Merge pull request from GHSA-93xx-cvmc-9w3v

* Fix rbacs and limit CSI Plugin's node related access

Signed-off-by: trafalgarzzz <[email protected]>

* Update change log and chart version

Signed-off-by: trafalgarzzz <[email protected]>

* Fix fluid.namespace template rendering

Signed-off-by: trafalgarzzz <[email protected]>

* Remove leader election for fluid webhook

Signed-off-by: trafalgarzzz <[email protected]>

---------

Signed-off-by: trafalgarzzz <[email protected]>

Author: TrafalgarZZZ

charts/fluid/fluid/CHANGELOG.md

@@ -54,3 +54,4 @@
 
 ### 0.9.0
 * Support pass image pull secrets from fluid charts to alluxioruntime controller
+* Fix components rbacs and set Fluid CSI Plugin with node-authorized kube-client

charts/fluid/fluid/Chart.yaml

@@ -18,7 +18,7 @@ version: 0.8.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 0.8.5-00f609e
+appVersion: 0.8.6-2131f34
 home: https://github.com/fluid-cloudnative/fluid
 keywords:
   - category:data

charts/fluid/fluid/templates/csi/daemonset.yaml

@@ -104,8 +104,16 @@ spec:
           - name: fluid-src-dir
             mountPath: {{ .Values.runtime.mountRoot | quote }}
             mountPropagation: "Bidirectional"
-          - name: host-etc-dir
-            mountPath: /host-etc
+          - name: kubelet-kube-config
+            mountPath: /etc/kubernetes/kubelet.conf
+            readOnly: true
+          - name: kubelet-cert-dir
+            mountPath: {{ .Values.csi.kubelet.certDir | quote }}
+            readOnly: true
+          - name: updatedb-conf
+            mountPath: /host-etc/updatedb.conf
+          - name: updatedb-conf-bak
+            mountPath: /host-etc/updatedb.conf.bak
       volumes:
         - name: kubelet-dir
           hostPath:
@@ -124,6 +132,18 @@ spec:
             type: DirectoryOrCreate
           name: fluid-src-dir
         - hostPath:
-            path: /etc
+            path: {{ .Values.csi.kubelet.kubeConfigFile | quote }}
+            type: File
+          name: kubelet-kube-config
+        - hostPath:
+            path: {{ .Values.csi.kubelet.certDir | quote }}
             type: Directory
-          name: host-etc-dir
+          name: kubelet-cert-dir
+        - hostPath:
+            path: /etc/updatedb.conf
+            type: FileOrCreate
+          name: updatedb-conf
+        - hostPath:
+            path: /etc/updatedb.conf.backup
+            type: FileOrCreate
+          name: updatedb-conf-bak

charts/fluid/fluid/templates/role/csi/rbac.yaml

@@ -37,13 +37,7 @@ rules:
     verbs: ["get"]
   - apiGroups: [""]
     resources: ["events"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "patch"]
-  - apiGroups: [""]
-    resources: ["nodes/proxy"]
-    verbs: ["*"]
+    verbs: ["create", "patch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

charts/fluid/fluid/templates/role/webhook/rabc.yaml

@@ -1,16 +1,59 @@
 {{ if .Values.webhook.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: fluid-webhook
+  namespace: fluid-system
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - update
+    resourceNames:
+      - fluid-webhook-certs
+  # resourceNames won't protect create verb, so individually specify it for readability
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: fluid-webhook-rolebinding
+  namespace: fluid-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: fluid-webhook
+subjects:
+  - kind: ServiceAccount
+    name: fluid-webhook
+    namespace: fluid-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: fluid-webhook
 rules:
+  # Can only list and watch secret `mutatingwebhookconfiguration` with a metadata.name field selector
+  # See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
   - apiGroups:
       - admissionregistration.k8s.io
     resources:
-      - validatingwebhookconfigurations
       - mutatingwebhookconfigurations
+    resourceNames:
+      - fluid-pod-admission-webhook
     verbs:
-      - '*'
+      - get
+      - patch
+      - list
+      - watch
   - apiGroups:
       - data.fluid.io
     resources:
@@ -36,9 +79,7 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - secrets
       - configmaps
-      - events
     verbs:
       - get
       - create
@@ -54,12 +95,6 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/fluid/fluid/templates/webhook/webhook.yaml

