Restrict the controller to watch only kcp-system namespace

kyma-project · Nov 25, 2024 · 620b488 · 620b488
1 parent 0a48f6c
commit 620b488
Show file tree

Hide file tree

Showing 10 changed files with 51 additions and 40 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -22,7 +22,9 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	corev1 "k8s.io/api/core/v1"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"time"
 
 	"github.com/gardener/gardener/pkg/apis/core/v1beta1"
@@ -41,6 +43,7 @@ import (
 	"github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs"
 	"github.com/pkg/errors"
 	rbacv1 "k8s.io/api/rbac/v1"
+	k8slabels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -119,6 +122,7 @@ func main() {
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "f1c68560.kyma-project.io",
+		Cache:                  restrictWatchedNamespace(),
 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 		// when the Manager ends. This requires the binary to immediately end when the
 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
@@ -314,3 +318,26 @@ func refreshRuntimeMetrics(restConfig *rest.Config, logger logr.Logger, metrics
 		metrics.SetRuntimeStates(rt)
 	}
 }
+
+func restrictWatchedNamespace() cache.Options {
+	return cache.Options{
+		ByObject: map[client.Object]cache.ByObject{
+			&corev1.Secret{}: {
+				Label: k8slabels.Everything(),
+				Namespaces: map[string]cache.Config{
+					"kcp-system": {},
+				},
+			},
+			&infrastructuremanagerv1.Runtime{}: {
+				Namespaces: map[string]cache.Config{
+					"kcp-system": {},
+				},
+			},
+			&infrastructuremanagerv1.GardenerCluster{}: {
+				Namespaces: map[string]cache.Config{
+					"kcp-system": {},
+				},
+			},
+		},
+	}
+}
diff --git a/config/rbac/cluster_editor_role.yaml b/config/rbac/cluster_editor_role.yaml
@@ -1,15 +1,16 @@
 # permissions for end users to edit clusters.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/name: 1errole
     app.kubernetes.io/instance: cluster-editor-role
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: cluster-editor-role
+  namespace: kcp-system
 rules:
 - apiGroups:
   - infrastructuremanager.kyma-project.io

diff --git a/config/rbac/cluster_viewer_role.yaml b/config/rbac/cluster_viewer_role.yaml
@@ -1,6 +1,6 @@
 # permissions for end users to view clusters.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   labels:
     app.kubernetes.io/name: clusterrole
@@ -10,6 +10,7 @@ metadata:
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: cluster-viewer-role
+  namespace: kcp-system
 rules:
 - apiGroups:
   - infrastructuremanager.kyma-project.io

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -1,8 +1,9 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: infrastructure-manager-role
+  namespace: kcp-system
 rules:
 - apiGroups:
   - ""
@@ -19,6 +20,7 @@ rules:
   - infrastructuremanager.kyma-project.io
   resources:
   - gardenerclusters
+  - runtimes
   verbs:
   - create
   - delete
@@ -31,29 +33,7 @@ rules:
   - infrastructuremanager.kyma-project.io
   resources:
   - gardenerclusters/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - infrastructuremanager.kyma-project.io
-  resources:
   - gardenerclusters/status
-  verbs:
-  - update
-- apiGroups:
-  - infrastructuremanager.kyma-project.io
-  resources:
-  - runtimes
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - infrastructuremanager.kyma-project.io
-  resources:
   - runtimes/finalizers
   verbs:
   - update

diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -1,8 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/name: rolebinding
     app.kubernetes.io/instance: infrastructure-manager-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: infrastructure-manager
@@ -11,9 +11,9 @@ metadata:
   name: infrastructure-manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: infrastructure-manager-role
 subjects:
 - kind: ServiceAccount
   name: infrastructure-manager
-  namespace: system
+  namespace: kcp-system
diff --git a/config/rbac/runtime_editor_role.yaml b/config/rbac/runtime_editor_role.yaml
@@ -1,11 +1,12 @@
 # permissions for end users to edit runtimes.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   labels:
     app.kubernetes.io/name: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: runtime-editor-role
+  namespace: kcp-system
 rules:
 - apiGroups:
   - infrastructuremanager.kyma-project.io

diff --git a/config/rbac/runtime_viewer_role.yaml b/config/rbac/runtime_viewer_role.yaml
@@ -1,11 +1,12 @@
 # permissions for end users to view runtimes.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   labels:
     app.kubernetes.io/name: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: runtime-viewer-role
+  namespace: kcp-system
 rules:
 - apiGroups:
   - infrastructuremanager.kyma-project.io

diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
@@ -9,4 +9,4 @@ metadata:
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: infrastructure-manager
-  namespace: system
+  namespace: kcp-system
diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go
@@ -77,10 +77,10 @@ type KubeconfigProvider interface {
 	Fetch(ctx context.Context, shootName string) (string, error)
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
@@ -41,9 +41,9 @@ type RuntimeReconciler struct {
 	EventRecorder record.EventRecorder
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
 
 var requCounter = 0 // nolint:gochecknoglobals