CNS-2801 - Minimize the operator's RBAC access

api/v1/cbcontainersagent_types.go

@@ -30,7 +30,12 @@ type CBContainersAgentSpec struct {
 	ClusterName string                   `json:"clusterName,required"`
 	Version     string                   `json:"version,required"`
 	Gateways    CBContainersGatewaysSpec `json:"gateways,required"`
+	// The field below remains to avoid moving the CRD from v1 to v2.
+	// It MUST not be used as agent namespace should be controlled outside the operator itself.
+	// This is because a custom namespace in the CRD requires high privileges by the operator across the whole cluster to be able to "switch" namespaces on demand.
+
 	// +kubebuilder:default:="cbcontainers-dataplane"
+	// Namespace is deprecated and the value has no effect. Do not use.
 	Namespace string `json:"namespace,omitempty"`
 	// +kubebuilder:default:="cbcontainers-access-token"
 	AccessTokenSecretName string `json:"accessTokenSecretName,omitempty"`

cbcontainers/state/components/cluster_configmap.go

@@ -35,12 +35,12 @@ func (obj *ConfigurationK8sObject) MutateK8sObject(k8sObject client.Object, agen
 		return fmt.Errorf("expected ConfigMap K8s object")
 	}
 
-	configMap.Namespace = agentSpec.Namespace
+	configMap.Namespace = obj.Namespace
 	configMap.Data = map[string]string{
 		commonState.DataPlaneConfigmapAccountKey:            agentSpec.Account,
 		commonState.DataPlaneConfigmapClusterKey:            agentSpec.ClusterName,
 		commonState.DataPlaneConfigmapAgentVersionKey:       agentSpec.Version,
-		commonState.DataPlaneConfigmapDataplaneNamespaceKey: agentSpec.Namespace,
+		commonState.DataPlaneConfigmapDataplaneNamespaceKey: configMap.Namespace,
 		commonState.DataPlaneConfigmapApiSchemeKey:          agentSpec.Gateways.ApiGateway.Scheme,
 		commonState.DataPlaneConfigmapApiHostKey:            agentSpec.Gateways.ApiGateway.Host,
 		commonState.DataPlaneConfigmapApiPortKey:            strconv.Itoa(agentSpec.Gateways.ApiGateway.Port),

cbcontainers/state/components/enforcer_deployment.go

@@ -84,8 +84,7 @@ func (obj *EnforcerDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 	if objectsDiffer(deployment.Spec.Template.Spec.ImagePullSecrets, desiredImagePullSecrets) {
 		deployment.Spec.Template.Spec.ImagePullSecrets = desiredImagePullSecrets
 	}
-	obj.Namespace = agentSpec.Namespace
-	deployment.Namespace = agentSpec.Namespace
+	deployment.Namespace = obj.Namespace
 	obj.mutateAnnotations(deployment, enforcer)
 	obj.mutateVolumes(&deployment.Spec.Template.Spec)
 	obj.mutateAffinityAndNodeSelector(&deployment.Spec.Template.Spec, enforcer)

cbcontainers/state/components/enforcer_mutating_webhook.go

@@ -65,10 +65,10 @@ func (obj *EnforcerMutatingWebhookK8sObject) MutateK8sObject(k8sObject client.Ob
 
 	enforcer := &agentSpec.Components.Basic.Enforcer
 	obj.mutateWebhookConfigurationLabels(webhookConfiguration, enforcer)
-	return obj.mutateWebhooks(webhookConfiguration, enforcer, agentSpec.Namespace)
+	return obj.mutateWebhooks(webhookConfiguration, enforcer)
 }
 
-func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration adapters.WebhookConfigurationAdapter, enforcer *cbcontainersv1.CBContainersEnforcerSpec, serviceNamespace string) error {
+func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration adapters.WebhookConfigurationAdapter, enforcer *cbcontainersv1.CBContainersEnforcerSpec) error {
 	var resourcesWebhookObj adapters.WebhookAdapter
 
 	initializeWebhooks := false
@@ -93,7 +93,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) mutateWebhooks(webhookConfiguration
 		resourcesWebhookObj = updatedWebhooks[0]
 	}
 
-	obj.mutateResourcesWebhook(resourcesWebhookObj, enforcer.WebhookTimeoutSeconds, enforcer.FailurePolicy, serviceNamespace)
+	obj.mutateResourcesWebhook(resourcesWebhookObj, enforcer.WebhookTimeoutSeconds, enforcer.FailurePolicy)
 	return nil
 }
 
@@ -107,7 +107,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) findWebhookByName(webhooks []adapte
 	return nil, false
 }
 
-func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWebhook adapters.WebhookAdapter, timeoutSeconds int32, failurePolicy, serviceNamespace string) {
+func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWebhook adapters.WebhookAdapter, timeoutSeconds int32, failurePolicy string) {
 	resourcesWebhook.SetName(MutatingWebhookName)
 	resourcesWebhook.SetFailurePolicy(failurePolicy)
 	resourcesWebhook.SetSideEffects(MutatingWebhookSideEffect)
@@ -123,7 +123,7 @@ func (obj *EnforcerMutatingWebhookK8sObject) mutateResourcesWebhook(resourcesWeb
 	}
 	resourcesWebhook.SetCABundle(obj.tlsSecretValues.CaCert)
 	resourcesWebhook.SetServiceName(EnforcerName)
-	resourcesWebhook.SetServiceNamespace(serviceNamespace)
+	resourcesWebhook.SetServiceNamespace(obj.ServiceNamespace)
 	resourcesWebhook.SetServicePath(&MutatingWebhookPath)
 }
 

cbcontainers/state/components/enforcer_service.go

@@ -45,7 +45,7 @@ func (obj *EnforcerServiceK8sObject) MutateK8sObject(k8sObject client.Object, ag
 
 	service.Labels = enforcer.Labels
 	service.Spec.Type = coreV1.ServiceTypeClusterIP
-	service.Namespace = agentSpec.Namespace
+	service.Namespace = obj.Namespace
 	service.Spec.Selector = map[string]string{
 		EnforcerLabelKey: EnforcerName,
 	}

cbcontainers/state/components/enforcer_tls_secret.go

@@ -47,7 +47,7 @@ func (obj *EnforcerTlsK8sObject) MutateK8sObject(k8sObject client.Object, spec *
 		return fmt.Errorf("expected Secret K8s object")
 	}
 
-	secret.Namespace = spec.Namespace
+	secret.Namespace = obj.Namespace
 	tlsSecretValues, err := obj.tlsSecretsValuesCreator.CreateTlsSecretsValues(types.NamespacedName{Name: EnforcerName, Namespace: obj.Namespace})
 	if err != nil {
 		return err

cbcontainers/state/components/image_scanning_reporter_deployment.go

@@ -55,7 +55,7 @@ func (obj *ImageScanningReporterDeploymentK8sObject) MutateK8sObject(k8sObject c
 	}
 
 	clusterScanning := &agentSpec.Components.ClusterScanning
-	deployment.Namespace = agentSpec.Namespace
+	deployment.Namespace = obj.Namespace
 	imageScanningReporter := &clusterScanning.ImageScanningReporter
 	obj.initiateDeployment(deployment, agentSpec)
 	obj.mutateLabels(deployment, imageScanningReporter)

cbcontainers/state/components/image_scanning_reporter_service.go

@@ -43,7 +43,7 @@ func (obj *ImageScanningReporterServiceK8sObject) MutateK8sObject(k8sObject clie
 
 	imageScanningReporter := &agentSpec.Components.ClusterScanning.ImageScanningReporter
 
-	service.Namespace = agentSpec.Namespace
+	service.Namespace = obj.Namespace
 	service.Labels = imageScanningReporter.Labels
 	service.Spec.Type = coreV1.ServiceTypeClusterIP
 	service.Spec.Selector = map[string]string{

cbcontainers/state/components/monitor_deployment.go

@@ -76,7 +76,7 @@ func (obj *MonitorDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 		deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
 	}
 
-	deployment.Namespace = agentSpec.Namespace
+	deployment.Namespace = obj.Namespace
 	deployment.Spec.Replicas = &MonitorReplicas
 	deployment.ObjectMeta.Labels = desiredLabels
 	deployment.Spec.Selector.MatchLabels = desiredLabels

cbcontainers/state/components/registry_secret.go

@@ -46,7 +46,7 @@ func (obj *RegistrySecretK8sObject) MutateK8sObject(k8sObject client.Object, spe
 
 	secret.Type = obj.registrySecretValues.Type
 	secret.Data = obj.registrySecretValues.Data
-	secret.Namespace = spec.Namespace
+	secret.Namespace = obj.Namespace
 
 	return nil
 }

cbcontainers/state/components/resolver_service.go

@@ -46,7 +46,7 @@ func (obj *ResolverServiceK8sObject) MutateK8sObject(k8sObject client.Object, ag
 	service.Spec.Type = coreV1.ServiceTypeClusterIP
 	service.Spec.ClusterIP = coreV1.ClusterIPNone
 
