From 57269eca4c64c24599998d0406e720bd305b7a5b Mon Sep 17 00:00:00 2001 From: Michael Morello Date: Tue, 2 Jun 2020 08:56:57 +0200 Subject: [PATCH] Introduce a restricted role for agent configuration (#3155) * Introduce a role for the APM agent configuration * Set min. APM Server version to 7.5.1 --- pkg/apis/apm/v1/webhook.go | 2 +- pkg/apis/apm/v1/webhook_test.go | 8 ++++---- .../association/controller/apm_kibana.go | 3 ++- pkg/controller/elasticsearch/client/client.go | 11 +++++++++-- .../elasticsearch/user/reconcile_test.go | 2 +- pkg/controller/elasticsearch/user/roles.go | 14 ++++++++++++++ 6 files changed, 31 insertions(+), 9 deletions(-) diff --git a/pkg/apis/apm/v1/webhook.go b/pkg/apis/apm/v1/webhook.go index 59fc6b31e5..720da19d13 100644 --- a/pkg/apis/apm/v1/webhook.go +++ b/pkg/apis/apm/v1/webhook.go @@ -24,7 +24,7 @@ var ( validationLog = logf.Log.WithName("apm-v1-validation") // apmAgentConfigurationMinVersion is the minimum required version to establish an association with Kibana - apmAgentConfigurationMinVersion = version.MustParse("7.3.0") + apmAgentConfigurationMinVersion = version.MustParse("7.5.1") defaultChecks = []func(*ApmServer) field.ErrorList{ checkNoUnknownFields, diff --git a/pkg/apis/apm/v1/webhook_test.go b/pkg/apis/apm/v1/webhook_test.go index 5ad7013446..034e8495d7 100644 --- a/pkg/apis/apm/v1/webhook_test.go +++ b/pkg/apis/apm/v1/webhook_test.go @@ -97,20 +97,20 @@ func TestWebhook(t *testing.T) { Operation: admissionv1beta1.Create, Object: func(t *testing.T, uid string) []byte { apm := mkApmServer(uid) - apm.Spec.Version = "7.2.0" + apm.Spec.Version = "7.4.0" apm.Spec.KibanaRef = commonv1.ObjectSelector{Name: "kbname", Namespace: "kbns"} return serialize(t, apm) }, Check: test.ValidationWebhookFailed( - `spec.kibanaRef: Forbidden: required version for Kibana association is 7.3.0 but desired version is 7.2.0`, + `spec.kibanaRef: Forbidden: required version for Kibana association is 7.5.1 but desired version is 7.4.0`, ), }, { - Name: "support-72-if-kibana-ref-not-set", + Name: "support-74-if-kibana-ref-not-set", Operation: admissionv1beta1.Create, Object: func(t *testing.T, uid string) []byte { apm := mkApmServer(uid) - apm.Spec.Version = "7.2.0" + apm.Spec.Version = "7.4.0" return serialize(t, apm) }, Check: test.ValidationWebhookSucceeded, diff --git a/pkg/controller/association/controller/apm_kibana.go b/pkg/controller/association/controller/apm_kibana.go index 9ab63da506..248c91b720 100644 --- a/pkg/controller/association/controller/apm_kibana.go +++ b/pkg/controller/association/controller/apm_kibana.go @@ -13,6 +13,7 @@ import ( "github.com/elastic/cloud-on-k8s/pkg/controller/association" "github.com/elastic/cloud-on-k8s/pkg/controller/common/operator" "github.com/elastic/cloud-on-k8s/pkg/controller/common/watches" + "github.com/elastic/cloud-on-k8s/pkg/controller/elasticsearch/user" "github.com/elastic/cloud-on-k8s/pkg/controller/kibana" "github.com/elastic/cloud-on-k8s/pkg/utils/k8s" "github.com/elastic/cloud-on-k8s/pkg/utils/rbac" @@ -40,7 +41,7 @@ func AddApmKibana(mgr manager.Manager, accessReviewer rbac.AccessReviewer, param UserSecretSuffix: "apm-kb-user", CASecretLabelName: kibana.KibanaNameLabelName, ESUserRole: func(_ commonv1.Associated) (string, error) { - return "kibana_user", nil + return user.ApmAgentUserRole, nil }, SetDynamicWatches: func(association commonv1.Association, w watches.DynamicWatches) error { kibanaKey := association.AssociationRef().NamespacedName() diff --git a/pkg/controller/elasticsearch/client/client.go b/pkg/controller/elasticsearch/client/client.go index 7fadefdfaa..e76dd7d50c 100644 --- a/pkg/controller/elasticsearch/client/client.go +++ b/pkg/controller/elasticsearch/client/client.go @@ -35,10 +35,17 @@ type IndexRole struct { Privileges []string `json:",omitempty"` } +type ApplicationRole struct { + Application string `json:"application,omitempty"` + Privileges []string `json:"privileges,omitempty"` + Resources []string `json:"resources,omitempty"` +} + // Role represents an Elasticsearch role. type Role struct { - Cluster []string `json:"cluster,omitempty"` - Indices []IndexRole `json:"indices,omitempty"` + Cluster []string `json:"cluster,omitempty"` + Indices []IndexRole `json:"indices,omitempty"` + Applications []ApplicationRole `json:"applications,omitempty"` } // Client captures the information needed to interact with an Elasticsearch cluster via HTTP diff --git a/pkg/controller/elasticsearch/user/reconcile_test.go b/pkg/controller/elasticsearch/user/reconcile_test.go index 14cd79d1f4..fb5fdd1e50 100644 --- a/pkg/controller/elasticsearch/user/reconcile_test.go +++ b/pkg/controller/elasticsearch/user/reconcile_test.go @@ -75,6 +75,6 @@ func Test_aggregateRoles(t *testing.T) { c := k8s.WrappedFakeClient(sampleUserProvidedRolesSecret...) roles, err := aggregateRoles(c, sampleEsWithAuth, initDynamicWatches(), record.NewFakeRecorder(10)) require.NoError(t, err) - require.Len(t, roles, 6) + require.Len(t, roles, 7) require.Contains(t, roles, ProbeUserRole, "role1", "role2") } diff --git a/pkg/controller/elasticsearch/user/roles.go b/pkg/controller/elasticsearch/user/roles.go index 2c25b38b16..f47ffa011e 100644 --- a/pkg/controller/elasticsearch/user/roles.go +++ b/pkg/controller/elasticsearch/user/roles.go @@ -25,6 +25,9 @@ const ( ApmUserRoleV7 = "eck_apm_user_role_v7" // ApmUserRoleV75 is the name of the role used by APMServer instances to connect to Elasticsearch from version 7.5 ApmUserRoleV75 = "eck_apm_user_role_v75" + + // ApmAgentUserRole is the name of the role used by APMServer instances to connect to Kibana + ApmAgentUserRole = "eck_apm_agent_user_role" ) var ( @@ -58,6 +61,17 @@ var ( }, }, }, + ApmAgentUserRole: esclient.Role{ + Cluster: []string{}, + Indices: []esclient.IndexRole{}, + Applications: []esclient.ApplicationRole{ + { + Application: "kibana-.kibana", + Resources: []string{"space:default"}, + Privileges: []string{"feature_apm.read"}, + }, + }, + }, } )