add finalizer to CR for kubernetes 1.20 update (#283)

Co-authored-by: hirokuni.kitahara <[email protected]@hirokunikitaharanoMacBook-Pro.local>

Author: hirokuni-kitahara

integrity-shield-operator/api/v1alpha1/integrityshield_types.go

@@ -56,6 +56,8 @@ const (
 	DefaultKeyringFilename                    = "pubring.gpg"
 	DefaultIShieldWebhookTimeout              = 10
 	SATokenPath                               = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+
+	CleanupFinalizerName = "cleanup.finalizers.integrityshield.io"
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!

integrity-shield-operator/config/samples/apis_v1alpha1_integrityshield.yaml

@@ -2,6 +2,8 @@ apiVersion: apis.integrityshield.io/v1alpha1
 kind: IntegrityShield
 metadata:
   name: integrity-shield-server
+  finalizers:
+  - cleanup.finalizers.integrityshield.io
 spec:
   namespace: integrity-shield-operator-system
   shieldConfig:

integrity-shield-operator/controllers/integrityshield.go

@@ -106,6 +106,32 @@ func (r *IntegrityShieldReconciler) createOrUpdateCRD(instance *apiv1alpha1.Inte
 
 }
 
+func (r *IntegrityShieldReconciler) deleteCRD(instance *apiv1alpha1.IntegrityShield, expected *extv1.CustomResourceDefinition) (ctrl.Result, error) {
+	ctx := context.Background()
+	found := &extv1.CustomResourceDefinition{}
+
+	reqLogger := r.Log.WithValues(
+		"Instance.Name", instance.Name,
+		"CustomResourceDefinition.Name", expected.Name)
+
+	err := r.Get(ctx, types.NamespacedName{Name: expected.Name}, found)
+
+	if err == nil {
+		reqLogger.Info(fmt.Sprintf("Deleting the IShield CustomResourceDefinition %s", expected.Name))
+		err = r.Delete(ctx, found)
+		if err != nil {
+			reqLogger.Error(err, fmt.Sprintf("Failed to delete the IShield CustomResourceDefinition %s", expected.Name))
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else if errors.IsNotFound(err) {
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else {
+		return ctrl.Result{}, err
+	}
+
+}
+
 func (r *IntegrityShieldReconciler) createOrUpdateShieldConfigCRD(
 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildShieldConfigCRD(instance)
@@ -135,6 +161,35 @@ func (r *IntegrityShieldReconciler) createOrUpdateResourceSigningProfileCRD(
 	return r.createOrUpdateCRD(instance, expected)
 }
 
+func (r *IntegrityShieldReconciler) deleteShieldConfigCRD(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildShieldConfigCRD(instance)
+	return r.deleteCRD(instance, expected)
+}
+
+func (r *IntegrityShieldReconciler) deleteSignerConfigCRD(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildSignerConfigCRD(instance)
+	return r.deleteCRD(instance, expected)
+}
+func (r *IntegrityShieldReconciler) deleteResourceSignatureCRD(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildResourceSignatureCRD(instance)
+	return r.deleteCRD(instance, expected)
+}
+
+func (r *IntegrityShieldReconciler) deleteHelmReleaseMetadataCRD(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildHelmReleaseMetadataCRD(instance)
+	return r.deleteCRD(instance, expected)
+}
+
+func (r *IntegrityShieldReconciler) deleteResourceSigningProfileCRD(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildResourceSigningProfileCRD(instance)
+	return r.deleteCRD(instance, expected)
+}
+
 /**********************************************
 
 				CR
@@ -409,6 +464,33 @@ func (r *IntegrityShieldReconciler) createOrUpdateClusterRole(instance *apiv1alp
 
 }
 
+func (r *IntegrityShieldReconciler) deleteClusterRole(instance *apiv1alpha1.IntegrityShield, expected *rbacv1.ClusterRole) (ctrl.Result, error) {
+	ctx := context.Background()
+	found := &rbacv1.ClusterRole{}
+
+	reqLogger := r.Log.WithValues(
+		"Instance.Name", instance.Name,
+		"ClusterRole.Name", expected.Name)
+
+	err := r.Get(ctx, types.NamespacedName{Name: expected.Name}, found)
+
+	if err == nil {
+		reqLogger.Info(fmt.Sprintf("Deleting the IShield ClusterRole %s", expected.Name))
+		err = r.Delete(ctx, found)
+		if err != nil {
+			reqLogger.Error(err, fmt.Sprintf("Failed to delete the IShield ClusterRole %s", expected.Name))
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else if errors.IsNotFound(err) {
+
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else {
+		return ctrl.Result{}, err
+	}
+
+}
+
 func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleBinding(instance *apiv1alpha1.IntegrityShield, expected *rbacv1.ClusterRoleBinding) (ctrl.Result, error) {
 	ctx := context.Background()
 	found := &rbacv1.ClusterRoleBinding{}
@@ -451,6 +533,32 @@ func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleBinding(instance *a
 
 }
 
+func (r *IntegrityShieldReconciler) deleteClusterRoleBinding(instance *apiv1alpha1.IntegrityShield, expected *rbacv1.ClusterRoleBinding) (ctrl.Result, error) {
+	ctx := context.Background()
+	found := &rbacv1.ClusterRoleBinding{}
+
+	reqLogger := r.Log.WithValues(
+		"Instance.Name", instance.Name,
+		"ClusterRoleBinding.Name", expected.Name)
+
+	err := r.Get(ctx, types.NamespacedName{Name: expected.Name}, found)
+
+	if err == nil {
+		reqLogger.Info(fmt.Sprintf("Deleting the IShield ClusterRoleBinding %s", expected.Name))
+		err = r.Delete(ctx, found)
+		if err != nil {
+			reqLogger.Error(err, fmt.Sprintf("Failed to delete the IShield ClusterRoleBinding %s", expected.Name))
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else if errors.IsNotFound(err) {
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else {
+		return ctrl.Result{}, err
+	}
+
+}
+
 func (r *IntegrityShieldReconciler) createOrUpdateRole(instance *apiv1alpha1.IntegrityShield, expected *rbacv1.Role) (ctrl.Result, error) {
 	ctx := context.Background()
 	found := &rbacv1.Role{}
@@ -543,6 +651,12 @@ func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleBindingForIShieldAd
 	return r.createOrUpdateClusterRoleBinding(instance, expected)
 }
 
+func (r *IntegrityShieldReconciler) deleteClusterRoleBindingForIShieldAdmin(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildClusterRoleBindingForIShieldAdmin(instance)
+	return r.deleteClusterRoleBinding(instance, expected)
+}
+
 func (r *IntegrityShieldReconciler) createOrUpdateRoleBindingForIShieldAdmin(
 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildRoleBindingForIShieldAdmin(instance)
@@ -561,13 +675,25 @@ func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleForIShieldAdmin(
 	return r.createOrUpdateClusterRole(instance, expected)
 }
 
+func (r *IntegrityShieldReconciler) deleteClusterRoleForIShieldAdmin(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildClusterRoleForIShieldAdmin(instance)
+	return r.deleteClusterRole(instance, expected)
+}
+
 // for ie
 func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleBindingForIShield(
 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildClusterRoleBindingForIShield(instance)
 	return r.createOrUpdateClusterRoleBinding(instance, expected)
 }
 
+func (r *IntegrityShieldReconciler) deleteClusterRoleBindingForIShield(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildClusterRoleBindingForIShield(instance)
+	return r.deleteClusterRoleBinding(instance, expected)
+}
+
 func (r *IntegrityShieldReconciler) createOrUpdateRoleBindingForIShield(
 	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildRoleBindingForIShield(instance)
@@ -586,6 +712,12 @@ func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleForIShield(
 	return r.createOrUpdateClusterRole(instance, expected)
 }
 
+func (r *IntegrityShieldReconciler) deleteClusterRoleForIShield(
+	instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildClusterRoleForIShield(instance)
+	return r.deleteClusterRole(instance, expected)
+}
+
 func (r *IntegrityShieldReconciler) createOrUpdatePodSecurityPolicy(instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
 	ctx := context.Background()
 	expected := res.BuildPodSecurityPolicy(instance)
@@ -629,6 +761,33 @@ func (r *IntegrityShieldReconciler) createOrUpdatePodSecurityPolicy(instance *ap
 
 }
 
+// delete ishield-psp
+func (r *IntegrityShieldReconciler) deletePodSecurityPolicy(instance *apiv1alpha1.IntegrityShield) (ctrl.Result, error) {
+	ctx := context.Background()
+	expected := res.BuildPodSecurityPolicy(instance)
+	found := &policyv1.PodSecurityPolicy{}
+
+	reqLogger := r.Log.WithValues(
+		"Instance.Name", instance.Name,
+		"PodSecurityPolicy.Name", expected.Name)
+
+	err := r.Get(ctx, types.NamespacedName{Name: expected.Name}, found)
+
+	if err == nil {
+		reqLogger.Info("Deleting the IShield PodSecurityPolicy")
+		err = r.Delete(ctx, found)
+		if err != nil {
+			reqLogger.Error(err, "Failed to delete the IShield PodSecurityPolicy")
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else if errors.IsNotFound(err) {
+		return ctrl.Result{Requeue: true, RequeueAfter: time.Second * 1}, nil
+	} else {
+		return ctrl.Result{}, err
+	}
+}
+
 /**********************************************
 
 				Secret

integrity-shield-operator/controllers/integrityshield_controller.go

@@ -71,10 +71,32 @@ func (r *IntegrityShieldReconciler) Reconcile(req ctrl.Request) (ctrl.Result, er
 	var recErr error
 
 	// apply default config if not ignored
+	// this step is necessary to identify default resource names such as ishield-webhook-config, so this should be done even before finalizer
 	if !instance.Spec.IgnoreDefaultIShieldCR {
 		instance = resources.MergeDefaultIntegrityShieldCR(instance, "")
 	}
 
+	// Integrity Shield is under deletion - finalizer step
+	if !instance.ObjectMeta.DeletionTimestamp.IsZero() {
+		if containsString(instance.ObjectMeta.Finalizers, apisv1alpha1.CleanupFinalizerName) {
+			if err := r.deleteClusterScopedChildrenResources(instance); err != nil {
+				// if fail to delete the external dependency here, return with error
+				// so that it can be retried
+				reqLogger.Error(err, "Error occured during finalizer process. retrying soon.")
+				return ctrl.Result{}, err
+			}
+
+			// remove our finalizer from the list and update it.
+			instance.ObjectMeta.Finalizers = removeString(instance.ObjectMeta.Finalizers, apisv1alpha1.CleanupFinalizerName)
+			if err := r.Update(context.Background(), instance); err != nil {
+				return ctrl.Result{}, err
+			}
+		}
+		return ctrl.Result{}, nil
+	}
+
+	// otherwise, normal reconcile
+
 	if ok, nonReadyKey := r.isKeyRingReady(instance); !ok {
 		reqLogger.Info(fmt.Sprintf("KeyRing secret \"%s\" does not exist. Skip reconciling.", nonReadyKey))
 		return ctrl.Result{Requeue: true}, nil
@@ -237,3 +259,85 @@ func (r *IntegrityShieldReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&apisv1alpha1.IntegrityShield{}).
 		Complete(r)
 }
+
+func (r *IntegrityShieldReconciler) deleteClusterScopedChildrenResources(instance *apisv1alpha1.IntegrityShield) error {
+	// delete any cluster scope resources owned by the instance
+	// (In Iubernetes 1.20 and later, a garbage collector ignore cluster scope children even if their owner is deleted)
+	var err error
+	_, err = r.deleteWebhook(instance)
+	if err != nil {
+		return err
+	}
+	_, err = r.deletePodSecurityPolicy(instance)
+	if err != nil {
+		return err
+	}
+	if !instance.Spec.Security.AutoIShieldAdminCreationDisabled {
+		_, err = r.deleteClusterRoleBindingForIShieldAdmin(instance)
+		if err != nil {
+			return err
+		}
+		_, err = r.deleteClusterRoleForIShieldAdmin(instance)
+		if err != nil {
+			return err
+		}
+	}
+	_, err = r.deleteClusterRoleBindingForIShield(instance)
+	if err != nil {
+		return err
+	}
+	_, err = r.deleteClusterRoleForIShield(instance)
+	if err != nil {
+		return err
+	}
+
+	enabledPulgins := instance.Spec.ShieldConfig.GetEnabledPlugins()
+	if enabledPulgins["helm"] {
+		_, err = r.deleteHelmReleaseMetadataCRD(instance)
+		if err != nil {
+			return err
+		}
+	}
+
+	_, err = r.deleteResourceSigningProfileCRD(instance)
+	if err != nil {
+		return err
+	}
+
+	_, err = r.deleteResourceSignatureCRD(instance)
+	if err != nil {
+		return err
+	}
+
+	_, err = r.deleteSignerConfigCRD(instance)
+	if err != nil {
+		return err
+	}
+
+	_, err = r.deleteShieldConfigCRD(instance)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Helper functions to check and remove string from a slice of strings.
+func containsString(slice []string, s string) bool {
+	for _, item := range slice {
+		if item == s {
+			return true
+		}
+	}
+	return false
+}
+
+func removeString(slice []string, s string) (result []string) {
+	for _, item := range slice {
+		if item == s {
+			continue
+		}
+		result = append(result, item)
+	}
+	return
+}

integrity-shield-operator/resources/testdata/integrityShieldCR.yaml

@@ -2,6 +2,8 @@ apiVersion: apis.integrityshield.io/v1alpha1
 kind: IntegrityShield
 metadata:
   creationTimestamp: null
+  finalizers:
+  - cleanup.finalizers.integrityshield.io
   name: integrity-shield-server
 spec:
   affinity: {}

shield/pkg/shield/checkFunctions.go

@@ -103,7 +103,7 @@ func iShieldResourceCheck(reqc *common.ReqContext, config *config.ShieldConfig,
 	gcReq := checkIfGarbageCollectorRequest(reqc)
 	spSAReq := checkIfSpecialServiceAccountRequest(reqc)
 
-	if (iShieldOperatorResource && (adminReq || gcReq || spSAReq)) || (iShieldServerResource && (operatorReq || serverReq || gcReq || spSAReq)) {
+	if (iShieldOperatorResource && (adminReq || operatorReq || gcReq || spSAReq)) || (iShieldServerResource && (operatorReq || serverReq || gcReq || spSAReq)) {
 		ctx.Allow = true
 		ctx.Verified = true
 		ctx.ReasonCode = common.REASON_ISHIELD_ADMIN