-	service.Namespace = agentSpec.Namespace
+	service.Namespace = obj.Namespace
 	service.Spec.Selector = map[string]string{
 		resolverLabelKey: ResolverName,
 	}

cbcontainers/state/components/runtime_resolver_deployment.go

@@ -89,7 +89,7 @@ func (obj *ResolverDeploymentK8sObject) MutateK8sObject(k8sObject client.Object,
 		}
 	}
 
-	deployment.Namespace = agentSpec.Namespace
+	deployment.Namespace = obj.Namespace
 	deployment.Spec.Replicas = replicasCount
 	deployment.ObjectMeta.Labels = desiredLabels
 	deployment.Spec.Selector.MatchLabels = desiredLabels

cbcontainers/state/components/sensor_daemon_set.go

@@ -120,7 +120,7 @@ func (obj *SensorDaemonSetK8sObject) MutateK8sObject(k8sObject client.Object, ag
 		daemonSet.Spec.Template.Spec.HostPID = false
 	}
 
-	daemonSet.Namespace = agentSpec.Namespace
+	daemonSet.Namespace = obj.Namespace
 	obj.mutateLabels(daemonSet, agentSpec)
 	obj.mutateAnnotations(daemonSet, agentSpec)
 	obj.mutateVolumes(daemonSet, agentSpec)

cbcontainers/state/components/state_reporter_deployment.go

@@ -72,7 +72,7 @@ func (obj *StateReporterDeploymentK8sObject) MutateK8sObject(k8sObject client.Ob
 		deployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
 	}
 
-	deployment.Namespace = agentSpec.Namespace
+	deployment.Namespace = obj.Namespace
 	deployment.Spec.Replicas = &StateReporterReplicas
 	deployment.ObjectMeta.Labels = desiredLabels
 	deployment.Spec.Selector.MatchLabels = desiredLabels

cbcontainers/state/state_applier.go

@@ -39,9 +39,10 @@ type StateApplier struct {
 	imageScanningReporterService    *components.ImageScanningReporterServiceK8sObject
 	applier                         AgentComponentApplier
 	log                             logr.Logger
+	agentNamespace                  string
 }
 
-func NewStateApplier(apiReader client.Reader, agentComponentApplier AgentComponentApplier, k8sVersion string, tlsSecretsValuesCreator components.TlsSecretsValuesCreator, log logr.Logger) *StateApplier {
+func NewStateApplier(apiReader client.Reader, agentComponentApplier AgentComponentApplier, k8sVersion, agentNamespace string, tlsSecretsValuesCreator components.TlsSecretsValuesCreator, log logr.Logger) *StateApplier {
 	return &StateApplier{
 		desiredConfigMap:                components.NewConfigurationK8sObject(),
 		desiredRegistrySecret:           components.NewRegistrySecretK8sObject(),
@@ -60,6 +61,7 @@ func NewStateApplier(apiReader client.Reader, agentComponentApplier AgentCompone
 		imageScanningReporterService:    components.NewImageScanningReporterServiceK8sObject(),
 		applier:                         agentComponentApplier,
 		log:                             log,
+		agentNamespace:                  agentNamespace,
 	}
 }
 
@@ -69,13 +71,7 @@ func (c *StateApplier) GetPriorityClassEmptyK8sObject() client.Object {
 
 func (c *StateApplier) ApplyDesiredState(ctx context.Context, agentSpec *cbcontainersv1.CBContainersAgentSpec, registrySecret *models.RegistrySecretValues, setOwner applymentOptions.OwnerSetter) (bool, error) {
 	applyOptions := applymentOptions.NewApplyOptions().SetOwnerSetter(setOwner)
-
-	// The namespace field of the agent spec should always be populated, because it has a default value
-	// but just in case include this check here in case it turns out to be empty in the future.
-	// By default all objects have the "cbcontainers-dataplane" as namespace.
-	if agentSpec.Namespace != "" {
-		c.setNamespace(agentSpec.Namespace)
-	}
+	c.setNamespace(c.agentNamespace)
 
 	coreMutated, err := c.applyCoreComponents(ctx, agentSpec, registrySecret, applyOptions)
 	if err != nil {

cbcontainers/state/state_applier_test.go

@@ -148,7 +148,6 @@ func testStateApplier(t *testing.T, setup StateApplierTestSetup, k8sVersion, nam
 	agentSpec := &cbcontainersv1.CBContainersAgentSpec{
 		Account:     Account,
 		ClusterName: Cluster,
-		Namespace:   namespace,
 		Gateways: cbcontainersv1.CBContainersGatewaysSpec{
 			ApiGateway: cbcontainersv1.CBContainersApiGatewaySpec{
 				Scheme:  ApiGateWayScheme,
@@ -190,7 +189,7 @@ func testStateApplier(t *testing.T, setup StateApplierTestSetup, k8sVersion, nam
 
 	setup(mockObjects)
 
