From 620b488429eca6a825faeabecc2607948adf5ad5 Mon Sep 17 00:00:00 2001
From: Rafal Foks
Date: Mon, 25 Nov 2024 12:09:58 +0100
Subject: [PATCH] Restrict the controller to watch only kcp-system namespace
---
 cmd/main.go | 27 +++++++++++++++++++
 config/rbac/cluster_editor_role.yaml | 5 ++--
 config/rbac/cluster_viewer_role.yaml | 3 ++-
 config/rbac/role.yaml | 26 +++---------------
 config/rbac/role_binding.yaml | 8 +++---
 config/rbac/runtime_editor_role.yaml | 3 ++-
 config/rbac/runtime_viewer_role.yaml | 3 ++-
 config/rbac/service_account.yaml | 2 +-
 .../kubeconfig/gardener_cluster_controller.go | 8 +++---
 .../controller/runtime/runtime_controller.go | 6 ++---
 10 files changed, 51 insertions(+), 40 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index cbe7554f..8208221b 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -22,7 +22,9 @@ import (
 "flag"
 "fmt"
 "io"
+ corev1 "k8s.io/api/core/v1"
 "os"
+ "sigs.k8s.io/controller-runtime/pkg/cache"
 "time"
 
 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
@@ -41,6 +43,7 @@ import (
 "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs"
 "github.com/pkg/errors"
 rbacv1 "k8s.io/api/rbac/v1"
+ k8slabels "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -119,6 +122,7 @@ func main() {
 HealthProbeBindAddress: probeAddr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "f1c68560.kyma-project.io",
+ Cache: restrictWatchedNamespace(),
 // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 // when the Manager ends. This requires the binary to immediately end when the
 // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
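Review bot: In the first hunk the two new imports `corev1 "k8s.io/api/core/v1"` and `"sigs.k8s.io/controller-runtime/pkg/cache"` are inserted into the standard-library group between "io", "os" and "time"; goimports would move both into the third-party group, where the second hunk already places `k8slabels`. The `Cache:` field added in the third hunk is fine on its own; its value is reviewed at the hunk that defines restrictWatchedNamespace.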
@@ -314,3 +318,26 @@ func refreshRuntimeMetrics(restConfig *rest.Config, logger logr.Logger, metrics
 metrics.SetRuntimeStates(rt)
 }
 }
+
+func restrictWatchedNamespace() cache.Options {
+ return cache.Options{
+ ByObject: map[client.Object]cache.ByObject{
+ &corev1.Secret{}: {
+ Label: k8slabels.Everything(),
+ Namespaces: map[string]cache.Config{
+ "kcp-system": {},
+ },
+ },
+ &infrastructuremanagerv1.Runtime{}: {
+ Namespaces: map[string]cache.Config{
+ "kcp-system": {},
+ },
+ },
+ &infrastructuremanagerv1.GardenerCluster{}: {
+ Namespaces: map[string]cache.Config{
+ "kcp-system": {},
+ },
+ },
+ },
+ }
+}
diff --git a/config/rbac/cluster_editor_role.yaml b/config/rbac/cluster_editor_role.yaml
index 64abe8ce..84dda500 100644
--- a/config/rbac/cluster_editor_role.yaml
+++ b/config/rbac/cluster_editor_role.yaml
@@ -1,15 +1,16 @@
 # permissions for end users to edit clusters.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 labels:
- app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/name: 1errole
 app.kubernetes.io/instance: cluster-editor-role
 app.kubernetes.io/component: rbac
 app.kubernetes.io/created-by: infrastructure-manager
 app.kubernetes.io/part-of: infrastructure-manager
 app.kubernetes.io/managed-by: kustomize
 name: cluster-editor-role
+ namespace: kcp-system
 rules:
 - apiGroups:
 - infrastructuremanager.kyma-project.io
diff --git a/config/rbac/cluster_viewer_role.yaml b/config/rbac/cluster_viewer_role.yaml
index d183607b..43df4e6d 100644
--- a/config/rbac/cluster_viewer_role.yaml
+++ b/config/rbac/cluster_viewer_role.yaml
@@ -1,6 +1,6 @@
 # permissions for end users to view clusters.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 labels:
 app.kubernetes.io/name: clusterrole
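Review bot: restrictWatchedNamespace narrows the cache only for Secret, Runtime and GardenerCluster, so any other namespaced type read through the manager's cache-backed client would still get a cluster-wide informer, which the now namespace-scoped Role presumably cannot list or watch; whether such reads exist is not visible in this hunk. cache.Options has `DefaultNamespaces` for this case, and setting it once restricts every type and replaces the three repeated entries. `Label: k8slabels.Everything()` on the Secret entry is the default selector and changes nothing, so it and the k8slabels import can be dropped unless a narrower selector was intended. The literal "kcp-system" is also repeated in every RBAC manifest of this commit; a named constant with a comment pointing at the `namespace=` value of the kubebuilder markers keeps the two sources in step.
```go
// watchedNamespace is the only namespace the manager's cache lists and watches.
// Keep it in step with the namespace= value of the kubebuilder rbac markers.
const watchedNamespace = "kcp-system"

func restrictWatchedNamespace() cache.Options {
	return cache.Options{
		DefaultNamespaces: map[string]cache.Config{
			watchedNamespace: {},
		},
	}
}
```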
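Review bot: The replacement label value `app.kubernetes.io/name: 1errole` in cluster_editor_role.yaml does not look like an intended value; the kustomize scaffold uses `role` for a Role, and cluster_viewer_role.yaml in this same commit keeps `clusterrole` on an object whose kind is now Role, so the two files disagree with each other and with their kind. Suggest `app.kubernetes.io/name: role` in both; runtime_editor_role.yaml and runtime_viewer_role.yaml use a different label scheme and are unaffected.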
@@ -10,6 +10,7 @@ metadata:
 app.kubernetes.io/part-of: infrastructure-manager
 app.kubernetes.io/managed-by: kustomize
 name: cluster-viewer-role
+ namespace: kcp-system
 rules:
 - apiGroups:
 - infrastructuremanager.kyma-project.io
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 7681c444..6b06da55 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -1,8 +1,9 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: infrastructure-manager-role
+ namespace: kcp-system
 rules:
 - apiGroups:
 - ""
@@ -19,6 +20,7 @@ rules:
 - infrastructuremanager.kyma-project.io
 resources:
 - gardenerclusters
+ - runtimes
 verbs:
 - create
 - delete
@@ -31,29 +33,7 @@ rules:
 - infrastructuremanager.kyma-project.io
 resources:
 - gardenerclusters/finalizers
- verbs:
- - update
-- apiGroups:
- - infrastructuremanager.kyma-project.io
- resources:
 - gardenerclusters/status
- verbs:
- - update
-- apiGroups:
- - infrastructuremanager.kyma-project.io
- resources:
- - runtimes
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - infrastructuremanager.kyma-project.io
- resources:
 - runtimes/finalizers
 verbs:
 - update
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 60f28ad3..6cd75b05 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -1,8 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
 labels:
- app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/name: rolebinding
 app.kubernetes.io/instance: infrastructure-manager-rolebinding
 app.kubernetes.io/component: rbac
 app.kubernetes.io/created-by: infrastructure-manager
@@ -11,9 +11,9 @@ metadata:
 name: infrastructure-manager-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: Role
 name: infrastructure-manager-role
 subjects:
 - kind: ServiceAccount
 name: infrastructure-manager
- namespace: system
+ namespace: kcp-system
diff --git a/config/rbac/runtime_editor_role.yaml b/config/rbac/runtime_editor_role.yaml
index 014838b7..ceb3ba03 100644
--- a/config/rbac/runtime_editor_role.yaml
+++ b/config/rbac/runtime_editor_role.yaml
@@ -1,11 +1,12 @@
 # permissions for end users to edit runtimes.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 labels:
 app.kubernetes.io/name: infrastructure-manager
 app.kubernetes.io/managed-by: kustomize
 name: runtime-editor-role
+ namespace: kcp-system
 rules:
 - apiGroups:
 - infrastructuremanager.kyma-project.io
diff --git a/config/rbac/runtime_viewer_role.yaml b/config/rbac/runtime_viewer_role.yaml
index d9d0024e..0c5ac175 100644
--- a/config/rbac/runtime_viewer_role.yaml
+++ b/config/rbac/runtime_viewer_role.yaml
@@ -1,11 +1,12 @@
 # permissions for end users to view runtimes.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 labels:
 app.kubernetes.io/name: infrastructure-manager
 app.kubernetes.io/managed-by: kustomize
 name: runtime-viewer-role
+ namespace: kcp-system
 rules:
 - apiGroups:
 - infrastructuremanager.kyma-project.io
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 5c3330c2..3ddd25a9 100644
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -9,4 +9,4 @@ metadata:
 app.kubernetes.io/part-of: infrastructure-manager
 app.kubernetes.io/managed-by: kustomize
 name: infrastructure-manager
- namespace: system
+ namespace: kcp-system
diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go
index c532e203..87cba31e 100644
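Review bot: The `namespace: kcp-system` added at the end of this role_binding.yaml hunk is the ServiceAccount subject's namespace, not the binding's; as far as the two hunks of this file show, the RoleBinding's own metadata gets no `namespace:` even though the Role it references now carries one. A namespaced binding without metadata.namespace is created wherever the apply context or kustomize's namespace transformer puts it, and a RoleBinding in a different namespace than its Role grants nothing, which would surface as Forbidden errors on the controller's first list or watch. Add `  namespace: kcp-system` under metadata next to `name: infrastructure-manager-rolebinding`, or confirm that config/default/kustomization.yaml sets `namespace: kcp-system`; if it does, the transformer presumably also rewrites the values hard-coded into the other manifests of this commit and those edits are redundant.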
--- a/internal/controller/kubeconfig/gardener_cluster_controller.go
+++ b/internal/controller/kubeconfig/gardener_cluster_controller.go
@@ -77,10 +77,10 @@ type KubeconfigProvider interface {
 Fetch(ctx context.Context, shootName string) (string, error)
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
index 1f8eb574..5aa8f530 100644
--- a/internal/controller/runtime/runtime_controller.go
+++ b/internal/controller/runtime/runtime_controller.go
@@ -41,9 +41,9 @@ type RuntimeReconciler struct {
 EventRecorder record.EventRecorder
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
 
 var requCounter = 0 // nolint:gochecknoglobals