Configure manager to properly impersonate when communicating with man…

…aged clusters (#3050) * Configure manager to properly impersonate when communicating with managed clusters * Add UTs
tigera · Dec 9, 2023 · 669fd10 · 669fd10
1 parent b5bc6ad
commit 669fd10
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 0 deletions.
diff --git a/pkg/controller/manager/manager_controller.go b/pkg/controller/manager/manager_controller.go
@@ -620,6 +620,12 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ
 	if err != nil {
 		return reconcile.Result{}, err
 	}
+	if tenant.MultiTenant() {
+		// In a multi-tenant environment, we need to grant access to the canonical tigera-manager:tigera-manager service account
+		// so that es-proxy passes Voltron's authorization checks when accessing managed clusters. This is because per-tenant manager instances
+		// impersonate as this serviceaccount on these flows.
+		namespaces = append(namespaces, render.ManagerNamespace)
+	}
 
 	managerCfg := &render.ManagerConfiguration{
 		KeyValidatorConfig:      keyValidatorConfig,

diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go
@@ -1141,6 +1141,12 @@ var _ = Describe("Manager controller tests", func() {
 						Namespace: tenantBNamespace,
 					},
 				}
+				clusterRoleBinding := rbacv1.ClusterRoleBinding{
+					TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "v1"},
+					ObjectMeta: metav1.ObjectMeta{
+						Name: render.ManagerClusterRoleBinding,
+					},
+				}
 
 				// We called Reconcile without specifying a namespace, so neither of these namespaced deployments should
 				// exist yet
@@ -1183,6 +1189,12 @@ var _ = Describe("Manager controller tests", func() {
 
 				err = test.GetResource(c, &tenantBDeployment)
 				Expect(kerror.IsNotFound(err)).Should(BeFalse())
+
+				// Ensure a cluster role binding was created that binds both tenants, as well as the
+				// canonical manager service account.
+				err = test.GetResource(c, &clusterRoleBinding)
+				Expect(kerror.IsNotFound(err)).Should(BeFalse())
+				Expect(clusterRoleBinding.Subjects).To(HaveLen(3))
 			})
 		})
 	})

diff --git a/pkg/render/manager.go b/pkg/render/manager.go
@@ -587,6 +587,7 @@ func (c *managerComponent) managerEsProxyContainer() corev1.Container {
 		if c.cfg.Tenant.MultiTenant() {
 			// This cluster supports multiple tenants. Point the manager at the correct Linseed instance for this tenant.
 			env = append(env, corev1.EnvVar{Name: "LINSEED_URL", Value: fmt.Sprintf("https://tigera-linseed.%s.svc", c.cfg.Namespace)})
+			env = append(env, corev1.EnvVar{Name: "TENANT_NAMESPACE", Value: c.cfg.Namespace})
 		}
 	}
 

diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go
@@ -994,6 +994,8 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() {
 			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "VOLTRON_REQUIRE_TENANT_CLAIM", Value: "true"}))
 			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "VOLTRON_LINSEED_ENDPOINT", Value: fmt.Sprintf("https://tigera-linseed.%s.svc", tenantANamespace)}))
 			Expect(esProxyEnv).To(ContainElement(corev1.EnvVar{Name: "VOLTRON_URL", Value: fmt.Sprintf("https://tigera-manager.%s.svc:9443", tenantANamespace)}))
+			Expect(esProxyEnv).To(ContainElement(corev1.EnvVar{Name: "TENANT_ID", Value: "tenant-a"}))
+			Expect(esProxyEnv).To(ContainElement(corev1.EnvVar{Name: "TENANT_NAMESPACE", Value: tenantANamespace}))
 		})
 
 		It("should not install UISettings / UISettingsGroups", func() {
@@ -1049,12 +1051,16 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() {
 			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "VOLTRON_TENANT_ID", Value: "tenant-a"}))
 			Expect(envs).To(ContainElement(corev1.EnvVar{Name: "VOLTRON_REQUIRE_TENANT_CLAIM", Value: "true"}))
 			Expect(esProxyEnv).To(ContainElement(corev1.EnvVar{Name: "VOLTRON_URL", Value: fmt.Sprintf("https://tigera-manager.%s.svc:9443", render.ManagerNamespace)}))
+			Expect(esProxyEnv).To(ContainElement(corev1.EnvVar{Name: "TENANT_ID", Value: "tenant-a"}))
 
 			// Make sure we don't render multi-tenant environment variables
 			for _, env := range envs {
 				Expect(env.Name).NotTo(Equal("VOLTRON_TENANT_NAMESPACE"))
 				Expect(env.Name).NotTo(Equal("VOLTRON_LINSEED_ENDPOINT"))
 			}
+			for _, env := range esProxyEnv {
+				Expect(env.Name).NotTo(Equal("TENANT_NAMESPACE"))
+			}
 		})
 	})
 })