-	stateApplier := state.NewStateApplier(testUtilsMocks.NewMockReader(ctrl), mockObjects.componentApplier, k8sVersion, mockObjects.secretValuesCreator, logrTesting.NewTestLogger(t))
+	stateApplier := state.NewStateApplier(testUtilsMocks.NewMockReader(ctrl), mockObjects.componentApplier, k8sVersion, namespace, mockObjects.secretValuesCreator, logrTesting.NewTestLogger(t))
 	return stateApplier.ApplyDesiredState(context.Background(), agentSpec, &models.RegistrySecretValues{}, nil)
 }
 

charts/cbcontainers-agent/README.md

@@ -21,15 +21,7 @@ There are 8 required fields that need to be provided by the user:
 | `spec.gateways.hardeningEventsGatewayHost` | The URL of the CBC Hardening events Gateway       |
 | `spec.gateways.runtimeEventsGatewayHost`   | The URL of the CBC Runtime events Gateway         |
 
-After setting these required fields in a `values.yaml` file you can install the chart from our repo:
-
-```sh
-helm repo add vmware TODO-chart-repo/TODO-chart-name -f values.yaml
-helm repo update
-helm install cbcontainers-agent TODO-chart-repo/TODO-chart-name -f values.yaml --namespace cbcontainers-dataplane
-```
-
-or from source
+After setting these required fields in a `values.yaml` file you can install the chart from source
 
 ```sh
 cd charts/cbcontainers-agent
@@ -46,9 +38,14 @@ For all the possible values see <https://github.com/octarinesec/octarine-operato
 
 ### Namespace
 
-By default the CBContainers agent will be installed in the `cbcontainers-dataplane` namespace.
+The CBContainers agent will be running in the same namespace as the deployed operator. This is by design as only 1 running agent per cluster is supported.
+To customize that namespace, see [operator-chart](../cbcontainers-operator).
+
+The actual namespace where helm tracks the release (see [--namespace flag](https://helm.sh/docs/helm/helm_install/)) is not important to the agent chart, 
+but the recommended approach is to also use the same namespace as the operator chart.
 
-If you want to change that set the `agentNamespce` value in your `values.yaml` file.
+The `agentNamespace` value is only required if the agent chart is responsible for deploying the agent's secret as well. See [secret detection](#secret-creation) for details.
+If the secret is pre-created before deploying the agent, then `agentNamespace` has no effect.  
 
 ### Secret creation
 

charts/cbcontainers-agent/cbcontainers-agent-chart/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: cbcontainers-agent
 description: A Helm chart for installing the CBContainers Agent
 type: application
-version: 1.0.0
-appVersion: "2.11.0"
+version: 2.0.0
+appVersion: "2.12.1"

charts/cbcontainers-agent/cbcontainers-agent-chart/values.yaml

@@ -9,5 +9,5 @@ clusterGroup: ""
 # clusterName is the name that will be used for the cluster that the agent is installed on
 clusterName: ""
 # agentNamespace is the name of the namespace in which the agent will be installed
-# that namespace should exist before the chart is installed
+# that namespace must exist before the chart is installed and must match the namespace where the operator is deployed
 agentNamespace: "cbcontainers-dataplane"

charts/cbcontainers-operator/README.md

@@ -12,30 +12,22 @@ The chart can be installed as is, without any customization or modifications.
 
 You can create the Helm release in any namespace that you want.
 
-You can also customize the namespace in which the operator is installed.
+You can also customize the namespace in which the operator itself is installed.
 See [Customization](#namespace).
 
 ### Installing the operator chart
 
-Now, install the actual helm chart in the namespace based on the chosen option 1 or 2 above.
-
-```sh
-helm repo add vmware TODO-chart-repo/TODO-chart-name
-helm repo update
-helm install cbcontainers-operator TODO-chart-repo/TODO-chart-name --namespace X
-```
-
-or from source:
+Now, install the actual helm chart from source:
 
