refactor: background controller permissions (#8083)

* fix: reduce background controller permissions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * debug Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-08-23 14:29:56 +02:00 · 2023-08-23 14:29:56 +02:00 · 87728f1771
commit 87728f1771
parent 2d434c6f97
6 changed files with 120 additions and 80 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -408,6 +408,7 @@ The chart values are organised per component.
 | backgroundController.rbac.create | bool | `true` | Create RBAC resources |
 | backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
 | backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
 | backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | backgroundController.image.registry | string | `"ghcr.io"` | Image registry |
 | backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository |
--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@ -39,8 +39,8 @@ rules:
      - rolebindings
      - clusterrolebindings
    verbs:
-      - watch
      - list
+      - watch
  - apiGroups:
      - kyverno.io
    resources:
--- a/charts/kyverno/templates/background-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/background-controller/clusterrole.yaml
@ -18,17 +18,11 @@ metadata:
  labels:
    {{- include "kyverno.background-controller.labels" . | nindent 4 }}
 rules:
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - get
-      - list
-      - watch
  - apiGroups:
      - kyverno.io
    resources:
+      - policies
+      - clusterpolicies
      - updaterequests
      - updaterequests/status
    verbs:
@ -40,6 +34,15 @@ rules:
      - update
      - watch
      - deletecollection
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - ''
      - events.k8s.io
@ -47,41 +50,14 @@ rules:
      - events
    verbs:
      - create
-      - update
+      - get
+      - list
      - patch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-      - ingressclasses
-      - networkpolicies
-    verbs:
-      - create
      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - secrets
-      - resourcequotas
-      - limitranges
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - rolebindings
-      - roles
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
+      - watch
+{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- with .Values.backgroundController.rbac.clusterRole.extraResources }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -960,6 +960,53 @@ backgroundController:
      annotations: {}
        # example.com/annotation: value

+    coreClusterRole:
+      # -- Extra resource permissions to add in the core cluster role.
+      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
+      # @default -- See [values.yaml](values.yaml)
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+            - ingressclasses
+            - networkpolicies
+          verbs:
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - rbac.authorization.k8s.io
+          resources:
+            - rolebindings
+            - roles
+          verbs:
+            - create
+            - update
+            - patch
+            - delete
+        - apiGroups:
+            - ''
+          resources:
+            - configmaps
+            - secrets
+            - resourcequotas
+            - limitranges
+          verbs:
+            - create
+            - update
+            - patch
+            - delete
+
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -39931,8 +39931,8 @@ rules:
      - rolebindings
      - clusterrolebindings
    verbs:
-      - watch
      - list
+      - watch
  - apiGroups:
      - kyverno.io
    resources:
@ -40021,17 +40021,11 @@ metadata:
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
 rules:
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - get
-      - list
-      - watch
  - apiGroups:
      - kyverno.io
    resources:
+      - policies
+      - clusterpolicies
      - updaterequests
      - updaterequests/status
    verbs:
@ -40043,6 +40037,15 @@ rules:
      - update
      - watch
      - deletecollection
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - ''
      - events.k8s.io
@ -40050,41 +40053,52 @@ rules:
      - events
    verbs:
      - create
-      - update
+      - get
+      - list
      - patch
+      - update
+      - watch
  - apiGroups:
-      - networking.k8s.io
+    - '*'
    resources:
-      - ingresses
-      - ingressclasses
-      - networkpolicies
+    - '*'
    verbs:
-      - create
-      - update
-      - patch
-      - delete
+    - get
+    - list
+    - watch
  - apiGroups:
-      - ""
+    - networking.k8s.io
    resources:
-      - configmaps
-      - secrets
-      - resourcequotas
-      - limitranges
+    - ingresses
+    - ingressclasses
+    - networkpolicies
    verbs:
-      - create
-      - update
-      - patch
-      - delete
+    - create
+    - update
+    - patch
+    - delete
  - apiGroups:
-      - rbac.authorization.k8s.io
+    - rbac.authorization.k8s.io
    resources:
-      - rolebindings
-      - roles
+    - rolebindings
+    - roles
    verbs:
-      - create
-      - update
-      - patch
-      - delete
+    - create
+    - update
+    - patch
+    - delete
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    - secrets
+    - resourcequotas
+    - limitranges
+    verbs:
+    - create
+    - update
+    - patch
+    - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@ -16,6 +16,7 @@ import (

 // Generate provides implementation to validate 'generate' rule
 type Generate struct {
+	user string
 	// rule to hold 'generate' rule specifications
 	rule kyvernov1.Generation
 	// authCheck to check access for operations
@ -27,6 +28,7 @@ type Generate struct {
 // NewGenerateFactory returns a new instance of Generate validation checker
 func NewGenerateFactory(client dclient.Interface, rule kyvernov1.Generation, user string, log logr.Logger) *Generate {
 	g := Generate{
+		user:      user,
 		rule:      rule,
 		authCheck: NewAuth(client, user, log),
 		log:       log,
@ -112,7 +114,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace)
+			return fmt.Errorf("%s does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
 		}

 		ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, subresource)
@ -120,7 +122,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace)
+			return fmt.Errorf("%s does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
 		}

 		ok, err = authCheck.CanIGet(ctx, gvk, namespace, subresource)
@ -128,7 +130,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace)
+			return fmt.Errorf("%s does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
 		}

 		ok, err = authCheck.CanIDelete(ctx, gvk, namespace, subresource)
@ -136,7 +138,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s/%s. Grant proper permissions to the background controller", gvk, subresource, namespace)
+			return fmt.Errorf("%s does not have permissions to 'delete' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
 		}
 	} else {
 		g.log.V(2).Info("resource Kind uses variables, so cannot be resolved. Skipping Auth Checks.")