From d6e3656a42984dbd5e0e248f4b178205390cb03a Mon Sep 17 00:00:00 2001
From: weizhoublue <45163302+weizhoublue@users.noreply.github.com>
Date: Wed, 14 Aug 2024 18:24:01 +0800
Subject: [PATCH] Merge pull request #3880 from cyclinder/rbac_cve

rbac: remove permissions for patch/update nodes and webhook resources

Signed-off-by: robot
---
 charts/spiderpool/templates/role.yaml | 13 ++++++++-----
 .../apis/spiderpool.spidernet.io/v2beta1/rbac.go | 5 +++--
 pkg/multuscniconfig/utils.go | 2 +-
 3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/charts/spiderpool/templates/role.yaml b/charts/spiderpool/templates/role.yaml
index f4c9049a67..65f8fba6d7 100644
--- a/charts/spiderpool/templates/role.yaml
+++ b/charts/spiderpool/templates/role.yaml
@@ -10,7 +10,6 @@ rules:
 - configmaps
 - endpoints
 - namespaces
- - nodes
 - pods
 - pods/status
 verbs:
@@ -33,18 +32,22 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
 - mutatingwebhookconfigurations
 - validatingwebhookconfigurations
 verbs:
- - create
- - delete
 - get
 - list
- - patch
- - update
 - watch
 - apiGroups:
 - apiextensions.k8s.io
diff --git a/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1/rbac.go b/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1/rbac.go
index 58b55e5161..a45fb43198 100644
--- a/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1/rbac.go
+++ b/pkg/k8s/apis/spiderpool.spidernet.io/v2beta1/rbac.go
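Review bot: Dropping `create`/`update`/`patch`/`delete` on mutatingwebhookconfigurations and validatingwebhookconfigurations (the removed verbs at the end of the second hunk) is only safe if no controller code path still writes those objects, for example to inject or rotate the webhook `caBundle` at startup; this patch contains no Go change for such a path, so confirm the bundle is rendered by the chart, otherwise the controller will be refused with Forbidden on its first reconcile. The same holds for the new read-only `nodes` rule: it is the right least-privilege shape, provided nothing in the controller annotates or patches Node objects. These verb sets are mirrored in the kubebuilder markers of rbac.go in this patch, and a hand-maintained chart role is where drift between the two usually hides; consider generating the chart rules from the controller-gen output or adding a CI check that diffs them.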
@@ -11,10 +11,11 @@
 // +kubebuilder:rbac:groups="resource.k8s.io",resources=resourceclaims;resourceclaims/status;podschedulingcontexts/status;resourceclaimtemplates;resourceclasses;podschedulingcontexts,verbs=get;list;patch;watch;update
 // +kubebuilder:rbac:groups="networking.k8s.io",resources=servicecidrs,verbs=get;list;watch
 // +kubebuilder:rbac:groups="batch",resources=jobs;cronjobs,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups="",resources=nodes;namespaces;endpoints;pods;pods/status;configmaps,verbs=get;list;watch;update;patch;delete;deletecollection
+// +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=namespaces;endpoints;pods;pods/status;configmaps,verbs=get;list;watch;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachines;virtualmachineinstances,verbs=get;list
-// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps.kruise.io,resources=clonesets;statefulsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=crd.projectcalico.org,resources=ippools,verbs=get;list;watch
diff --git a/pkg/multuscniconfig/utils.go b/pkg/multuscniconfig/utils.go
index 555cb6ca85..a662e59590 100644
--- a/pkg/multuscniconfig/utils.go
+++ b/pkg/multuscniconfig/utils.go
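Review bot: The three added markers record the narrower verb sets but not why nodes and the admission webhook configurations are now read-only, and these marker lines are the first place a contributor edits when a reconcile starts returning Forbidden. A plain comment line directly above the new `nodes` marker, such as `// nodes and admission webhook configurations are intentionally read-only (PR #3880); widening these verbs needs a security review`, would keep the reduction from being quietly reverted; controller-gen only acts on `+kubebuilder:` lines, so an ordinary comment there is ignored by generation, though confirm that with a regeneration run. The marker block is package-level comment text, so nothing else in the file is affected by the edit.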
@@ -213,7 +213,7 @@ func ParsePodNetworkObjectName(podnetwork string) (string, string, string, error
 for i := range allItems {
 matched := compile.MatchString(allItems[i])
 if !matched && len([]rune(allItems[i])) > 0 {
- return "", "", "", fmt.Errorf(fmt.Sprintf("parsePodNetworkObjectName: Failed to parse: one or more items did not match comma-delimited format (must consist of lower case alphanumeric characters). Must start and end with an alphanumeric character), mismatch @ '%v'", allItems[i]))
+ return "", "", "", fmt.Errorf("parsePodNetworkObjectName: Failed to parse: one or more items did not match comma-delimited format (must consist of lower case alphanumeric characters). Must start and end with an alphanumeric character), mismatch @ '%v'", allItems[i])
 }
 }
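Review bot: The rewritten `fmt.Errorf` on the added line correctly stops passing a caller-influenced string as the format, but it still renders the offending item with `'%v'`; since `allItems[i]` presumably comes from a pod annotation, `%q` would quote and escape it so that an empty, whitespace-only or control-character item is visible in the error, and the hand-written single quotes can be dropped: `..., mismatch @ %q", allItems[i])`. The guard on the context line, `len([]rune(allItems[i])) > 0`, allocates a rune slice only to test non-emptiness; `allItems[i] != ""` is equivalent for any string and cheaper, though that line is not part of this change. ParsePodNetworkObjectName begins outside the hunk, as does the definition of the `compile` regexp it matches against.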