Bug 1918351: Gather SAP configuration (SCC & ClusterRoleBinding)

docs/gathered-data.md

@@ -363,6 +363,18 @@ See: docs/insights-archive-sample/config/pdbs
 Id in config: pdbs
 
 
+## SAPConfig
+
+collects selected security context constraints
+and cluster role bindings from clusters running a SAP payload.
+
+Relevant OpenShift API docs:
+  - https://pkg.go.dev/github.com/openshift/client-go/authorization/clientset/versioned/typed/authorization/v1
+  - https://pkg.go.dev/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1
+
+Location in archive: config/securitycontentconstraint/, config/clusterrolebinding/
+
+
 ## ServiceAccounts
 
 collects ServiceAccount stats

docs/insights-archive-sample/config/clusterrolebinding/system_openshift_scc_anyuid.json

@@ -0,0 +1 @@
+{"metadata":{"name":"system:openshift:scc:anyuid","selfLink":"/apis/authorization.openshift.io/v1/clusterrolebindings/system%3Aopenshift%3Ascc%3Aanyuid","uid":"9eafc254-58ec-412d-a891-9188cdba7e29","resourceVersion":"20953938","creationTimestamp":"2020-11-02T13:00:04Z","managedFields":[{"manager":"oc","operation":"Update","apiVersion":"rbac.authorization.k8s.io/v1","time":"2020-11-12T14:34:12Z","fieldsType":"FieldsV1","fieldsV1":{"f:roleRef":{"f:apiGroup":{},"f:kind":{},"f:name":{}},"f:subjects":{}}}]},"userNames":["system:serviceaccount:iptablestest:iptablestest"],"groupNames":["system:serviceaccounts:sdi"],"subjects":[{"kind":"SystemGroup","name":"system:serviceaccounts:sdi"},{"kind":"ServiceAccount","namespace":"iptablestest","name":"iptablestest"}],"roleRef":{"name":"system:openshift:scc:anyuid"}}

docs/insights-archive-sample/config/clusterrolebinding/system_openshift_scc_privileged.json

@@ -0,0 +1 @@
+{"metadata":{"name":"system:openshift:scc:privileged","selfLink":"/apis/authorization.openshift.io/v1/clusterrolebindings/system%3Aopenshift%3Ascc%3Aprivileged","uid":"6cc7c36c-e401-4c85-9546-55cbfc2d8c90","resourceVersion":"40739306","creationTimestamp":"2020-11-02T13:00:05Z","managedFields":[{"manager":"oc","operation":"Update","apiVersion":"rbac.authorization.k8s.io/v1","time":"2020-11-26T12:54:07Z","fieldsType":"FieldsV1","fieldsV1":{"f:roleRef":{"f:apiGroup":{},"f:kind":{},"f:name":{}},"f:subjects":{}}}]},"userNames":["system:serviceaccount:sdi:sdi-elasticsearch","system:serviceaccount:sdi:sdi-fluentd","system:serviceaccount:sdi:default","system:serviceaccount:sdi:vora-vflow-server","system:serviceaccount:sdi:vora-vsystem-sdi","system:serviceaccount:sdi:vora-vsystem-sdi-vrep","system:serviceaccount:sdi:mlf-deployment-api"],"groupNames":null,"subjects":[{"kind":"ServiceAccount","namespace":"sdi","name":"sdi-elasticsearch"},{"kind":"ServiceAccount","namespace":"sdi","name":"sdi-fluentd"},{"kind":"ServiceAccount","namespace":"sdi","name":"default"},{"kind":"ServiceAccount","namespace":"sdi","name":"vora-vflow-server"},{"kind":"ServiceAccount","namespace":"sdi","name":"vora-vsystem-sdi"},{"kind":"ServiceAccount","namespace":"sdi","name":"vora-vsystem-sdi-vrep"},{"kind":"ServiceAccount","namespace":"sdi","name":"mlf-deployment-api"}],"roleRef":{"name":"system:openshift:scc:privileged"}}

docs/insights-archive-sample/config/securitycontextconstraint/anyuid.json

@@ -0,0 +1 @@
+{"metadata":{"name":"anyuid","selfLink":"/apis/security.openshift.io/v1/securitycontextconstraints/anyuid","uid":"2b1305bf-fe0a-4696-b192-1e75875869e2","resourceVersion":"1301","generation":1,"creationTimestamp":"2020-10-29T14:27:29Z","annotations":{"include.release.openshift.io/self-managed-high-availability":"true","kubernetes.io/description":"anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.","release.openshift.io/create-only":"true"},"managedFields":[{"manager":"cluster-version-operator","operation":"Update","apiVersion":"security.openshift.io/v1","time":"2020-10-29T14:27:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:allowHostDirVolumePlugin":{},"f:allowHostIPC":{},"f:allowHostNetwork":{},"f:allowHostPID":{},"f:allowHostPorts":{},"f:allowPrivilegeEscalation":{},"f:allowPrivilegedContainer":{},"f:allowedCapabilities":{},"f:defaultAddCapabilities":{},"f:fsGroup":{".":{},"f:type":{}},"f:groups":{},"f:metadata":{"f:annotations":{".":{},"f:include.release.openshift.io/self-managed-high-availability":{},"f:kubernetes.io/description":{},"f:release.openshift.io/create-only":{}}},"f:priority":{},"f:readOnlyRootFilesystem":{},"f:requiredDropCapabilities":{},"f:runAsUser":{".":{},"f:type":{}},"f:seLinuxContext":{".":{},"f:type":{}},"f:supplementalGroups":{".":{},"f:type":{}},"f:users":{},"f:volumes":{}}}]},"priority":10,"allowPrivilegedContainer":false,"defaultAddCapabilities":null,"requiredDropCapabilities":["MKNOD"],"allowedCapabilities":null,"allowHostDirVolumePlugin":false,"volumes":["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"],"allowHostNetwork":false,"allowHostPorts":false,"allowHostPID":false,"allowHostIPC":false,"allowPrivilegeEscalation":true,"seLinuxContext":{"type":"MustRunAs"},"runAsUser":{"type":"RunAsAny"},"supplementalGroups":{"type":"RunAsAny"},"fsGroup":{"type":"RunAsAny"},"readOnlyRootFilesystem":false,"users":[],"groups":["system:cluster-admins"]}

docs/insights-archive-sample/config/securitycontextconstraint/privileged.json

@@ -0,0 +1 @@
+{"metadata":{"name":"privileged","selfLink":"/apis/security.openshift.io/v1/securitycontextconstraints/privileged","uid":"8c98d901-ea31-4ad8-8616-f2d2185af2f7","resourceVersion":"40739187","generation":2,"creationTimestamp":"2020-10-29T14:27:37Z","annotations":{"include.release.openshift.io/self-managed-high-availability":"true","kubernetes.io/description":"privileged allows access to all privileged and host features and the ability to run as any user, any group, any fsGroup, and with any SELinux context.  WARNING: this is the most relaxed SCC and should be used only for cluster administration. Grant with caution.","release.openshift.io/create-only":"true"},"managedFields":[{"manager":"cluster-version-operator","operation":"Update","apiVersion":"security.openshift.io/v1","time":"2020-10-29T14:27:37Z","fieldsType":"FieldsV1","fieldsV1":{"f:allowHostDirVolumePlugin":{},"f:allowHostIPC":{},"f:allowHostNetwork":{},"f:allowHostPID":{},"f:allowHostPorts":{},"f:allowPrivilegeEscalation":{},"f:allowPrivilegedContainer":{},"f:allowedCapabilities":{},"f:allowedUnsafeSysctls":{},"f:defaultAddCapabilities":{},"f:fsGroup":{".":{},"f:type":{}},"f:groups":{},"f:metadata":{"f:annotations":{".":{},"f:include.release.openshift.io/self-managed-high-availability":{},"f:kubernetes.io/description":{},"f:release.openshift.io/create-only":{}}},"f:priority":{},"f:readOnlyRootFilesystem":{},"f:requiredDropCapabilities":{},"f:runAsUser":{".":{},"f:type":{}},"f:seLinuxContext":{".":{},"f:type":{}},"f:seccompProfiles":{},"f:supplementalGroups":{".":{},"f:type":{}},"f:volumes":{}}},{"manager":"kubectl-edit","operation":"Update","apiVersion":"security.openshift.io/v1","time":"2020-11-26T12:53:56Z","fieldsType":"FieldsV1","fieldsV1":{"f:users":{}}}]},"priority":null,"allowPrivilegedContainer":true,"defaultAddCapabilities":null,"requiredDropCapabilities":null,"allowedCapabilities":["*"],"allowHostDirVolumePlugin":true,"volumes":["*"],"allowHostNetwork":true,"allowHostPorts":true,"allowHostPID":true,"allowHostIPC":true,"allowPrivilegeEscalation":true,"seLinuxContext":{"type":"RunAsAny"},"runAsUser":{"type":"RunAsAny"},"supplementalGroups":{"type":"RunAsAny"},"fsGroup":{"type":"RunAsAny"},"readOnlyRootFilesystem":false,"users":["system:admin","system:serviceaccount:openshift-infra:build-controller","system:serviceaccount:sdi:mlf-deployment-api"],"groups":["system:cluster-admins","system:nodes","system:masters"],"seccompProfiles":["*"],"allowedUnsafeSysctls":["*"]}

