From 05894c907cd9fe7f993e329120f0d6fe52b22e75 Mon Sep 17 00:00:00 2001 From: Mikhail Zholobov Date: Tue, 3 Sep 2024 16:11:15 +0200 Subject: [PATCH 1/4] fix: Replace wildcards in RBAC objects with explicit resources and verbs Signed-off-by: Mikhail Zholobov --- config/rbac/role.yaml | 90 +++++++++++++------ .../eventing/cloudeventsource_controller.go | 2 +- .../clustercloudeventsource_controller.go | 2 +- ...clustertriggerauthentication_controller.go | 2 +- controllers/keda/scaledjob_controller.go | 4 +- controllers/keda/scaledobject_controller.go | 11 ++- .../keda/triggerauthentication_controller.go | 2 +- 7 files changed, 75 insertions(+), 38 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index fd9cf99b941..e7fd6a8c627 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -18,7 +18,8 @@ rules: resources: - events verbs: - - '*' + - create + - patch - apiGroups: - "" resources: @@ -44,22 +45,6 @@ rules: verbs: - list - watch -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get -- apiGroups: - - '*' - resources: - - '*/scale' - verbs: - - get - - list - - patch - - update - - watch - apiGroups: - admissionregistration.k8s.io resources: 
@@ -88,39 +73,74 @@ rules: verbs: - list - watch +- apiGroups: + - apps + resources: + - deployments/scale + - statefulsets/scale + verbs: + - get + - list + - patch + - update + - watch - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - batch resources: - jobs verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - eventing.keda.sh resources: - cloudeventsources - cloudeventsources/status verbs: - - '*' + - get + - list + - patch + - update + - watch - apiGroups: - eventing.keda.sh resources: - clustercloudeventsources - clustercloudeventsources/status verbs: - - '*' + - get + - list + - patch + - update + - watch - apiGroups: - keda.sh resources: - clustertriggerauthentications - clustertriggerauthentications/status verbs: - - '*' + - get + - list + - patch + - update + - watch - apiGroups: - keda.sh resources: @@ -128,7 +148,11 @@ rules: - scaledjobs/finalizers - scaledjobs/status verbs: - - '*' + - get + - list + - patch + - update + - watch - apiGroups: - keda.sh resources: @@ -136,14 +160,22 @@ rules: - scaledobjects/finalizers - scaledobjects/status verbs: - - '*' + - get + - list + - patch + - update + - watch - apiGroups: - keda.sh resources: - triggerauthentications - triggerauthentications/status verbs: - - '*' + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -168,4 +200,10 @@ rules: resources: - leases verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/controllers/eventing/cloudeventsource_controller.go b/controllers/eventing/cloudeventsource_controller.go index 5bb78f5e9ca..0a4c2e6a523 100644 --- a/controllers/eventing/cloudeventsource_controller.go +++ b/controllers/eventing/cloudeventsource_controller.go 
@@ -54,7 +54,7 @@ func NewCloudEventSourceReconciler(c client.Client, e eventemitter.EventHandler)
 }
 }
-// +kubebuilder:rbac:groups=eventing.keda.sh,resources=cloudeventsources;cloudeventsources/status,verbs="*"
+// +kubebuilder:rbac:groups=eventing.keda.sh,resources=cloudeventsources;cloudeventsources/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified EventSource resource based on the request information passed, returns the result and an error (if any).
diff --git a/controllers/eventing/clustercloudeventsource_controller.go b/controllers/eventing/clustercloudeventsource_controller.go
index 0ccb26f811a..2204f18f0ca 100644
--- a/controllers/eventing/clustercloudeventsource_controller.go
+++ b/controllers/eventing/clustercloudeventsource_controller.go
@@ -54,7 +54,7 @@ func NewClusterCloudEventSourceReconciler(c client.Client, e eventemitter.EventH
 }
 }
-// +kubebuilder:rbac:groups=eventing.keda.sh,resources=clustercloudeventsources;clustercloudeventsources/status,verbs="*"
+// +kubebuilder:rbac:groups=eventing.keda.sh,resources=clustercloudeventsources;clustercloudeventsources/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified EventSource resource based on the request information passed, returns the result and an error (if any).
 func (r *ClusterCloudEventSourceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/keda/clustertriggerauthentication_controller.go b/controllers/keda/clustertriggerauthentication_controller.go
index aabab91c4c3..a8d7718416d 100644
--- a/controllers/keda/clustertriggerauthentication_controller.go
+++ b/controllers/keda/clustertriggerauthentication_controller.go
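Review bot: The narrowed marker on the `+// +kubebuilder:rbac:...cloudeventsources;cloudeventsources/status` line carries no comment recording why `update;patch` are kept on the primary resource while `create;delete` are dropped, so the next maintainer who hits a Forbidden error is more likely to restore `"*"` than to add the single missing verb. A one-line comment above the marker would preserve the least-privilege intent, e.g. `// get/list/watch plus update/patch on the object and its status are all Reconcile needs; create and delete are intentionally omitted — TODO(review): confirm the finalizer path only updates metadata`, with the claim checked against the Reconcile body, which lies outside this hunk. The same note applies to the clustercloudeventsources marker in the second hunk on this line and to the clustertriggerauthentications and triggerauthentications markers in the later hunks of this patch.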
@@ -57,7 +57,7 @@ func init() {
 clusterTriggerAuthPromMetricsLock = &sync.Mutex{}
 }
-// +kubebuilder:rbac:groups=keda.sh,resources=clustertriggerauthentications;clustertriggerauthentications/status,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=clustertriggerauthentications;clustertriggerauthentications/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified TriggerAuthentication resource based on the request information passed, returns the result and an error (if any).
 func (r *ClusterTriggerAuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/keda/scaledjob_controller.go b/controllers/keda/scaledjob_controller.go
index 4a145c7c024..fabc5d446c7 100755
--- a/controllers/keda/scaledjob_controller.go
+++ b/controllers/keda/scaledjob_controller.go
@@ -50,8 +50,8 @@ import (
 "github.com/kedacore/keda/v2/pkg/util"
 )
-// +kubebuilder:rbac:groups=keda.sh,resources=scaledjobs;scaledjobs/finalizers;scaledjobs/status,verbs="*"
-// +kubebuilder:rbac:groups=batch,resources=jobs,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=scaledjobs;scaledjobs/finalizers;scaledjobs/status,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;update;patch;create;delete
 // ScaledJobReconciler reconciles a ScaledJob object
 type ScaledJobReconciler struct {
diff --git a/controllers/keda/scaledobject_controller.go b/controllers/keda/scaledobject_controller.go
index b18c84ae61d..33369b64d4f 100755
--- a/controllers/keda/scaledobject_controller.go
+++ b/controllers/keda/scaledobject_controller.go
@@ -54,16 +54,15 @@ import (
 "github.com/kedacore/keda/v2/pkg/util"
 )
-// +kubebuilder:rbac:groups=keda.sh,resources=scaledobjects;scaledobjects/finalizers;scaledobjects/status,verbs="*"
-// +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=scaledobjects;scaledobjects/finalizers;scaledobjects/status,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;update;patch;create;delete
 // +kubebuilder:rbac:groups="",resources=configmaps;configmaps/status,verbs=get;list;watch
-// +kubebuilder:rbac:groups="",resources=events,verbs="*"
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups="",resources=pods;services;services;secrets;external,verbs=get;list;watch
-// +kubebuilder:rbac:groups="*",resources="*/scale",verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups="apps",resources=deployments/scale;statefulsets/scale,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups="",resources="serviceaccounts",verbs=list;watch
-// +kubebuilder:rbac:groups="*",resources="*",verbs=get
 // +kubebuilder:rbac:groups="apps",resources=deployments;statefulsets,verbs=list;watch
-// +kubebuilder:rbac:groups="coordination.k8s.io",namespace=keda,resources=leases,verbs="*"
+// +kubebuilder:rbac:groups="coordination.k8s.io",namespace=keda,resources=leases,verbs=get;list;watch;update;patch;create;delete
 // +kubebuilder:rbac:groups="",resources="limitranges",verbs=list;watch
 // ScaledObjectReconciler reconciles a ScaledObject object
diff --git a/controllers/keda/triggerauthentication_controller.go b/controllers/keda/triggerauthentication_controller.go
index b5ab9e1bd82..2627c6683b1 100755
--- a/controllers/keda/triggerauthentication_controller.go
+++ b/controllers/keda/triggerauthentication_controller.go
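Review bot: The new `leases` marker (`+// +kubebuilder:rbac:groups="coordination.k8s.io",namespace=keda,resources=leases,verbs=get;list;watch;update;patch;create;delete`) still grants `delete`, which leader election does not normally need: the client-go lease lock typically only gets, creates and updates its single Lease, and `delete` is the one verb that would allow a peer's lock to be removed rather than left to expire. If nothing else in the manager touches leases, `verbs=get;list;watch;update;patch;create` (or tighter, `get;create;update`) should be sufficient; this needs confirming against the manager setup, which is outside this hunk. As a drive-by, the unchanged context marker `resources=pods;services;services;secrets;external` lists `services` twice and could lose the duplicate in the same RBAC pass.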
@@ -58,7 +58,7 @@ func init() {
 triggerAuthPromMetricsLock = &sync.Mutex{}
 }
-// +kubebuilder:rbac:groups=keda.sh,resources=triggerauthentications;triggerauthentications/status,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=triggerauthentications;triggerauthentications/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified TriggerAuthentication resource based on the request information passed, returns the result and an error (if any).
 func (r *TriggerAuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
From bbc839cb328c1001a960f92766482cae82bfea93 Mon Sep 17 00:00:00 2001
From: Mikhail Zholobov
Date: Tue, 3 Sep 2024 20:27:25 +0200
Subject: [PATCH 2/4] Update changelog
Signed-off-by: Mikhail Zholobov
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32f6c393aae..e6014684572 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -58,6 +58,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 ### New
 - **General**: Cache miss fallback in validating webhook for ScaledObjects with direct kubernetes client ([#5973](https://github.com/kedacore/keda/issues/5973))
+- **General**: Replace wildcards in RBAC objects with explicit resources and verbs ([#6129](https://github.com/kedacore/keda/pull/6129))
 - **CloudEventSource**: Introduce ClusterCloudEventSource ([#3533](https://github.com/kedacore/keda/issues/3533))
 - **CloudEventSource**: Provide ClusterCloudEventSource around the management of ScaledJobs resources ([#3523](https://github.com/kedacore/keda/issues/3523))
 - **CloudEventSource**: Provide ClusterCloudEventSource around the management of TriggerAuthentication/ClusterTriggerAuthentication resources ([#3524](https://github.com/kedacore/keda/issues/3524))
From 09e545fe62c21ed50f3de49b1d0642633e66285a Mon Sep 17 00:00:00 2001
From: Mikhail Zholobov Date: Fri, 13 Sep 2024 10:30:20 +0200 Subject: [PATCH 3/4] Revert the deletion of RBAC rule "allow to get any resource" Signed-off-by: Mikhail Zholobov --- config/rbac/role.yaml | 6 ++++++ controllers/keda/scaledobject_controller.go | 1 + 2 files changed, 7 insertions(+) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index e7fd6a8c627..9d8e7ce79d4 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -45,6 +45,12 @@ rules: verbs: - list - watch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get - apiGroups: - admissionregistration.k8s.io resources: diff --git a/controllers/keda/scaledobject_controller.go b/controllers/keda/scaledobject_controller.go index 33369b64d4f..041f8ca3ed0 100755 --- a/controllers/keda/scaledobject_controller.go +++ b/controllers/keda/scaledobject_controller.go @@ -61,6 +61,7 @@ import ( // +kubebuilder:rbac:groups="",resources=pods;services;services;secrets;external,verbs=get;list;watch // +kubebuilder:rbac:groups="apps",resources=deployments/scale;statefulsets/scale,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups="",resources="serviceaccounts",verbs=list;watch +// +kubebuilder:rbac:groups="*",resources="*",verbs=get // +kubebuilder:rbac:groups="apps",resources=deployments;statefulsets,verbs=list;watch // +kubebuilder:rbac:groups="coordination.k8s.io",namespace=keda,resources=leases,verbs=get;list;watch;update;patch;create;delete // +kubebuilder:rbac:groups="",resources="limitranges",verbs=list;watch From cc7e1a1cef8b1c5078a783ffe8ee2bacfe0dd4db Mon Sep 17 00:00:00 2001 From: Mikhail Zholobov Date: Thu, 31 Oct 2024 09:25:46 +0100 Subject: [PATCH 4/4] Rollback the RBAC rule for "*/scale" According to the PR review comment. --- config/rbac/role.yaml | 21 ++++++++++----------- controllers/keda/scaledobject_controller.go | 2 +- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 9d8e7ce79d4..f8bb706592c 100644 
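Review bot: The restored `+// +kubebuilder:rbac:groups="*",resources="*",verbs=get` marker is now the broadest rule in this ClusterRole — read access to every kind in every API group and namespace, far beyond the kinds enumerated in the surrounding markers — and the commit message says only that the deletion is reverted, not which code path needs it. The marker should carry a comment naming its consumer so the rule is neither widened nor removed blindly again, e.g. `// cluster-wide get on any kind is required for <consumer — TODO(review): confirm; presumably resolving scaleTargetRef objects of arbitrary kinds>`. If that presumption holds, the comment should also say that `*/scale` does not cover reading the parent object, which is why the two wildcard rules coexist. The role.yaml hunk on this line is the generated counterpart of the same change.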
--- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -51,6 +51,16 @@ rules: - '*' verbs: - get +- apiGroups: + - '*' + resources: + - '*/scale' + verbs: + - get + - list + - patch + - update + - watch - apiGroups: - admissionregistration.k8s.io resources: @@ -79,17 +89,6 @@ rules: verbs: - list - watch -- apiGroups: - - apps - resources: - - deployments/scale - - statefulsets/scale - verbs: - - get - - list - - patch - - update - - watch - apiGroups: - autoscaling resources: diff --git a/controllers/keda/scaledobject_controller.go b/controllers/keda/scaledobject_controller.go index 041f8ca3ed0..951dd80fbda 100755 --- a/controllers/keda/scaledobject_controller.go +++ b/controllers/keda/scaledobject_controller.go @@ -59,7 +59,7 @@ import ( // +kubebuilder:rbac:groups="",resources=configmaps;configmaps/status,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch // +kubebuilder:rbac:groups="",resources=pods;services;services;secrets;external,verbs=get;list;watch -// +kubebuilder:rbac:groups="apps",resources=deployments/scale;statefulsets/scale,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups="*",resources="*/scale",verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups="",resources="serviceaccounts",verbs=list;watch // +kubebuilder:rbac:groups="*",resources="*",verbs=get // +kubebuilder:rbac:groups="apps",resources=deployments;statefulsets,verbs=list;watch
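Review bot: Restoring `+// +kubebuilder:rbac:groups="*",resources="*/scale",verbs=get;list;watch;update;patch` brings the wildcard API group back while the CHANGELOG entry added in the second patch of this series still describes the work as replacing wildcards with explicit resources and verbs, so the release note will overstate what shipped. Either that changelog line should say the `*/scale` and cluster-wide `get` rules are intentionally retained, or the marker should explain itself, e.g. `// scaleTargetRef may name any resource that serves the /scale subresource, so the API group cannot be enumerated; keep the verb list minimal` — the commit message's "according to the PR review comment" is not durable documentation, and the actual reason is not on this page. The `apps` `deployments/scale;statefulsets/scale` rule removed here was the narrow form; if the targeted kinds are in practice a known set of groups, one marker per group would reach the same coverage without `"*"`.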