Skip to content

Unpack job security updates #2805

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 22, 2022
Merged

Unpack job security updates #2805

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
226e0fd
Remove unneeded 'get' verb from bundle unpacker role
perdasilva Jun 19, 2022
b349543
Move bundle unpacker policy rule creation to its own method
perdasilva Jun 21, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 40 additions & 21 deletions pkg/controller/bundle/bundle_unpacker.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -435,7 +435,7 @@ func (c *ConfigMapUnpacker) UnpackBundle(lookup *operatorsv1alpha1.BundleLookup,
return
}

_, err = c.ensureRole(cmRef)
_, err = c.ensureRole(cmRef, c.getRolePolicyRules(cmRef))
if err != nil {
return
}
Expand Down Expand Up @@ -610,27 +610,13 @@ func (c *ConfigMapUnpacker) ensureJob(cmRef *corev1.ObjectReference, bundlePath
return
}

func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference) (role *rbacv1.Role, err error) {
func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference, policyRules []rbacv1.PolicyRule) (role *rbacv1.Role, err error) {
if cmRef == nil {
return nil, fmt.Errorf("configmap reference is nil")
}

rule := rbacv1.PolicyRule{
APIGroups: []string{
"",
},
Verbs: []string{
"create", "get", "update",
},
Resources: []string{
"configmaps",
},
ResourceNames: []string{
cmRef.Name,
},
}
fresh := &rbacv1.Role{
Rules: []rbacv1.PolicyRule{rule},
Rules: policyRules,
}
fresh.SetNamespace(cmRef.Namespace)
fresh.SetName(cmRef.Name)
Expand All @@ -646,19 +632,43 @@ func (c *ConfigMapUnpacker) ensureRole(cmRef *corev1.ObjectReference) (role *rba
}

// Add the policy rule if necessary
for _, existing := range role.Rules {
if equality.Semantic.DeepDerivative(rule, existing) {
return
var ruleDiff []rbacv1.PolicyRule
for _, proposed := range policyRules {
if !containsRule(role.Rules, proposed) {
ruleDiff = append(ruleDiff, proposed)
}
}

role = role.DeepCopy()
role.Rules = append(role.Rules, rule)
role.Rules = append(role.Rules, ruleDiff...)

role, err = c.client.RbacV1().Roles(role.GetNamespace()).Update(context.TODO(), role, metav1.UpdateOptions{})

return
}

// getRolePolicyRules returns the set of policy rules used by the role attached to the
// bundle unpacker service account. This method lends itself to easier downstream patching when additional
// policy rules are required, e.g. for Openshift SCC
func (c *ConfigMapUnpacker) getRolePolicyRules(cmRef *corev1.ObjectReference) []rbacv1.PolicyRule {
return []rbacv1.PolicyRule{
{
APIGroups: []string{
"",
},
Verbs: []string{
"get", "update",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to create the configmap to unpack the bundles?

Assuming that we are testing it on the ci and all is passing that seems that we do not need it.
Then, the changes shows fine for me

/approved
/lgtm

},
Resources: []string{
"configmaps",
},
ResourceNames: []string{
cmRef.Name,
},
},
}
}

func (c *ConfigMapUnpacker) ensureRoleBinding(cmRef *corev1.ObjectReference) (roleBinding *rbacv1.RoleBinding, err error) {
fresh := &rbacv1.RoleBinding{
Subjects: []rbacv1.Subject{
Expand Down Expand Up @@ -738,3 +748,12 @@ func getCondition(job *batchv1.Job, conditionType batchv1.JobConditionType) (con
}
return
}

func containsRule(rules []rbacv1.PolicyRule, rule rbacv1.PolicyRule) bool {
for _, r := range rules {
if equality.Semantic.DeepDerivative(r, rule) {
return true
}
}
return false
}
4 changes: 2 additions & 2 deletions pkg/controller/bundle/bundle_unpacker_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -353,7 +353,7 @@ func TestConfigMapUnpacker(t *testing.T) {
"",
},
Verbs: []string{
"create", "get", "update",
"get", "update",
},
Resources: []string{
"configmaps",
Expand Down Expand Up @@ -769,7 +769,7 @@ func TestConfigMapUnpacker(t *testing.T) {
"",
},
Verbs: []string{
"create", "get", "update",
"get", "update",
},
Resources: []string{
"configmaps",
Expand Down