manifests/03-clusterrole.yaml

@@ -168,6 +168,14 @@ rules:
     - operator.openshift.io
   resources:
     - "*"
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - installers.datahub.sap.com
+  resources:
+    - "*"
   verbs:
     - get
     - list

pkg/gather/clusterconfig/0_gatherer.go

@@ -72,6 +72,7 @@ var gatherFunctions = map[string]gatherFunction{
 	"openshift_apiserver_operator_logs": GatherOpenShiftAPIServerOperatorLogs,
 	"openshift_sdn_logs":                GatherOpenshiftSDNLogs,
 	"openshift_sdn_controller_logs":     GatherOpenshiftSDNControllerLogs,
+	"sap_config":                        GatherSAPConfig,
 }
 
 // New creates new Gatherer

pkg/gather/clusterconfig/sap_config.go

@@ -0,0 +1,109 @@
+package clusterconfig
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+
+	authclient "github.com/openshift/client-go/authorization/clientset/versioned/typed/authorization/v1"
+	securityv1client "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1"
+
+	"github.com/openshift/insights-operator/pkg/record"
+)
+
+// GatherSAPConfig collects selected security context constraints
+// and cluster role bindings from clusters running a SAP payload.
+//
+// Relevant OpenShift API docs:
+//   - https://pkg.go.dev/github.com/openshift/client-go/authorization/clientset/versioned/typed/authorization/v1
+//   - https://pkg.go.dev/github.com/openshift/client-go/security/clientset/versioned/typed/security/v1
+//
+// Location in archive: config/securitycontentconstraint/, config/clusterrolebinding/
+func GatherSAPConfig(g *Gatherer, c chan<- gatherResult) {
+	gatherDynamicClient, err := dynamic.NewForConfig(g.gatherKubeConfig)
+	if err != nil {
+		c <- gatherResult{errors: []error{err}}
+		return
+	}
+	gatherKubeClient, err := kubernetes.NewForConfig(g.gatherProtoKubeConfig)
+	if err != nil {
+		c <- gatherResult{errors: []error{err}}
+		return
+	}
+	gatherSecurityClient, err := securityv1client.NewForConfig(g.gatherKubeConfig)
+	if err != nil {
+		c <- gatherResult{errors: []error{err}}
+		return
+	}
+	gatherAuthClient, err := authclient.NewForConfig(g.gatherKubeConfig)
+	if err != nil {
+		c <- gatherResult{errors: []error{err}}
+		return
+	}
+
+	records, errors := gatherSAPConfig(g.ctx, gatherDynamicClient, gatherKubeClient.CoreV1(), gatherSecurityClient, gatherAuthClient)
+	c <- gatherResult{records: records, errors: errors}
+}
+
+func gatherSAPConfig(ctx context.Context, dynamicClient dynamic.Interface, coreClient corev1client.CoreV1Interface, securityClient securityv1client.SecurityV1Interface, authClient authclient.AuthorizationV1Interface) ([]record.Record, []error) {
+	sccToGather := []string{"anyuid", "privileged"}
+	crbToGather := []string{"system:openshift:scc:anyuid", "system:openshift:scc:privileged"}
+
+	datahubsResource := schema.GroupVersionResource{Group: "installers.datahub.sap.com", Version: "v1alpha1", Resource: "datahubs"}
+
+	datahubsList, err := dynamicClient.Resource(datahubsResource).List(ctx, metav1.ListOptions{})
+	if errors.IsNotFound(err) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, []error{err}
+	}
+	// If no DataHubs resource exists on the cluster, skip this gathering.
+	// This may already be handled by the IsNotFound check, but it's better to be sure.
+	if len(datahubsList.Items) == 0 {
+		return nil, nil
+	}
+
+	records := []record.Record{}
+
+	for _, name := range sccToGather {
+		scc, err := securityClient.SecurityContextConstraints().Get(ctx, name, metav1.GetOptions{})
+		if errors.IsNotFound(err) {
+			continue
+		}
+		if err != nil {
+			return nil, []error{err}
+		}
+		records = append(records, record.Record{
+			Name: fmt.Sprintf("config/securitycontextconstraint/%s", scc.Name),
+			// It is not possible to use the generic OpenShift Anonymizer type here
+			// because the SCC and CRB resources returned by their respective clients
+			// are currently missing some properties (kind, apiVersion).
+			Item: record.JSONMarshaller{Object: scc},
+		})
+	}
+
+	for _, name := range crbToGather {
+		crb, err := authClient.ClusterRoleBindings().Get(ctx, name, metav1.GetOptions{})
+		if errors.IsNotFound(err) {
+			continue
+		}
+		if err != nil {
+			return nil, []error{err}
+		}
+		records = append(records, record.Record{
+			Name: fmt.Sprintf("config/clusterrolebinding/%s", strings.ReplaceAll(crb.Name, ":", "_")),
+			// See the note above on why it is not possible to use the generic Anonymizer type.
+			Item: record.JSONMarshaller{Object: crb},
+		})
+	}
+
+	return records, nil
+}

