Tighten Vizier clusterroles/roles

Summary: Some of our clusterroles were overly permissive. This diff updates the clusterroles and creates some new namespace-scoped roles for the various Vizier service accounts. Test Plan: - Deploy fresh Vizier - Update existing Vizier - Update existing non-operator Vizier Reviewers: vihang, zasgar Reviewed By: vihang Signed-off-by: Michelle Nguyen <michellenguyen@pixielabs.ai> Differential Revision: https://phab.corp.pixielabs.ai/D12291 GitOrigin-RevId: c0b3b187190121b94e29a23c7872b1f26fb52eca
wangzhuzhen · Sep 27, 2022 · ff26221 · ff26221
1 parent 927fa47
commit ff26221
Show file tree

Hide file tree

Showing 5 changed files with 152 additions and 39 deletions.
diff --git a/k8s/operator/helm/templates/deleter_role.yaml b/k8s/operator/helm/templates/deleter_role.yaml
@@ -7,7 +7,7 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: pl-deleter-binding
+  name: pl-deleter-cluster-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -20,35 +20,58 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: pl-deleter-role
+  name: pl-deleter-cluster-role
 rules:
 # Allow actions on Kubernetes objects
+- apiGroups:
+  - rbac.authorization.k8s.io
+  - etcd.database.coreos.com
+  - nats.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  - persistentvolumes
+  - etcdclusters
+  - natsclusters
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pl-deleter-role
+rules:
 - apiGroups:
   - ""
   - apps
   - rbac.authorization.k8s.io
   - extensions
-  - etcd.database.coreos.com
   - batch
-  - nats.io
   - policy
   resources:
-  - clusterroles
-  - clusterrolebindings
   - configmaps
   - secrets
   - pods
   - services
   - deployments
   - daemonsets
   - persistentvolumes
-  - persistentvolumeclaims
   - roles
   - rolebindings
   - serviceaccounts
-  - etcdclusters
   - statefulsets
   - cronjobs
   - jobs
-  - natsclusters
   verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pl-deleter-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pl-deleter-role
+subjects:
+- kind: ServiceAccount
+  name: pl-deleter-service-account
+  namespace: "{{ .Release.Namespace }}"
diff --git a/k8s/vizier/base/metadata_role.yaml b/k8s/vizier/base/metadata_role.yaml
@@ -20,7 +20,9 @@ rules:
   - replicasets
   - deployments
   verbs:
-  - "*"
+  - "watch"
+  - "get"
+  - "list"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -60,3 +62,27 @@ subjects:
 - kind: ServiceAccount
   name: metadata-service-account
   namespace: pl
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pl-vizier-metadata-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pl-vizier-metadata-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pl-vizier-metadata-role
+subjects:
+- kind: ServiceAccount
+  name: metadata-service-account
+  namespace: pl
diff --git a/k8s/vizier/bootstrap/cloud_connector_role.yaml b/k8s/vizier/bootstrap/cloud_connector_role.yaml
@@ -6,24 +6,55 @@ metadata:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  name: pl-cloud-connector-cluster-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - "get"
+  resourceNames:
+  - "kube-system"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pl-cloud-connector-cluster-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pl-cloud-connector-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: cloud-conn-service-account
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: pl-cloud-connector-role
 rules:
 - apiGroups:
   - ""
   - px.dev
   resources:
-  - pods
-  - nodes
   - services
-  - endpoints
-  - namespaces
-  - jobs
   - events
   - pods/log
   - viziers
   verbs:
-  - "*"
+  - "get"
+  - "watch"
+  - "list"
 - apiGroups:
   - batch
   resources:
@@ -34,17 +65,20 @@ rules:
   - ""
   resources:
   - secrets
+  - endpoints
+  - pods
   verbs:
   - "*"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: pl-cloud-connector-cluster-binding
+  name: pl-cloud-connector-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: pl-cloud-connector-role
 subjects:
 - kind: ServiceAccount
   name: cloud-conn-service-account
+  namespace: pl
diff --git a/k8s/vizier/bootstrap/updater_role.yaml b/k8s/vizier/bootstrap/updater_role.yaml
@@ -2,58 +2,76 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: updater-service-account
