CNS-2801 - Minimize the operator's RBAC access (#163)

* Change namespace to be a value on the Controller and StateApplier instead of coming from agentSpec. Modify objects to take the value from their own fields. * Add env var to pass the operator's namespace into the code and use it for the agent * Add a description to the Namespace field to indicate it is deprecated and will not have any effect. * Reduce operator workload permissions to a role instead of ClusterRole * Move dataplane RBAC to a subfolder to separate operator vs dataplane * Commit generated file diff * Add dataplane files to the kustomization * Remove duplicated Dataplane items * Keep the old ClusterRoleBinding name to avoid duplicates if redeploying a newer operator. Rename the local RoleBinding instead to avoid conflicts. * Restrict PriorityClass RBAC * Restrict webhook RBAC by resource name when possible * Move dataplane RBAC objects to the operator chart - so the agent chart mimics deploying a CR with secret * Update Readmes to match the "same-namespace" enforcement. Remove references to repositories that we don't support. Added the missing labeling when pre-creating a namespace. * Sync operator.yaml in the chart with RBAC changes and some missing items from last releases * Bump charts version due to breaking changes. Bumped app version there as well to be latest so far. * Minor comment change * Added some explanation behind the RBAC setup and how to update it * Update deployment.yaml to also mount the namespace env var * Replace namespace var in dataplane_rbac.yaml * Added deprecation notice as godoc to CRD.Namespace * Add Namespace to each component's constructor. Don't set the namespace on the k8s object as it has no affect (NamespacedName is what sets the namespace). * Removed the public registry secret from all dataplane accounts since they shouldn't need it
octarinesec · Jul 11, 2023 · b83d0be · b83d0be
1 parent 8d296ec
commit b83d0be
Show file tree

Hide file tree

Showing 42 changed files with 603 additions and 439 deletions.
diff --git a/api/v1/cbcontainersagent_types.go b/api/v1/cbcontainersagent_types.go
@@ -30,7 +30,13 @@ type CBContainersAgentSpec struct {
 	ClusterName string                   `json:"clusterName,required"`
 	Version     string                   `json:"version,required"`
 	Gateways    CBContainersGatewaysSpec `json:"gateways,required"`
+	// The field below remains to avoid moving the CRD from v1 to v2.
+	// It MUST not be used as agent namespace should be controlled outside the operator itself.
+	// This is because a custom namespace in the CRD requires high privileges by the operator across the whole cluster to be able to "switch" namespaces on demand.
+
 	// +kubebuilder:default:="cbcontainers-dataplane"
+	// Namespace is deprecated and the value has no effect. Do not use.
+	// Deprecated: The operator and agent always run in the same namespace. See documentation for ways to customize this namespace.
 	Namespace string `json:"namespace,omitempty"`
 	// +kubebuilder:default:="cbcontainers-access-token"
 	AccessTokenSecretName string `json:"accessTokenSecretName,omitempty"`

diff --git a/cbcontainers/state/components/cluster_configmap.go b/cbcontainers/state/components/cluster_configmap.go
@@ -17,9 +17,9 @@ type ConfigurationK8sObject struct {
 	Namespace string
 }
 
-func NewConfigurationK8sObject() *ConfigurationK8sObject {
+func NewConfigurationK8sObject(namespace string) *ConfigurationK8sObject {
 	return &ConfigurationK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -35,12 +35,11 @@ func (obj *ConfigurationK8sObject) MutateK8sObject(k8sObject client.Object, agen
 		return fmt.Errorf("expected ConfigMap K8s object")
 	}
 