@@ -16,6 +16,8 @@ spec:
       labels:
         control-plane: fluid-webhook
     spec:
+      tolerations:
+        - operator: Exists
       {{- with .Values.image.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -29,7 +31,6 @@ spec:
           - --development=false
           - --full-go-profile=false
           - --pprof-addr=:6060
-          - --enable-leader-election
         env:
           - name: MY_POD_NAMESPACE
             valueFrom:

charts/fluid/fluid/values.yaml

@@ -4,15 +4,15 @@
 
 workdir: /tmp
 crdUpgrade:
-  image: fluidcloudnative/fluid-crd-upgrader:v0.8.5-00f609e
+  image: fluidcloudnative/fluid-crd-upgrader:v0.8.6-2131f34
 
 image:
   imagePullSecrets: []
 
 dataset:
   replicas: 1
   controller:
-    image: fluidcloudnative/dataset-controller:v0.8.5-00f609e
+    image: fluidcloudnative/dataset-controller:v0.8.6-2131f34
 
 csi:
   featureGates: "FuseRecovery=false"
@@ -21,8 +21,10 @@ csi:
   registrar:
     image: registry.aliyuncs.com/acs/csi-node-driver-registrar:v2.3.0-038aeb6-aliyun
   plugins:
-    image: fluidcloudnative/fluid-csi:v0.8.5-00f609e
+    image: fluidcloudnative/fluid-csi:v0.8.6-2131f34
   kubelet:
+    kubeConfigFile: /etc/kubernetes/kubelet.conf
+    certDir: /var/lib/kubelet/pki
     rootDir: /var/lib/kubelet
   pruneFs: fuse.alluxio-fuse,fuse.jindofs-fuse,fuse.juicefs,fuse.goosefs-fuse,ossfs
 
@@ -37,9 +39,9 @@ runtime:
     portAllocatePolicy: random
     enabled: false
     init:
-      image: fluidcloudnative/init-users:v0.8.5-00f609e
+      image: fluidcloudnative/init-users:v0.8.6-2131f34
     controller:
-      image: fluidcloudnative/alluxioruntime-controller:v0.8.5-00f609e
+      image: fluidcloudnative/alluxioruntime-controller:v0.8.6-2131f34
     runtime:
       # image: fluidcloudnative/alluxio:release-2.7.3-SNAPSHOT-a7154f1
       image: fluidcloudnative/alluxio:release-2.8.1-SNAPSHOT-0433ade
@@ -59,21 +61,21 @@ runtime:
     fuse:
       image: registry.cn-shanghai.aliyuncs.com/jindofs/jindo-fuse:4.5.1
     controller:
-      image: fluidcloudnative/jindoruntime-controller:v0.8.5-00f609e
+      image: fluidcloudnative/jindoruntime-controller:v0.8.6-2131f34
     init:
       portCheck:
         enabled: false
-      image: fluidcloudnative/init-users:v0.8.5-00f609e
+      image: fluidcloudnative/init-users:v0.8.6-2131f34
   goosefs:
     replicas: 1
     runtimeWorkers: 3
     portRange: 26000-32000
     portAllocatePolicy: random
     enabled: false
     init:
-      image: fluidcloudnative/init-users:v0.8.5-00f609e
+      image: fluidcloudnative/init-users:v0.8.6-2131f34
     controller:
-      image: fluidcloudnative/goosefsruntime-controller:v0.8.5-00f609e
+      image: fluidcloudnative/goosefsruntime-controller:v0.8.6-2131f34
     runtime:
       image: ccr.ccs.tencentyun.com/qcloud/goosefs:v1.2.0
     fuse:
@@ -82,18 +84,18 @@ runtime:
     replicas: 1
     enabled: false
     controller:
-      image: fluidcloudnative/juicefsruntime-controller:v0.8.5-00f609e
+      image: fluidcloudnative/juicefsruntime-controller:v0.8.6-2131f34
     fuse:
       image: juicedata/juicefs-fuse:v1.0.0-4.8.0
 
 webhook:
   enabled: true
-  image: fluidcloudnative/fluid-webhook:v0.8.5-00f609e
+  image: fluidcloudnative/fluid-webhook:v0.8.6-2131f34
   replicas: 1
   reinvocationPolicy: Never
 
 fluidapp:
   enabled: true
   replicas: 1
   controller:
-    image: fluidcloudnative/application-controller:v0.8.5-00f609e
+    image: fluidcloudnative/application-controller:v0.8.6-2131f34

cmd/csi/app/csi.go

@@ -39,12 +39,13 @@ import (
 )
 
