Merge pull request #200 from hasbro17/haseeb/restrict-rbac-rules

hasbro17 · web-flow · commit 1efc94a4a91d · 2018-04-27T12:39:14.000-07:00
generator: restrict default RBAC rules
diff --git a/pkg/generator/deploy_tmpl.go b/pkg/generator/deploy_tmpl.go
@@ -56,9 +56,30 @@ metadata:
   name: {{.ProjectName}}
 rules:
 - apiGroups:
+  - {{.GroupName}}
+  resources:
+  - "*"
+  verbs:
   - "*"
+- apiGroups:
+  - ""
   resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
   - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
   verbs:
   - "*"
 
diff --git a/pkg/generator/gen_deploy.go b/pkg/generator/gen_deploy.go
@@ -66,17 +66,21 @@ func renderOperatorYaml(w io.Writer, kind, apiVersion, projectName, image string
 // when pairing with rbacYamlTmpl template.
 type RBACYaml struct {
 	ProjectName string
+	GroupName   string
 }
 
 // renderRBACYaml generates deploy/rbac.yaml.
-func renderRBACYaml(w io.Writer, projectName string) error {
+func renderRBACYaml(w io.Writer, projectName, groupName string) error {
 	t := template.New(rbacTmplName)
 	t, err := t.Parse(rbacYamlTmpl)
 	if err != nil {
 		return fmt.Errorf("failed to parse rbac yaml template: %v", err)
 	}
 
-	r := RBACYaml{ProjectName: projectName}
+	r := RBACYaml{
+		ProjectName: projectName,
+		GroupName:   groupName,
+	}
 	return t.Execute(w, r)
 }
 
diff --git a/pkg/generator/generator.go b/pkg/generator/generator.go
@@ -167,17 +167,17 @@ func (g *Generator) renderDeploy() error {
 	return renderDeployFiles(dp, g.projectName, g.apiVersion, g.kind)
 }
 
-func renderRBAC(deployDir, projectName string) error {
+func renderRBAC(deployDir, projectName, groupName string) error {
 	buf := &bytes.Buffer{}
-	if err := renderRBACYaml(buf, projectName); err != nil {
+	if err := renderRBACYaml(buf, projectName, groupName); err != nil {
 		return err
 	}
 	return writeFileAndPrint(filepath.Join(deployDir, rbacYaml), buf.Bytes(), defaultFileMode)
 }
 
 func renderDeployFiles(deployDir, projectName, apiVersion, kind string) error {
 	buf := &bytes.Buffer{}
-	if err := renderRBACYaml(buf, projectName); err != nil {
+	if err := renderRBACYaml(buf, projectName, groupName(apiVersion)); err != nil {
 		return err
 	}
 	if err := writeFileAndPrint(filepath.Join(deployDir, rbacYaml), buf.Bytes(), defaultFileMode); err != nil {
diff --git a/pkg/generator/generator_test.go b/pkg/generator/generator_test.go
@@ -21,12 +21,13 @@ import (
 
 const (
 	// test constants for app-operator
-	appRepoPath   = "github.com/example-inc/app-operator"
-	appKind       = "App"
-	appApiDirName = "app"
-	appAPIVersion = appGroupName + "/" + appVersion
-	appVersion    = "v1alpha1"
-	appGroupName  = "app.example.com"
+	appRepoPath    = "github.com/example-inc/app-operator"
+	appKind        = "AppService"
+	appApiDirName  = "app"
+	appAPIVersion  = appGroupName + "/" + appVersion
+	appVersion     = "v1alpha1"
+	appGroupName   = "app.example.com"
+	appProjectName = "app-operator"
 )
 
 const mainExp = `package main
@@ -50,7 +51,7 @@ func printVersion() {
 
 func main() {
 	printVersion()
-	sdk.Watch("app.example.com/v1alpha1", "App", "default", 5)
+	sdk.Watch("app.example.com/v1alpha1", "AppService", "default", 5)
 	sdk.Handle(stub.NewHandler())
 	sdk.Run(context.TODO())
 }
@@ -120,7 +121,7 @@ func newbusyBoxPod(cr *v1alpha1.App) *v1.Pod {
 				*metav1.NewControllerRef(cr, schema.GroupVersionKind{
 					Group:   v1alpha1.SchemeGroupVersion.Group,
 					Version: v1alpha1.SchemeGroupVersion.Version,
-					Kind:    "App",
+					Kind:    "AppService",
 				}),
 			},
 			Labels: labels,
@@ -421,9 +422,30 @@ metadata:
   name: app-operator
 rules:
 - apiGroups:
+  - app.example.com
+  resources:
+  - "*"
+  verbs:
   - "*"
+- apiGroups:
+  - ""
   resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
   - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
   verbs:
   - "*"
 
@@ -444,16 +466,15 @@ roleRef:
 
 func TestGenDeploy(t *testing.T) {
 	buf := &bytes.Buffer{}
-	projectName := "app-operator"
-	if err := renderOperatorYaml(buf, "AppService", "app.example.com/v1alpha1", projectName, "quay.io/coreos/operator-sdk-dev:app-operator"); err != nil {
+	if err := renderOperatorYaml(buf, appKind, appAPIVersion, appProjectName, "quay.io/coreos/operator-sdk-dev:app-operator"); err != nil {
 		t.Error(err)
 	}
 	if operatorYamlExp != buf.String() {
 		t.Errorf("want %v, got %v", operatorYamlExp, buf.String())
 	}
 
 	buf = &bytes.Buffer{}
-	if err := renderRBACYaml(buf, projectName); err != nil {
+	if err := renderRBACYaml(buf, appProjectName, appGroupName); err != nil {
 		t.Error(err)
 	}
 	if rbacYamlExp != buf.String() {

Original file line number	Diff line number	Diff line change
`@@ -167,17 +167,17 @@ func (g *Generator) renderDeploy() error {`
`167`	`167`	`return renderDeployFiles(dp, g.projectName, g.apiVersion, g.kind)`
`168`	`168`	`}`
`169`	`169`
`170`		`-func renderRBAC(deployDir, projectName string) error {`
	`170`	`+func renderRBAC(deployDir, projectName, groupName string) error {`
`171`	`171`	`buf := &bytes.Buffer{}`
`172`		`- if err := renderRBACYaml(buf, projectName); err != nil {`
	`172`	`+ if err := renderRBACYaml(buf, projectName, groupName); err != nil {`
`173`	`173`	`return err`
`174`	`174`	`}`
`175`	`175`	`return writeFileAndPrint(filepath.Join(deployDir, rbacYaml), buf.Bytes(), defaultFileMode)`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`func renderDeployFiles(deployDir, projectName, apiVersion, kind string) error {`
`179`	`179`	`buf := &bytes.Buffer{}`
`180`		`- if err := renderRBACYaml(buf, projectName); err != nil {`
	`180`	`+ if err := renderRBACYaml(buf, projectName, groupName(apiVersion)); err != nil {`
`181`	`181`	`return err`
`182`	`182`	`}`
`183`	`183`	`if err := writeFileAndPrint(filepath.Join(deployDir, rbacYaml), buf.Bytes(), defaultFileMode); err != nil {`