-	configMap.Namespace = agentSpec.Namespace
 	configMap.Data = map[string]string{
 		commonState.DataPlaneConfigmapAccountKey:            agentSpec.Account,
 		commonState.DataPlaneConfigmapClusterKey:            agentSpec.ClusterName,
 		commonState.DataPlaneConfigmapAgentVersionKey:       agentSpec.Version,
-		commonState.DataPlaneConfigmapDataplaneNamespaceKey: agentSpec.Namespace,
+		commonState.DataPlaneConfigmapDataplaneNamespaceKey: obj.Namespace,
 		commonState.DataPlaneConfigmapApiSchemeKey:          agentSpec.Gateways.ApiGateway.Scheme,
 		commonState.DataPlaneConfigmapApiHostKey:            agentSpec.Gateways.ApiGateway.Host,
 		commonState.DataPlaneConfigmapApiPortKey:            strconv.Itoa(agentSpec.Gateways.ApiGateway.Port),

diff --git a/cbcontainers/state/components/enforcer_deployment.go b/cbcontainers/state/components/enforcer_deployment.go
@@ -42,9 +42,9 @@ type EnforcerDeploymentK8sObject struct {
 	Namespace string
 }
 
-func NewEnforcerDeploymentK8sObject() *EnforcerDeploymentK8sObject {
+func NewEnforcerDeploymentK8sObject(namespace string) *EnforcerDeploymentK8sObject {
 	return &EnforcerDeploymentK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -84,8 +84,6 @@ func (obj *EnforcerDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 	if objectsDiffer(deployment.Spec.Template.Spec.ImagePullSecrets, desiredImagePullSecrets) {
 		deployment.Spec.Template.Spec.ImagePullSecrets = desiredImagePullSecrets
 	}
-	obj.Namespace = agentSpec.Namespace
-	deployment.Namespace = agentSpec.Namespace
 	obj.mutateAnnotations(deployment, enforcer)
 	obj.mutateVolumes(&deployment.Spec.Template.Spec)
 	obj.mutateAffinityAndNodeSelector(&deployment.Spec.Template.Spec, enforcer)

diff --git a/cbcontainers/state/components/enforcer_mutating_webhook.go b/cbcontainers/state/components/enforcer_mutating_webhook.go
@@ -34,10 +34,10 @@ type EnforcerMutatingWebhookK8sObject struct {
 	ServiceNamespace string
 }
 
-func NewEnforcerMutatingWebhookK8sObject(kubeletVersion string) *EnforcerMutatingWebhookK8sObject {
+func NewEnforcerMutatingWebhookK8sObject(serviceNamespace, kubeletVersion string) *EnforcerMutatingWebhookK8sObject {
 	return &EnforcerMutatingWebhookK8sObject{
 		kubeletVersion:   kubeletVersion,
-		ServiceNamespace: commonState.DataPlaneNamespaceName,
+		ServiceNamespace: serviceNamespace,
 	}
 }
 
@@ -65,10 +65,10 @@ func (obj *EnforcerMutatingWebhookK8sObject) MutateK8sObject(k8sObject client.Ob
 
 	enforcer := &agentSpec.Components.Basic.Enforcer
 	obj.mutateWebhookConfigurationLabels(webhookConfiguration, enforcer)
-	return obj.mutateWebhooks(webhookConfiguration, enforcer, agentSpec.Namespace)
+	return obj.mutateWebhooks(webhookConfiguration, enforcer)
 }
 
-func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration adapters.WebhookConfigurationAdapter, enforcer *cbcontainersv1.CBContainersEnforcerSpec, serviceNamespace string) error {
+func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration adapters.WebhookConfigurationAdapter, enforcer *cbcontainersv1.CBContainersEnforcerSpec) error {
 	var resourcesWebhookObj adapters.WebhookAdapter
 
 	initializeWebhooks := false
@@ -93,7 +93,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration
 		resourcesWebhookObj = updatedWebhooks[0]
 	}
 
-	obj.mutateResourcesWebhook(resourcesWebhookObj, enforcer.WebhookTimeoutSeconds, enforcer.FailurePolicy, serviceNamespace)
+	obj.mutateResourcesWebhook(resourcesWebhookObj, enforcer.WebhookTimeoutSeconds, enforcer.FailurePolicy)
 	return nil
 }
 
@@ -107,7 +107,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) findWebhookByName(webhooks []adapte
 	return nil, false
 }
 
