Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce a restricted role for APM agent configuration #3155

Merged
merged 3 commits into from
Jun 2, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pkg/apis/apm/v1/webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ var (
validationLog = logf.Log.WithName("apm-v1-validation")

// apmAgentConfigurationMinVersion is the minimum required version to establish an association with Kibana
apmAgentConfigurationMinVersion = version.MustParse("7.3.0")
apmAgentConfigurationMinVersion = version.MustParse("7.5.1")

defaultChecks = []func(*ApmServer) field.ErrorList{
checkNoUnknownFields,
Expand Down
8 changes: 4 additions & 4 deletions pkg/apis/apm/v1/webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,20 +97,20 @@ func TestWebhook(t *testing.T) {
Operation: admissionv1beta1.Create,
Object: func(t *testing.T, uid string) []byte {
apm := mkApmServer(uid)
apm.Spec.Version = "7.2.0"
apm.Spec.Version = "7.4.0"
apm.Spec.KibanaRef = commonv1.ObjectSelector{Name: "kbname", Namespace: "kbns"}
return serialize(t, apm)
},
Check: test.ValidationWebhookFailed(
`spec.kibanaRef: Forbidden: required version for Kibana association is 7.3.0 but desired version is 7.2.0`,
`spec.kibanaRef: Forbidden: required version for Kibana association is 7.5.1 but desired version is 7.4.0`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Late nit: should read "minimum required version..."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback, I'll fix this as part of #3154

),
},
{
Name: "support-72-if-kibana-ref-not-set",
Name: "support-74-if-kibana-ref-not-set",
Operation: admissionv1beta1.Create,
Object: func(t *testing.T, uid string) []byte {
apm := mkApmServer(uid)
apm.Spec.Version = "7.2.0"
apm.Spec.Version = "7.4.0"
return serialize(t, apm)
},
Check: test.ValidationWebhookSucceeded,
Expand Down
3 changes: 2 additions & 1 deletion pkg/controller/association/controller/apm_kibana.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/elastic/cloud-on-k8s/pkg/controller/association"
"github.com/elastic/cloud-on-k8s/pkg/controller/common/operator"
"github.com/elastic/cloud-on-k8s/pkg/controller/common/watches"
"github.com/elastic/cloud-on-k8s/pkg/controller/elasticsearch/user"
"github.com/elastic/cloud-on-k8s/pkg/controller/kibana"
"github.com/elastic/cloud-on-k8s/pkg/utils/k8s"
"github.com/elastic/cloud-on-k8s/pkg/utils/rbac"
Expand Down Expand Up @@ -40,7 +41,7 @@ func AddApmKibana(mgr manager.Manager, accessReviewer rbac.AccessReviewer, param
UserSecretSuffix: "apm-kb-user",
CASecretLabelName: kibana.KibanaNameLabelName,
ESUserRole: func(_ commonv1.Associated) (string, error) {
return "kibana_user", nil
return user.ApmAgentUserRole, nil
},
SetDynamicWatches: func(association commonv1.Association, w watches.DynamicWatches) error {
kibanaKey := association.AssociationRef().NamespacedName()
Expand Down
11 changes: 9 additions & 2 deletions pkg/controller/elasticsearch/client/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,17 @@ type IndexRole struct {
Privileges []string `json:",omitempty"`
}

type ApplicationRole struct {
Application string `json:"application,omitempty"`
Privileges []string `json:"privileges,omitempty"`
Resources []string `json:"resources,omitempty"`
}

// Role represents an Elasticsearch role.
type Role struct {
Cluster []string `json:"cluster,omitempty"`
Indices []IndexRole `json:"indices,omitempty"`
Cluster []string `json:"cluster,omitempty"`
Indices []IndexRole `json:"indices,omitempty"`
Applications []ApplicationRole `json:"applications,omitempty"`
}

// Client captures the information needed to interact with an Elasticsearch cluster via HTTP
Expand Down
2 changes: 1 addition & 1 deletion pkg/controller/elasticsearch/user/reconcile_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,6 @@ func Test_aggregateRoles(t *testing.T) {
c := k8s.WrappedFakeClient(sampleUserProvidedRolesSecret...)
roles, err := aggregateRoles(c, sampleEsWithAuth, initDynamicWatches(), record.NewFakeRecorder(10))
require.NoError(t, err)
require.Len(t, roles, 6)
require.Len(t, roles, 7)
require.Contains(t, roles, ProbeUserRole, "role1", "role2")
}
14 changes: 14 additions & 0 deletions pkg/controller/elasticsearch/user/roles.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ const (
ApmUserRoleV7 = "eck_apm_user_role_v7"
// ApmUserRoleV75 is the name of the role used by APMServer instances to connect to Elasticsearch from version 7.5
ApmUserRoleV75 = "eck_apm_user_role_v75"

// ApmAgentUserRole is the name of the role used by APMServer instances to connect to Kibana
ApmAgentUserRole = "eck_apm_agent_user_role"
)

var (
Expand Down Expand Up @@ -58,6 +61,17 @@ var (
},
},
},
ApmAgentUserRole: esclient.Role{
Cluster: []string{},
Indices: []esclient.IndexRole{},
Applications: []esclient.ApplicationRole{
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simitt @sqren would be glad to have your review on this role. Thanks 🙏

Copy link
Member

@sorenlouv sorenlouv May 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm 👍
fyi: In parallel I'm working on improving this by making this behaviour default for the apm_user role: elastic/elasticsearch#57201.

It might not be available until 8.0 (so still quite a long way out) but better than never.

{
Application: "kibana-.kibana",
Resources: []string{"space:default"},
Privileges: []string{"feature_apm.read"},
},
},
},
}
)

Expand Down