Fix apache#1199: add optional permission for creating events

deploy/operator-role-binding-events.yaml

@@ -0,0 +1,30 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: camel-k-operator-events
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+roleRef:
+  kind: Role
+  name: camel-k-operator-events
+  apiGroup: rbac.authorization.k8s.io

deploy/operator-role-events.yaml

@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: camel-k-operator-events
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - get
+  - list
+  - watch

deploy/operator-role-kubernetes.yaml

@@ -66,7 +66,6 @@ rules:
   resources:
   - events
   verbs:
-  - create
   - get
   - list
   - watch

deploy/operator-role-openshift.yaml

@@ -66,7 +66,6 @@ rules:
   resources:
   - events
   verbs:
-  - create
   - get
   - list
   - watch

helm/camel-k/templates/operator-role.yaml

@@ -67,6 +67,7 @@ rules:
   resources:
   - events
   verbs:
+  - create
   - get
   - list
   - watch

pkg/cmd/operator/operator.go

@@ -27,10 +27,12 @@ import (
 	"time"
 
 	"github.com/apache/camel-k/pkg/client"
+	"github.com/apache/camel-k/pkg/util/kubernetes"
 	"github.com/operator-framework/operator-sdk/pkg/k8sutil"
 	"github.com/operator-framework/operator-sdk/pkg/leader"
 	"github.com/operator-framework/operator-sdk/pkg/ready"
 	sdkVersion "github.com/operator-framework/operator-sdk/version"
+	corev1 "k8s.io/api/core/v1"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/tools/record"
 
@@ -109,9 +111,18 @@ func Run() {
 		log.Error(err, "cannot initialize client")
 		os.Exit(1)
 	}
-	eventBroadcaster := record.NewBroadcaster()
-	//eventBroadcaster.StartLogging(camellog.WithName("events").Infof)
-	eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: c.CoreV1().Events(namespace)})
+
+	// Configure event broadcaster
+	var eventBroadcaster record.EventBroadcaster
+	if ok, err := kubernetes.CheckPermission(c, corev1.GroupName, "events", namespace, "", "create"); err != nil {
+		log.Error(err, "cannot check permissions for configuring event broadcaster")
+	} else if !ok {
+		log.Info("Event broadcasting to Kubernetes is disabled because of missing permissions to create events")
+	} else {
+		eventBroadcaster = record.NewBroadcaster()
+		//eventBroadcaster.StartLogging(camellog.WithName("events").Infof)
+		eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: c.CoreV1().Events(namespace)})
+	}
 
 	// Create a new Cmd to provide shared dependencies and start components
 	mgr, err := manager.New(cfg, manager.Options{

pkg/install/operator.go

@@ -20,6 +20,7 @@ package install
 import (
 	"context"
 	"errors"
+	"fmt"
 	"strings"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -124,6 +125,11 @@ func OperatorOrCollect(ctx context.Context, c client.Client, cfg OperatorConfigu
 	if isKnative {
 		return installKnative(ctx, c, cfg.Namespace, customizer, collection, force)
 	}
+
+	if errevt := installEvents(ctx, c, cfg.Namespace, customizer, collection); errevt != nil {
+		fmt.Println("Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.")
+	}
+
 	return nil
 }
 
@@ -152,6 +158,13 @@ func installKnative(ctx context.Context, c client.Client, namespace string, cust
 	)
 }
 
+func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection) error {
+	return ResourcesOrCollect(ctx, c, namespace, collection, customizer,
+		"operator-role-events.yaml",
+		"operator-role-binding-events.yaml",
+	)
+}
+
 // Platform installs the platform custom resource
 // nolint: lll
 func Platform(ctx context.Context, c client.Client, clusterType string, namespace string, registry v1.IntegrationPlatformRegistrySpec) (*v1.IntegrationPlatform, error) {