 ```sh
 cd charts/cbcontainers-operator
-helm install cbcontainers-operator ./cbcontainers-operator-chart --namespace X
+helm install cbcontainers-operator ./cbcontainers-operator-chart
 ```
 
 ## Customization
 
 | Parameter                        | Description                                         | Default                                                                            |
-| -------------------------------- | --------------------------------------------------- | ---------------------------------------------------------------------------------- |
+|----------------------------------|-----------------------------------------------------|------------------------------------------------------------------------------------|
 | `spec.operator.image.repository` | The repository of the operator image                | `cbartifactory/octarine-operator`                                                  |
 | `spec.operator.image.version`    | The version of the operator image                   | The latest version of the operator image                                           |
 | `spec.operator.resources`        | Carbon Black Container Operator resources           | `{requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}` |
@@ -51,6 +43,16 @@ If you want to change that, set the `operatorNamespace` field in your `values.ya
 The chart will automatically create the namespace that you have chosen to install the operator into.
 If you don't want to do that (because you have already created the namespace), set the `createOperatorNamespace` field in your `values.yaml` file to `false`.
 
+If the namespace is pre-created, then it must also be labeled properly or the operator and agent might not reconcile successfully. 
+The commands below show an example of creating a custom namespace, labeling and installing the operator inside.
+
+```sh
+NAMESPACE=<choose_your_value>
+kubectl create namespace $NAMESPACE
+kubectl label namespace $NAMESPACE control-plane=operator octarine=ignore
+helm install cbcontainers-operator ./cbcontainers-operator-chart --set createOperatorNamespace=false,operatorNamespace=$NAMESPACE
+```
+
 ### CRD Installation
 
 By default, installing the chart will also create the `CBContainersAgent` CRD.
@@ -71,7 +73,7 @@ For more info see <https://github.com/octarinesec/octarine-operator/tree/master#
 
 ## Templates
 
-This chart consists of two [templates](cbcontainers-operator-chart/templates).
+This chart consists of four [templates](cbcontainers-operator-chart/templates).
 
 The [operator.yaml](cbcontainers-operator-chart/templates/operator.yaml) file contains all resources, apart from the operator deployment.
 It is generated via `kustomize`.
@@ -81,3 +83,6 @@ The [deployment.yaml](cbcontainers-operator-chart/templates/deployment.yaml) fil
 It is derived from [this Kustomize configuration](../../config/manager) but because it needs to be configurable via Helm it is heavily templated.
 Because of that it cannot be generated automatically, so it should be maintained by hand.
 If any changes are make to the [Kustomize configuration](../../config/manager), they should also be reflected in that file.
+
+The [dataplane_rbac.yaml](cbcontainers-operator-chart/templates/dataplane_rbac.yaml) and [dataplane_service_accounts](cbcontainers-operator-chart/templates/dataplane_service_accounts.yaml) 
+files contain necessary RBAC objects for the agent to work as expected. 

charts/cbcontainers-operator/cbcontainers-operator-chart/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: cbcontainers-operator
 description: A Helm chart for installing the CBContainers operator
 type: application
-version: 1.0.0
-appVersion: v5.6.0
+version: 2.0.0
+appVersion: v5.6.2

charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml → charts/cbcontainers-operator/cbcontainers-operator-chart/templates/dataplane_rbac.yaml

@@ -115,7 +115,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: cbcontainers-agent-node
-    namespace: {{ default "cbcontainers-dataplane" .Values.agentNamespace }}
+    namespace: {{ default "cbcontainers-dataplane" .Values.operatorNamespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -128,7 +128,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: cbcontainers-enforcer
-    namespace: {{ default "cbcontainers-dataplane" .Values.agentNamespace }}
+    namespace: {{ default "cbcontainers-dataplane" .Values.operatorNamespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -141,7 +141,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: cbcontainers-image-scanning
-    namespace: {{ default "cbcontainers-dataplane" .Values.agentNamespace }}
+    namespace: {{ default "cbcontainers-dataplane" .Values.operatorNamespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -154,7 +154,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: cbcontainers-monitor
-    namespace: {{ default "cbcontainers-dataplane" .Values.agentNamespace }}
+    namespace: {{ default "cbcontainers-dataplane" .Values.operatorNamespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -167,7 +167,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: cbcontainers-runtime-resolver
-    namespace: {{ default "cbcontainers-dataplane" .Values.agentNamespace }}
+    namespace: {{ default "cbcontainers-dataplane" .Values.operatorNamespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -180,4 +180,4 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: cbcontainers-state-reporter
-    namespace: {{ default "cbcontainers-dataplane" .Values.agentNamespace }}
+    namespace: {{ default "cbcontainers-dataplane" .Values.operatorNamespace }}