
refactor: background controller permissions (#8083)

* fix: reduce background controller permissions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* debug

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-08-23 14:29:56 +02:00 committed by GitHub
parent 2d434c6f97
commit 87728f1771
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 120 additions and 80 deletions


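--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -408,6 +408,7 @@ The chart values are organised per component.
 | backgroundController.rbac.create | bool | `true` | Create RBAC resources |
 | backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
 | backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
 | backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | backgroundController.image.registry | string | `"ghcr.io"` | Image registry |
 | backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository |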


@ -39,8 +39,8 @@ rules:
- rolebindings - rolebindings
- clusterrolebindings - clusterrolebindings
verbs: verbs:
- watch
- list - list
- watch
- apiGroups: - apiGroups:
- kyverno.io - kyverno.io
resources: resources:


@ -18,17 +18,11 @@ metadata:
labels: labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }} {{- include "kyverno.background-controller.labels" . | nindent 4 }}
rules: rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- kyverno.io - kyverno.io
resources: resources:
- policies
- clusterpolicies
- updaterequests - updaterequests
- updaterequests/status - updaterequests/status
verbs: verbs:
@ -40,6 +34,15 @@ rules:
- update - update
- watch - watch
- deletecollection - deletecollection
- apiGroups:
- ''
resources:
- namespaces
- configmaps
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- '' - ''
- events.k8s.io - events.k8s.io
@ -47,41 +50,14 @@ rules:
- events - events
verbs: verbs:
- create - create
- update - get
- list
- patch - patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update - update
- patch - watch
- delete {{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }}
- apiGroups: {{- toYaml . | nindent 2 }}
- "" {{- end }}
resources:
- configmaps
- secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
{{- with .Values.backgroundController.rbac.clusterRole.extraResources }} {{- with .Values.backgroundController.rbac.clusterRole.extraResources }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
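Review bot: Dropping the `'*'`/`'*'` get/list/watch rule and the write rules from this template does not reduce what a default install grants, because the `coreClusterRole.extraResources` block injected in the last hunk is filled in values.yaml (the section starting at the `@ -960,6 +960,53` hunk) with the same wildcard read rule and the same create/update/patch/delete rules on secrets, configmaps, resourcequotas, limitranges, roles, rolebindings and networking resources. The values.yaml comment only says the list "should ideally be moved"; it does not tell operators that they must set `backgroundController.rbac.coreClusterRole.extraResources: []` (and add only what their generate rules need) to actually obtain the reduced role, nor that the wildcard entry includes cluster-wide read of secrets. Suggest adding to that comment and to the README row a line such as `# Set to [] to drop these legacy grants; the '*' entry grants read access to every resource in the cluster, including secrets.` The events rule in the last hunk also appears to gain get/list/watch over the old create/update/patch, which the commit message does not mention. The ClusterRole definition starts before the first hunk.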


@ -960,6 +960,53 @@ backgroundController:
annotations: {} annotations: {}
# example.com/annotation: value # example.com/annotation: value
coreClusterRole:
# -- Extra resource permissions to add in the core cluster role.
# This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
# @default -- See [values.yaml](values.yaml)
extraResources:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ''
resources:
- configmaps
- secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
clusterRole: clusterRole:
# -- Extra resource permissions to add in the cluster role # -- Extra resource permissions to add in the cluster role
extraResources: [] extraResources: []


@ -39931,8 +39931,8 @@ rules:
- rolebindings - rolebindings
- clusterrolebindings - clusterrolebindings
verbs: verbs:
- watch
- list - list
- watch
- apiGroups: - apiGroups:
- kyverno.io - kyverno.io
resources: resources:
@ -40021,17 +40021,11 @@ metadata:
app.kubernetes.io/part-of: kyverno app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest app.kubernetes.io/version: latest
rules: rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- kyverno.io - kyverno.io
resources: resources:
- policies
- clusterpolicies
- updaterequests - updaterequests
- updaterequests/status - updaterequests/status
verbs: verbs:
@ -40043,6 +40037,15 @@ rules:
- update - update
- watch - watch
- deletecollection - deletecollection
- apiGroups:
- ''
resources:
- namespaces
- configmaps
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- '' - ''
- events.k8s.io - events.k8s.io
@ -40050,41 +40053,52 @@ rules:
- events - events
verbs: verbs:
- create - create
- update - get
- list
- patch - patch
- update
- watch
- apiGroups: - apiGroups:
- networking.k8s.io - '*'
resources: resources:
- ingresses - '*'
- ingressclasses
- networkpolicies
verbs: verbs:
- create - get
- update - list
- patch - watch
- delete
- apiGroups: - apiGroups:
- "" - networking.k8s.io
resources: resources:
- configmaps - ingresses
- secrets - ingressclasses
- resourcequotas - networkpolicies
- limitranges
verbs: verbs:
- create - create
- update - update
- patch - patch
- delete - delete
- apiGroups: - apiGroups:
- rbac.authorization.k8s.io - rbac.authorization.k8s.io
resources: resources:
- rolebindings - rolebindings
- roles - roles
verbs: verbs:
- create - create
- update - update
- patch - patch
- delete - delete
- apiGroups:
- ""
resources:
- configmaps
- secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole


@ -16,6 +16,7 @@ import (
// Generate provides implementation to validate 'generate' rule // Generate provides implementation to validate 'generate' rule
type Generate struct { type Generate struct {
user string
// rule to hold 'generate' rule specifications // rule to hold 'generate' rule specifications
rule kyvernov1.Generation rule kyvernov1.Generation
// authCheck to check access for operations // authCheck to check access for operations
@ -27,6 +28,7 @@ type Generate struct {
// NewGenerateFactory returns a new instance of Generate validation checker // NewGenerateFactory returns a new instance of Generate validation checker
func NewGenerateFactory(client dclient.Interface, rule kyvernov1.Generation, user string, log logr.Logger) *Generate { func NewGenerateFactory(client dclient.Interface, rule kyvernov1.Generation, user string, log logr.Logger) *Generate {
g := Generate{ g := Generate{
user: user,
rule: rule, rule: rule,
authCheck: NewAuth(client, user, log), authCheck: NewAuth(client, user, log),
log: log, log: log,
@ -112,7 +114,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
return err return err
} }
if !ok { if !ok {
return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace) return fmt.Errorf("%s does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
} }
ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, subresource) ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, subresource)
@ -120,7 +122,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
return err return err
} }
if !ok { if !ok {
return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace) return fmt.Errorf("%s does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
} }
ok, err = authCheck.CanIGet(ctx, gvk, namespace, subresource) ok, err = authCheck.CanIGet(ctx, gvk, namespace, subresource)
@ -128,7 +130,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
return err return err
} }
if !ok { if !ok {
return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace) return fmt.Errorf("%s does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
} }
ok, err = authCheck.CanIDelete(ctx, gvk, namespace, subresource) ok, err = authCheck.CanIDelete(ctx, gvk, namespace, subresource)
@ -136,7 +138,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
return err return err
} }
if !ok { if !ok {
return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace) return fmt.Errorf("%s does not have permissions to 'delete' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
} }
} else { } else {
g.log.V(2).Info("resource Kind uses variables, so cannot be resolved. Skipping Auth Checks.") g.log.V(2).Info("resource Kind uses variables, so cannot be resolved. Skipping Auth Checks.")
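Review bot: The new `user` field on `Generate` is the only field in the struct without a comment, while `rule` and `authCheck` each carry one in the first hunk; suggest `// user is the subject handed to NewAuth and named in the permission error messages below` (whether NewAuth uses it as the access-review subject is not visible here, so keep the wording to what this file shows). In the four rewritten `fmt.Errorf` calls, `%s` with an empty `g.user` renders as a leading space, so the message would read ` does not have permissions ...`; `%q` makes an empty or unexpected value visible, e.g. `return fmt.Errorf("%q does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)` and likewise for the update, get and delete messages. The `canIGenerate` function starts and ends outside these hunks.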