pkg/gather/clusterconfig/sap_config_test.go

@@ -0,0 +1,101 @@
+package clusterconfig
+
+import (
+	"context"
+	"testing"
+
+	authv1 "github.com/openshift/api/authorization/v1"
+	securityv1 "github.com/openshift/api/security/v1"
+	authfake "github.com/openshift/client-go/authorization/clientset/versioned/fake"
+	securityfake "github.com/openshift/client-go/security/clientset/versioned/fake"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/yaml"
+	dynamicfake "k8s.io/client-go/dynamic/fake"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+)
+
+func TestSAPConfig(t *testing.T) {
+	// Initialize the fake dynamic client.
+	var datahubYAML = `apiVersion: installers.datahub.sap.com/v1alpha1
+kind: DataHub
+metadata:
+    name: example-datahub
+    namespace: example-namespace
+`
+
+	datahubsResource := schema.GroupVersionResource{Group: "installers.datahub.sap.com", Version: "v1alpha1", Resource: "datahubs"}
+	datahubsClient := dynamicfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), map[schema.GroupVersionResource]string{
+		datahubsResource: "DataHubsList",
+	})
+
+	decUnstructured := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)
+	testDatahub := &unstructured.Unstructured{}
+
+	_, _, err := decUnstructured.Decode([]byte(datahubYAML), nil, testDatahub)
+	if err != nil {
+		t.Fatal("unable to decode datahub YAML", err)
+	}
+
+	// Initialize the remaining K8s/OS fake clients.
+	coreClient := kubefake.NewSimpleClientset()
+	authClient := authfake.NewSimpleClientset()
+	securityClient := securityfake.NewSimpleClientset()
+
+	// Security Context Constraints.
+	securityClient.SecurityV1().SecurityContextConstraints().Create(
+		context.Background(),
+		&securityv1.SecurityContextConstraints{ObjectMeta: metav1.ObjectMeta{Name: "anyuid"}},
+		metav1.CreateOptions{},
+	)
+	securityClient.SecurityV1().SecurityContextConstraints().Create(
+		context.Background(),
+		&securityv1.SecurityContextConstraints{ObjectMeta: metav1.ObjectMeta{Name: "privileged"}},
+		metav1.CreateOptions{},
+	)
+	// This SCC should not be collected.
+	securityClient.SecurityV1().SecurityContextConstraints().Create(
+		context.Background(),
+		&securityv1.SecurityContextConstraints{ObjectMeta: metav1.ObjectMeta{Name: "ignored"}},
+		metav1.CreateOptions{},
+	)
+
+	// Cluster Role Bindings.
+	authClient.AuthorizationV1().ClusterRoleBindings().Create(
+		context.Background(),
+		&authv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "system:openshift:scc:anyuid"}},
+		metav1.CreateOptions{},
+	)
+	authClient.AuthorizationV1().ClusterRoleBindings().Create(
+		context.Background(),
+		&authv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "system:openshift:scc:privileged"}},
+		metav1.CreateOptions{},
+	)
+	// This CRB should not be collected.
+	authClient.AuthorizationV1().ClusterRoleBindings().Create(
+		context.Background(),
+		&authv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "system:openshift:scc:ignored"}},
+		metav1.CreateOptions{},
+	)
+
+	records, errs := gatherSAPConfig(context.Background(), datahubsClient, coreClient.CoreV1(), securityClient.SecurityV1(), authClient.AuthorizationV1())
+	if len(errs) > 0 {
+		t.Fatalf("unexpected errors: %#v", errs)
+	}
+	if len(records) != 0 {
+		t.Fatalf("unexpected number or records in the first run: %d", len(records))
+	}
+
+	// Create the DataHubs resource and now the SCCs and CRBs should be gathered.
+	datahubsClient.Resource(datahubsResource).Namespace("example-namespace").Create(context.Background(), testDatahub, metav1.CreateOptions{})
+
+	records, errs = gatherSAPConfig(context.Background(), datahubsClient, coreClient.CoreV1(), securityClient.SecurityV1(), authClient.AuthorizationV1())
+	if len(errs) > 0 {
+		t.Fatalf("unexpected errors: %#v", errs)
+	}
+	if len(records) != 4 {
+		t.Fatalf("unexpected number or records in the second run: %d", len(records))
+	}
+}