshift.io resources: @@ -1815,7 +1826,11 @@ spec: - hostedclusters - nodepools verbs: + - delete + - get - list + - patch + - update - watch - apiGroups: - imageregistry.open-cluster-management.io diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 5ae757b77..3ec1af610 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -6,7 +6,7 @@ annotations: operators.operatorframework.io.bundle.package.v1: multicluster-engine operators.operatorframework.io.bundle.channels.v1: stable operators.operatorframework.io.bundle.channel.default.v1: stable - operators.operatorframework.io.metrics.builder: operator-sdk-v1.29.0 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index ec044677c..7a8601d58 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -198,6 +198,7 @@ rules: resources: - namespaces verbs: + - create - delete - get - list @@ -427,6 +428,9 @@ rules: - "" - rbac.authorization.k8s.io resources: + - clusterrolebindings + - clusterroles + - namespaces - rolebindings - roles verbs: @@ -1202,6 +1206,7 @@ rules: - cluster.open-cluster-management.io resources: - clustercurators + - clustercurators/status verbs: - create - delete @@ -1214,7 +1219,7 @@ rules: - cluster.open-cluster-management.io resources: - clustercurators - - clustercurators/status + - managedclusters verbs: - create - delete @@ -1409,6 +1414,12 @@ rules: - get - list - watch +- apiGroups: + - config.openshift.io + resources: + - dnses + verbs: + - get - apiGroups: - config.openshift.io resources: @@ -1746,7 +1757,11 @@ rules: - hostedclusters - nodepools verbs: + - delete + - get - list + - patch + - update - watch - apiGroups: - imageregistry.open-cluster-management.io diff --git a/pkg/templates/charts/toggle/cluster-lifecycle/templates/cluster-curator-clusterrole.yaml b/pkg/templates/charts/toggle/cluster-lifecycle/templates/cluster-curator-clusterrole.yaml index 3c435eaf9..159edaf60 100644 --- a/pkg/templates/charts/toggle/cluster-lifecycle/templates/cluster-curator-clusterrole.yaml +++ b/pkg/templates/charts/toggle/cluster-lifecycle/templates/cluster-curator-clusterrole.yaml @@ -14,7 +14,7 @@ rules: verbs: ["get"] - apiGroups: ["rbac.authorization.k8s.io",""] - resources: ["roles","rolebindings"] + resources: ["roles","rolebindings", "clusterroles", "clusterrolebindings", "namespaces"] verbs: ["create","get"] - apiGroups: ["hive.openshift.io"] @@ -48,6 +48,7 @@ rules: - cluster.open-cluster-management.io resources: - clustercurators + - managedclusters verbs: - create - delete 
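Review bot: The rule at `resources: ["roles","rolebindings", "clusterroles", "clusterrolebindings", "namespaces"]` in cluster-curator-clusterrole.yaml now grants the curator service account `create` on ClusterRoles and ClusterRoleBindings cluster-wide, and neither the template nor the commit description says which objects the curator creates. Because the rule carries no `escalate` or `bind` verb, the API server's escalation check limits the curator to roles whose permissions it already holds and to bindings of such roles, but an object created here outlives the curator unless something else holds `delete`, which this rule does not grant; confirm who cleans them up. The rule also pairs `namespaces` with `rbac.authorization.k8s.io` and the RBAC resources with `""`, and the marker that appears to mirror it in pkg/templates/rbac_gen.go carries the same cross-product into config/rbac/role.yaml and the bundle CSV; splitting it into `- apiGroups: ["rbac.authorization.k8s.io"]` with `resources: ["roles","rolebindings","clusterroles","clusterrolebindings"]` and `- apiGroups: [""]` with `resources: ["namespaces"]` keeps the grant identical and readable. A one-line comment above the rule naming the curator step that creates these cluster-scoped objects would document the write. The rules list continues outside the hunk.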
@@ -99,4 +100,15 @@ rules:
 verbs:
 - get
 - create
- - update
\ No newline at end of file
+ - update
+- apiGroups:
+ - hypershift.openshift.io
+ resources:
+ - hostedclusters
+ - nodepools
+ verbs:
+ - get
+ - patch
+ - delete
+ - update
+ - list
diff --git a/pkg/templates/rbac_gen.go b/pkg/templates/rbac_gen.go
index 5d05f076d..9428c0c03 100644
--- a/pkg/templates/rbac_gen.go
+++ b/pkg/templates/rbac_gen.go
@@ -30,8 +30,8 @@ package main
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+//+kubebuilder:rbac:groups="",resources=namespaces,verbs=create;get;list;watch
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=delete
-//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=namespaces;secrets;pods;pods/portforward,verbs=*
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=nodes;pods;endpoints;services;secrets,verbs=get;watch;list
@@ -170,8 +170,8 @@ package main
 //+kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,verbs=approve;sign
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=addonplacementscores/status,verbs=create;delete;get;list;patch;update;watch
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=addonplacementscores;addonplacementscores/status,verbs=create;delete;deletecollection;get;list;patch;update;watch
-//+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=clustercurators,verbs=create;delete;get;list;patch;update;watch
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=clustercurators/status,verbs=get;patch;update
+//+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=clustercurators;managedclusters,verbs=create;delete;get;list;patch;update;watch
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;create;update
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;create;delete;watch;update;patch
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch
@@ -190,6 +190,7 @@ package main
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclustersets/join,verbs=create
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclustersets/join,verbs=create
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclustersets/join,verbs=create
+//+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclustersets/join,verbs=create
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclustersets;placementdecisions,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclustersets;placementdecisions;placementdecisions/status,verbs=get;list;watch;update
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placements/finalizers,verbs=update
@@ -200,6 +201,7 @@ package main
 //+kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get
 //+kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list
 //+kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list;watch
+//+kubebuilder:rbac:groups=config.openshift.io,resources=dnses,verbs=get
 //+kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures,verbs=get
 //+kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures,verbs=get;list;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures,verbs=get;list;watch
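Review bot: The added `managedclustersets/join,verbs=create` marker is byte-identical to the three lines above it, and the added `config.openshift.io,resources=dnses,verbs=get` marker, like the `create` verb added to the first `clusterimagesets` marker in the next hunk, has no matching chart rule anywhere in this diff, whose only chart change is cluster-curator-clusterrole.yaml. The commit description mentions clusterroles, clusterrolebindings and namespaces only, so the `dnses` and `clusterimagesets create` grants are new operator permissions this review cannot trace to a consumer; if they mirror chart rules that already exist outside this diff, the description should say which. The duplicate `managedclustersets/join` line adds no permission either way and can be dropped.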
@@ -249,11 +251,12 @@ package main
 //+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterdeployments;clusterpools;clusterclaims;machinepools,verbs=get;list;watch
 //+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterdeployments;clusterpools;clusterclaims;machinepools,verbs=get;list;watch;update
 //+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterdeployments;syncsets;selectorsyncsets,verbs=create;delete;get;list;patch;update;watch
-//+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterimagesets,verbs=get;list;watch
+//+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterimagesets,verbs=create;get;list;watch
 //+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterimagesets,verbs=get;list;watch
 //+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterimagesets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=hiveinternal.openshift.io,resources=*,verbs=*
 //+kubebuilder:rbac:groups=hiveinternal.openshift.io,resources=clustersyncs,verbs=get;list;watch
+//+kubebuilder:rbac:groups=hypershift.openshift.io,resources=hostedclusters;nodepools,verbs=get;patch;delete;update;list
 //+kubebuilder:rbac:groups=hypershift.openshift.io,resources=hostedclusters;nodepools,verbs=list;watch
 //+kubebuilder:rbac:groups=imageregistry.open-cluster-management.io,resources=managedclusterimageregistries;managedclusterimageregistries,verbs=get;list;watch
 //+kubebuilder:rbac:groups=imageregistry.open-cluster-management.io,resources=managedclusterimageregistries;managedclusterimageregistries/status,verbs=get;list;watch;update
@@ -299,7 +302,7 @@ package main
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;"",resources=roles;rolebindings,verbs=create;get
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;"",resources=roles;rolebindings;clusterroles;clusterrolebindings;namespaces,verbs=create;get
 //+kubebuilder:rbac:groups=register.open-cluster-management.io,resources=managedclusters/accept,verbs=update
 //+kubebuilder:rbac:groups=register.open-cluster-management.io,resources=managedclusters/accept,verbs=update
 //+kubebuilder:rbac:groups=register.open-cluster-management.io,resources=managedclusters/clientcertificates,verbs=renew
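Review bot: The new marker places `clusterroles;clusterrolebindings;namespaces` under both `rbac.authorization.k8s.io` and `""`, so the rule controller-gen emits in config/rbac/role.yaml (`@@ -427`) and the bundle CSV (`@@ -496`) is a cross-product that lists `namespaces` under the RBAC group and `clusterroles` under the core group. The line directly above already grants the operator `get;list;watch;create;update;delete` on `clusterroles;clusterrolebindings`, and the `namespaces;secrets;pods;pods/portforward,verbs=*` marker in the first hunk already covers namespaces, so the new line appears to exist only to mirror the curator chart rule for the escalation check rather than to add a permission. Splitting it into `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=create;get` and `//+kubebuilder:rbac:groups="",resources=namespaces,verbs=create;get` yields an equivalent grant without the spurious group/resource pairs in the generated files.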