patch apparmor annotations for job & cronjobs and updating rbac rules

Signed-off-by: Prateek Nandle <[email protected]>
kubearmor · May 27, 2024 · eaa5f0e · eaa5f0e
1 parent 0eaec66
commit eaa5f0e
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 2 deletions.
diff --git a/KubeArmor/core/k8sHandler.go b/KubeArmor/core/k8sHandler.go
@@ -230,6 +230,10 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 	}
 
 	spec := `{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+	if kind == "CronJob" {
+		spec = `{"spec":{"jobTemplate":{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+	}
+
 	count := len(appArmorAnnotations)
 
 	for k, v := range appArmorAnnotations {
@@ -246,7 +250,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 		count--
 	}
 
-	spec = spec + `}}}}}`
+	if kind == "CronJob" {
+		spec = spec + `}}}}}}}`
+	} else {
+		spec = spec + `}}}}}`
+	}
 
 	if kind == "StatefulSet" {
 		_, err := kh.K8sClient.AppsV1().StatefulSets(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
@@ -292,6 +300,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 		if err != nil {
 			return err
 		}
+	} else if kind == "CronJob" {
+		_, err := kh.K8sClient.BatchV1().CronJobs(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
+		if err != nil {
+			return err
+		}
 	} else if kind == "Pod" {
 		// this condition wont be triggered, handled by controller
 		return nil

diff --git a/deployments/get/objects.go b/deployments/get/objects.go
@@ -54,7 +54,7 @@ func GetClusterRole() *rbacv1.ClusterRole {
 			{
 				APIGroups: []string{"batch"},
 				Resources: []string{"jobs", "cronjobs"},
-				Verbs:     []string{"get"},
+				Verbs:     []string{"get", "patch", "list", "watch", "update"},
 			},
 			{
 				APIGroups: []string{"security.kubearmor.com"},

diff --git a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
@@ -36,6 +36,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:

diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -129,6 +129,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:

diff --git a/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml b/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
@@ -130,6 +130,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources: