Reduce permission for cluster manager and klusterlet (#325)

Signed-off-by: Jian Qiu <[email protected]>

deploy/cluster-manager/config/rbac/cluster_role.yaml

@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["configmaps", "namespaces", "serviceaccounts", "services", "pods"]
+  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "list", "watch", "update", "patch", "delete"]

deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml

@@ -59,7 +59,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2023-11-28T10:34:20Z"
+    createdAt: "2023-11-30T07:06:56Z"
     description: Manages the installation and upgrade of the ClusterManager.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -118,7 +118,6 @@ spec:
           - namespaces
           - serviceaccounts
           - services
-          - pods
           verbs:
           - create
           - get
@@ -128,6 +127,12 @@ spec:
           - patch
           - delete
           - deletecollection
+        - apiGroups:
+          - ""
+          resources:
+          - pods
+          verbs:
+          - get
         - apiGroups:
           - ""
           resourceNames:

deploy/klusterlet/config/rbac/cluster_role.yaml

@@ -5,8 +5,22 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["secrets", "configmaps", "serviceaccounts"]
+  resources: ["configmaps", "serviceaccounts"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["update", "get", "list", "watch", "delete"]
+  resourceNames:
+    - "open-cluster-management-image-pull-credentials"
+    - "bootstrap-hub-kubeconfig"
+    - "hub-kubeconfig-secret"
+    - "external-managed-kubeconfig"
+    - "external-managed-kubeconfig-work"
+    - "external-managed-kubeconfig-registration"
+    - "external-managed-kubeconfig-agent"
 # get pods and replicasets is for event creation
 - apiGroups: [""]
   resources: ["pods"]

deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml

@@ -31,7 +31,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2023-11-28T10:34:20Z"
+    createdAt: "2023-11-30T08:06:17Z"
     description: Manages the installation and upgrade of the Klusterlet.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -93,7 +93,6 @@ spec:
         - apiGroups:
           - ""
           resources:
-          - secrets
           - configmaps
           - serviceaccounts
           verbs:
@@ -104,6 +103,30 @@ spec:
           - watch
           - patch
           - delete
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - create
+        - apiGroups:
+          - ""
+          resourceNames:
+          - open-cluster-management-image-pull-credentials
+          - bootstrap-hub-kubeconfig
+          - hub-kubeconfig-secret
+          - external-managed-kubeconfig
+          - external-managed-kubeconfig-work
+          - external-managed-kubeconfig-registration
+          - external-managed-kubeconfig-agent
+          resources:
+          - secrets
+          verbs:
+          - update
+          - get
+          - list
+          - watch
+          - delete
         - apiGroups:
           - ""
           resources:

manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml

@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow controller to get/list/watch/create/delete configmaps/events
 - apiGroups: [""]
-  resources: ["configmaps", "events", "pods"]
+  resources: ["configmaps", "events"]
   verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: ["apps"]
   resources: ["replicasets"]
   verbs: ["get"] 

manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml

@@ -4,8 +4,11 @@ metadata:
   name: open-cluster-management:{{ .ClusterManagerName }}-work:controller
 rules:
 - apiGroups: [ "" ]
-  resources: [ "configmaps", "pods"]
+  resources: [ "configmaps"]
   verbs: [ "get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 # Allow create subjectaccessreviews
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]

manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml

@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow controller to get/list/watch/create/delete configmaps
 - apiGroups: [""]
-  resources: ["configmaps", "pods"]
+  resources: ["configmaps"]
   verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: ["apps"]
   resources: ["replicasets"]
   verbs: ["get"] 

manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml

@@ -12,8 +12,11 @@ rules:
   verbs: ["update"]
 # Allow hub to get/list/watch/create/delete namespace and service account
 - apiGroups: [""]
-  resources: ["namespaces", "serviceaccounts", "configmaps", "pods"]
+  resources: ["namespaces", "serviceaccounts", "configmaps"]
   verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: ["", "events.k8s.io"]
   resources: ["events"]
   verbs: ["create", "patch", "update"]

manifests/klusterlet/management/klusterlet-registration-role.yaml

@@ -13,6 +13,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
+- apiGroups: ["apps"]
+  resources: ["replicasets"]
+  verbs: ["get"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update", "watch", "patch"]

manifests/klusterlet/management/klusterlet-work-role.yaml

@@ -16,3 +16,9 @@ rules:
 - apiGroups: ["", "events.k8s.io"]
   resources: ["events"]
   verbs: ["create", "patch", "update"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: ["apps"]
+  resources: ["replicasets"]
+  verbs: ["get"]

pkg/operator/operators/klusterlet/options.go

@@ -2,7 +2,7 @@ package klusterlet
 
 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"time"
 
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
@@ -65,7 +65,7 @@ func (o *Options) RunKlusterletOperator(ctx context.Context, controllerContext *
 
 	hubConfigSecretInformer := newOneTermInformer(helpers.HubKubeConfig)
 	bootstrapConfigSecretInformer := newOneTermInformer(helpers.BootstrapHubKubeConfig)
-	externalConfigSecretInformer := newOneTermInformer(helpers.WorkWebhookSecret)
+	externalConfigSecretInformer := newOneTermInformer(helpers.ExternalManagedKubeConfig)
 
 	secretInformers := map[string]corev1informers.SecretInformer{
 		helpers.HubKubeConfig:             hubConfigSecretInformer.Core().V1().Secrets(),
@@ -92,7 +92,7 @@ func (o *Options) RunKlusterletOperator(ctx context.Context, controllerContext *
 
 	// Read component namespace
 	operatorNamespace := defaultComponentNamespace
-	nsBytes, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	nsBytes, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
 	if err == nil {
 		operatorNamespace = string(nsBytes)
 	}