Allow specifically-listed cluster-scoped verbs (#576)

GoogleCloudPlatform · Oct 14, 2022 · eab3f1e · eab3f1e
1 parent 9b9cf2f
commit eab3f1e
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 4 deletions.
diff --git a/marketplace/deployer_util/config_helper.py b/marketplace/deployer_util/config_helper.py
@@ -1049,13 +1049,12 @@ def has_discouraged_cluster_scoped_permissions(self):
       return True
     # Consider apiGroups=['*'] + resources=['*'] + verbs=[<write>],
     # which is essentially `cluster-admin`.
+    # Allow if verbs are explicitly declared for applications which
+    # truly need those permissions.
     for rules in self.custom_cluster_role_rules():
       for rule in rules:
-        write_verbs = set(
-            ['*', 'create', 'update', 'patch', 'delete',
-             'deletecollection']).intersection(set(rule.get('verbs')))
         if '*' in rule.get('apiGroups') and '*' in rule.get(
-            'resources') and write_verbs:
+            'resources') and '*' in rule.get('verbs'):
           return True
     return False
 

diff --git a/marketplace/deployer_util/config_helper_test.py b/marketplace/deployer_util/config_helper_test.py
@@ -752,6 +752,37 @@ def test_deployer_service_account_cluster_scoped_mock_cluster_admin_role_enforce
                                 'Disallowed service account role'):
       schema.validate()
 
+  def test_deployer_service_account_cluster_scoped_mock_cluster_admin_role_verbs_allowed_validate(
+      self):
+    schema = config_helper.Schema.load_yaml("""
+        x-google-marketplace:
+          schemaVersion: v2
+
+          applicationApiVersion: v1beta1
+
+          publishedVersion: 6.5.130-metadata
+          publishedVersionMetadata:
+            releaseNote: Bug fixes
+            recommended: true
+
+          images: {}
+
+          deployerServiceAccount:
+            description: >
+              Asks for write cluster-scoped permissions when actually needed
+            roles:
+            - type: ClusterRole
+              rulesType: CUSTOM
+              rules:
+              - apiGroups: ['*']
+                resources: ['*']
+                verbs: ['create','delete','deletecollection','get','list','patch','update','watch']
+        properties:
+          simple:
+            type: string
+        """)
+    schema.validate()
+
   def test_deployer_service_account_no_escalated_permissions_allowed_validate(
       self):
     schema = config_helper.Schema.load_yaml("""