Set the operator up with enforced secrets

To prevent arbitrary secret access using compromised SAs, the SAs created by Submariner are now configured to enforce mountable secrets. This requires that accessible secrets be listed explicitly in the SA. To make this simple, use a static name for the broker secret. To allow secrets to be configured, leave them alone when creating or updating the SAs. Signed-off-by: Stephen Kitt <[email protected]>
submariner-io · May 15, 2024 · 3d0bcac · 3d0bcac
1 parent c3be593
commit 3d0bcac
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 9 deletions.
diff --git a/go.mod b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/submariner-io/lighthouse v0.18.0-m3
 	github.com/submariner-io/shipyard v0.18.0-m3
 	github.com/submariner-io/submariner v0.18.0-m3
-	github.com/submariner-io/submariner-operator v0.18.0-m3.0.20240507123154-22f72647baf5
+	github.com/submariner-io/submariner-operator v0.18.0-m3.0.20240515114358-cfdfb992ebae
 	github.com/uw-labs/lichen v0.1.7
 	golang.org/x/net v0.25.0
 	golang.org/x/oauth2 v0.20.0

diff --git a/go.sum b/go.sum
@@ -529,8 +529,8 @@ github.com/submariner-io/shipyard v0.18.0-m3 h1:N0/BAwTv5p6O7PgvQeouUzcgybJtq7QQ
 github.com/submariner-io/shipyard v0.18.0-m3/go.mod h1:qs1LOCrPfM6H3JzR8TWNXFW4hvBiY+8gJ6OOjF4o4E0=
 github.com/submariner-io/submariner v0.18.0-m3 h1:IVpsPwFHLc1AK4/Ga8GtgdXVxnu3w7SfmoEgprmrcOw=
 github.com/submariner-io/submariner v0.18.0-m3/go.mod h1:tvUTVjiY98DavqZODJtP8Qu5ubyrsR9ej8kahSCY8G8=
-github.com/submariner-io/submariner-operator v0.18.0-m3.0.20240507123154-22f72647baf5 h1:b95vo3VsbKgyxc3nHDCGZl7ifleK7GSyjmooxYxfCJQ=
-github.com/submariner-io/submariner-operator v0.18.0-m3.0.20240507123154-22f72647baf5/go.mod h1:JIxqSFy3BCA12tTi3rfO5BfYfpUq0dx/PHv/KR7ypUo=
+github.com/submariner-io/submariner-operator v0.18.0-m3.0.20240515114358-cfdfb992ebae h1:a1YKMCT4A9kj4P90Kfn7Bp5zXGwZz90Su0JUGQ3BlRU=
+github.com/submariner-io/submariner-operator v0.18.0-m3.0.20240515114358-cfdfb992ebae/go.mod h1:9vo1bFNhNOpyd/+qjbW2MhQBA33jk9ZPHK7uFZC8zm0=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=

diff --git a/pkg/join/join.go b/pkg/join/join.go
@@ -210,7 +210,7 @@ func populateBrokerSecret(brokerInfo *broker.Info) *v1.Secret {
 	// We need to copy the broker token secret as an opaque secret to store it in the connecting cluster
 	return &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "broker-secret-",
+			Name: "submariner-broker-secret",
 		},
 		Type: v1.SecretTypeOpaque,
 		Data: brokerInfo.ClientToken.Data,

diff --git a/pkg/serviceaccount/ensure.go b/pkg/serviceaccount/ensure.go
@@ -43,11 +43,7 @@ const (
 )
 
 func ensure(ctx context.Context, kubeClient kubernetes.Interface, namespace string, sa *corev1.ServiceAccount) (bool, error) {
-	result, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa,
-		func(existing *corev1.ServiceAccount) (*corev1.ServiceAccount, error) {
-			existing.Secrets = nil
-			return existing, nil
-		})
+	result, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa, util.Replace(sa))
 
 	return result == util.OperationResultCreated, errors.Wrapf(err, "error creating or updating ServiceAccount %q", sa.Name)
 }