change api and observer roles to the minimum privileges (#353)

Signed-off-by: ruriko <[email protected]>

Author: rurikudo

integrity-shield-operator/controllers/integrityshield.go

@@ -517,14 +517,14 @@ func (r *IntegrityShieldReconciler) deleteClusterRoleBindingForIShield(
 	return r.deleteClusterRoleBinding(instance, expected)
 }
 
-// cluster role binding for observer sa
-func (r *IntegrityShieldReconciler) createOrUpdateObserverClusterRoleBindingForIShield(
+// cluster role binding - observer
+func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleBindingForObserver(
 	instance *apiv1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildClusterRoleBindingForObserver(instance)
 	return r.createOrUpdateClusterRoleBinding(instance, expected)
 }
 
-func (r *IntegrityShieldReconciler) deleteObserverClusterRoleBindingForIShield(
+func (r *IntegrityShieldReconciler) deleteClusterRoleBindingForObserver(
 	instance *apiv1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildClusterRoleBindingForObserver(instance)
 	return r.deleteClusterRoleBinding(instance, expected)
@@ -543,14 +543,14 @@ func (r *IntegrityShieldReconciler) deleteClusterRoleForIShield(
 	return r.deleteClusterRole(instance, expected)
 }
 
-// cluster role for observer sa
-func (r *IntegrityShieldReconciler) createOrUpdateObserverClusterRoleForIShield(
+// cluster role - observer
+func (r *IntegrityShieldReconciler) createOrUpdateClusterRoleForObserver(
 	instance *apiv1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildClusterRoleForObserver(instance)
 	return r.createOrUpdateClusterRole(instance, expected)
 }
 
-func (r *IntegrityShieldReconciler) deleteObserverClusterRoleForIShield(
+func (r *IntegrityShieldReconciler) deleteClusterRoleForObserver(
 	instance *apiv1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildClusterRoleForObserver(instance)
 	return r.deleteClusterRole(instance, expected)
@@ -563,13 +563,27 @@ func (r *IntegrityShieldReconciler) createOrUpdateRoleBindingForIShield(
 	return r.createOrUpdateRoleBinding(instance, expected)
 }
 
+// role binding - observer
+func (r *IntegrityShieldReconciler) createOrUpdateRoleBindingForObserver(
+	instance *apiv1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildRoleBindingForObserver(instance)
+	return r.createOrUpdateRoleBinding(instance, expected)
+}
+
 // role
 func (r *IntegrityShieldReconciler) createOrUpdateRoleForIShield(
 	instance *apiv1.IntegrityShield) (ctrl.Result, error) {
 	expected := res.BuildRoleForIShield(instance)
 	return r.createOrUpdateRole(instance, expected)
 }
 
+// role - observer
+func (r *IntegrityShieldReconciler) createOrUpdateRoleForObserver(
+	instance *apiv1.IntegrityShield) (ctrl.Result, error) {
+	expected := res.BuildRoleForObserver(instance)
+	return r.createOrUpdateRole(instance, expected)
+}
+
 func (r *IntegrityShieldReconciler) createOrUpdatePodSecurityPolicy(instance *apiv1.IntegrityShield) (ctrl.Result, error) {
 	ctx := context.Background()
 	expected := res.BuildPodSecurityPolicy(instance)

integrity-shield-operator/controllers/integrityshield_controller.go

@@ -100,13 +100,13 @@ func (r *IntegrityShieldReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, nil
 	}
 
-	// Pod Security Policy (PSP)
+	//Pod Security Policy (PSP)
 	recResult, recErr = r.createOrUpdatePodSecurityPolicy(instance)
 	if recErr != nil || recResult.Requeue {
 		return recResult, recErr
 	}
 
-	// Config
+	//Config
 	recResult, recErr = r.createOrUpdateRequestHandlerConfig(instance)
 	if recErr != nil || recResult.Requeue {
 		return recResult, recErr
@@ -143,22 +143,37 @@ func (r *IntegrityShieldReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	// Observer
 	if instance.Spec.Observer.Enabled {
+		//CRD
 		recResult, recErr = r.createOrUpdateObserverResultCRD(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
 		}
+		//Service Account
 		recResult, recErr = r.createOrUpdateObserverServiceAccount(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
 		}
-		recResult, recErr = r.createOrUpdateObserverClusterRoleForIShield(instance)
+		//Cluster Role
+		recResult, recErr = r.createOrUpdateClusterRoleForObserver(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
 		}
-		recResult, recErr = r.createOrUpdateObserverClusterRoleBindingForIShield(instance)
+		//Cluster Role Binding
+		recResult, recErr = r.createOrUpdateClusterRoleBindingForObserver(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
 		}
+		//Role
+		recResult, recErr = r.createOrUpdateRoleForObserver(instance)
+		if recErr != nil || recResult.Requeue {
+			return recResult, recErr
+		}
+		//Role Binding
+		recResult, recErr = r.createOrUpdateRoleBindingForObserver(instance)
+		if recErr != nil || recResult.Requeue {
+			return recResult, recErr
+		}
+		//Deployment
 		recResult, recErr = r.createOrUpdateObserverDeployment(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
@@ -167,7 +182,6 @@ func (r *IntegrityShieldReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	// Gatekeeper
 	if instance.Spec.UseGatekeeper {
-
 		// Shield API Secret
 		recResult, recErr = r.createOrUpdateTlsSecret(instance)
 		if recErr != nil || recResult.Requeue {
@@ -291,11 +305,11 @@ func (r *IntegrityShieldReconciler) deleteClusterScopedChildrenResources(instanc
 	}
 
