From 8fb2555ba257cd744c999da87a10782898b9b46c Mon Sep 17 00:00:00 2001 From: Lucas Caparelli Date: Sun, 18 Oct 2020 19:17:41 -0300 Subject: [PATCH 1/3] Generate SCC-related resources when on OCP Signed-off-by: Lucas Caparelli --- .../nexus-operator.clusterserviceversion.yaml | 19 +++++ config/rbac/role.yaml | 19 +++++ .../nexus/resource/deployment/manager.go | 29 +++----- .../nexus/resource/deployment/manager_test.go | 6 +- .../nexus/resource/networking/manager.go | 58 ++++++--------- .../nexus/resource/networking/manager_test.go | 14 +--- .../nexus/resource/persistence/manager.go | 27 +++---- .../resource/persistence/manager_test.go | 6 +- controllers/nexus/resource/resources.go | 8 ++- .../nexus/resource/security/cluster_role.go | 41 +++++++++++ .../nexus/resource/security/manager.go | 71 +++++++++++++------ .../nexus/resource/security/manager_test.go | 30 ++------ .../nexus/resource/security/role_binding.go | 42 +++++++++++ controllers/nexus/resource/security/scc.go | 50 +++++++++++++ controllers/nexus_controller.go | 2 + nexus-operator.yaml | 19 +++++ pkg/framework/fetcher.go | 17 +++++ pkg/framework/kinds.go | 17 +++-- 18 files changed, 328 insertions(+), 147 deletions(-) create mode 100644 controllers/nexus/resource/security/cluster_role.go create mode 100644 controllers/nexus/resource/security/role_binding.go create mode 100644 controllers/nexus/resource/security/scc.go diff --git a/bundle/manifests/nexus-operator.clusterserviceversion.yaml b/bundle/manifests/nexus-operator.clusterserviceversion.yaml index b98ff23e..b4d13ef7 100644 --- a/bundle/manifests/nexus-operator.clusterserviceversion.yaml +++ b/bundle/manifests/nexus-operator.clusterserviceversion.yaml @@ -167,6 +167,16 @@ spec: - patch - update - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrole + - rolebinding + verbs: + - create + - get + - update + - watch - apiGroups: - route.openshift.io resources: @@ -179,6 +189,15 @@ spec: - patch - update - watch + - apiGroups: + - security.openshift.io + resources: + - scc + verbs: + - create + - get + - update + - watch - apiGroups: - authentication.k8s.io resources: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 92cb9563..12445393 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -98,6 +98,16 @@ rules: - patch - update - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrole + - rolebinding + verbs: + - create + - get + - update + - watch - apiGroups: - route.openshift.io resources: @@ -110,3 +120,12 @@ rules: - patch - update - watch +- apiGroups: + - security.openshift.io + resources: + - scc + verbs: + - create + - get + - update + - watch diff --git a/controllers/nexus/resource/deployment/manager.go b/controllers/nexus/resource/deployment/manager.go index 5051501f..a1addfa2 100644 --- a/controllers/nexus/resource/deployment/manager.go +++ b/controllers/nexus/resource/deployment/manager.go @@ -15,7 +15,6 @@ package deployment import ( - "fmt" "reflect" "strings" @@ -23,7 +22,6 @@ import ( "github.com/RHsyseng/operator-utils/pkg/resource/compare" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/m88i/nexus-operator/api/v1alpha1" @@ -31,17 +29,13 @@ import ( "github.com/m88i/nexus-operator/pkg/logger" ) -var managedObjectsRef = map[string]resource.KubernetesResource{ - framework.DeploymentKind: &appsv1.Deployment{}, - framework.ServiceKind: &corev1.Service{}, -} - // Manager is responsible for creating deployment-related resources, fetching deployed ones and comparing them // Use with zero values will result in a panic. Use the NewManager function to get a properly initialized manager type Manager struct { - nexus *v1alpha1.Nexus - client client.Client - log logger.Logger + nexus *v1alpha1.Nexus + client client.Client + log logger.Logger + managedObjectsRef map[string]resource.KubernetesResource } // NewManager creates a deployment resources manager @@ -51,6 +45,11 @@ func NewManager(nexus *v1alpha1.Nexus, client client.Client) *Manager { nexus: nexus, client: client, log: logger.GetLoggerWithResource("deployment_manager", nexus), + + managedObjectsRef: map[string]resource.KubernetesResource{ + framework.DeploymentKind: &appsv1.Deployment{}, + framework.ServiceKind: &corev1.Service{}, + }, } } @@ -63,15 +62,7 @@ func (m *Manager) GetRequiredResources() ([]resource.KubernetesResource, error) // GetDeployedResources returns the deployment-related resources deployed on the cluster func (m *Manager) GetDeployedResources() ([]resource.KubernetesResource, error) { - var resources []resource.KubernetesResource - for resType, resRef := range managedObjectsRef { - if err := framework.Fetch(m.client, framework.Key(m.nexus), resRef, resType); err == nil { - resources = append(resources, resRef) - } else if !errors.IsNotFound(err) { - return nil, fmt.Errorf("could not fetch %s (%s/%s): %v", resType, m.nexus.Namespace, m.nexus.Name, err) - } - } - return resources, nil + return framework.FetchDeployedResources(m.managedObjectsRef, m.nexus, m.client) } // GetCustomComparator returns the custom comp function used to compare a deployment-related resource diff --git a/controllers/nexus/resource/deployment/manager_test.go b/controllers/nexus/resource/deployment/manager_test.go index eaff6a14..441931cc 100644 --- a/controllers/nexus/resource/deployment/manager_test.go +++ b/controllers/nexus/resource/deployment/manager_test.go @@ -79,10 +79,8 @@ func TestManager_GetRequiredResources(t *testing.T) { func TestManager_GetDeployedResources(t *testing.T) { // first no deployed resources fakeClient := test.NewFakeClientBuilder().Build() - mgr := &Manager{ - nexus: allDefaultsCommunityNexus, - client: fakeClient, - } + mgr := NewManager(allDefaultsCommunityNexus, fakeClient) + resources, err := mgr.GetDeployedResources() assert.Nil(t, resources) assert.Len(t, resources, 0) diff --git a/controllers/nexus/resource/networking/manager.go b/controllers/nexus/resource/networking/manager.go index 288202a2..e4a8461c 100644 --- a/controllers/nexus/resource/networking/manager.go +++ b/controllers/nexus/resource/networking/manager.go @@ -22,7 +22,6 @@ import ( "github.com/RHsyseng/operator-utils/pkg/resource/compare" routev1 "github.com/openshift/api/route/v1" networkingv1beta1 "k8s.io/api/networking/v1beta1" - "k8s.io/apimachinery/pkg/api/errors" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/m88i/nexus-operator/api/v1alpha1" @@ -32,7 +31,6 @@ import ( ) const ( - discOCPFailureFormat = "unable to determine if cluster is Openshift: %v" discFailureFormat = "unable to determine if %s are available: %v" // resource type, error resUnavailableFormat = "%s are not available in this cluster" // resource type ) @@ -40,38 +38,43 @@ const ( // Manager is responsible for creating networking resources, fetching deployed ones and comparing them // Use with zero values will result in a panic. Use the NewManager function to get a properly initialized manager type Manager struct { - nexus *v1alpha1.Nexus - client client.Client - log logger.Logger - routeAvailable, ingressAvailable, ocp bool + nexus *v1alpha1.Nexus + client client.Client + log logger.Logger + managedObjectsRef map[string]resource.KubernetesResource + + routeAvailable, ingressAvailable bool } // NewManager creates a networking resources manager // It is expected that the Nexus has been previously validated. func NewManager(nexus *v1alpha1.Nexus, client client.Client) (*Manager, error) { + mgr := &Manager{ + nexus: nexus, + client: client, + log: logger.GetLoggerWithResource("networking_manager", nexus), + managedObjectsRef: make(map[string]resource.KubernetesResource), + } + routeAvailable, err := discovery.IsRouteAvailable() if err != nil { return nil, fmt.Errorf(discFailureFormat, "routes", err) } + if routeAvailable { + mgr.routeAvailable = true + mgr.managedObjectsRef[framework.RouteKind] = &routev1.Route{} + } ingressAvailable, err := discovery.IsIngressAvailable() if err != nil { return nil, fmt.Errorf(discFailureFormat, "ingresses", err) } - - ocp, err := discovery.IsOpenShift() - if err != nil { - return nil, fmt.Errorf(discOCPFailureFormat, err) + if ingressAvailable { + mgr.ingressAvailable = true + mgr.managedObjectsRef[framework.IngressKind] = &networkingv1beta1.Ingress{} } - return &Manager{ - nexus: nexus, - client: client, - routeAvailable: routeAvailable, - ingressAvailable: ingressAvailable, - ocp: ocp, - log: logger.GetLoggerWithResource("networking_manager", nexus), - }, nil + return mgr, nil } func (m *Manager) IngressAvailable() bool { @@ -129,24 +132,7 @@ func (m *Manager) createIngress() *networkingv1beta1.Ingress { // GetDeployedResources returns the networking resources deployed on the cluster func (m *Manager) GetDeployedResources() ([]resource.KubernetesResource, error) { - var resources []resource.KubernetesResource - if m.routeAvailable { - route := &routev1.Route{} - if err := framework.Fetch(m.client, framework.Key(m.nexus), route, framework.RouteKind); err == nil { - resources = append(resources, route) - } else if !errors.IsNotFound(err) { - return nil, fmt.Errorf("could not fetch %s (%s/%s): %v", framework.RouteKind, m.nexus.Namespace, m.nexus.Name, err) - } - } - if m.ingressAvailable { - ingress := &networkingv1beta1.Ingress{} - if