-func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWebhook adapters.WebhookAdapter, timeoutSeconds int32, failurePolicy, serviceNamespace string) {
+func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWebhook adapters.WebhookAdapter, timeoutSeconds int32, failurePolicy string) {
 	resourcesWebhook.SetName(MutatingWebhookName)
 	resourcesWebhook.SetFailurePolicy(failurePolicy)
 	resourcesWebhook.SetSideEffects(MutatingWebhookSideEffect)
@@ -123,7 +123,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWeb
 	}
 	resourcesWebhook.SetCABundle(obj.tlsSecretValues.CaCert)
 	resourcesWebhook.SetServiceName(EnforcerName)
-	resourcesWebhook.SetServiceNamespace(serviceNamespace)
+	resourcesWebhook.SetServiceNamespace(obj.ServiceNamespace)
 	resourcesWebhook.SetServicePath(&MutatingWebhookPath)
 }
 

diff --git a/cbcontainers/state/components/enforcer_service.go b/cbcontainers/state/components/enforcer_service.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 
 	cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
-	commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 	coreV1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -21,9 +20,9 @@ type EnforcerServiceK8sObject struct {
 	Namespace string
 }
 
-func NewEnforcerServiceK8sObject() *EnforcerServiceK8sObject {
+func NewEnforcerServiceK8sObject(namespace string) *EnforcerServiceK8sObject {
 	return &EnforcerServiceK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -45,7 +44,6 @@ func (obj *EnforcerServiceK8sObject) MutateK8sObject(k8sObject client.Object, ag
 
 	service.Labels = enforcer.Labels
 	service.Spec.Type = coreV1.ServiceTypeClusterIP
-	service.Namespace = agentSpec.Namespace
 	service.Spec.Selector = map[string]string{
 		EnforcerLabelKey: EnforcerName,
 	}

diff --git a/cbcontainers/state/components/enforcer_tls_secret.go b/cbcontainers/state/components/enforcer_tls_secret.go
@@ -5,7 +5,6 @@ import (
 
 	cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
 	"github.com/vmware/cbcontainers-operator/cbcontainers/models"
-	commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 	coreV1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -26,10 +25,10 @@ type EnforcerTlsK8sObject struct {
 	Namespace string
 }
 
-func NewEnforcerTlsK8sObject(tlsSecretsValuesCreator TlsSecretsValuesCreator) *EnforcerTlsK8sObject {
+func NewEnforcerTlsK8sObject(namespace string, tlsSecretsValuesCreator TlsSecretsValuesCreator) *EnforcerTlsK8sObject {
 	return &EnforcerTlsK8sObject{
 		tlsSecretsValuesCreator: tlsSecretsValuesCreator,
-		Namespace:               commonState.DataPlaneNamespaceName,
+		Namespace:               namespace,
 	}
 }
 
@@ -47,7 +46,6 @@ func (obj *EnforcerTlsK8sObject) MutateK8sObject(k8sObject client.Object, spec *
 		return fmt.Errorf("expected Secret K8s object")
 	}
 
-	secret.Namespace = spec.Namespace
 	tlsSecretValues, err := obj.tlsSecretsValuesCreator.CreateTlsSecretsValues(types.NamespacedName{Name: EnforcerName, Namespace: obj.Namespace})
 	if err != nil {
 		return err

diff --git a/cbcontainers/state/components/enforcer_validating_webhook.go b/cbcontainers/state/components/enforcer_validating_webhook.go
@@ -7,7 +7,6 @@ import (
 	cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
 	"github.com/vmware/cbcontainers-operator/cbcontainers/models"
 	"github.com/vmware/cbcontainers-operator/cbcontainers/state/adapters"
-	commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 	"github.com/vmware/cbcontainers-operator/cbcontainers/utils"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -36,10 +35,10 @@ type EnforcerValidatingWebhookK8sObject struct {
 	ServiceNamespace string
 }
 
