From 6fc4d4532f4ab0571c333f3152d0bf58eff2aa61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Thu, 4 Apr 2024 12:00:13 -0300
Subject: [PATCH 1/2] fix(rbac): sync RBAC permissions with Helm charts.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates the Kubebuilder directives to be in sync with the RBAC used in the Helm charts to install Kuberwanden.

Signed-off-by: José Guilherme Vanz
---
 config/rbac/role.yaml                  | 49 ++++++++++++++------------
 controllers/policyserver_controller.go |  8 ++---
 2 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index a0dfa514..a4ffc5a8 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -73,6 +73,32 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers/status
+  verbs:
+  - get
+  - patch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -132,29 +158,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers
-  verbs:
-  - delete
-  - get
-  - list
-  - watch
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - policy
   resources:
diff --git a/controllers/policyserver_controller.go b/controllers/policyserver_controller.go
index f49f68c0..3516beae 100644
--- a/controllers/policyserver_controller.go
+++ b/controllers/policyserver_controller.go
@@ -50,11 +50,11 @@ type PolicyServerReconciler struct {
 // We need access to these resources only inside of the namespace where the
 // controller is deployed. Here we assume it's being deployed inside of the
 // `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete;create;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=secrets;services;configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=create;update;patch;delete;get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete

From aa6b27db9ddcf01d1efd8ccd6146bf2c07798ef7 Mon Sep 17 00:00:00 2001
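Review bot: The three-line comment kept as context above the policyservers markers ("We need access to these resources only inside of the namespace where the controller is deployed…") now sits over markers that no longer carry `namespace=kubewarden`, so the generated policyservers rule is cluster-wide (the first role.yaml hunk of this patch moves the same rules out of the `kind: Role` document) while the comment still promises namespaced-only access. Move the three `policyservers` markers above that comment, or precede them with a line such as `// PolicyServers are reconciled cluster-wide, so these markers intentionally carry no namespace restriction; the namespaced markers below cover the controller's own namespace.` so that the broadened scope and the newly added create;update;patch verbs read as deliberate rather than as a leftover. The verb reordering on the deployments marker does not change the generated rule and is purely cosmetic.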
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Wed, 3 Apr 2024 16:08:15 -0300
Subject: [PATCH 2/2] feat: Tiltfile install Roles with rules defined in the controller.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates the Tiltfile to change the Roles and ClusterRoles defined in the Helm charts to use the rules defined in the RBAC defined in the local directory. Therefore, when permissions are added,changed or removed, there is no need to copy the content to the Helm chart directory.

Signed-off-by: José Guilherme Vanz
---
 Tiltfile                                  | 28 ++++++++++++++++++-
 config/rbac/role.yaml                     |  9 ------
 controllers/admissionpolicy_controller.go |  7 ++---
 .../clusteradmissionpolicy_controller.go  |  9 ++----
 4 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/Tiltfile b/Tiltfile
index b947fa60..c8dbc691 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -21,6 +21,23 @@ namespace_create('kubewarden')
 # Install CRDs
 crd = kustomize('config/crd')
 k8s_yaml(crd)
+roles = decode_yaml_stream(kustomize('config/rbac'))
+cluster_rules = []
+namespace_rules = []
+roles_rules_mapping = {
+    "ClusterRole": {},
+    "Role": {},
+}
+
+for role in roles:
+    if role.get('kind') == 'ClusterRole':
+        roles_rules_mapping["ClusterRole"][role.get('metadata').get('name')] = role.get('rules')
+    elif role.get('kind') == 'Role':
+        roles_rules_mapping["Role"][role.get('metadata').get('name')] = role.get('rules')
+
+if len(roles_rules_mapping["ClusterRole"]) == 0 or len(roles_rules_mapping["Role"]) == 0:
+    fail("Failed to load cluster and namespace roles")
+
 # Install kubewarden-controller helm chart
 install = helm(
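Review bot: `cluster_rules = []` and `namespace_rules = []` are assigned in this hunk but nothing in either Tiltfile hunk reads them, so they look like leftovers and should be dropped unless a part of the file outside this patch uses them. The guard only checks that each map is non-empty, while the second Tiltfile hunk indexes `["manager-role"]` and `["leader-election-role"]` by name, so a renamed or missing role would surface as a key lookup error instead of the intended `fail(...)` message. Checking the expected names directly, e.g. `if "manager-role" not in roles_rules_mapping["ClusterRole"] or "manager-role" not in roles_rules_mapping["Role"] or "leader-election-role" not in roles_rules_mapping["Role"]:`, keeps the failure explicit and ties the guard to what is actually consumed.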
@@ -38,7 +55,16 @@ for o in objects:
     o['spec']['template']['spec']['securityContext']['runAsNonRoot'] = False
     # Disable the leader election to speed up the startup time.
     o['spec']['template']['spec']['containers'][0]['args'].remove('--leader-elect')
-    break
+
+    # Update the cluster and namespace roles used by the controller. This ensures
+    # that always we have the latest roles applied to the cluster.
+    if o.get('kind') == 'ClusterRole' and o.get('metadata').get('name') == 'kubewarden-controller-manager-cluster-role':
+        o['rules'] = roles_rules_mapping["ClusterRole"]["manager-role"]
+    if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-manager-namespaced-role':
+        o['rules'] = roles_rules_mapping["Role"]["manager-role"]
+    if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-leader-election-role':
+        o['rules'] = roles_rules_mapping["Role"]["leader-election-role"]
+
 
 updated_install = encode_yaml_stream(objects)
 k8s_yaml(updated_install)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index a4ffc5a8..047a13f1 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -119,15 +119,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - replicasets
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - apps
   resources:
diff --git a/controllers/admissionpolicy_controller.go b/controllers/admissionpolicy_controller.go
index 88ee9413..fe4685ef 100644
--- a/controllers/admissionpolicy_controller.go
+++ b/controllers/admissionpolicy_controller.go
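Review bot: The three new `if` branches each re-derive `o.get('kind')` and `o.get('metadata').get('name')`; hoisting them once per object, `kind = o.get('kind')` and `name = o.get('metadata').get('name')`, and comparing against those would make the role-swap block shorter and easier to scan. Dropping `break` is what lets the loop reach the Role and ClusterRole objects after the Deployment has been patched, and that is worth stating in the comment above the new block, which also reads better as `# that we always have the latest roles applied to the cluster.`. The enclosing `for o in objects:` loop starts before this hunk.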
@@ -46,11 +46,8 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/finalizers,verbs=update
 //
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // AdmissionPolicyReconciler reconciles an AdmissionPolicy object
 type AdmissionPolicyReconciler struct {
diff --git a/controllers/clusteradmissionpolicy_controller.go b/controllers/clusteradmissionpolicy_controller.go
index cf5d4c73..6fcc0194 100644
--- a/controllers/clusteradmissionpolicy_controller.go
+++ b/controllers/clusteradmissionpolicy_controller.go
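Review bot: The replacement comment says only that "some" rules live in policyserver_controller.go, which leaves the reader to rediscover which ones; naming them makes the coupling checkable, e.g. `// The get/list/watch rules for pods, replicasets and deployments in the kubewarden namespace that this reconciler relies on are declared in policyserver_controller.go; keep them in sync if this controller's needs change.` The same applies to the clusteradmissionpolicy_controller.go hunk below, which additionally removes the `//` separator line that this hunk keeps and inserts a blank line instead, so the two sibling files end up with different layout around an identical comment — pick one form for both. Removing the namespaced markers here is only safe as long as the policyserver markers keep granting those verbs, which is exactly what the comment should make explicit.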
@@ -45,12 +45,9 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies,verbs=get;list;watch;delete
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/finalizers,verbs=update
-//
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // ClusterAdmissionPolicyReconciler reconciles a ClusterAdmissionPolicy object
 type ClusterAdmissionPolicyReconciler struct {