diff --git a/0001-Vulnerability-fix-limit-operator-secrets-permission.patch b/0001-Vulnerability-fix-limit-operator-secrets-permission.patch
new file mode 100644
index 0000000..8ff2325
--- /dev/null
+++ b/0001-Vulnerability-fix-limit-operator-secrets-permission.patch
@@ -0,0 +1,805 @@ +From b53906b1295910964ba4b3b1b5a2d3668307f79c Mon Sep 17 00:00:00 2001 +From: Kyle Lane +Date: Fri, 3 Feb 2023 00:49:59 +0000 +Subject: [PATCH] [Vulnerability fix] limit operator secrets permission + +Also change structure to hold service account names in resource/generate/components due to circular dependancy. + +Change-Id: I01c2619a9705b3c3f144d1d8567687df011d00fa +Signed-off-by: Kyle Lane kylelane@google.com +--- + manifests/generated/operator-csv.yaml.in | 9 +++++ + .../rbac-operator.authorization.k8s.yaml.in | 9 +++++ + pkg/virt-api/webhooks/BUILD.bazel | 2 +- + .../mutating-webhook/mutators/BUILD.bazel | 2 +- + .../mutators/vmi-mutator_test.go | 4 +- + pkg/virt-api/webhooks/utils.go | 8 ++-- + .../validating-webhook/admitters/BUILD.bazel | 2 +- + .../admitters/vmi-create-admitter_test.go | 9 ++--- + .../admitters/vmi-update-admitter_test.go | 10 ++--- + .../resource/generate/components/BUILD.bazel | 2 +- + .../generate/components/daemonsets.go | 3 +- + .../generate/components/deployments.go | 7 ++-- + .../components/serviceaccountnames.go | 9 +++++ + .../resource/generate/rbac/BUILD.bazel | 2 + + .../resource/generate/rbac/apiserver.go | 24 ++++++------ + .../resource/generate/rbac/controller.go | 22 +++++------ + .../resource/generate/rbac/handler.go | 22 +++++------ + .../resource/generate/rbac/operator.go | 37 ++++++++++++------- + .../resource/generate/rbac/operator_test.go | 10 +++-- + 19 files changed, 116 insertions(+), 77 deletions(-) + create mode 100644 pkg/virt-operator/resource/generate/components/serviceaccountnames.go + +diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in +index 8c84822e0..53d2c30e5 100644 +--- a/manifests/generated/operator-csv.yaml.in ++++ b/manifests/generated/operator-csv.yaml.in +@@ -1275,6 +1275,15 @@ spec: + - rules: + - apiGroups: + - "" ++ resourceNames: ++ - kubevirt-ca ++ - kubevirt-export-ca ++ - kubevirt-virt-handler-certs ++ - 
kubevirt-virt-handler-server-certs ++ - kubevirt-operator-certs ++ - kubevirt-virt-api-certs ++ - kubevirt-controller-certs ++ - kubevirt-exportproxy-certs + resources: + - secrets + verbs: +diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in +index 71605ecda..254a1a977 100644 +--- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in ++++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in +@@ -17,6 +17,15 @@ metadata: + rules: + - apiGroups: + - "" ++ resourceNames: ++ - kubevirt-ca ++ - kubevirt-export-ca ++ - kubevirt-virt-handler-certs ++ - kubevirt-virt-handler-server-certs ++ - kubevirt-operator-certs ++ - kubevirt-virt-api-certs ++ - kubevirt-controller-certs ++ - kubevirt-exportproxy-certs + resources: + - secrets + verbs: +diff --git a/pkg/virt-api/webhooks/BUILD.bazel b/pkg/virt-api/webhooks/BUILD.bazel +index abe364190..1ea095692 100644 +--- a/pkg/virt-api/webhooks/BUILD.bazel ++++ b/pkg/virt-api/webhooks/BUILD.bazel +@@ -15,7 +15,7 @@ go_library( + "//pkg/util:go_default_library", + "//pkg/virt-config:go_default_library", + "//pkg/virt-handler/node-labeller/util:go_default_library", +- "//pkg/virt-operator/resource/generate/rbac:go_default_library", ++ "//pkg/virt-operator/resource/generate/components:go_default_library", + "//staging/src/kubevirt.io/api/core/v1:go_default_library", + "//staging/src/kubevirt.io/api/pool/v1alpha1:go_default_library", + "//staging/src/kubevirt.io/client-go/log:go_default_library", +diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel +index e956bf21e..5e03b0d9d 100644 +--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel ++++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel +@@ -55,7 +55,7 @@ go_test( + "//pkg/virt-api/webhooks:go_default_library", + "//pkg/virt-config:go_default_library", + 
