From 3e535d49a4349a6ccbc39fcd4df5ecc109af0f7b Mon Sep 17 00:00:00 2001
From: Florian Bacher
Date: Thu, 27 Apr 2023 14:46:42 +0200
Subject: [PATCH 1/6] chore(cert-manager): reduce secret permissions

Signed-off-by: Florian Bacher
---
 klt-cert-manager/config/rbac/role.yaml | 3 ++-
 .../keptnwebhookcertificate_controller.go | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/klt-cert-manager/config/rbac/role.yaml b/klt-cert-manager/config/rbac/role.yaml
index 8874f8f096..f044e0855e 100644
--- a/klt-cert-manager/config/rbac/role.yaml
+++ b/klt-cert-manager/config/rbac/role.yaml
@@ -51,13 +51,14 @@ metadata:
 rules:
 - apiGroups:
   - ""
+  resourceNames:
+  - klt-certs
   resources:
   - secrets
   verbs:
   - create
   - delete
   - get
-  - list
   - patch
   - update
   - watch
diff --git a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
index 1ba14be41e..3b4cf46727 100644
--- a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
+++ b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
@@ -37,7 +37,7 @@ type KeptnWebhookCertificateReconciler struct {
 // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch;
 
 //role
-// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;watch;create;update;patch;delete,resourceNames=klt-certs
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

From 27342feed41767e8b724f18c1022afea4367c918 Mon Sep 17 00:00:00 2001
From: Florian Bacher
Date: Fri, 28 Apr 2023 07:33:21 +0200
Subject: [PATCH 2/6] disable secret cache
Signed-off-by: Florian Bacher
---
 klt-cert-manager/main.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/klt-cert-manager/main.go b/klt-cert-manager/main.go
index d837285545..15b5baaacd 100644
--- a/klt-cert-manager/main.go
+++ b/klt-cert-manager/main.go
@@ -4,6 +4,7 @@ import (
 	"flag"
 	"log"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/kelseyhightower/envconfig"
 	"github.com/keptn/lifecycle-toolkit/klt-cert-manager/controllers/keptnwebhookcontroller"
@@ -69,6 +70,7 @@ func main() {
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection: enableLeaderElection,
 		LeaderElectionID: "f9d59293.keptn.sh",
+		ClientDisableCacheFor: []client.Object{&corev1.Secret{}},
 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 		// when the Manager ends. This requires the binary to immediately end when the
 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly

From 2e83a57899089e442d3cfd270ef2826f3043b6a5 Mon Sep 17 00:00:00 2001
From: Florian Bacher
Date: Fri, 28 Apr 2023 09:00:40 +0200
Subject: [PATCH 3/6] fix rbac setup

Signed-off-by: Florian Bacher
---
 klt-cert-manager/config/rbac/role.yaml | 10 ++++++++--
 .../keptnwebhookcertificate_controller.go | 6 +++---
 klt-cert-manager/main.go | 4 +++-
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/klt-cert-manager/config/rbac/role.yaml b/klt-cert-manager/config/rbac/role.yaml
index f044e0855e..fb07623e8a 100644
--- a/klt-cert-manager/config/rbac/role.yaml
+++ b/klt-cert-manager/config/rbac/role.yaml
@@ -49,6 +49,14 @@ metadata:
   name: certificate-operator-role
   namespace: keptn-lifecycle-toolkit-system
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - list
+  - watch
 - apiGroups:
   - ""
   resourceNames:
@@ -56,9 +64,7 @@ rules:
   resources:
   - secrets
   verbs:
-  - create
   - delete
   - get
   - patch
   - update
-  - watch
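Review bot: The rule added at the top of this hunk grants `list` and `watch` on every Secret in the namespace, because it carries no `resourceNames`, so the controller's service account can read all secrets in `keptn-lifecycle-toolkit-system` rather than only `klt-certs`, and the informer behind `Owns(&corev1.Secret{})` in the controller hunk below will cache all of them in memory. Kubernetes RBAC does honour `resourceNames` for `list` and `watch` when the request carries a `metadata.name` field selector equal to that name, so if the manager cache were configured with such a selector for secrets (controller-runtime's per-object cache selector options, if the version in use has them), `- list` and `- watch` could move into the `klt-certs` rule, leaving only `- create` here — `create` cannot be name-restricted and legitimately stays separate. The same split is mirrored in the `+kubebuilder:rbac` markers in this patch's controller hunk and in patch 6, which would need the same adjustment so the generated role stays consistent.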
diff --git a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
index 3b4cf46727..58f0b1f085 100644
--- a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
+++ b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
@@ -3,6 +3,7 @@ package keptnwebhookcontroller
 import (
 	"context"
 	"fmt"
+	corev1 "k8s.io/api/core/v1"
 	"reflect"
 
 	"github.com/go-logr/logr"
@@ -10,7 +11,6 @@ import (
 	"github.com/pkg/errors"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
 	apiv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -37,7 +37,8 @@ type KeptnWebhookCertificateReconciler struct {
 // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch;
 
 //role
-// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;watch;create;update;patch;delete,resourceNames=klt-certs
+// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;update;patch;delete,resourceNames=klt-certs
+// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=create;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -98,7 +99,6 @@ func (r *KeptnWebhookCertificateReconciler) SetupWithManager(mgr ctrl.Manager) e
 		WithEventFilter(eventfilter.ForLabelsAndNamespace(labels.SelectorFromSet(r.MatchLabels), r.Namespace)).
 		Owns(&corev1.Secret{}).
 		Complete(r)
-
 }
 
 func (r *KeptnWebhookCertificateReconciler) setCertificates(ctx context.Context, certSecret *certificateSecret) error {
diff --git a/klt-cert-manager/main.go b/klt-cert-manager/main.go
index 15b5baaacd..bb8e02e960 100644
--- a/klt-cert-manager/main.go
+++ b/klt-cert-manager/main.go
@@ -62,6 +62,8 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	disableCacheFor := []client.Object{&corev1.Secret{}}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Namespace: env.KLTNamespace,
@@ -70,7 +72,7 @@ func main() {
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection: enableLeaderElection,
 		LeaderElectionID: "f9d59293.keptn.sh",
-		ClientDisableCacheFor: []client.Object{&corev1.Secret{}},
+		ClientDisableCacheFor: disableCacheFor,
 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 		// when the Manager ends. This requires the binary to immediately end when the
 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly

From b87ab3f13bfe2523435dcc3d5172e705b327dbab Mon Sep 17 00:00:00 2001
From: Florian Bacher
Date: Fri, 28 Apr 2023 09:35:09 +0200
Subject: [PATCH 4/6] fix linting

Signed-off-by: Florian Bacher
---
 .../keptnwebhookcertificate_controller.go | 2 +-
 klt-cert-manager/main.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
index 58f0b1f085..0d5a32fc7e 100644
--- a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
+++ b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
@@ -3,7 +3,6 @@ package keptnwebhookcontroller
 import (
 	"context"
 	"fmt"
-	corev1 "k8s.io/api/core/v1"
 	"reflect"
 
 	"github.com/go-logr/logr"
@@ -11,6 +10,7 @@ import (
 	"github.com/pkg/errors"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	apiv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
diff --git a/klt-cert-manager/main.go b/klt-cert-manager/main.go
index bb8e02e960..f9a27a1c0a 100644
--- a/klt-cert-manager/main.go
+++ b/klt-cert-manager/main.go
@@ -4,7 +4,6 @@ import (
 	"flag"
 	"log"
 	"os"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/kelseyhightower/envconfig"
 	"github.com/keptn/lifecycle-toolkit/klt-cert-manager/controllers/keptnwebhookcontroller"
@@ -17,6 +16,7 @@ import (
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap" // nolint:gci

From dbdd261a2d3026ccb4b13ab9f43299e0dd1a938e Mon Sep 17 00:00:00 2001
From: Florian Bacher
Date: Fri, 28 Apr 2023 09:37:59 +0200
Subject: [PATCH 5/6] re-enable cache because list/watch permission could not be removed

Signed-off-by: Florian Bacher
---
 klt-cert-manager/main.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/klt-cert-manager/main.go b/klt-cert-manager/main.go
index f9a27a1c0a..d837285545 100644
--- a/klt-cert-manager/main.go
+++ b/klt-cert-manager/main.go
@@ -16,7 +16,6 @@ import (
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap" // nolint:gci
@@ -62,8 +61,6 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
-	disableCacheFor := []client.Object{&corev1.Secret{}}
-
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Namespace: env.KLTNamespace,
@@ -72,7 +69,6 @@ func main() {
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection: enableLeaderElection,
 		LeaderElectionID: "f9d59293.keptn.sh",
-		ClientDisableCacheFor: disableCacheFor,
 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 		// when the Manager ends. This requires the binary to immediately end when the
 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly

From e42192eff27b0912ed16ec56e1631a6b35508fc2 Mon Sep 17 00:00:00 2001
From: Florian Bacher
Date: Fri, 28 Apr 2023 09:54:38 +0200
Subject: [PATCH 6/6] re-enable cache because list/watch permission could not be removed

Signed-off-by: Florian Bacher
---
 klt-cert-manager/config/rbac/role.yaml | 1 -
 .../keptnwebhookcertificate_controller.go | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/klt-cert-manager/config/rbac/role.yaml b/klt-cert-manager/config/rbac/role.yaml
index fb07623e8a..a4a3257bf5 100644
--- a/klt-cert-manager/config/rbac/role.yaml
+++ b/klt-cert-manager/config/rbac/role.yaml
@@ -64,7 +64,6 @@ rules:
   resources:
   - secrets
   verbs:
-  - delete
   - get
   - patch
   - update
diff --git a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
index 0d5a32fc7e..6d36aa1c81 100644
--- a/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
+++ b/klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go
@@ -37,7 +37,7 @@ type KeptnWebhookCertificateReconciler struct {
 // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=get;list;watch;
 
 //role
-// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;update;patch;delete,resourceNames=klt-certs
+// +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=get;update;patch,resourceNames=klt-certs
 // +kubebuilder:rbac:groups="",namespace=keptn-lifecycle-toolkit-system,resources=secrets,verbs=create;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
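Review bot: Dropping `delete` from the `klt-certs` marker on the `+` line (and from role.yaml in the preceding hunk) is not accompanied by any change to the reconciler's code in this series, so if a `Delete` of the certificate Secret still exists outside these hunks it will now fail with a Forbidden error at runtime instead of being caught at build time; confirming that nothing in the controller deletes the secret would close that gap. The commit subject is a copy of patch 5's ("re-enable cache …") and does not mention the permission removal, so the history does not record that the narrowing was intentional — a subject along the lines of `chore(cert-manager): drop unused delete verb on klt-certs secret` would. Since role.yaml is presumably regenerated from these markers by controller-gen, running the manifest generation and checking that it reproduces the hand-edited two-rule layout would prevent the two from drifting apart.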