 var (
-	endpoint    string
-	nodeID      string
-	metricsAddr string
-	pprofAddr   string
-	pruneFs     []string
-	prunePath   string
+	endpoint              string
+	nodeID                string
+	metricsAddr           string
+	pprofAddr             string
+	pruneFs               []string
+	prunePath             string
+	kubeletKubeConfigPath string
 )
 
 var scheme = runtime.NewScheme()
@@ -81,6 +82,7 @@ func init() {
 	startCmd.Flags().StringVarP(&prunePath, "prune-path", "", "/runtime-mnt", "Prune path to add in /etc/updatedb.conf")
 	startCmd.Flags().StringVarP(&metricsAddr, "metrics-addr", "", ":8080", "The address the metrics endpoint binds to.")
 	startCmd.Flags().StringVarP(&pprofAddr, "pprof-addr", "", "", "The address for pprof to use while exporting profiling results")
+	startCmd.Flags().StringVarP(&kubeletKubeConfigPath, "kubelet-kube-config", "", "/etc/kubernetes/kubelet.conf", "The file path to kubelet kube config")
 	utilfeature.DefaultMutableFeatureGate.AddFlag(startCmd.Flags())
 	startCmd.Flags().AddGoFlagSet(flag.CommandLine)
 }
@@ -109,10 +111,11 @@ func handle() {
 	}
 
 	config := config.Config{
-		NodeId:    nodeID,
-		Endpoint:  endpoint,
-		PruneFs:   pruneFs,
-		PrunePath: prunePath,
+		NodeId:            nodeID,
+		Endpoint:          endpoint,
+		PruneFs:           pruneFs,
+		PrunePath:         prunePath,
+		KubeletConfigPath: kubeletKubeConfigPath,
 	}
 
 	if err = csi.SetupWithManager(mgr, config); err != nil {

pkg/csi/config/config.go

@@ -17,8 +17,9 @@ limitations under the License.
 package config
 
 type Config struct {
-	NodeId    string
-	Endpoint  string
-	PruneFs   []string
-	PrunePath string
+	NodeId            string
+	Endpoint          string
+	PruneFs           []string
+	PrunePath         string
+	KubeletConfigPath string
 }

pkg/csi/plugins/driver.go

@@ -20,9 +20,11 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
+
+	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"strings"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/fluid-cloudnative/fluid/pkg/utils"
@@ -36,15 +38,16 @@ const (
 )
 
 type driver struct {
-	client           client.Client
-	apiReader        client.Reader
-	csiDriver        *csicommon.CSIDriver
-	nodeId, endpoint string
+	client               client.Client
+	apiReader            client.Reader
+	nodeAuthorizedClient *kubernetes.Clientset
+	csiDriver            *csicommon.CSIDriver
+	nodeId, endpoint     string
 }
 
 var _ manager.Runnable = &driver{}
 
-func NewDriver(nodeID, endpoint string, client client.Client, apiReader client.Reader) *driver {
+func NewDriver(nodeID, endpoint string, client client.Client, apiReader client.Reader, nodeAuthorizedClient *kubernetes.Clientset) *driver {
 	glog.Infof("Driver: %v version: %v", driverName, version)
 
 	proto, addr := utils.SplitSchemaAddr(endpoint)
@@ -66,11 +69,12 @@ func NewDriver(nodeID, endpoint string, client client.Client, apiReader client.R
 	csiDriver.AddVolumeCapabilityAccessModes([]csi.VolumeCapability_AccessMode_Mode{csi.VolumeCapability_AccessMode_MULTI_NODE_MULTI_WRITER})
 
 	return &driver{
-		nodeId:    nodeID,
-		endpoint:  endpoint,
-		csiDriver: csiDriver,
-		client:    client,
-		apiReader: apiReader,
+		nodeId:               nodeID,
+		endpoint:             endpoint,
+		csiDriver:            csiDriver,
+		client:               client,
+		nodeAuthorizedClient: nodeAuthorizedClient,
+		apiReader:            apiReader,
 	}
 }
 
@@ -82,10 +86,11 @@ func (d *driver) newControllerServer() *controllerServer {
 
 func (d *driver) newNodeServer() *nodeServer {
 	return &nodeServer{
-		nodeId:            d.nodeId,
-		DefaultNodeServer: csicommon.NewDefaultNodeServer(d.csiDriver),
-		client:            d.client,
-		apiReader:         d.apiReader,
+		nodeId:               d.nodeId,
+		DefaultNodeServer:    csicommon.NewDefaultNodeServer(d.csiDriver),
+		client:               d.client,
+		apiReader:            d.apiReader,
+		nodeAuthorizedClient: d.nodeAuthorizedClient,
 	}
 }