 	if instance.Spec.Observer.Enabled {
-		_, err = r.deleteObserverClusterRoleForIShield(instance)
+		_, err = r.deleteClusterRoleForObserver(instance)
 		if err != nil {
 			return err
 		}
-		_, err = r.deleteObserverClusterRoleBindingForIShield(instance)
+		_, err = r.deleteClusterRoleBindingForObserver(instance)
 		if err != nil {
 			return err
 		}

integrity-shield-operator/resources/role.go

@@ -76,10 +76,10 @@ func BuildClusterRoleForIShield(cr *apiv1.IntegrityShield) *rbacv1.ClusterRole {
 		Rules: []rbacv1.PolicyRule{
 			{
 				APIGroups: []string{
-					"", "apis.integrityshield.io",
+					"apis.integrityshield.io",
 				},
 				Resources: []string{
-					"secrets", "manifestintegrityprofiles",
+					"manifestintegrityprofiles",
 				},
 				Verbs: []string{
 					"get", "list", "watch", "patch", "update",
@@ -198,7 +198,6 @@ func BuildRoleForIShield(cr *apiv1.IntegrityShield) *rbacv1.Role {
 	return role
 }
 
-// TODO: should be minimum privilege
 func BuildClusterRoleForObserver(cr *apiv1.IntegrityShield) *rbacv1.ClusterRole {
 	labels := map[string]string{
 		"app":                          cr.Name,
@@ -221,7 +220,37 @@ func BuildClusterRoleForObserver(cr *apiv1.IntegrityShield) *rbacv1.ClusterRole
 					"*",
 				},
 				Verbs: []string{
-					"get", "list", "create", "update",
+					"get", "list",
+				},
+			},
+		},
+	}
+	return role
+}
+
+func BuildRoleForObserver(cr *apiv1.IntegrityShield) *rbacv1.Role {
+	labels := map[string]string{
+		"app":                          cr.Name,
+		"app.kubernetes.io/name":       cr.Name,
+		"app.kubernetes.io/managed-by": "operator",
+		"role":                         "security",
+	}
+	role := &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      cr.Spec.Security.ObserverRole,
+			Namespace: cr.Namespace,
+			Labels:    labels,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{
+					"apis.integrityshield.io", "",
+				},
+				Resources: []string{
+					"manifestintegritystates", "configmaps",
+				},
+				Verbs: []string{
+					"get", "list", "create", "watch", "patch", "update",
 				},
 			},
 		},
@@ -249,6 +278,11 @@ func BuildRoleBindingForIShield(cr *apiv1.IntegrityShield) *rbacv1.RoleBinding {
 				Name:      cr.Spec.Security.APIServiceAccountName,
 				Namespace: cr.Namespace,
 			},
+			{
+				Kind:      "ServiceAccount",
+				Name:      cr.Spec.Security.ObserverServiceAccountName,
+				Namespace: cr.Namespace,
+			},
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
@@ -259,6 +293,36 @@ func BuildRoleBindingForIShield(cr *apiv1.IntegrityShield) *rbacv1.RoleBinding {
 	return rolebinding
 }
 
+//role-binding observer
+func BuildRoleBindingForObserver(cr *apiv1.IntegrityShield) *rbacv1.RoleBinding {
+	labels := map[string]string{
+		"app":                          cr.Name,
+		"app.kubernetes.io/name":       cr.Name,
+		"app.kubernetes.io/managed-by": "operator",
+		"role":                         "security",
+	}
+	rolebinding := &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      cr.Spec.Security.ObserverRoleBinding,
+			Namespace: cr.Namespace,
+			Labels:    labels,
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      cr.Spec.Security.ObserverServiceAccountName,
+				Namespace: cr.Namespace,
+			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "Role",
+			Name:     cr.Spec.Security.ObserverRole,
+		},
+	}
+	return rolebinding
+}
+
 func BuildClusterRoleBindingForObserver(cr *apiv1.IntegrityShield) *rbacv1.ClusterRoleBinding {
 	labels := map[string]string{
 		"app":                          cr.Name,