From 620b488429eca6a825faeabecc2607948adf5ad5 Mon Sep 17 00:00:00 2001
From: Rafal Foks
Date: Mon, 25 Nov 2024 12:09:58 +0100
Subject: [PATCH 1/4] Restrict the controller to watch only kcp-system namespace
---
 cmd/main.go | 27 +++++++++++++++++++
 config/rbac/cluster_editor_role.yaml | 5 ++--
 config/rbac/cluster_viewer_role.yaml | 3 ++-
 config/rbac/role.yaml | 26 +++-------------
 config/rbac/role_binding.yaml | 8 +++---
 config/rbac/runtime_editor_role.yaml | 3 ++-
 config/rbac/runtime_viewer_role.yaml | 3 ++-
 config/rbac/service_account.yaml | 2 +-
 .../kubeconfig/gardener_cluster_controller.go | 8 +++---
 .../controller/runtime/runtime_controller.go | 6 ++---
 10 files changed, 51 insertions(+), 40 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index cbe7554f..8208221b 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -22,7 +22,9 @@ import (
 "flag"
 "fmt"
 "io"
+ corev1 "k8s.io/api/core/v1"
 "os"
+ "sigs.k8s.io/controller-runtime/pkg/cache"
 "time"
 
 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
@@ -41,6 +43,7 @@ import (
 "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs"
 "github.com/pkg/errors"
 rbacv1 "k8s.io/api/rbac/v1"
+ k8slabels "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -119,6 +122,7 @@ func main() {
 HealthProbeBindAddress: probeAddr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "f1c68560.kyma-project.io",
+ Cache: restrictWatchedNamespace(),
 // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 // when the Manager ends. This requires the binary to immediately end when the
 // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
@@ -314,3 +318,26 @@ func refreshRuntimeMetrics(restConfig *rest.Config, logger logr.Logger, metrics
 metrics.SetRuntimeStates(rt)
 }
 }
+
+func restrictWatchedNamespace() cache.Options {
+ return cache.Options{
+ ByObject: map[client.Object]cache.ByObject{
+ &corev1.Secret{}: {
+ Label: k8slabels.Everything(),
+ Namespaces: map[string]cache.Config{
+ "kcp-system": {},
+ },
+ },
+ &infrastructuremanagerv1.Runtime{}: {
+ Namespaces: map[string]cache.Config{
+ "kcp-system": {},
+ },
+ },
+ &infrastructuremanagerv1.GardenerCluster{}: {
+ Namespaces: map[string]cache.Config{
+ "kcp-system": {},
+ },
+ },
+ },
+ }
+}
diff --git a/config/rbac/cluster_editor_role.yaml b/config/rbac/cluster_editor_role.yaml
index 64abe8ce..84dda500 100644
--- a/config/rbac/cluster_editor_role.yaml
+++ b/config/rbac/cluster_editor_role.yaml
@@ -1,15 +1,16 @@
 # permissions for end users to edit clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: - app.kubernetes.io/name: clusterrole + app.kubernetes.io/name: 1errole app.kubernetes.io/instance: cluster-editor-role app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-editor-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io
diff --git a/config/rbac/cluster_viewer_role.yaml b/config/rbac/cluster_viewer_role.yaml
index d183607b..43df4e6d 100644
--- a/config/rbac/cluster_viewer_role.yaml
+++ b/config/rbac/cluster_viewer_role.yaml
@@ -1,6 +1,6 @@
 # permissions for end users to view clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: app.kubernetes.io/name: clusterrole
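Review bot: restrictWatchedNamespace hard-codes the string "kcp-system" three times and nothing ties it to the namespace the controller is deployed in (config/rbac/service_account.yaml in this same series still reads `namespace: system` for kustomize to substitute), so the two can drift silently, and when they do the manager still starts but, as far as I know, every cached Get/List of a Secret, Runtime or GardenerCluster outside kcp-system fails with a cache error instead of reaching the API. That changed failure mode deserves a doc comment on the function, and the literal belongs in one named constant (or a flag next to the existing ones in main) with each ByObject entry built by a small helper so the restriction lives in one place; keep one map per entry rather than sharing a map, since I believe controller-runtime fills in the per-namespace Config on the map it is handed. `Label: k8slabels.Everything()` on the Secret entry appears to be the default selector; if it is there to state intent, a comment should say so, otherwise it and the k8slabels import can go. If the intent is that no informer watches other namespaces at all, `DefaultNamespaces` on cache.Options covers every kind at once instead of the three listed here; restrictWatchedNamespace is complete within this hunk.
```go
// watchedNamespace is the only namespace the manager cache lists and watches for
// Secrets, Runtimes and GardenerClusters. It must match the namespace the
// controller is deployed to (see config/rbac/service_account.yaml): cached reads
// of these kinds in any other namespace fail instead of reaching the API.
const watchedNamespace = "kcp-system"

// onlyNamespace returns a fresh per-namespace cache config restricted to ns.
// Each ByObject entry gets its own map so the entries cannot alias one another.
func onlyNamespace(ns string) map[string]cache.Config {
	return map[string]cache.Config{ns: {}}
}

// restrictWatchedNamespace builds the cache options handed to the manager so the
// informers for the listed kinds are scoped to watchedNamespace; kinds not listed
// here keep the default cache behaviour.
func restrictWatchedNamespace() cache.Options {
	return cache.Options{
		ByObject: map[client.Object]cache.ByObject{
			&corev1.Secret{}:                           {Label: k8slabels.Everything(), Namespaces: onlyNamespace(watchedNamespace)},
			&infrastructuremanagerv1.Runtime{}:         {Namespaces: onlyNamespace(watchedNamespace)},
			&infrastructuremanagerv1.GardenerCluster{}: {Namespaces: onlyNamespace(watchedNamespace)},
		},
	}
}
```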
@@ -10,6 +10,7 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-viewer-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7681c444..6b06da55 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,8 +1,9 @@ --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: infrastructure-manager-role + namespace: kcp-system rules: - apiGroups: - "" @@ -19,6 +20,7 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters + - runtimes verbs: - create - delete @@ -31,29 +33,7 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters/finalizers - verbs: - - update -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - gardenerclusters/status - verbs: - - update -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - - runtimes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - runtimes/finalizers verbs: - update diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 60f28ad3..6cd75b05 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -1,8 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: labels: - app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/name: rolebinding app.kubernetes.io/instance: infrastructure-manager-rolebinding app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager 
@@ -11,9 +11,9 @@ metadata: name: infrastructure-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: infrastructure-manager-role subjects: - kind: ServiceAccount name: infrastructure-manager - namespace: system + namespace: kcp-system diff --git a/config/rbac/runtime_editor_role.yaml b/config/rbac/runtime_editor_role.yaml index 014838b7..ceb3ba03 100644 --- a/config/rbac/runtime_editor_role.yaml +++ b/config/rbac/runtime_editor_role.yaml @@ -1,11 +1,12 @@ # permissions for end users to edit runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-editor-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/runtime_viewer_role.yaml b/config/rbac/runtime_viewer_role.yaml index d9d0024e..0c5ac175 100644 --- a/config/rbac/runtime_viewer_role.yaml +++ b/config/rbac/runtime_viewer_role.yaml @@ -1,11 +1,12 @@ # permissions for end users to view runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-viewer-role + namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 5c3330c2..3ddd25a9 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -9,4 +9,4 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: infrastructure-manager - namespace: system + namespace: kcp-system diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go index c532e203..87cba31e 100644 
--- a/internal/controller/kubeconfig/gardener_cluster_controller.go
+++ b/internal/controller/kubeconfig/gardener_cluster_controller.go
@@ -77,10 +77,10 @@ type KubeconfigProvider interface {
 Fetch(ctx context.Context, shootName string) (string, error)
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
index 1f8eb574..5aa8f530 100644
--- a/internal/controller/runtime/runtime_controller.go
+++ b/internal/controller/runtime/runtime_controller.go
@@ -41,9 +41,9 @@ type RuntimeReconciler struct {
 EventRecorder record.EventRecorder
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
 
 var requCounter = 0 // nolint:gochecknoglobals
From d9f0b2882a226ec78eaddd57304097f997beb328 Mon Sep 17 00:00:00 2001
From: Rafal Foks
Date: Mon, 25 Nov 2024 12:43:10 +0100
Subject: [PATCH 2/4] Fix imports
---
 cmd/main.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index 8208221b..8b74982c 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -22,11 +22,12 @@ import (
 "flag"
 "fmt"
 "io"
- corev1 "k8s.io/api/core/v1"
 "os"
- "sigs.k8s.io/controller-runtime/pkg/cache"
 "time"
 
+ corev1 "k8s.io/api/core/v1"
+ "sigs.k8s.io/controller-runtime/pkg/cache"
+
 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 gardener_apis "github.com/gardener/gardener/pkg/client/core/clientset/versioned/typed/core/v1beta1"
 gardener_oidc "github.com/gardener/oidc-webhook-authenticator/apis/authentication/v1alpha1"
From 90d203d67f7924a7d5281337924c2a28d9fdbc16 Mon Sep 17 00:00:00 2001
From: Rafal Foks Date: Tue, 26 Nov 2024 10:24:14 +0100 Subject: [PATCH 3/4] Revert RBAC changes in favor of different PR --- config/rbac/cluster_editor_role.yaml | 5 ++-- config/rbac/cluster_viewer_role.yaml | 3 +-- config/rbac/role.yaml | 26 ++++++++++++++++--- config/rbac/role_binding.yaml | 8 +++--- config/rbac/runtime_editor_role.yaml | 3 +-- config/rbac/runtime_viewer_role.yaml | 3 +-- config/rbac/service_account.yaml | 2 +- .../kubeconfig/gardener_cluster_controller.go | 8 +++--- .../controller/runtime/runtime_controller.go | 6 ++--- 9 files changed, 40 insertions(+), 24 deletions(-) diff --git a/config/rbac/cluster_editor_role.yaml b/config/rbac/cluster_editor_role.yaml index 84dda500..64abe8ce 100644 --- a/config/rbac/cluster_editor_role.yaml +++ b/config/rbac/cluster_editor_role.yaml @@ -1,16 +1,15 @@ # permissions for end users to edit clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: - app.kubernetes.io/name: 1errole + app.kubernetes.io/name: clusterrole app.kubernetes.io/instance: cluster-editor-role app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-editor-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/cluster_viewer_role.yaml b/config/rbac/cluster_viewer_role.yaml index 43df4e6d..d183607b 100644 --- a/config/rbac/cluster_viewer_role.yaml +++ b/config/rbac/cluster_viewer_role.yaml @@ -1,6 +1,6 @@ # permissions for end users to view clusters. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: app.kubernetes.io/name: clusterrole @@ -10,7 +10,6 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: cluster-viewer-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io 
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 6b06da55..7681c444 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,9 +1,8 @@ --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: name: infrastructure-manager-role - namespace: kcp-system rules: - apiGroups: - "" @@ -20,7 +19,6 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters - - runtimes verbs: - create - delete @@ -33,7 +31,29 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters/finalizers + verbs: + - update +- apiGroups: + - infrastructuremanager.kyma-project.io + resources: - gardenerclusters/status + verbs: + - update +- apiGroups: + - infrastructuremanager.kyma-project.io + resources: + - runtimes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructuremanager.kyma-project.io + resources: - runtimes/finalizers verbs: - update diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 6cd75b05..60f28ad3 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -1,8 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: labels: - app.kubernetes.io/name: rolebinding + app.kubernetes.io/name: clusterrolebinding app.kubernetes.io/instance: infrastructure-manager-rolebinding app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager @@ -11,9 +11,9 @@ metadata: name: infrastructure-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role + kind: ClusterRole name: infrastructure-manager-role subjects: - kind: ServiceAccount name: infrastructure-manager - namespace: kcp-system + namespace: system diff --git a/config/rbac/runtime_editor_role.yaml b/config/rbac/runtime_editor_role.yaml index ceb3ba03..014838b7 100644 --- a/config/rbac/runtime_editor_role.yaml 
+++ b/config/rbac/runtime_editor_role.yaml @@ -1,12 +1,11 @@ # permissions for end users to edit runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-editor-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/runtime_viewer_role.yaml b/config/rbac/runtime_viewer_role.yaml index 0c5ac175..d9d0024e 100644 --- a/config/rbac/runtime_viewer_role.yaml +++ b/config/rbac/runtime_viewer_role.yaml @@ -1,12 +1,11 @@ # permissions for end users to view runtimes. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: labels: app.kubernetes.io/name: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: runtime-viewer-role - namespace: kcp-system rules: - apiGroups: - infrastructuremanager.kyma-project.io diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 3ddd25a9..5c3330c2 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -9,4 +9,4 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: infrastructure-manager - namespace: kcp-system + namespace: system diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go index 87cba31e..c532e203 100644 --- a/internal/controller/kubeconfig/gardener_cluster_controller.go +++ b/internal/controller/kubeconfig/gardener_cluster_controller.go 
@@ -77,10 +77,10 @@ type KubeconfigProvider interface {
 Fetch(ctx context.Context, shootName string) (string, error)
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
index 5aa8f530..1f8eb574 100644
--- a/internal/controller/runtime/runtime_controller.go
+++ b/internal/controller/runtime/runtime_controller.go
@@ -41,9 +41,9 @@ type RuntimeReconciler struct {
 EventRecorder record.EventRecorder
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update
 
 var requCounter = 0 // nolint:gochecknoglobals
From 6b0f498f81f55349a0620a6b0227329e0a8d26f9 Mon Sep 17 00:00:00 2001
From: Rafal Foks
Date: Tue, 26 Nov 2024 10:50:17 +0100
Subject: [PATCH 4/4] Fix linter
---
 cmd/main.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index f84901bb..3806bdac 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -25,9 +25,6 @@ import (
 "os"
 "time"
 
- corev1 "k8s.io/api/core/v1"
- "sigs.k8s.io/controller-runtime/pkg/cache"
-
 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 gardener_apis "github.com/gardener/gardener/pkg/client/core/clientset/versioned/typed/core/v1beta1"
 gardener_oidc "github.com/gardener/oidc-webhook-authenticator/apis/authentication/v1alpha1"
@@ -43,6 +40,7 @@ import (
 "github.com/kyma-project/infrastructure-manager/pkg/gardener/kubeconfig"
 "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs"
 "github.com/pkg/errors"
+ corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 k8slabels "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
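Review bot: Removing `namespace=kcp-system` from these markers (and from the matching gardener_cluster_controller.go hunk in this patch) regenerates a cluster-wide ClusterRole that keeps get/list/watch on Secrets in every namespace, while the manager cache added in PATCH 1 only lists and watches kcp-system. The cache restriction is therefore a memory and cached-data-exposure improvement, not a privilege reduction: the service account's permissions are back to what they were, and the commit message defers the RBAC scoping to a separate PR. A comment above the markers would keep the two from drifting apart, e.g. `// RBAC stays cluster-scoped until <follow-up PR> narrows it to the namespace watched by restrictWatchedNamespace in cmd/main.go.`. The RuntimeReconciler struct shown at the top of this hunk opens before it.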
@@ -52,6 +50,7 @@ import (
 "k8s.io/client-go/rest"
 "k8s.io/client-go/util/flowcontrol"
 ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/cache"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/healthz"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"