From a82757c24080214646c4a8ca465e1a66c9660b25 Mon Sep 17 00:00:00 2001
From: Prateek Nandle
Date: Sun, 26 May 2024 03:08:50 +0530
Subject: [PATCH] patch apparmor annotations for cronjobs and updating rbac rules

Signed-off-by: Prateek Nandle
---
 KubeArmor/core/k8sHandler.go                  | 15 ++++++++++++++-
 deployments/get/objects.go                    |  2 +-
 .../helm/KubeArmor/templates/RBAC/roles.yaml  |  4 ++++
 .../templates/clusterrole-rbac.yaml           |  4 ++++
 .../config/rbac/clusterrole.yaml              |  4 ++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/KubeArmor/core/k8sHandler.go b/KubeArmor/core/k8sHandler.go
index f65f4c2e0e..7cac5da30f 100644
--- a/KubeArmor/core/k8sHandler.go
+++ b/KubeArmor/core/k8sHandler.go
@@ -230,6 +230,10 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 	}
 
 	spec := `{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+	if kind == "CronJob" {
+		spec = `{"spec":{"jobTemplate":{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+	}
+
 
 	count := len(appArmorAnnotations)
 	for k, v := range appArmorAnnotations {
@@ -246,7 +250,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 		count--
 	}
 
-	spec = spec + `}}}}}`
+	if kind == "CronJob" {
+		spec = spec + `}}}}}}}`
+	} else {
+		spec = spec + `}}}}}`
+	}
 
 	if kind == "StatefulSet" {
 		_, err := kh.K8sClient.AppsV1().StatefulSets(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
@@ -292,6 +300,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 		if err != nil {
 			return err
 		}
+	} else if kind == "CronJob" {
+		_, err := kh.K8sClient.BatchV1().CronJobs(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
+		if err != nil {
+			return err
+		}
 	} else if kind == "Pod" { // this condition wont be triggered, handled by controller
 		return nil
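Review bot: The CronJob case splits one structural decision across two `if kind == "CronJob"` checks that are 20 lines apart (the opening prefix in the first hunk, the closing `}}}}}}}` in the second), so the brace count and the prefix depth can silently drift apart on the next edit and produce a patch the API server rejects. Computing the opening and closing halves together, next to each other, keeps the depth in one place; the loop that appends the annotation key/value pairs and the enclosing function's start lie outside these hunks. Building the patch as a nested map and marshalling it with encoding/json would remove the hand-counted braces entirely and also escape annotation values, but whether that package is already imported in this file is not visible here.
```go
	// Nesting depth differs for CronJob (spec.jobTemplate.spec.template), so keep the
	// opening and closing halves of the strategic merge patch side by side.
	opening, closing := `{"spec":{"template":`, `}}}}}`
	if kind == "CronJob" {
		opening, closing = `{"spec":{"jobTemplate":{"spec":{"template":`, `}}}}}}}`
	}
	spec := opening + `{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
	// … unchanged: loop appending appArmorAnnotations …
	spec = spec + closing
```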
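Review bot: The new CronJob branch in the third hunk patches the CronJob's jobTemplate, which the CronJob controller only reads when it creates the next Job, so Jobs and Pods already running keep their previous annotations until they are recreated; nothing in the code or the commit message records this, and a reader checking why a running CronJob pod is still unconfined will have to rediscover it. A short comment on the new branch would do, e.g. `// CronJob: the annotations land on spec.jobTemplate and apply only to Jobs created after this patch; existing Jobs/Pods are untouched.` The enclosing function starts before and continues after this hunk, and the `} else if kind == "Pod"` branch that follows is unchanged.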
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
index 41fe81e37a..41d1347f97 100644
--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
@@ -54,7 +54,7 @@ func GetClusterRole() *rbacv1.ClusterRole {
 		{
 			APIGroups: []string{"batch"},
 			Resources: []string{"jobs", "cronjobs"},
-			Verbs:     []string{"get"},
+			Verbs:     []string{"get", "patch", "list", "watch", "update"},
 		},
 		{
 			APIGroups: []string{"security.kubearmor.com"},
diff --git a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
index c556f66b7e..96ceac7b4e 100644
--- a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
+++ b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
@@ -36,6 +36,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:
diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
index a16899dec2..db2a937449 100644
--- a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
+++ b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -129,6 +129,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:
diff --git a/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml b/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
index 156e279516..5a6a99e91e 100644
--- a/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
+++ b/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
@@ -130,6 +130,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:
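Review bot: The verbs granted in `GetClusterRole` go beyond what the accompanying code change exercises: the only new API call is `CronJobs(...).Patch(...)`, yet `update`, `list` and `watch` are added as well, and all five verbs are granted on `jobs` even though nothing in this commit touches Jobs. `update` in particular is not used by a strategic merge patch and widens what a compromised KubeArmor service account could do to batch workloads, so unless another caller outside this diff needs it the rule should be `Verbs: []string{"get", "patch", "list", "watch"}` or narrower, and `jobs` could keep its previous `get`-only verbs in a separate rule. The same verb list is repeated in the three YAML files (deployments/helm/KubeArmor/templates/RBAC/roles.yaml, deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml, pkg/KubeArmorOperator/config/rbac/clusterrole.yaml), so whatever is decided here must be mirrored there; if `list`/`watch` are needed by an existing CronJob informer that is not visible in this diff, a sentence in the commit message saying so would justify them.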