pkg/util/kubernetes/permission.go

@@ -0,0 +1,54 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubernetes
+
+import (
+	"github.com/apache/camel-k/pkg/client"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+)
+
+// CheckPermission can be used to check if the current user/service-account is allowed to execute a given operation
+// in the cluster.
+// E.g. checkPermission(client, olmv1alpha1.GroupName, "clusterserviceversions", namespace, "camel-k", "get")
+//
+// nolint:unparam
+func CheckPermission(client client.Client, group, resource, namespace, name, verb string) (bool, error) {
+	sarReview := &authorizationv1.SelfSubjectAccessReview{
+		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Group:     group,
+				Resource:  resource,
+				Namespace: namespace,
+				Name:      name,
+				Verb:      verb,
+			},
+		},
+	}
+
+	sar, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(sarReview)
+	if err != nil {
+		if k8serrors.IsForbidden(err) {
+			return false, nil
+		}
+		return false, err
+	} else if !sar.Status.Allowed {
+		return false, nil
+	}
+	return true, nil
+}

pkg/util/olm/operator.go

@@ -27,8 +27,6 @@ import (
 	olmv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/api/apis/operators/v1"
 	olmv1alpha1 "github.com/operator-framework/operator-lifecycle-manager/pkg/api/apis/operators/v1alpha1"
 	"github.com/pkg/errors"
-	authorizationv1 "k8s.io/api/authorization/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -89,7 +87,7 @@ func IsOperatorInstalled(ctx context.Context, client client.Client, namespace st
 
 // HasPermissionToInstall checks if the current user/serviceaccount has the right permissions to install camel k via OLM
 func HasPermissionToInstall(ctx context.Context, client client.Client, namespace string, global bool, options Options) (bool, error) {
-	if ok, err := checkPermission(client, olmv1alpha1.GroupName, "clusterserviceversions", namespace, options.Package, "list"); err != nil {
+	if ok, err := kubernetes.CheckPermission(client, olmv1alpha1.GroupName, "clusterserviceversions", namespace, options.Package, "list"); err != nil {
 		return false, err
 	} else if !ok {
 		return false, nil
@@ -100,7 +98,7 @@ func HasPermissionToInstall(ctx context.Context, client client.Client, namespace
 		targetNamespace = options.GlobalNamespace
 	}
 
-	if ok, err := checkPermission(client, olmv1alpha1.GroupName, "subscriptions", targetNamespace, options.Package, "create"); err != nil {
+	if ok, err := kubernetes.CheckPermission(client, olmv1alpha1.GroupName, "subscriptions", targetNamespace, options.Package, "create"); err != nil {
 		return false, err
 	} else if !ok {
 		return false, nil
@@ -113,7 +111,7 @@ func HasPermissionToInstall(ctx context.Context, client client.Client, namespace
 	}
 
 	if !global {
-		if ok, err := checkPermission(client, olmv1.GroupName, "operatorgroups", namespace, options.Package, "list"); err != nil {
+		if ok, err := kubernetes.CheckPermission(client, olmv1.GroupName, "operatorgroups", namespace, options.Package, "list"); err != nil {
 			return false, err
 		} else if !ok {
 			return false, nil
@@ -124,7 +122,7 @@ func HasPermissionToInstall(ctx context.Context, client client.Client, namespace
 			return false, err
 		}
 		if group == nil {
-			if ok, err := checkPermission(client, olmv1.GroupName, "operatorgroups", namespace, options.Package, "create"); err != nil {
+			if ok, err := kubernetes.CheckPermission(client, olmv1.GroupName, "operatorgroups", namespace, options.Package, "create"); err != nil {
 				return false, err
 			} else if !ok {
 				return false, nil
@@ -135,32 +133,6 @@ func HasPermissionToInstall(ctx context.Context, client client.Client, namespace
 	return true, nil
 }
 
-// nolint:unparam
-func checkPermission(client client.Client, group, resource, namespace, name, verb string) (bool, error) {
-	sarReview := &authorizationv1.SelfSubjectAccessReview{
-		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
-			ResourceAttributes: &authorizationv1.ResourceAttributes{
-				Group:     group,
-				Resource:  resource,
-				Namespace: namespace,
-				Name:      name,
-				Verb:      verb,
-			},
-		},
-	}
-
-	sar, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(sarReview)
-	if err != nil {
-		if k8serrors.IsForbidden(err) {
-			return false, nil
-		}
-		return false, err
-	} else if !sar.Status.Allowed {
-		return false, nil
-	}
-	return true, nil
-}
-
 // Install creates a subscription for the OLM package
 func Install(ctx context.Context, client client.Client, namespace string, global bool, options Options, collection *kubernetes.Collection) (bool, error) {
 	options = fillDefaults(options)