-func NewEnforcerValidatingWebhookK8sObject(kubeletVersion string) *EnforcerValidatingWebhookK8sObject {
+func NewEnforcerValidatingWebhookK8sObject(serviceNamespace, kubeletVersion string) *EnforcerValidatingWebhookK8sObject {
 	return &EnforcerValidatingWebhookK8sObject{
 		kubeletVersion:   kubeletVersion,
-		ServiceNamespace: commonState.DataPlaneNamespaceName,
+		ServiceNamespace: serviceNamespace,
 	}
 }
 

diff --git a/cbcontainers/state/components/image_scanning_reporter_deployment.go b/cbcontainers/state/components/image_scanning_reporter_deployment.go
@@ -34,9 +34,9 @@ type ImageScanningReporterDeploymentK8sObject struct {
 	Namespace string
 }
 
-func NewImageScanningReporterDeploymentK8sObject() *ImageScanningReporterDeploymentK8sObject {
+func NewImageScanningReporterDeploymentK8sObject(namespace string) *ImageScanningReporterDeploymentK8sObject {
 	return &ImageScanningReporterDeploymentK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -55,7 +55,6 @@ func (obj *ImageScanningReporterDeploymentK8sObject) MutateK8sObject(k8sObject c
 	}
 
 	clusterScanning := &agentSpec.Components.ClusterScanning
-	deployment.Namespace = agentSpec.Namespace
 	imageScanningReporter := &clusterScanning.ImageScanningReporter
 	obj.initiateDeployment(deployment, agentSpec)
 	obj.mutateLabels(deployment, imageScanningReporter)

diff --git a/cbcontainers/state/components/image_scanning_reporter_service.go b/cbcontainers/state/components/image_scanning_reporter_service.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 
 	cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
-	commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 	coreV1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -21,9 +20,9 @@ type ImageScanningReporterServiceK8sObject struct {
 	Namespace string
 }
 
-func NewImageScanningReporterServiceK8sObject() *ImageScanningReporterServiceK8sObject {
+func NewImageScanningReporterServiceK8sObject(namespace string) *ImageScanningReporterServiceK8sObject {
 	return &ImageScanningReporterServiceK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -43,7 +42,6 @@ func (obj *ImageScanningReporterServiceK8sObject) MutateK8sObject(k8sObject clie
 
 	imageScanningReporter := &agentSpec.Components.ClusterScanning.ImageScanningReporter
 
-	service.Namespace = agentSpec.Namespace
 	service.Labels = imageScanningReporter.Labels
 	service.Spec.Type = coreV1.ServiceTypeClusterIP
 	service.Spec.Selector = map[string]string{

diff --git a/cbcontainers/state/components/monitor_deployment.go b/cbcontainers/state/components/monitor_deployment.go
@@ -37,9 +37,9 @@ type MonitorDeploymentK8sObject struct {
 	Namespace string
 }
 
-func NewMonitorDeploymentK8sObject() *MonitorDeploymentK8sObject {
+func NewMonitorDeploymentK8sObject(namespace string) *MonitorDeploymentK8sObject {
 	return &MonitorDeploymentK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -76,7 +76,6 @@ func (obj *MonitorDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 		deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
 	}
 
-	deployment.Namespace = agentSpec.Namespace
 	deployment.Spec.Replicas = &MonitorReplicas
 	deployment.ObjectMeta.Labels = desiredLabels
 	deployment.Spec.Selector.MatchLabels = desiredLabels

diff --git a/cbcontainers/state/components/registry_secret.go b/cbcontainers/state/components/registry_secret.go
@@ -18,9 +18,9 @@ type RegistrySecretK8sObject struct {
 	Namespace string
 }
 
-func NewRegistrySecretK8sObject() *RegistrySecretK8sObject {
+func NewRegistrySecretK8sObject(namespace string) *RegistrySecretK8sObject {
 	return &RegistrySecretK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -46,7 +46,6 @@ func (obj *RegistrySecretK8sObject) MutateK8sObject(k8sObject client.Object, spe
 
 	secret.Type = obj.registrySecretValues.Type
 	secret.Data = obj.registrySecretValues.Data
-	secret.Namespace = spec.Namespace
 
 	return nil
 }
diff --git a/cbcontainers/state/components/resolver_service.go b/cbcontainers/state/components/resolver_service.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 
 	cbcontainersv1 "github.com/vmware/cbcontainers-operator/api/v1"
-	commonState "github.com/vmware/cbcontainers-operator/cbcontainers/state/common"
 	coreV1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -20,9 +19,9 @@ type ResolverServiceK8sObject struct {
 	Namespace string
 }
 
