Implement user impersonation

.github/workflows/e2e.yaml

@@ -74,6 +74,21 @@ jobs:
           kubectl -n impersonation wait kustomizations/podinfo --for=condition=ready --timeout=4m
           kubectl -n impersonation delete kustomizations/podinfo
           until kubectl -n impersonation get deploy/podinfo 2>&1 | grep NotFound ; do sleep 2; done
+      - name: Run user impersonation tests
+        run: |
+          kubectl -n kustomize-system apply -f ./config/testdata/user-impersonation/new-rbac.yaml
+          kubectl -n kustomize-system patch deploy/kustomize-controller -p "$(cat ./config/testdata/user-impersonation/patch.yaml)"
+          kubectl -n tenant-a apply -f ./config/testdata/user-impersonation/use-test.yaml
+          kubectl -n tenant-a wait kustomizations/podinfo --for=condition=ready --timeout=4m
+          kubectl -n tenant-a  delete kustomizations/podinfo --wait
+          kubectl -n tenant-b apply -f ./config/testdata/user-impersonation/sa-test.yaml
+          kubectl -n tenant-b wait kustomizations/podinfo --for=condition=ready --timeout=4m
+          kubectl -n tenant-b  delete kustomizations/podinfo --wait
+          kubectl -n tenant-d apply -f ./config/testdata/user-impersonation/token-imp.yaml
+          kubectl -n tenant-d wait kustomizations/podinfo --for=condition=ready --timeout=4m
+          kubectl -n tenant-d  delete kustomizations/podinfo --wait
+          kubectl -n tenant-c apply -f ./config/testdata/user-impersonation/fail-sa-test.yaml
+          until kubectl -n tenant-c get kustomization podinfo -oyaml | grep "Error from server (Forbidden)" ; do sleep 2; done
       - name: Logs
         run: |
           kubectl -n kustomize-system logs deploy/source-controller

Makefile

@@ -26,6 +26,10 @@ manager: generate fmt vet
 run: generate fmt vet manifests
 	go run ./main.go --metrics-addr=:8089
 
+# Run against the configured Kubernetes cluster in ~/.kube/config with flux user enabled
+run-enable-user: generate fmt vet manifests
+	go run ./main.go --metrics-addr=:8089 --user-impersonation
+
 # Download the CRDs the controller depends on
 download-crd-deps:
 	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml > config/crd/bases/gitrepositories.yaml

api/v1beta1/kustomization_types.go

@@ -138,6 +138,21 @@ type KustomizationSpec struct {
 	// +kubebuilder:default:=false
 	// +optional
 	Force bool `json:"force,omitempty"`
+
+	// Principal provides details on how the controller should
+	// carry out impersonation during garbage collections, health-check
+	// and applies
+	Principal *Principal `json:"principal,omitempty"`
+}
+
+type Principal struct {
+	// Kind specifies the kind of object to be impersonated
+	// The kind could be 'User' or 'ServiceAccount'
+	// +kubebuilder:validation:Enum=ServiceAccount;User
+	Kind string `json:"kind"`
+
+	// The name of the object to be impersonated
+	Name string `json:"name"`
 }
 
 // Decryption defines how decryption is handled for Kubernetes manifests.

config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml

@@ -297,6 +297,25 @@ spec:
                       type: object
                     type: array
                 type: object
+              principal:
+                description: Principal provides details on how the controller should
+                  carry out impersonation during garbage collections, health-check
+                  and applies
+                properties:
+                  kind:
+                    description: Kind specifies the kind of object to be impersonated
+                      The kind could be 'User' or 'ServiceAccount'
+                    enum:
+                    - ServiceAccount
+                    - User
+                    type: string
+                  name:
+                    description: The name of the object to be impersonated
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
               prune:
                 description: Prune enables garbage collection.
                 type: boolean

config/testdata/user-impersonation/fail-sa-test.yaml

@@ -0,0 +1,84 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tenant-c
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tenant-c
+  namespace: tenant-c
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tenant-c-admin
+  namespace: tenant-c
+rules:
+  - apiGroups: ['apps']
+    resources: ['deployments']
+    verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tenant-c-admin
+  namespace: tenant-c
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tenant-c-admin
+subjects:
+  - kind: ServiceAccount
+    name: tenant-c
+    namespace: tenant-c
+---
+# permissions for flux:users groups shouldn't work with serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-users
+  namespace: tenant-c
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: Group
+    name: flux:users
+    apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: tenant-c
+spec:
+  interval: 5m
+  url: https://github.com/stefanprodan/podinfo
+  ref:
+    tag: "5.0.3"
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: tenant-c
+spec:
+  targetNamespace: tenant-c
+  principal:
+    kind: ServiceAccount
+    name: tenant-c
+  interval: 5m
+  path: "./kustomize"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+    namespace: tenant-c
+  validation: client
+  timeout: 2m
+  healthChecks:
+    - kind: Deployment
+      name: podinfo
+      namespace: tenant-c

config/testdata/user-impersonation/new-rbac.yaml

@@ -0,0 +1,135 @@
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: user-impersonation
+  namespace: kustomize-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: user-impersonation-role
+rules:
+  - apiGroups:
+    - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - kustomize.toolkit.fluxcd.io
+    resources:
+      - kustomizations
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - kustomize.toolkit.fluxcd.io
+    resources:
+      - kustomizations/finalizers
+    verbs:
+      - create
+      - delete
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - kustomize.toolkit.fluxcd.io
+    resources:
+      - kustomizations/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - source.toolkit.fluxcd.io
+    resources:
+      - buckets
+      - gitrepositories
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - source.toolkit.fluxcd.io
+    resources:
+      - buckets/status
+      - gitrepositories/status
+    verbs:
+      - get
+  - apiGroups:
+    - ""
+    resources:
+      - groups
+      - users
+      - serviceaccounts
+    verbs:
+      - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user-impersonation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: user-impersonation-role
+subjects:
+  - kind: ServiceAccount
+    name: user-impersonation
+    namespace: kustomize-system

config/testdata/user-impersonation/patch.yaml

@@ -0,0 +1,12 @@
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          args:
+          - --watch-all-namespaces=true
+          - --log-level=info
+          - --log-encoding=json
+          - --enable-leader-election
+          - --user-impersonation
+      serviceAccountName: user-impersonation