From f6ec2c84b3a2ba85ece8f19041d8668d989b9a37 Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Mon, 8 Feb 2021 21:49:59 -0500
Subject: [PATCH 1/3] Explicitly ignore 'default' service accounts
---
 controllers/serviceaccount_controller.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/controllers/serviceaccount_controller.go b/controllers/serviceaccount_controller.go
index cdad2db..bc1e6fa 100644
--- a/controllers/serviceaccount_controller.go
+++ b/controllers/serviceaccount_controller.go
@@ -153,6 +153,11 @@ func (r *ServiceAccountReconciler) Reconcile(req ctrl.Request) (ctrl.Result, err
 return reconcile.Result{}, nil
 }
 
+ if instance.ObjectMeta.Name == "default" {
+ reqLogger.V(1).Info(fmt.Sprintf("Explicitly ignoring 'default' ServiceAccount in namespace %s, to avoid overwriting Vaults 'default' policy", &instance.ObjectMeta.Namespace))
+ return reconcile.Result{}, nil
+ }
+
 vaultConfig := &bankvaultsv1alpha1.Vault{}
 ns, _ := getOperatorNamespace()
 err = r.Client.Get(context.TODO(), types.NamespacedName{Name: TargetVaultName, Namespace: ns}, vaultConfig)
From 722d2c5c901bfa49a25e11e8a9ba2f725885151c Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Mon, 8 Feb 2021 21:55:44 -0500
Subject: [PATCH 2/3] Add test case for 'default' service accounts
---
 test/e2e/operator_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/test/e2e/operator_test.go b/test/e2e/operator_test.go
index d195250..4e7c255 100644
--- a/test/e2e/operator_test.go
+++ b/test/e2e/operator_test.go
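Review bot: The added log line hands `&instance.ObjectMeta.Namespace`, a `*string`, to a `%s` verb, so the rendered message will contain a `%!s(*string=0x…)` placeholder instead of the namespace, and `go vet`'s printf check flags exactly this. Assuming `reqLogger` is the controller-runtime logr logger (the file already uses `ctrl.Request` and `reconcile.Result`), the cleaner fix drops the Sprintf and passes the namespace as a key/value pair: `reqLogger.V(1).Info("ignoring 'default' ServiceAccount to avoid overwriting Vault's built-in 'default' policy", "namespace", instance.ObjectMeta.Namespace)`. The message also spells "Vaults" where "Vault's" is meant. Since this is a silent skip of an explicitly annotated object, consider emitting it at the default verbosity rather than V(1) so an operator can see why no role was created. `Reconcile` begins and ends outside the hunk.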
@@ -122,6 +122,19 @@ var _ = Describe("All namespaces", func() {
 })
 })
 
+var _ = Describe("Any namespace", func() {
+ Context("When annotating a service account called 'default'", func() {
+ It("Should NOT create a Vault role or policy wit that name", func() {
+ serviceAccount, err := createServiceAccount("default", "default", map[string]string{})
+ Expect(err).ToNot(HaveOccurred())
+ err = testVaultRole("default", []string{"*"})
+ Expect(err).To(HaveOccurred())
+ err = k8sClient.Delete(context.TODO(), serviceAccount)
+ Expect(err).ToNot(HaveOccurred())
+ })
+ })
+})
+
 var _ = AfterSuite(func() {
 By("tearing down the test environment")
 err := testEnv.Stop()
From 9a31b7a1d0104f0f21f8ac656b8080809c7189bf Mon Sep 17 00:00:00 2001
From: patoarvizu
Date: Mon, 8 Feb 2021 21:59:57 -0500
Subject: [PATCH 3/3] Add note to README
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 0015b5d..5523bab 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ Here's the list of architectures the images are being built for, and their corre
 * If the annotation is added to a service account that matches a role/policy that already exists in the Vault CRD will be modified, but all other role/policies will be kept as they are defined.
 * Currently, the Operator will add the appropriate configuration, but won't remove it if the annotation is removed (or set to a non-`true` value), or if the service account itself is removed.
+* The controller will explicitly ignore any service accounts named `default`, to avoid accidentally overwriting Vault's built-in [`default` policy](https://www.vaultproject.io/docs/concepts/policies#default-policy).
 ## Help wanted!
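Review bot: The negative assertion `Expect(err).To(HaveOccurred())` after `testVaultRole("default", []string{"*"})` runs immediately after the ServiceAccount is created, so it passes even when the controller simply has not reconciled the object yet, and any error from the helper (not only a missing role) satisfies it. A more convincing check polls for a while and requires the role to stay absent, e.g. `Consistently(func() error { return testVaultRole("default", []string{"*"}) }, 10*time.Second, time.Second).Should(HaveOccurred())` (adjust to the suite's usual timings), ideally matching the not-found condition rather than any error. The spec name has a typo: `wit that name` should read `with that name`. Separately, a real cluster already has a ServiceAccount named `default` in every namespace; this presumably only works because the envtest control plane does not run the controller-manager that creates it, which deserves a one-line comment above `createServiceAccount` so the test is not a surprise when run elsewhere.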