-func NewResolverServiceK8sObject() *ResolverServiceK8sObject {
+func NewResolverServiceK8sObject(namespace string) *ResolverServiceK8sObject {
 	return &ResolverServiceK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -46,7 +45,6 @@ func (obj *ResolverServiceK8sObject) MutateK8sObject(k8sObject client.Object, ag
 	service.Spec.Type = coreV1.ServiceTypeClusterIP
 	service.Spec.ClusterIP = coreV1.ClusterIPNone
 
-	service.Namespace = agentSpec.Namespace
 	service.Spec.Selector = map[string]string{
 		resolverLabelKey: ResolverName,
 	}

diff --git a/cbcontainers/state/components/runtime_resolver_deployment.go b/cbcontainers/state/components/runtime_resolver_deployment.go
@@ -36,9 +36,9 @@ type ResolverDeploymentK8sObject struct {
 	APIReader client.Reader
 }
 
-func NewResolverDeploymentK8sObject(apiReader client.Reader) *ResolverDeploymentK8sObject {
+func NewResolverDeploymentK8sObject(namespace string, apiReader client.Reader) *ResolverDeploymentK8sObject {
 	return &ResolverDeploymentK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 		APIReader: apiReader,
 	}
 }
@@ -89,7 +89,6 @@ func (obj *ResolverDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 		}
 	}
 
-	deployment.Namespace = agentSpec.Namespace
 	deployment.Spec.Replicas = replicasCount
 	deployment.ObjectMeta.Labels = desiredLabels
 	deployment.Spec.Selector.MatchLabels = desiredLabels

diff --git a/cbcontainers/state/components/sensor_daemon_set.go b/cbcontainers/state/components/sensor_daemon_set.go
@@ -95,9 +95,9 @@ type SensorDaemonSetK8sObject struct {
 	Namespace string
 }
 
-func NewSensorDaemonSetK8sObject() *SensorDaemonSetK8sObject {
+func NewSensorDaemonSetK8sObject(namespace string) *SensorDaemonSetK8sObject {
 	return &SensorDaemonSetK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -131,7 +131,6 @@ func (obj *SensorDaemonSetK8sObject) MutateK8sObject(k8sObject client.Object, ag
 		daemonSet.Spec.Template.Spec.HostPID = false
 	}
 
-	daemonSet.Namespace = agentSpec.Namespace
 	obj.mutateLabels(daemonSet, agentSpec)
 	obj.mutateAnnotations(daemonSet, agentSpec)
 	obj.mutateVolumes(daemonSet, agentSpec)

diff --git a/cbcontainers/state/components/state_reporter_deployment.go b/cbcontainers/state/components/state_reporter_deployment.go
@@ -32,9 +32,9 @@ type StateReporterDeploymentK8sObject struct {
 	Namespace string
 }
 
-func NewStateReporterDeploymentK8sObject() *StateReporterDeploymentK8sObject {
+func NewStateReporterDeploymentK8sObject(namespace string) *StateReporterDeploymentK8sObject {
 	return &StateReporterDeploymentK8sObject{
-		Namespace: commonState.DataPlaneNamespaceName,
+		Namespace: namespace,
 	}
 }
 
@@ -72,7 +72,6 @@ func (obj *StateReporterDeploymentK8sObject) MutateK8sObject(k8sObject client.Ob
 		deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
 	}
 
-	deployment.Namespace = agentSpec.Namespace
 	deployment.Spec.Replicas = &StateReporterReplicas
 	deployment.ObjectMeta.Labels = desiredLabels
 	deployment.Spec.Selector.MatchLabels = desiredLabels