-  labels:
-    vizier-updater-dep: "true"
+  name: pl-updater-service-account
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: pl-updater-binding
-  labels:
-    vizier-updater-dep: "true"
+  name: pl-updater-cluster-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: pl-updater-role
 subjects:
 - kind: ServiceAccount
-  name: updater-service-account
+  name: pl-updater-service-account
+  namespace: "{{ .Release.Namespace }}"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: pl-updater-role
-  labels:
-    vizier-updater-dep: "true"
+  name: pl-updater-cluster-role
 rules:
 # Allow actions on Kubernetes objects
+- apiGroups:
+  - rbac.authorization.k8s.io
+  - etcd.database.coreos.com
+  - nats.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  - persistentvolumes
+  - etcdclusters
+  - natsclusters
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pl-updater-role
+rules:
 - apiGroups:
   - ""
   - apps
   - rbac.authorization.k8s.io
   - extensions
-  - etcd.database.coreos.com
   - batch
-  - nats.io
   - policy
   resources:
-  - clusterroles
-  - clusterrolebindings
   - configmaps
   - secrets
   - pods
   - services
   - deployments
   - daemonsets
   - persistentvolumes
-  - persistentvolumeclaims
   - roles
   - rolebindings
   - serviceaccounts
-  - etcdclusters
   - statefulsets
   - cronjobs
   - jobs
-  - natsclusters
   verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pl-updater-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pl-updater-role
+subjects:
+- kind: ServiceAccount
+  name: pl-updater-service-account
+  namespace: "{{ .Release.Namespace }}"
diff --git a/src/utils/template_generator/vizier_yamls/vizier_yamls.go b/src/utils/template_generator/vizier_yamls/vizier_yamls.go
@@ -362,14 +362,14 @@ func generateVzYAMLs(clientset *kubernetes.Clientset, yamlMap map[string]string)
 			TemplateValue:   fmt.Sprintf(".%s.svc", nsTmpl),
 		},
 		{
-			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-psp-binding"),
+			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-updater-binding"),
 			Patch:           `{ "subjects": [{ "name": "updater-service-account", "namespace": "__PX_SUBJECT_NAMESPACE__", "kind": "ServiceAccount" }] }`,
 			Placeholder:     "__PX_SUBJECT_NAMESPACE__",
 			TemplateValue:   nsTmpl,
 		},
 		{
-			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-updater-binding"),
-			Patch:           `{ "subjects": [{ "name": "updater-service-account", "namespace": "__PX_SUBJECT_NAMESPACE__", "kind": "ServiceAccount" }] }`,
+			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-updater-cluster-binding"),
+			Patch:           `{ "subjects": [{ "name": "updater-service-account", "namespace": "__PXqgq_SUBJECT_NAMESPACE__", "kind": "ServiceAccount" }] }`,
 			Placeholder:     "__PX_SUBJECT_NAMESPACE__",
 			TemplateValue:   nsTmpl,
 		},
@@ -379,12 +379,24 @@ func generateVzYAMLs(clientset *kubernetes.Clientset, yamlMap map[string]string)
 			Placeholder:     "__PX_SUBJECT_NAMESPACE__",
 			TemplateValue:   nsTmpl,
 		},
+		{
+			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-cloud-connector-binding"),
+			Patch:           `{ "subjects": [{ "name": "cloud-conn-service-account", "namespace": "__PX_SUBJECT_NAMESPACE__", "kind": "ServiceAccount" }] }`,
+			Placeholder:     "__PX_SUBJECT_NAMESPACE__",
+			TemplateValue:   nsTmpl,
+		},
 		{
 			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-vizier-metadata-cluster-binding"),
 			Patch:           `{ "subjects": [{ "name": "metadata-service-account", "namespace": "__PX_SUBJECT_NAMESPACE__", "kind": "ServiceAccount" }] }`,
 			Placeholder:     "__PX_SUBJECT_NAMESPACE__",
 			TemplateValue:   nsTmpl,
 		},
+		{
+			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-vizier-metadata-binding"),
+			Patch:           `{ "subjects": [{ "name": "metadata-service-account", "namespace": "__PX_SUBJECT_NAMESPACE__", "kind": "ServiceAccount" }] }`,
+			Placeholder:     "__PX_SUBJECT_NAMESPACE__",
+			TemplateValue:   nsTmpl,
+		},
 		{
 			TemplateMatcher: yamls.GenerateResourceNameMatcherFn("pl-vizier-crd-metadata-binding"),
 			Patch:           `{ "subjects": [{ "name": "metadata-service-account", "namespace": "__PX_SUBJECT_NAMESPACE__", "kind": "ServiceAccount" }] }`,