err := framework.Fetch(m.client, framework.Key(m.nexus), ingress, framework.IngressKind); err == nil { - resources = append(resources, ingress) - } else if !errors.IsNotFound(err) { - return nil, fmt.Errorf("could not fetch %s (%s/%s): %v", framework.IngressKind, m.nexus.Namespace, m.nexus.Name, err) - } - } - return resources, nil + return framework.FetchDeployedResources(m.managedObjectsRef, m.nexus, m.client) } // GetCustomComparator returns the custom comp function used to compare a networking resource. diff --git a/controllers/nexus/resource/networking/manager_test.go b/controllers/nexus/resource/networking/manager_test.go index b0542515..e9ef8bda 100644 --- a/controllers/nexus/resource/networking/manager_test.go +++ b/controllers/nexus/resource/networking/manager_test.go @@ -79,7 +79,6 @@ func TestNewManager(t *testing.T) { client: test.NewFakeClientBuilder().WithIngress().Build(), routeAvailable: false, ingressAvailable: true, - ocp: false, }, k8sClientWithIngress, }, @@ -90,7 +89,6 @@ func TestNewManager(t *testing.T) { client: test.NewFakeClientBuilder().Build(), routeAvailable: false, ingressAvailable: false, - ocp: false, }, k8sClient, }, @@ -101,7 +99,6 @@ func TestNewManager(t *testing.T) { client: test.NewFakeClientBuilder().OnOpenshift().Build(), routeAvailable: true, ingressAvailable: false, - ocp: true, }, ocpClient, }, @@ -115,7 +112,6 @@ func TestNewManager(t *testing.T) { assert.NotNil(t, got.nexus) assert.Equal(t, tt.want.routeAvailable, got.routeAvailable) assert.Equal(t, tt.want.ingressAvailable, got.ingressAvailable) - assert.Equal(t, tt.want.ocp, got.ocp) } // simulate discovery 500 response, expect error @@ -147,7 +143,6 @@ func TestManager_GetRequiredResources(t *testing.T) { client: test.NewFakeClientBuilder().OnOpenshift().Build(), log: logger.GetLoggerWithResource("test", routeNexus), routeAvailable: true, - ocp: true, } resources, err = mgr.GetRequiredResources() assert.Nil(t, err) @@ -216,13 +211,8 @@ func TestManager_createIngress(t *testing.T) { func TestManager_GetDeployedResources(t *testing.T) { // first with no deployed resources fakeClient := test.NewFakeClientBuilder().WithIngress().OnOpenshift().Build() - mgr := &Manager{ - nexus: nodePortNexus, - client: fakeClient, - ingressAvailable: true, - routeAvailable: true, - ocp: true, - } + mgr, _ := NewManager(nodePortNexus, fakeClient, fakeClient) + resources, err := mgr.GetDeployedResources() assert.Nil(t, resources) assert.Len(t, resources, 0) diff --git a/controllers/nexus/resource/persistence/manager.go b/controllers/nexus/resource/persistence/manager.go index 64d7d5a3..49fac32f 100644 --- a/controllers/nexus/resource/persistence/manager.go +++ b/controllers/nexus/resource/persistence/manager.go @@ -15,12 +15,10 @@ package persistence import ( - "fmt" "reflect" "github.com/RHsyseng/operator-utils/pkg/resource" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/m88i/nexus-operator/api/v1alpha1" @@ -28,16 +26,13 @@ import ( "github.com/m88i/nexus-operator/pkg/logger" ) -var managedObjectsRef = map[string]resource.KubernetesResource{ - framework.PVCKind: &corev1.PersistentVolumeClaim{}, -} - // Manager is responsible for creating persistence resources, fetching deployed ones and comparing them // Use with zero values will result in a panic. Use the NewManager function to get a properly initialized manager type Manager struct { - nexus *v1alpha1.Nexus - client client.Client - log logger.Logger + nexus *v1alpha1.Nexus + client client.Client + log logger.Logger + managedObjectsRef map[string]resource.KubernetesResource } // NewManager creates a persistence resources manager @@ -47,6 +42,10 @@ func NewManager(nexus *v1alpha1.Nexus, client client.Client) *Manager { nexus: nexus, client: client, log: logger.GetLoggerWithResource("persistence_manager", nexus), + + managedObjectsRef: map[string]resource.KubernetesResource{ + framework.PVCKind: &corev1.PersistentVolumeClaim{}, + }, } } @@ -66,15 +65,7 @@ func (m *Manager) GetRequiredResources() ([]resource.KubernetesResource, error) // GetDeployedResources returns the persistence resources deployed on the cluster func (m *Manager) GetDeployedResources() ([]resource.KubernetesResource, error) { - var resources []resource.KubernetesResource - for resType, resRef := range managedObjectsRef { - if err := framework.Fetch(m.client, framework.Key(m.nexus), resRef, resType); err == nil { - resources = append(resources, resRef) - } else if !errors.IsNotFound(err) { - return nil, fmt.Errorf("could not fetch %s (%s/%s): %v", resType, m.nexus.Namespace, m.nexus.Name, err) - } - } - return resources, nil + return framework.FetchDeployedResources(m.managedObjectsRef, m.nexus, m.client) } // GetCustomComparator returns the custom comp function used to compare a persistence resource. diff --git a/controllers/nexus/resource/persistence/manager_test.go b/controllers/nexus/resource/persistence/manager_test.go index 9c333e06..8f9075e4 100644 --- a/controllers/nexus/resource/persistence/manager_test.go +++ b/controllers/nexus/resource/persistence/manager_test.go @@ -75,10 +75,8 @@ func TestManager_GetRequiredResources(t *testing.T) { func TestManager_GetDeployedResources(t *testing.T) { // first with no deployed resources fakeClient := test.NewFakeClientBuilder().Build() - mgr := &Manager{ - nexus: baseNexus, - client: fakeClient, - } + mgr := NewManager(baseNexus, fakeClient) + resources, err := mgr.GetDeployedResources() assert.Nil(t, resources) assert.Len(t, resources, 0) diff --git a/controllers/nexus/resource/resources.go b/controllers/nexus/resource/resources.go index cc39dcc9..bfd6cd31 100644 --- a/controllers/nexus/resource/resources.go +++ b/controllers/nexus/resource/resources.go @@ -49,6 +49,12 @@ func NewSupervisor(client client.Client) Supervisor { // InitManagers initializes the managers responsible for the resources life cycle func (s *supervisor) InitManagers(nexus *v1alpha1.Nexus) error { s.log = logger.GetLoggerWithResource("resource_supervisor", nexus) + + securityManager, err := security.NewManager(nexus, s.client) + if err != nil { + return fmt.Errorf("unable to create security manager: %v", err) + } + networkManager, err := networking.NewManager(nexus, s.client) if err != nil { return fmt.Errorf("unable to create networking manager: %v", err) @@ -57,7 +63,7 @@ func (s *supervisor) InitManagers(nexus *v1alpha1.Nexus) error { s.managers = []Manager{ deployment.NewManager(nexus, s.client), persistence.NewManager(nexus, s.client), - security.NewManager(nexus, s.client), + securityManager, networkManager, } return nil diff --git a/controllers/nexus/resource/security/cluster_role.go b/controllers/nexus/resource/security/cluster_role.go new file mode 100644 index 00000000..ded5192a --- /dev/null +++ b/controllers/nexus/resource/security/cluster_role.go @@ -0,0 +1,41 @@ +// Copyright 2020 Nexus Operator and/or its authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package security + +import ( + secv1 "github.com/openshift/api/security/v1" + rbacv1 "k8s.io/api/rbac/v1" + controllerruntime "sigs.k8s.io/controller-runtime" +) + +const ( + verbUse = "use" + sccResourceName = "securitycontextconstraints" + clusterRoleName = "nexus-community" +) + +func defaultClusterRole() *rbacv1.ClusterRole { + return &rbacv1.ClusterRole{ + ObjectMeta: controllerruntime.ObjectMeta{Name: clusterRoleName}, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{secv1.GroupName}, + ResourceNames: []string{sccName}, + Resources: []string{sccResourceName}, + Verbs: []string{verbUse}, + }, + }, + } +} diff --git a/controllers/nexus/resource/security/manager.go b/controllers/nexus/resource/security/manager.go index bb71f931..e0643beb 100644 --- a/controllers/nexus/resource/security/manager.go +++ b/controllers/nexus/resource/security/manager.go @@ -17,59 +17,88 @@ package security import ( "fmt" "reflect" + "strings" "github.com/RHsyseng/operator-utils/pkg/resource" + secv1 "github.com/openshift/api/security/v1" core "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" + rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/client-go/discovery" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/m88i/nexus-operator/api/v1alpha1" + "github.com/m88i/nexus-operator/controllers/nexus/resource/validation" + "github.com/m88i/nexus-operator/pkg/cluster/openshift" "github.com/m88i/nexus-operator/pkg/framework" "github.com/m88i/nexus-operator/pkg/logger" ) -var managedObjectsRef = map[string]resource.KubernetesResource{ - framework.SecretKind: &core.Secret{}, - framework.SvcAccountKind: &core.ServiceAccount{}, -} - // Manager is responsible for creating security resources, fetching deployed ones and comparing them // Use with zero values will result in a panic. Use the NewManager function to get a properly initialized manager type Manager struct { - nexus *v1alpha1.Nexus - client client.Client - log logger.Logger + nexus *v1alpha1.Nexus + client client.Client + log logger.Logger + isOCP bool + managedObjectsRef map[string]resource.KubernetesResource } // NewManager creates a security resources Manager -func NewManager(nexus *v1alpha1.Nexus, client client.Client) *Manager { - return &Manager{ +func NewManager(nexus *v1alpha1.Nexus, client client.Client, disc discovery.DiscoveryInterface) (*Manager, error) { + mgr := &Manager{ nexus: nexus, client: client, log: logger.GetLoggerWithResource("security_manager", nexus), + + managedObjectsRef: map[string]resource.KubernetesResource{ + framework.SecretKind: &core.Secret{}, + framework.SvcAccountKind: &core.ServiceAccount{}, + }, + } + + isOCP, err := openshift.IsOpenShift(disc) + if err != nil { + return nil, fmt.Errorf("unable to determine if on Openshift: %v", err) + } + if isOCP { + mgr.isOCP = true + mgr.managedObjectsRef[framework.SCCKind] = &secv1.SecurityContextConstraints{} + mgr.managedObjectsRef[framework.RoleBindingKind] = &rbacv1.RoleBinding{} + mgr.managedObjectsRef[framework.ClusterRoleKind] = &rbacv1.ClusterRole{} } + + return mgr, nil } // GetRequiredResources returns the resources initialized by the Manager func (m *Manager) GetRequiredResources() ([]resource.KubernetesResource, error) { m.log.Debug("Generating required resource", "kind", framework.SvcAccountKind) m.log.Debug("Generating required resource", "kind", framework.SecretKind) - return []resource.KubernetesResource{defaultServiceAccount(m.nexus), defaultSecret(m.nexus)}, nil -} + resources := []resource.KubernetesResource{defaultServiceAccount(m.nexus), defaultSecret(m.nexus)} -// GetDeployedResources returns the security resources deployed on the cluster -func (m *Manager) GetDeployedResources() ([]resource.KubernetesResource, error) { - var resources []resource.KubernetesResource - for resType, resRef := range managedObjectsRef { - if err := framework.Fetch(m.client, framework.Key(m.nexus), resRef, resType); err == nil { - resources = append(resources, resRef) - } else if !errors.IsNotFound(err) { - return nil, fmt.Errorf("could not fetch %s (%s/%s): %v", resType, m.nexus.Namespace, m.nexus.Name, err) + if m.isOCP { + // the SCC and the ClusterRole are cluster-scoped, but still part of the desired state + // so we should ensure they're properly configured on each reconciliation + m.log.Debug("Generating required resource", "kind", framework.SCCKind) + resources = append(resources, defaultSCC()) + m.log.Debug("Generating required resource", "kind", framework.ClusterRoleKind) + resources = append(resources, defaultClusterRole()) + + // we only want to bind the Service Account to the ClusterRole if using the community image + if m.nexus.Spec.Image == strings.Split(validation.NexusCommunityImage, ":")[0] { + m.log.Debug("Generating required resource", "kind", framework.RoleBindingKind) + resources = append(resources, defaultRoleBinding(m.nexus)) } } + return resources, nil } +// GetDeployedResources returns the security resources deployed on the cluster +func (m *Manager) GetDeployedResources() ([]resource.KubernetesResource, error) { + return framework.FetchDeployedResources(m.managedObjectsRef, m.nexus, m.client) +} + // GetCustomComparator returns the custom comp function used to compare a security resource. // Returns nil if there is none func (m *Manager) GetCustomComparator(t reflect.Type) func(deployed resource.KubernetesResource, requested resource.KubernetesResource) bool { diff --git a/controllers/nexus/resource/security/manager_test.go b/controllers/nexus/resource/security/manager_test.go index 08087dd5..2716dcf8 100644 --- a/controllers/nexus/resource/security/manager_test.go +++ b/controllers/nexus/resource/security/manager_test.go @@ -28,7 +28,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/m88i/nexus-operator/api/v1alpha1" - "github.com/m88i/nexus-operator/pkg/framework" "github.com/m88i/nexus-operator/pkg/test" ) @@ -43,7 +42,8 @@ func TestNewManager(t *testing.T) { nexus: nexus, client: client, } - got := NewManager(nexus, client) + got, err := NewManager(nexus, client, client) + assert.Nil(t, err) assert.Equal(t, want.nexus, got.nexus) assert.Equal(t, want.client, got.client) } @@ -57,7 +57,7 @@ func TestManager_GetRequiredResources(t *testing.T) { log: logger.GetLoggerWithResource("test", baseNexus), } - // the default service accout is _always_ created + // the default service account is _always_ created // even if the user specified a different one resources, err := mgr.GetRequiredResources() assert.Nil(t, err) @@ -69,10 +69,8 @@ func TestManager_GetRequiredResources(t *testing.T) { func TestManager_GetDeployedResources(t *testing.T) { // first with no deployed resources fakeClient := test.NewFakeClientBuilder().Build() - mgr := &Manager{ - nexus: baseNexus, - client: fakeClient, - } + mgr, _ := NewManager(baseNexus, fakeClient, fakeClient) + resources, err := mgr.GetDeployedResources() assert.Nil(t, resources) assert.Len(t, resources, 0) @@ -95,24 +93,6 @@ func TestManager_GetDeployedResources(t *testing.T) { assert.Contains(t, err.Error(), mockErrorMsg) } -func TestManager_getDeployedSvcAccnt(t *testing.T) { - mgr := &Manager{ - nexus: baseNexus, - client: test.NewFakeClientBuilder().Build(), - } - - // first, test without creating the svcAccnt - err := framework.Fetch(mgr.client, framework.Key(mgr.nexus), managedObjectsRef[framework.SvcAccountKind], framework.SvcAccountKind) - assert.True(t, errors.IsNotFound(err)) - - // now test after creating the svcAccnt - svcAccnt := &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: mgr.nexus.Name, Namespace: mgr.nexus.Namespace}} - assert.NoError(t, mgr.client.Create(ctx.TODO(), svcAccnt)) - err = framework.Fetch(mgr.client, framework.Key(svcAccnt), svcAccnt, framework.SvcAccountKind) - assert.NotNil(t, svcAccnt) - assert.NoError(t, err) -} - func TestManager_GetCustomComparator(t *testing.T) { // the nexus and the client should have no effect on the // comparator functions offered by the manager diff --git a/controllers/nexus/resource/security/role_binding.go b/controllers/nexus/resource/security/role_binding.go new file mode 100644 index 00000000..6f72b141 --- /dev/null +++ b/controllers/nexus/resource/security/role_binding.go @@ -0,0 +1,42 @@ +// Copyright 2020 Nexus Operator and/or its authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package security + +import ( + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/m88i/nexus-operator/api/v1alpha1" +) + +const clusterRoleKind = "ClusterRole" + +func defaultRoleBinding(nexus *v1alpha1.Nexus) *rbacv1.RoleBinding { + return &rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{Name: "community-nexus-uid-200"}, + Subjects: []rbacv1.Subject{ + { + Name: nexus.Spec.ServiceAccountName, + Namespace: nexus.Namespace, + Kind: rbacv1.ServiceAccountKind, + }, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: rbacv1.GroupName, + Kind: clusterRoleKind, + Name: clusterRoleName, + }, + } +} diff --git a/controllers/nexus/resource/security/scc.go b/controllers/nexus/resource/security/scc.go new file mode 100644 index 00000000..bcc57ba2 --- /dev/null +++ b/controllers/nexus/resource/security/scc.go @@ -0,0 +1,50 @@ +// Copyright 2020 Nexus Operator and/or its authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package security + +import ( + secv1 "github.com/openshift/api/security/v1" + controllerruntime "sigs.k8s.io/controller-runtime" +) + +var ( + communityUID = int64(200) + sccName = "allow-nexus-userid-200" +) + +func defaultSCC() *secv1.SecurityContextConstraints { + return &secv1.SecurityContextConstraints{ + ObjectMeta: controllerruntime.ObjectMeta{Name: sccName}, + FSGroup: secv1.FSGroupStrategyOptions{ + Type: secv1.FSGroupStrategyMustRunAs, + Ranges: []secv1.IDRange{{Min: communityUID, Max: communityUID}}, + }, + RunAsUser: secv1.RunAsUserStrategyOptions{ + Type: secv1.RunAsUserStrategyMustRunAs, + UID: &communityUID, + }, + SELinuxContext: secv1.SELinuxContextStrategyOptions{ + Type: secv1.SELinuxStrategyMustRunAs, + }, + SupplementalGroups: secv1.SupplementalGroupsStrategyOptions{ + Type: secv1.SupplementalGroupsStrategyMustRunAs, + Ranges: []secv1.IDRange{{Min: communityUID, Max: communityUID}}, + }, + Volumes: []secv1.FSType{ + secv1.FSTypePersistentVolumeClaim, + secv1.FSTypeSecret, + }, + } +} diff --git a/controllers/nexus_controller.go b/controllers/nexus_controller.go index 311e719c..7f6a4564 100644 --- a/controllers/nexus_controller.go +++ b/controllers/nexus_controller.go @@ -71,6 +71,8 @@ type NexusReconciler struct { // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=create;delete;get;list;patch;update;watch // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=create;delete;get;list;patch;update;watch +// +kubebuilder:rbac:groups=security.openshift.io,resources=scc,verbs=create;get;update;watch +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrole;rolebinding,verbs=create;get;update;watch func (r *NexusReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { _ = context.Background() diff --git a/nexus-operator.yaml b/nexus-operator.yaml index 931d7b72..99207b07 100644 --- a/nexus-operator.yaml +++ b/nexus-operator.yaml @@ -476,6 +476,16 @@ rules: - patch - update - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrole + - rolebinding + verbs: + - create + - get + - update + - watch - apiGroups: - route.openshift.io resources: @@ -488,6 +498,15 @@ rules: - patch - update - watch +- apiGroups: + - security.openshift.io + resources: + - scc + verbs: + - create + - get + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/pkg/framework/fetcher.go b/pkg/framework/fetcher.go index 58e4b421..14ddb0f6 100644 --- a/pkg/framework/fetcher.go +++ b/pkg/framework/fetcher.go @@ -16,13 +16,30 @@ package framework import ( ctx "context" + "fmt" "github.com/RHsyseng/operator-utils/pkg/resource" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/m88i/nexus-operator/api/v1alpha1" ) +// FetchDeployedResources fetches deployed resources whose Kind is present in "managedObjectsRef" +func FetchDeployedResources(managedObjectsRef map[string]resource.KubernetesResource, nexus *v1alpha1.Nexus, cli client.Client) ([]resource.KubernetesResource, error) { + var resources []resource.KubernetesResource + for resType, resRef := range managedObjectsRef { + if err := Fetch(cli, Key(nexus), resRef, resType); err == nil { + resources = append(resources, resRef) + } else if !errors.IsNotFound(err) { + return nil, fmt.Errorf("could not fetch %s (%s/%s): %v", resType, nexus.Namespace, nexus.Name, err) + } + } + return resources, nil +} + +// Fetch fetches a single deployed resource and stores it in "instance" func Fetch(client client.Client, key types.NamespacedName, instance resource.KubernetesResource, kind string) error { log.Info("Attempting to fetch deployed resource", "kind", kind, "namespacedName", key) if err := client.Get(ctx.TODO(), key, instance); err != nil { diff --git a/pkg/framework/kinds.go b/pkg/framework/kinds.go index d3b4bc10..d585cbee 100644 --- a/pkg/framework/kinds.go +++ b/pkg/framework/kinds.go @@ -15,11 +15,14 @@ package framework const ( - DeploymentKind = "Deployment" - IngressKind = "Ingress" - PVCKind = "Persistent Volume Claim" - RouteKind = "Route" - SecretKind = "Secret" - ServiceKind = "Service" - SvcAccountKind = "Service Account" + ClusterRoleKind = "Cluster Role" + DeploymentKind = "Deployment" + IngressKind = "Ingress" + PVCKind = "Persistent Volume Claim" + RoleBindingKind = "Role Binding" + RouteKind = "Route" + SecretKind = "Secret" + ServiceKind = "Service" + SCCKind = "Security Context Constraint" + SvcAccountKind = "Service Account" ) From 7df54e10a5631958614002eee61af56250969e22 Mon Sep 17 00:00:00 2001 From: Lucas Caparelli Date: Fri, 23 Oct 2020 19:49:44 -0300 Subject: [PATCH 2/3] Adjust discovery usage Signed-off-by: Lucas Caparelli --- controllers/nexus/resource/networking/manager_test.go | 3 ++- controllers/nexus/resource/security/manager.go | 7 +++---- controllers/nexus/resource/security/manager_test.go | 6 ++++-- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/controllers/nexus/resource/networking/manager_test.go b/controllers/nexus/resource/networking/manager_test.go index e9ef8bda..30990368 100644 --- a/controllers/nexus/resource/networking/manager_test.go +++ b/controllers/nexus/resource/networking/manager_test.go @@ -211,7 +211,8 @@ func TestManager_createIngress(t *testing.T) { func TestManager_GetDeployedResources(t *testing.T) { // first with no deployed resources fakeClient := test.NewFakeClientBuilder().WithIngress().OnOpenshift().Build() - mgr, _ := NewManager(nodePortNexus, fakeClient, fakeClient) + discovery.SetClient(fakeClient) + mgr, _ := NewManager(nodePortNexus, fakeClient) resources, err := mgr.GetDeployedResources() assert.Nil(t, resources) diff --git a/controllers/nexus/resource/security/manager.go b/controllers/nexus/resource/security/manager.go index e0643beb..80d85ef5 100644 --- a/controllers/nexus/resource/security/manager.go +++ b/controllers/nexus/resource/security/manager.go @@ -23,12 +23,11 @@ import ( secv1 "github.com/openshift/api/security/v1" core "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" - "k8s.io/client-go/discovery" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/m88i/nexus-operator/api/v1alpha1" "github.com/m88i/nexus-operator/controllers/nexus/resource/validation" - "github.com/m88i/nexus-operator/pkg/cluster/openshift" + "github.com/m88i/nexus-operator/pkg/cluster/discovery" "github.com/m88i/nexus-operator/pkg/framework" "github.com/m88i/nexus-operator/pkg/logger" ) @@ -44,7 +43,7 @@ type Manager struct { } // NewManager creates a security resources Manager -func NewManager(nexus *v1alpha1.Nexus, client client.Client, disc discovery.DiscoveryInterface) (*Manager, error) { +func NewManager(nexus *v1alpha1.Nexus, client client.Client) (*Manager, error) { mgr := &Manager{ nexus: nexus, client: client, @@ -56,7 +55,7 @@ func NewManager(nexus *v1alpha1.Nexus, client client.Client, disc discovery.Disc }, } - isOCP, err := openshift.IsOpenShift(disc) + isOCP, err := discovery.IsOpenShift() if err != nil { return nil, fmt.Errorf("unable to determine if on Openshift: %v", err) } diff --git a/controllers/nexus/resource/security/manager_test.go b/controllers/nexus/resource/security/manager_test.go index 2716dcf8..8473268e 100644 --- a/controllers/nexus/resource/security/manager_test.go +++ b/controllers/nexus/resource/security/manager_test.go @@ -20,6 +20,7 @@ import ( "reflect" "testing" + "github.com/m88i/nexus-operator/pkg/cluster/discovery" "github.com/m88i/nexus-operator/pkg/logger" "github.com/stretchr/testify/assert" @@ -38,11 +39,12 @@ func TestNewManager(t *testing.T) { // so here we just check if the resulting manager took in the arguments correctly nexus := baseNexus client := test.NewFakeClientBuilder().Build() + discovery.SetClient(client) want := &Manager{ nexus: nexus, client: client, } - got, err := NewManager(nexus, client, client) + got, err := NewManager(nexus, client) assert.Nil(t, err) assert.Equal(t, want.nexus, got.nexus) assert.Equal(t, want.client, got.client) @@ -69,7 +71,7 @@ func TestManager_GetRequiredResources(t *testing.T) { func TestManager_GetDeployedResources(t *testing.T) { // first with no deployed resources fakeClient := test.NewFakeClientBuilder().Build() - mgr, _ := NewManager(baseNexus, fakeClient, fakeClient) + mgr, _ := NewManager(baseNexus, fakeClient) resources, err := mgr.GetDeployedResources() assert.Nil(t, resources) From 5b13e629bd06c82546918d2331216756630d5e51 Mon Sep 17 00:00:00 2001 From: Lucas Caparelli Date: Fri, 23 Oct 2020 20:19:19 -0300 Subject: [PATCH 3/3] Register security API and fix role permissions Signed-off-by: Lucas Caparelli --- bundle/manifests/nexus-operator.clusterserviceversion.yaml | 2 ++ config/rbac/role.yaml | 2 ++ controllers/nexus_controller.go | 4 ++-- main.go | 6 ++++-- nexus-operator.yaml | 2 ++ 5 files changed, 12 insertions(+), 4 deletions(-) diff --git a/bundle/manifests/nexus-operator.clusterserviceversion.yaml b/bundle/manifests/nexus-operator.clusterserviceversion.yaml index b4d13ef7..ad8c9c7f 100644 --- a/bundle/manifests/nexus-operator.clusterserviceversion.yaml +++ b/bundle/manifests/nexus-operator.clusterserviceversion.yaml @@ -175,6 +175,7 @@ spec: verbs: - create - get + - list - update - watch - apiGroups: @@ -196,6 +197,7 @@ spec: verbs: - create - get + - list - update - watch - apiGroups: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 12445393..a2917bd8 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -106,6 +106,7 @@ rules: verbs: - create - get + - list - update - watch - apiGroups: @@ -127,5 +128,6 @@ rules: verbs: - create - get + - list - update - watch diff --git a/controllers/nexus_controller.go b/controllers/nexus_controller.go index 7f6a4564..bb3ef543 100644 --- a/controllers/nexus_controller.go +++ b/controllers/nexus_controller.go @@ -71,8 +71,8 @@ type NexusReconciler struct { // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=create;delete;get;list;patch;update;watch // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=create;delete;get;list;patch;update;watch -// +kubebuilder:rbac:groups=security.openshift.io,resources=scc,verbs=create;get;update;watch -// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrole;rolebinding,verbs=create;get;update;watch +// +kubebuilder:rbac:groups=security.openshift.io,resources=scc,verbs=create;get;list;update;watch +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrole;rolebinding,verbs=create;get;list;update;watch func (r *NexusReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { _ = context.Background() diff --git a/main.go b/main.go index f395a244..92162430 100644 --- a/main.go +++ b/main.go @@ -23,6 +23,7 @@ import ( "strings" routev1 "github.com/openshift/api/route/v1" + secv1 "github.com/openshift/api/security/v1" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" k8sdisc "k8s.io/client-go/discovery" @@ -45,8 +46,9 @@ var ( ) func init() { - // adding routev1 - utilruntime.Must(routev1.AddToScheme(scheme)) + // adding routev1 (routes) and secv1 (SCCs) + utilruntime.Must(routev1.Install(scheme)) + utilruntime.Must(secv1.Install(scheme)) utilruntime.Must(clientgoscheme.AddToScheme(scheme)) utilruntime.Must(appsv1alpha1.AddToScheme(scheme)) // +kubebuilder:scaffold:scheme diff --git a/nexus-operator.yaml b/nexus-operator.yaml index 99207b07..63a2e89d 100644 --- a/nexus-operator.yaml +++ b/nexus-operator.yaml @@ -484,6 +484,7 @@ rules: verbs: - create - get + - list - update - watch - apiGroups: @@ -505,6 +506,7 @@ rules: verbs: - create - get + - list - update - watch ---