File 0003-Vulnerability-fix-limit-operator-secrets-permission.patch of Package kubevirt
From 9b8de48301a52b3bd9f1622f78e7e6b475b25813 Mon Sep 17 00:00:00 2001
From: Kyle Lane <kylelane@google.com>
Date: Fri, 3 Feb 2023 00:49:59 +0000
Subject: [PATCH] [Vulnerability fix] limit operator secrets permission

Also change structure to hold service account names in resource/generate/components due to circular dependancy.

Change-Id: I01c2619a9705b3c3f144d1d8567687df011d00fa
Signed-off-by: Kyle Lane kylelane@google.com
---
manifests/generated/operator-csv.yaml.in | 9 +++++
.../rbac-operator.authorization.k8s.yaml.in | 9 +++++
pkg/virt-api/webhooks/BUILD.bazel | 2 +-
.../mutating-webhook/mutators/BUILD.bazel | 2 +-
.../mutators/vmi-mutator_test.go | 4 +-
pkg/virt-api/webhooks/utils.go | 8 ++--
.../validating-webhook/admitters/BUILD.bazel | 2 +-
.../admitters/vmi-create-admitter_test.go | 9 ++---
.../admitters/vmi-update-admitter_test.go | 10 ++---
.../resource/generate/components/BUILD.bazel | 2 +-
.../generate/components/daemonsets.go | 3 +-
.../generate/components/deployments.go | 7 ++--
.../components/serviceaccountnames.go | 9 +++++
.../resource/generate/rbac/BUILD.bazel | 2 +
.../resource/generate/rbac/apiserver.go | 24 ++++++------
.../resource/generate/rbac/controller.go | 22 +++++------
.../resource/generate/rbac/handler.go | 22 +++++------
.../resource/generate/rbac/operator.go | 37 ++++++++++++-------
.../resource/generate/rbac/operator_test.go | 10 +++--
19 files changed, 116 insertions(+), 77 deletions(-)
create mode 100644 pkg/virt-operator/resource/generate/components/serviceaccountnames.go

diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
index 59c7b7bfb..b8fbd78aa 100644
--- a/manifests/generated/operator-csv.yaml.in
+++ b/manifests/generated/operator-csv.yaml.in
@@ -1237,6 +1237,15 @@ spec: - rules: - apiGroups: - "" + resourceNames: + - kubevirt-ca + - kubevirt-export-ca + - kubevirt-virt-handler-certs + - kubevirt-virt-handler-server-certs + - kubevirt-operator-certs + - kubevirt-virt-api-certs + - kubevirt-controller-certs + - kubevirt-exportproxy-certs resources: - secrets verbs: diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in index e066d5e9e..62db7e121 100644 --- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in +++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in @@ -17,6 +17,15 @@ metadata: rules: - apiGroups: - "" + resourceNames: + - kubevirt-ca + - kubevirt-export-ca + - kubevirt-virt-handler-certs + - kubevirt-virt-handler-server-certs + - kubevirt-operator-certs + - kubevirt-virt-api-certs + - kubevirt-controller-certs + - kubevirt-exportproxy-certs resources: - secrets verbs: diff --git a/pkg/virt-api/webhooks/BUILD.bazel b/pkg/virt-api/webhooks/BUILD.bazel index b7ebdc8cb..8da9ed58e 100644 --- a/pkg/virt-api/webhooks/BUILD.bazel +++ b/pkg/virt-api/webhooks/BUILD.bazel @@ -12,7 +12,7 @@ go_library( visibility = ["//visibility:public"], deps = [ "//pkg/virt-handler/node-labeller/util:go_default_library", - "//pkg/virt-operator/resource/generate/rbac:go_default_library", + "//pkg/virt-operator/resource/generate/components:go_default_library", "//staging/src/kubevirt.io/api/core/v1:go_default_library", "//staging/src/kubevirt.io/api/pool/v1alpha1:go_default_library", "//staging/src/kubevirt.io/client-go/log:go_default_library", diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel index 06fe70e4f..85b50e86b 100644 --- a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel +++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel 
@@ -56,7 +56,7 @@ go_test( "//pkg/virt-api/webhooks:go_default_library", "//pkg/virt-config:go_default_library", "//pkg/virt-handler/node-labeller/util:go_default_library", - "//pkg/virt-operator/resource/generate/rbac:go_default_library", + "//pkg/virt-operator/resource/generate/components:go_default_library", "//staging/src/kubevirt.io/api/clone:go_default_library", "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library", "//staging/src/kubevirt.io/api/core:go_default_library", diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go index 16efbe35f..907967a45 100644 --- a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go +++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go @@ -46,10 +46,10 @@ import ( "kubevirt.io/kubevirt/pkg/virt-api/webhooks" virtconfig "kubevirt.io/kubevirt/pkg/virt-config" nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util" - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ) -var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", rbac.ControllerServiceAccountName) +var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", components.ControllerServiceAccountName) var _ = Describe("VirtualMachineInstance Mutator", func() { var vmi *v1.VirtualMachineInstance diff --git a/pkg/virt-api/webhooks/utils.go b/pkg/virt-api/webhooks/utils.go index 948b2adcf..20a4a66bb 100644 --- a/pkg/virt-api/webhooks/utils.go +++ b/pkg/virt-api/webhooks/utils.go 
@@ -29,7 +29,7 @@ import ( poolv1 "kubevirt.io/api/pool/v1alpha1" "kubevirt.io/client-go/log" - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" v1 "kubevirt.io/api/core/v1" clientutil "kubevirt.io/client-go/util" @@ -90,9 +90,9 @@ func IsKubeVirtServiceAccount(serviceAccount string) bool { } prefix := fmt.Sprintf("system:serviceaccount:%s", ns) - return serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ApiServiceAccountName) || - serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.HandlerServiceAccountName) || - serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ControllerServiceAccountName) + return serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ApiServiceAccountName) || + serviceAccount == fmt.Sprintf("%s:%s", prefix, components.HandlerServiceAccountName) || + serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ControllerServiceAccountName) } func IsARM64() bool { diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel index 1654755ae..b73b4a3f1 100644 --- a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel +++ b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel @@ -98,7 +98,7 @@ go_test( "//pkg/virt-api/webhooks:go_default_library", "//pkg/virt-config:go_default_library", "//pkg/virt-handler/node-labeller/util:go_default_library", - "//pkg/virt-operator/resource/generate/rbac:go_default_library", + "//pkg/virt-operator/resource/generate/components:go_default_library", "//staging/src/kubevirt.io/api/clone:go_default_library", "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library", "//staging/src/kubevirt.io/api/core:go_default_library", 
diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go index d56a7493b..eff7c8b03 100644 --- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go +++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go @@ -27,8 +27,6 @@ import ( "kubevirt.io/client-go/api" - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" - . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" admissionv1 "k8s.io/api/admission/v1" @@ -49,6 +47,7 @@ import ( "kubevirt.io/kubevirt/pkg/virt-api/webhooks" virtconfig "kubevirt.io/kubevirt/pkg/virt-config" nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util" + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ) var _ = Describe("Validating VMICreate Admitter", func() { @@ -401,17 +400,17 @@ var _ = Describe("Validating VMICreate Admitter", func() { }, Entry("Create restricted label by API", map[string]string{v1.NodeNameLabel: "someValue"}, - rbac.ApiServiceAccountName, + components.ApiServiceAccountName, true, ), Entry("Create restricted label by Handler", map[string]string{v1.NodeNameLabel: "someValue"}, - rbac.HandlerServiceAccountName, + components.HandlerServiceAccountName, true, ), Entry("Create restricted label by Controller", map[string]string{v1.NodeNameLabel: "someValue"}, - rbac.ControllerServiceAccountName, + components.ControllerServiceAccountName, true, ), Entry("Create restricted label by non kubevirt user", diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go index 83a9d0390..a9f7af477 100644 --- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go +++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go 
@@ -39,7 +39,7 @@ import ( "kubevirt.io/kubevirt/pkg/testutils" webhookutils "kubevirt.io/kubevirt/pkg/util/webhooks" "kubevirt.io/kubevirt/pkg/virt-api/webhooks" - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ) var _ = Describe("Validating VMIUpdate Admitter", func() { @@ -190,17 +190,17 @@ var _ = Describe("Validating VMIUpdate Admitter", func() { Entry("Update by API", map[string]string{v1.NodeNameLabel: "someValue"}, map[string]string{v1.NodeNameLabel: "someNewValue"}, - rbac.ApiServiceAccountName, + components.ApiServiceAccountName, ), Entry("Update by Handler", map[string]string{v1.NodeNameLabel: "someValue"}, map[string]string{v1.NodeNameLabel: "someNewValue"}, - rbac.HandlerServiceAccountName, + components.HandlerServiceAccountName, ), Entry("Update by Controller", map[string]string{v1.NodeNameLabel: "someValue"}, map[string]string{v1.NodeNameLabel: "someNewValue"}, - rbac.ControllerServiceAccountName, + components.ControllerServiceAccountName, ), ) @@ -560,7 +560,7 @@ var _ = Describe("Validating VMIUpdate Admitter", func() { resp := vmiUpdateAdmitter.Admit(ar) Expect(resp.Allowed).To(expected) }, - Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+rbac.ApiServiceAccountName, BeTrue()), + Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+components.ApiServiceAccountName, BeTrue()), Entry("Should reject regular user", "system:serviceaccount:someNamespace:someUser", BeFalse()), ) }) diff --git a/pkg/virt-operator/resource/generate/components/BUILD.bazel b/pkg/virt-operator/resource/generate/components/BUILD.bazel index 8a1b46b56..146c37a5f 100644 --- a/pkg/virt-operator/resource/generate/components/BUILD.bazel +++ b/pkg/virt-operator/resource/generate/components/BUILD.bazel @@ -11,6 +11,7 @@ go_library( "routes.go", "scc.go", "secrets.go", + "serviceaccountnames.go", "validations_generated.go", "webhooks.go", ], 
@@ -21,7 +22,6 @@ go_library( "//pkg/certificates/triple:go_default_library", "//pkg/certificates/triple/cert:go_default_library", "//pkg/virt-config:go_default_library", - "//pkg/virt-operator/resource/generate/rbac:go_default_library", "//pkg/virt-operator/util:go_default_library", "//staging/src/kubevirt.io/api/clone:go_default_library", "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library", diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go index b6e9426d1..2a3c863f6 100644 --- a/pkg/virt-operator/resource/generate/components/daemonsets.go +++ b/pkg/virt-operator/resource/generate/components/daemonsets.go @@ -13,7 +13,6 @@ import ( virtv1 "kubevirt.io/api/core/v1" virtconfig "kubevirt.io/kubevirt/pkg/virt-config" - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util" ) @@ -77,7 +76,7 @@ func NewHandlerDaemonSet(namespace string, repository string, imagePrefix string } pod := &daemonset.Spec.Template.Spec - pod.ServiceAccountName = rbac.HandlerServiceAccountName + pod.ServiceAccountName = HandlerServiceAccountName pod.HostPID = true // nodelabeller currently only support x86 diff --git a/pkg/virt-operator/resource/generate/components/deployments.go b/pkg/virt-operator/resource/generate/components/deployments.go index 9af531287..a64476bb8 100644 --- a/pkg/virt-operator/resource/generate/components/deployments.go +++ b/pkg/virt-operator/resource/generate/components/deployments.go @@ -34,7 +34,6 @@ import ( virtv1 "kubevirt.io/api/core/v1" - "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util" ) 
@@ -318,7 +317,7 @@ func NewApiServerDeployment(namespace string, repository string, imagePrefix str attachProfileVolume(&deployment.Spec.Template.Spec) pod := &deployment.Spec.Template.Spec - pod.ServiceAccountName = rbac.ApiServiceAccountName + pod.ServiceAccountName = ApiServiceAccountName pod.SecurityContext = &corev1.PodSecurityContext{ RunAsNonRoot: boolPtr(true), SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, @@ -392,7 +391,7 @@ func NewControllerDeployment(namespace string, repository string, imagePrefix st } pod := &deployment.Spec.Template.Spec - pod.ServiceAccountName = rbac.ControllerServiceAccountName + pod.ServiceAccountName = ControllerServiceAccountName pod.SecurityContext = &corev1.PodSecurityContext{ RunAsNonRoot: boolPtr(true), SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, @@ -663,7 +662,7 @@ func NewExportProxyDeployment(namespace string, repository string, imagePrefix s attachProfileVolume(&deployment.Spec.Template.Spec) pod := &deployment.Spec.Template.Spec - pod.ServiceAccountName = rbac.ExportProxyServiceAccountName + pod.ServiceAccountName = ExportProxyServiceAccountName pod.SecurityContext = &corev1.PodSecurityContext{ RunAsNonRoot: boolPtr(true), } diff --git a/pkg/virt-operator/resource/generate/components/serviceaccountnames.go b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go new file mode 100644 index 000000000..0948629bb --- /dev/null +++ b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go @@ -0,0 +1,9 @@ +package components + +const ( + ApiServiceAccountName = "kubevirt-apiserver" + ControllerServiceAccountName = "kubevirt-controller" + ExportProxyServiceAccountName = "kubevirt-exportproxy" + HandlerServiceAccountName = "kubevirt-handler" + OperatorServiceAccountName = "kubevirt-operator" +) 
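Review bot: The five exported constants in the new file pkg/virt-operator/resource/generate/components/serviceaccountnames.go carry no doc comment, and they are now the single definition shared by the components and rbac packages (the old per-file constants in rbac are removed elsewhere in this patch). A comment on the const group stating what the values are and why they live here would help the next reader, for example `// Names of the ServiceAccounts the operator creates for each KubeVirt component. They live in components rather than rbac because rbac imports this package (see the commit message); each name is also used as the name of that component's Role/ClusterRole and bindings.` The deployments.go hunks sharing this line are plain references to the new constants and raise nothing further.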
diff --git a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel index fb3952f7b..8de09055f 100644 --- a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel +++ b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel @@ -14,6 +14,7 @@ go_library( importpath = "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac", visibility = ["//visibility:public"], deps = [ + "//pkg/virt-operator/resource/generate/components:go_default_library", "//staging/src/kubevirt.io/api/clone:go_default_library", "//staging/src/kubevirt.io/api/core/v1:go_default_library", "//staging/src/kubevirt.io/api/instancetype:go_default_library", @@ -33,6 +34,7 @@ go_test( ], embed = [":go_default_library"], deps = [ + "//pkg/virt-operator/resource/generate/components:go_default_library", "//staging/src/kubevirt.io/client-go/testutils:go_default_library", "//vendor/github.com/onsi/ginkgo/v2:go_default_library", "//vendor/github.com/onsi/gomega:go_default_library", diff --git a/pkg/virt-operator/resource/generate/rbac/apiserver.go b/pkg/virt-operator/resource/generate/rbac/apiserver.go index 43f7d5647..5b77ce4bd 100644 --- a/pkg/virt-operator/resource/generate/rbac/apiserver.go +++ b/pkg/virt-operator/resource/generate/rbac/apiserver.go @@ -26,6 +26,8 @@ import ( "kubevirt.io/api/instancetype" + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + virtv1 "kubevirt.io/api/core/v1" "kubevirt.io/api/migrations" ) @@ -36,8 +38,6 @@ const ( GroupName = "kubevirt.io" ) -const ApiServiceAccountName = "kubevirt-apiserver" - func GetAllApiServer(namespace string) []runtime.Object { return []runtime.Object{ newApiServerServiceAccount(namespace), @@ -57,7 +57,7 @@ func newApiServerServiceAccount(namespace string) *corev1.ServiceAccount { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, 
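Review bot: The new `components` import in apiserver.go is placed as its own group between `"kubevirt.io/api/instancetype"` and `virtv1 "kubevirt.io/api/core/v1"`, which splits the kubevirt.io API imports into two groups; controller.go does the same, while handler.go and operator.go append it as the last group inside the parenthesis. Keeping one layout across the four rbac files — the project-internal `kubevirt.io/kubevirt/...` import as the final group after the kubevirt.io API imports, as operator.go does — would match the usual goimports grouping and avoid the two styles diverging further. This is style only; the compiled result is identical.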
@@ -72,7 +72,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole { Kind: "ClusterRole", }, ObjectMeta: metav1.ObjectMeta{ - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -265,7 +265,7 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding Kind: "ClusterRoleBinding", }, ObjectMeta: metav1.ObjectMeta{ - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -273,13 +273,13 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding RoleRef: rbacv1.RoleRef{ APIGroup: VersionName, Kind: "ClusterRole", - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, }, }, } @@ -306,7 +306,7 @@ func newApiServerAuthDelegatorClusterRoleBinding(namespace string) *rbacv1.Clust { Kind: "ServiceAccount", Namespace: namespace, - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, }, }, } @@ -320,7 +320,7 @@ func newApiServerRole(namespace string) *rbacv1.Role { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -349,7 +349,7 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, 
@@ -357,13 +357,13 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding { RoleRef: rbacv1.RoleRef{ APIGroup: VersionName, Kind: "Role", - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: ApiServiceAccountName, + Name: components.ApiServiceAccountName, }, }, } diff --git a/pkg/virt-operator/resource/generate/rbac/controller.go b/pkg/virt-operator/resource/generate/rbac/controller.go index 8da9f0a5d..3ebe9c1aa 100644 --- a/pkg/virt-operator/resource/generate/rbac/controller.go +++ b/pkg/virt-operator/resource/generate/rbac/controller.go @@ -26,14 +26,14 @@ import ( "kubevirt.io/api/clone" + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + "kubevirt.io/api/instancetype" virtv1 "kubevirt.io/api/core/v1" "kubevirt.io/api/migrations" ) -const ControllerServiceAccountName = "kubevirt-controller" - func GetAllController(namespace string) []runtime.Object { return []runtime.Object{ newControllerServiceAccount(namespace), @@ -52,7 +52,7 @@ func newControllerServiceAccount(namespace string) *corev1.ServiceAccount { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -67,7 +67,7 @@ func newControllerRole(namespace string) *rbacv1.Role { Kind: "Role", }, ObjectMeta: metav1.ObjectMeta{ - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, Namespace: namespace, Labels: map[string]string{ virtv1.AppLabel: "", @@ -124,7 +124,7 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding { Kind: "RoleBinding", }, ObjectMeta: metav1.ObjectMeta{ - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, Namespace: namespace, Labels: map[string]string{ virtv1.AppLabel: "", 
@@ -133,13 +133,13 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding { RoleRef: rbacv1.RoleRef{ APIGroup: VersionName, Kind: "Role", - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, }, }, } @@ -152,7 +152,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { Kind: "ClusterRole", }, ObjectMeta: metav1.ObjectMeta{ - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -512,7 +512,7 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin Kind: "ClusterRoleBinding", }, ObjectMeta: metav1.ObjectMeta{ - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -520,13 +520,13 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: ControllerServiceAccountName, + Name: components.ControllerServiceAccountName, }, }, } diff --git a/pkg/virt-operator/resource/generate/rbac/handler.go b/pkg/virt-operator/resource/generate/rbac/handler.go index c47adc28a..e55a4044e 100644 --- a/pkg/virt-operator/resource/generate/rbac/handler.go +++ b/pkg/virt-operator/resource/generate/rbac/handler.go 
@@ -27,9 +27,9 @@ import ( virtv1 "kubevirt.io/api/core/v1" "kubevirt.io/api/migrations" -) -const HandlerServiceAccountName = "kubevirt-handler" + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" +) func GetAllHandler(namespace string) []runtime.Object { return []runtime.Object{ @@ -49,7 +49,7 @@ func newHandlerServiceAccount(namespace string) *corev1.ServiceAccount { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -64,7 +64,7 @@ func newHandlerClusterRole() *rbacv1.ClusterRole { Kind: "ClusterRole", }, ObjectMeta: metav1.ObjectMeta{ - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -167,7 +167,7 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding { Kind: "ClusterRoleBinding", }, ObjectMeta: metav1.ObjectMeta{ - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -175,13 +175,13 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding { RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, }, }, } @@ -195,7 +195,7 @@ func newHandlerRole(namespace string) *rbacv1.Role { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, 
@@ -224,7 +224,7 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -232,13 +232,13 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding { RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "Role", - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: HandlerServiceAccountName, + Name: components.HandlerServiceAccountName, }, }, } diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go index 29ec8c85a..f15dfa554 100644 --- a/pkg/virt-operator/resource/generate/rbac/operator.go +++ b/pkg/virt-operator/resource/generate/rbac/operator.go @@ -26,6 +26,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" virtv1 "kubevirt.io/api/core/v1" + + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ) const ( @@ -33,7 +35,6 @@ const ( GroupNameRoute = "route.openshift.io" serviceAccountFmt = "%s:%s:%s" ) -const OperatorServiceAccountName = "kubevirt-operator" // Used for manifest generation only, not by the operator itself func GetAllOperator(namespace string) []interface{} { @@ -54,7 +55,7 @@ func newOperatorServiceAccount(namespace string) *corev1.ServiceAccount { }, ObjectMeta: metav1.ObjectMeta{ Namespace: namespace, - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -74,7 +75,7 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole { Kind: "ClusterRole", }, ObjectMeta: metav1.ObjectMeta{ - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, 
@@ -396,7 +397,7 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding Kind: "ClusterRoleBinding", }, ObjectMeta: metav1.ObjectMeta{ - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, Labels: map[string]string{ virtv1.AppLabel: "", }, @@ -404,13 +405,13 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding RoleRef: rbacv1.RoleRef{ APIGroup: VersionName, Kind: "ClusterRole", - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, }, }, } @@ -432,13 +433,13 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding { RoleRef: rbacv1.RoleRef{ APIGroup: VersionName, Kind: "Role", - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", Namespace: namespace, - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, }, }, } @@ -452,7 +453,7 @@ func NewOperatorRole(namespace string) *rbacv1.Role { Kind: "Role", }, ObjectMeta: metav1.ObjectMeta{ - Name: OperatorServiceAccountName, + Name: components.OperatorServiceAccountName, Namespace: namespace, Labels: map[string]string{ virtv1.AppLabel: "", @@ -466,6 +467,16 @@ func NewOperatorRole(namespace string) *rbacv1.Role { Resources: []string{ "secrets", }, + ResourceNames: []string{ + components.KubeVirtCASecretName, + components.KubeVirtExportCASecretName, + components.VirtHandlerCertSecretName, + components.VirtHandlerServerCertSecretName, + components.VirtOperatorCertSecretName, + components.VirtApiCertSecretName, + components.VirtControllerCertSecretName, + components.VirtExportProxyCertSecretName, + }, Verbs: []string{ "create", "get", 
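Review bot: The `ResourceNames` list added to the secrets rule in NewOperatorRole does not restrict `create` (nor `list`/`watch` without a metadata.name field selector): Kubernetes RBAC matches resourceNames against the object name in the request, and a create request carries none, so after this change the rule no longer matches the operator's create requests for those secrets at all. If the operator depends on this Role to create the certificate secrets on a fresh install — no other rule granting create is visible in the hunk — the rule should be split into an unrestricted `create` rule and the name-restricted rule for the remaining verbs, and the generated manifests regenerated from it. The rest of the verb list lies outside the hunk, so the exact verbs to keep on the restricted rule should be confirmed there. A test in operator_test.go asserting that the operator Role's secrets rule carries these resourceNames would also guard against an accidental revert of the hardening.
```go
			// … unchanged: preceding rules in NewOperatorRole …
			{
				// create cannot be limited by resourceNames (the object name
				// is not known at authorization time), so it gets its own rule.
				APIGroups: []string{""},
				Resources: []string{"secrets"},
				Verbs:     []string{"create"},
			},
			{
				APIGroups: []string{""},
				Resources: []string{"secrets"},
				ResourceNames: []string{
					components.KubeVirtCASecretName,
					components.KubeVirtExportCASecretName,
					components.VirtHandlerCertSecretName,
					components.VirtHandlerServerCertSecretName,
					components.VirtOperatorCertSecretName,
					components.VirtApiCertSecretName,
					components.VirtControllerCertSecretName,
					components.VirtExportProxyCertSecretName,
				},
				Verbs: []string{
					"get",
					// … unchanged: remaining verbs of the original rule, minus "create" …
				},
			},
```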
@@ -526,10 +537,10 @@ func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool { usermap := make(map[string]bool) prefix := "system:serviceaccount" - usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, HandlerServiceAccountName)] = true - usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ApiServiceAccountName)] = true - usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ControllerServiceAccountName)] = true - usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, OperatorServiceAccountName)] = true + usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.HandlerServiceAccountName)] = true + usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ApiServiceAccountName)] = true + usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ControllerServiceAccountName)] = true + usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.OperatorServiceAccountName)] = true return usermap } diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go index 701a8c4f5..51bd479cc 100644 --- a/pkg/virt-operator/resource/generate/rbac/operator_test.go +++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go @@ -26,6 +26,8 @@ import ( . "github.com/onsi/gomega" v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" + + "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ) var _ = Describe("RBAC", func() { 
@@ -75,10 +77,10 @@ var _ = Describe("RBAC", func() { func(name string) { Expect(serviceAccounts).To(HaveKey(MatchRegexp(fmt.Sprintf(".*%s.*", name)))) }, - Entry("for Handler", HandlerServiceAccountName), - Entry("for Api", ApiServiceAccountName), - Entry("for Controller", ControllerServiceAccountName), - Entry("for Operator", OperatorServiceAccountName), + Entry("for Handler", components.HandlerServiceAccountName), + Entry("for Api", components.ApiServiceAccountName), + Entry("for Controller", components.ControllerServiceAccountName), + Entry("for Operator", components.OperatorServiceAccountName), ) }) -- 2.39.2