From b568d48e3b2873e91f8adb0da67c2ecd90308c88 Mon Sep 17 00:00:00 2001
From: Christian Schwede
Date: Tue, 16 Apr 2024 20:44:09 +0200
Subject: [PATCH 1/4] Do not use privileged SCC for ServiceAccount

As the name implies, the privileged SCC grants a lot of permissions, many of them not necessary to run Swift. This patch switches to the nonroot-v2 SCC, which is sufficient to run pods as the Swift user.
---
 config/rbac/role.yaml | 3 +--
 controllers/swift_controller.go | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 0f8fe922..8f23c0d5 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -273,8 +273,7 @@ rules: - apiGroups: - security.openshift.io resourceNames: - - anyuid - - privileged + - nonroot-v2 resources: - securitycontextconstraints verbs:
diff --git a/controllers/swift_controller.go b/controllers/swift_controller.go
index 6138a7f1..491c354a 100644
--- a/controllers/swift_controller.go
+++ b/controllers/swift_controller.go
@@ -60,7 +60,7 @@ type SwiftReconciler struct {
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
 // service account permissions that are needed to grant permission to the above
-// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use
+// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=nonroot-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
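Review bot: The SCC name `nonroot-v2` is now repeated as a bare string in this marker, in the `ResourceNames` literal of the `@@ -172,7 +172,7` hunk of the same file, and in the generated config/rbac/role.yaml, with nothing tying the three together, so a later SCC change can leave the marker (what controller-gen emits for the operator's own Role) and the rule (what the reconciler grants to the Swift ServiceAccount) disagreeing without any build or test failure. Consider one package-level constant used by the rule, e.g. `const swiftSCC = "nonroot-v2" // keep in sync with the +kubebuilder:rbac marker above Reconcile`, and a matching pointer in the comment on the marker line so that whoever edits one is sent to the other. The existing comment `// service account permissions that are needed to grant permission to the above` is the only explanation of why the operator needs `use` on the SCC itself, and it could state it plainly: `// the operator must itself be allowed to "use" the SCC before RBAC lets it grant that to the Swift ServiceAccount`.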
@@ -172,7 +172,7 @@ func (r *SwiftReconciler) reconcileNormal(ctx context.Context, instance *swiftv1
 	rbacRules := []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{"security.openshift.io"},
-			ResourceNames: []string{"anyuid", "privileged"},
+			ResourceNames: []string{"nonroot-v2"},
 			Resources: []string{"securitycontextconstraints"},
 			Verbs: []string{"use"},
 		},

From 6031039f35f4915786ff6c7fc74b48940ad82423 Mon Sep 17 00:00:00 2001
From: Christian Schwede
Date: Tue, 16 Apr 2024 20:44:10 +0200
Subject: [PATCH 2/4] Limit ServiceAccount permissions to swift-ring-files ConfigMap

The ServiceAccount only needs permissions to create, get, and update the "swift-ring-files" ConfigMap. Create can't be restricted by resource name[1], but a create does not overwrite an existing ConfigMap. Overall this change limits reads and modifications to the swift-ring-files ConfigMap therefore.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
---
 controllers/swift_controller.go | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/controllers/swift_controller.go b/controllers/swift_controller.go
index 491c354a..ec3dd1b1 100644
--- a/controllers/swift_controller.go
+++ b/controllers/swift_controller.go
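Review bot: Moving the ServiceAccount from `anyuid`/`privileged` to `nonroot-v2` changes what admission will accept for every pod that runs under it, and nothing in this hunk records the pod-spec side of that contract. If I recall the OpenShift v2 SCCs correctly, nonroot-v2 additionally requires `allowPrivilegeEscalation: false` and dropping all capabilities, so a Swift container or init container that only ran because anyuid/privileged were available will now be rejected at admission, which is a runtime failure that no Go test will surface. A comment above the rule naming the securityContext fields the pod templates are expected to set would let the next reader verify the pairing, e.g. `// nonroot-v2: pod templates must run as a non-root UID and must not request privilege escalation or extra capabilities`. The body of reconcileNormal starts and ends outside the hunk.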
@@ -176,20 +176,16 @@ func (r *SwiftReconciler) reconcileNormal(ctx context.Context, instance *swiftv1
 			Resources: []string{"securitycontextconstraints"},
 			Verbs: []string{"use"},
 		},
-		{
-			APIGroups: []string{""},
-			Resources: []string{"pods"},
-			Verbs: []string{"create", "get", "list", "watch", "update", "patch", "delete"},
-		},
 		{
 			APIGroups: []string{""},
 			Resources: []string{"configmaps"},
-			Verbs: []string{"create", "get", "update", "delete"},
+			Verbs: []string{"create"},
 		},
 		{
-			APIGroups: []string{""},
-			Resources: []string{"persistentvolumeclaims"},
-			Verbs: []string{"get", "list", "watch"},
+			APIGroups: []string{""},
+			Resources: []string{"configmaps"},
+			ResourceNames: []string{"swift-ring-files"},
+			Verbs: []string{"get", "update"},
 		},
 	}
 	rbacResult, err := common_rbac.ReconcileRbac(ctx, helper, instance, rbacRules)

From a987062f29fafb629996b0ea0131fa1e99a54a6e Mon Sep 17 00:00:00 2001
From: Christian Schwede
Date: Tue, 16 Apr 2024 20:44:11 +0200
Subject: [PATCH 3/4] Limit scope of Pod RBAC permissions

The swift-operator does not create, update or delete pods directly; all of these actions are done either by StatefulSets, Deployments or Jobs. It only lists and retrieves information about the NetworkAttachments to create DNS entries.
---
 config/rbac/role.yaml | 5 -----
 controllers/swift_controller.go | 1 -
 controllers/swiftstorage_controller.go | 1 +
 3 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 8f23c0d5..07baef8a 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -10,13 +10,8 @@ rules: resources: - pods verbs: - - create - - delete - get - list - - patch - - update - - watch - apiGroups: - "" resources:
diff --git a/controllers/swift_controller.go b/controllers/swift_controller.go
index ec3dd1b1..d83f4d37 100644
--- a/controllers/swift_controller.go
+++ b/controllers/swift_controller.go
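Review bot: The ConfigMap name `swift-ring-files` is a bare literal in the new `ResourceNames` rule; if the code that creates that ConfigMap defines its name as a constant, the rule should reference the same constant so the RBAC scope cannot drift from the object it is meant to guard (the creation site is not visible from this hunk). The split into an unscoped `create` rule and a name-scoped `get`/`update` rule is explained only in the commit message, and a reader of the code will take the unscoped create for an oversight, so put the reason next to it: `// "create" cannot be limited by resourceName (the name is not known at authorization time); get/update are scoped to the ring ConfigMap below`. It is also worth stating in that comment what is left over: the ServiceAccount can still create any ConfigMap in the namespace, but can no longer read, change or delete existing ones other than swift-ring-files. reconcileNormal continues outside the hunk on both sides.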
@@ -61,7 +61,6 @@ type SwiftReconciler struct {
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=nonroot-v2,resources=securitycontextconstraints,verbs=use
-// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/swiftstorage_controller.go b/controllers/swiftstorage_controller.go
index d4918bbd..775cfcb8 100644
--- a/controllers/swiftstorage_controller.go
+++ b/controllers/swiftstorage_controller.go
@@ -83,6 +83,7 @@ type Netconfig struct {
 //+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list
+//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

From 68dead625f15b7d6ad175eba1d0d147c7a9c725e Mon Sep 17 00:00:00 2001
From: Christian Schwede
Date: Tue, 16 Apr 2024 20:44:13 +0200
Subject: [PATCH 4/4] Remove RBAC rules for ClusterRole and -Binding

Commit 32066cc removed the creation of ClusterRoles and -Bindings, this patch removes the unneeded RBAC roles as well.
---
 config/rbac/role.yaml | 24 ------------------------
 controllers/swiftring_controller.go | 5 -----
 2 files changed, 29 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 07baef8a..16bd4384 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
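Review bot: The new marker in swiftstorage_controller.go grants only `get;list` on pods, and this patch also drops `watch` from config/rbac/role.yaml (the `@@ -10,13 +10,8` hunk), but if the storage reconciler reads pods through the manager's default cached client, a Get or List starts an informer that needs `watch` as well; without it the cache never syncs and the read fails at runtime, not at compile time. I cannot see the call site from this hunk, so please confirm that pods are read with an uncached client or a clientset, or add `watch` to the marker and the generated Role. As a point of style, the neighbouring markers spell the core API group as `groups=core`, so for consistency: `//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list`.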
@@ -221,30 +221,6 @@ rules: - patch - update - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - rbac.authorization.k8s.io resources:
diff --git a/controllers/swiftring_controller.go b/controllers/swiftring_controller.go
index 71f84213..ecf7f753 100644
--- a/controllers/swiftring_controller.go
+++ b/controllers/swiftring_controller.go
@@ -41,7 +41,6 @@ import (
 	"github.com/openstack-k8s-operators/swift-operator/pkg/swiftring"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/client-go/kubernetes"
 )
@@ -60,8 +59,6 @@ type SwiftRingReconciler struct {
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=*,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -312,8 +309,6 @@ func (r *SwiftRingReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		For(&swiftv1beta1.SwiftRing{}).
 		Owns(&batchv1.Job{}).
 		Owns(&corev1.ConfigMap{}).
-		Owns(&rbacv1.ClusterRole{}).
-		Owns(&rbacv1.ClusterRoleBinding{}).
 		Watches(&swiftv1beta1.SwiftStorage{}, handler.EnqueueRequestsFromMapFunc(swiftRingFilter)).
 		Watches(&dataplanev1.OpenStackDataPlaneNodeSet{}, handler.EnqueueRequestsFromMapFunc(swiftRingFilter)).
 		Complete(r)