storage-operator: Tighten ClusterRole permissions

We don't want too open permissions for security reasons that were made obvious in #2634. We thus reduce the rules deployed to the bare minimum, and add some inline comments to better explain why each ruleset is needed. Fixes: #2084
scality · Jun 19, 2020 · 7bea636 · 7bea636
1 parent d5814cc
commit 7bea636
Showing 1 changed file with 51 additions and 16 deletions.
diff --git a/storage-operator/deploy/role.yaml b/storage-operator/deploy/role.yaml
@@ -4,36 +4,63 @@ metadata:
   creationTimestamp: null
   name: storage-operator
 rules:
+# For recording transition events
 - apiGroups:
   - ""
   resources:
-  - pods
-  - nodes
-  - services
-  - endpoints
-  - persistentvolumes
-  - persistentvolumeclaims
   - events
-  - configmaps
-  - secrets
   verbs:
-  - '*'
+  - create
+  - patch
+# For setting up monitoring for itself
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - create
+  - update
 - apiGroups:
   - apps
   resources:
   - deployments
-  - daemonsets
   - replicasets
-  - statefulsets
   verbs:
-  - '*'
+  - get
 - apiGroups:
   - monitoring.coreos.com
   resources:
   - servicemonitors
   verbs:
   - get
   - create
+# For reading its own name and namespace
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+# For managing its lock
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - storage-operator-lock
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  # NOTE: cannot scope "create" to a resourceName, see
+  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
+  - create
+# For managing its own graceful termination
 - apiGroups:
   - apps
   resourceNames:
@@ -42,24 +69,32 @@ rules:
   - deployments/finalizers
   verbs:
   - update
+# For managing owned PVs
 - apiGroups:
   - ""
   resources:
-  - pods
+  - persistentvolumes
   verbs:
-  - get
+  - '*'
+# For reading a Node's MetalK8s version
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - replicasets
+  - nodes
   verbs:
   - get
+  # NOTE: we only use "get" in code, but the controller-runtime tooling uses
+  #       "list" and "watch" to manage a cache
+  - list
+  - watch
+# For every custom resource from this Operator
 - apiGroups:
   - storage.metalk8s.scality.com
   resources:
   - '*'
   verbs:
   - '*'
+# For reading device preparation details (formatting and mounting options)
 - apiGroups:
   - storage.k8s.io
   resources: