Merge pull request #1940 from rksharma95/conditional-rbac-rules

fix(operator): use rbac rules conditionally using flag
kubearmor · Jan 17, 2025 · 37f4ec5 · 37f4ec5
2 parents a82efe7 + 38f7f48
commit 37f4ec5
Show file tree

Hide file tree

Showing 15 changed files with 512 additions and 255 deletions.
diff --git a/deployments/helm/KubeArmorOperator/README.md b/deployments/helm/KubeArmorOperator/README.md
@@ -29,6 +29,7 @@ helm upgrade --install kubearmor-operator . -n kubearmor --create-namespace
 | kubearmorOperator.podSecurityContext | object | {} | pod security context |
 | kubearmorOperator.securityContext | object | {} | operator container security context |
 | kubearmorConfig | object | [values.yaml](values.yaml) | KubeArmor default configurations |
+| kubearmorOperator.annotateResource | bool | false | flag to control RBAC permissions conditionally, use `--annotateResource=<value>` arg as well to pass the same value to operator configuration |
 | autoDeploy | bool | false | Auto deploy KubeArmor with default configurations |
 
 The operator needs a `KubeArmorConfig` object in order to create resources related to KubeArmor. A default config is present in Helm `values.yaml` which can be overridden during Helm install. To install KubeArmor with default configuration use `--set autoDeploy=true` flag with helm install/upgrade command. It is possible to specify configuration even after KubeArmor resources have been installed by directly editing the created `KubeArmorConfig` CR.

diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-binding-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-binding-rbac.yaml
@@ -25,14 +25,13 @@ subjects:
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
-  name: {{ .Values.kubearmorOperator.name }}-tls-secrets-rolebinding
-  namespace: {{.Release.Namespace}}
+  name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .Values.kubearmorOperator.name }}-tls-secrets-role
+  kind: ClusterRole
+  name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.kubearmorOperator.name }}
@@ -41,12 +40,12 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole-binding
+  name: {{ .Values.kubearmorOperator.name }}-manage-relay-clusterrole-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole
+  name: {{ .Values.kubearmorOperator.name }}-manage-relay-clusterrole
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.kubearmorOperator.name }}
-  namespace: {{ .Release.Namespace }} 
+  namespace: {{ .Release.Namespace }}   
diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -12,34 +12,6 @@ rules:
   - watch
   - list
   - patch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  - services
-  - configmaps
-  verbs:
-  - get
-  - create
-  - delete
-  - update
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - daemonsets
-  verbs:
-  - list
-  - get
-  - create
-  - delete
-  - update
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
@@ -48,17 +20,9 @@ rules:
   - get
   - create
   - delete
-- apiGroups:
-  - batch
-  verbs:
-  - create
-  resources:
-  - jobs
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - roles
-  - rolebindings
   - clusterroles
   - clusterrolebindings
   verbs:
@@ -90,32 +54,31 @@ rules:
   - customresourcedefinitions
   verbs:
   - create
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  - cronjobs
-  verbs:
-  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ .Values.kubearmorOperator.name }}-manage-kubearmor-clusterrole
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+  - update
 - apiGroups:
   - ""
   resources:
   - pods
   - nodes
-  - namespaces
   - configmaps
   verbs:
   - get
-  - patch
   - list
   - watch
-  - update
 - apiGroups:
   - apps
   resources:
@@ -125,21 +88,25 @@ rules:
   - statefulsets
   verbs:
   - get
-  - patch
   - list
   - watch
+  {{- if .Values.kubearmorOperator.annotateResource }}
+  - patch
   - update
+  {{- end }}
 - apiGroups:
   - batch
   resources:
   - jobs
   - cronjobs
   verbs:
   - get
-  - patch
   - list
   - watch
+  {{- if .Values.kubearmorOperator.annotateResource }}
+  - patch
   - update
+  {{- end }}
 - apiGroups:
   - security.kubearmor.com
   resources:
@@ -160,14 +127,26 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-manage-relay-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole
 rules:
 - apiGroups:
   - ""
   resources:
   - pods
-  - configmaps
   verbs:
   - create
   - delete
@@ -180,10 +159,10 @@ rules:
   - ""
   resources:
   - nodes
-  verbs: 
-  - get 
-  - list 
-  - watch
+  verbs:
+  - get
+  - list
+  - watch   
 - apiGroups:
   - security.kubearmor.com
   resources:
@@ -208,94 +187,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
-- nonResourceURLs:
-  - /metrics
-  verbs:
-  - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Values.kubearmorOperator.name }}-manage-snitch-job
-  namespace: {{ .Release.Namespace }}
-rules:
-# to handle snitch mounts dynamically  
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - list  
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - get
-  - create
-  - delete  
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Values.kubearmorOperator.name }}-tls-secrets-role
-  namespace: {{ .Release.Namespace }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - update
-  - delete
-  resourceNames:
-  - {{ .Values.tlsSecrets.kubearmorCa }}
-  - {{ .Values.tlsSecrets.kubearmorClient }}
-  - {{ .Values.tlsSecrets.relayServer }}
-  - {{ .Values.tlsSecrets.controllerWebhook }}
-# cannot restric create by resource name, https://kubernetes.io/docs/reference/access-authn-authz/rbac/  
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
----
diff --git a/deployments/helm/KubeArmorOperator/templates/deployment.yaml b/deployments/helm/KubeArmorOperator/templates/deployment.yaml
@@ -45,14 +45,9 @@ spec:
         {{- end }}
         image: {{ include "operatorImage" . }}
         imagePullPolicy: {{ .Values.kubearmorOperator.imagePullPolicy }}
-
-        {{- $tag := (split ":" (include "operatorImage" .))._1 -}}
-        {{- if or (eq $tag "latest") (and (hasPrefix "v" $tag) (semverCompare "^1.4.0" $tag)) }}
-        # initDeploy flag is only supported from v1.4.0
         args:
         {{- if .Values.kubearmorOperator.args -}}
-        {{- toYaml .Values.kubearmorOperator.args | trim | nindent 8 }}
-        {{- end }}
+          {{- toYaml .Values.kubearmorOperator.args | trim | nindent 8 }}
         {{- end }}
         {{- with .Values.kubearmorOperator.securityContext }}
         securityContext:
@@ -62,6 +57,5 @@ spec:
         resources:
           {{- toYaml . | nindent 10 }}
         {{- end }}
-
       serviceAccountName: {{ .Values.kubearmorOperator.name }}