"//pkg/virt-handler/node-labeller/util:go_default_library", +- "//pkg/virt-operator/resource/generate/rbac:go_default_library", ++ "//pkg/virt-operator/resource/generate/components:go_default_library", + "//staging/src/kubevirt.io/api/clone:go_default_library", + "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library", + "//staging/src/kubevirt.io/api/core:go_default_library", +diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go +index 025bf368a..f156eca9a 100644 +--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go ++++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go +@@ -46,10 +46,10 @@ import ( + "kubevirt.io/kubevirt/pkg/virt-api/webhooks" + virtconfig "kubevirt.io/kubevirt/pkg/virt-config" + nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util" +- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + ) + +-var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", rbac.ControllerServiceAccountName) ++var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", components.ControllerServiceAccountName) + + var _ = Describe("VirtualMachineInstance Mutator", func() { + var vmi *v1.VirtualMachineInstance +diff --git a/pkg/virt-api/webhooks/utils.go b/pkg/virt-api/webhooks/utils.go +index 816a6beb3..653d41012 100644 +--- a/pkg/virt-api/webhooks/utils.go ++++ b/pkg/virt-api/webhooks/utils.go +@@ -29,7 +29,7 @@ import ( + poolv1 "kubevirt.io/api/pool/v1alpha1" + "kubevirt.io/client-go/log" + +- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + + v1 "kubevirt.io/api/core/v1" + clientutil "kubevirt.io/client-go/util" +@@ -89,9 +89,9 @@ func 
IsKubeVirtServiceAccount(serviceAccount string) bool { + } + + prefix := fmt.Sprintf("system:serviceaccount:%s", ns) +- return serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ApiServiceAccountName) || +- serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.HandlerServiceAccountName) || +- serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ControllerServiceAccountName) ++ return serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ApiServiceAccountName) || ++ serviceAccount == fmt.Sprintf("%s:%s", prefix, components.HandlerServiceAccountName) || ++ serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ControllerServiceAccountName) + } + + func IsARM64() bool { +diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel +index 03a74eb2f..65da66d1c 100644 +--- a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel ++++ b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel +@@ -99,7 +99,7 @@ go_test( + "//pkg/virt-api/webhooks:go_default_library", + "//pkg/virt-config:go_default_library", + "//pkg/virt-handler/node-labeller/util:go_default_library", +- "//pkg/virt-operator/resource/generate/rbac:go_default_library", ++ "//pkg/virt-operator/resource/generate/components:go_default_library", + "//staging/src/kubevirt.io/api/clone:go_default_library", + "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library", + "//staging/src/kubevirt.io/api/core:go_default_library", +diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go +index 685ddf5fc..51dda99f5 100644 +--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go ++++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go +@@ -27,8 +27,6 @@ import ( + + "kubevirt.io/client-go/api" + +- 
"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" +- + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + admissionv1 "k8s.io/api/admission/v1" +@@ -49,6 +47,7 @@ import ( + "kubevirt.io/kubevirt/pkg/virt-api/webhooks" + virtconfig "kubevirt.io/kubevirt/pkg/virt-config" + nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util" ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + ) + + var _ = Describe("Validating VMICreate Admitter", func() { +@@ -424,17 +423,17 @@ var _ = Describe("Validating VMICreate Admitter", func() { + }, + Entry("Create restricted label by API", + map[string]string{v1.NodeNameLabel: "someValue"}, +- rbac.ApiServiceAccountName, ++ components.ApiServiceAccountName, + true, + ), + Entry("Create restricted label by Handler", + map[string]string{v1.NodeNameLabel: "someValue"}, +- rbac.HandlerServiceAccountName, ++ components.HandlerServiceAccountName, + true, + ), + Entry("Create restricted label by Controller", + map[string]string{v1.NodeNameLabel: "someValue"}, +- rbac.ControllerServiceAccountName, ++ components.ControllerServiceAccountName, + true, + ), + Entry("Create restricted label by non kubevirt user", +diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go +index 83a9d0390..a9f7af477 100644 +--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go ++++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go +@@ -39,7 +39,7 @@ import ( + "kubevirt.io/kubevirt/pkg/testutils" + webhookutils "kubevirt.io/kubevirt/pkg/util/webhooks" + "kubevirt.io/kubevirt/pkg/virt-api/webhooks" +- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + ) + + var _ = Describe("Validating VMIUpdate Admitter", func() { +@@ -190,17 +190,17 @@ var 
_ = Describe("Validating VMIUpdate Admitter", func() { + Entry("Update by API", + map[string]string{v1.NodeNameLabel: "someValue"}, + map[string]string{v1.NodeNameLabel: "someNewValue"}, +- rbac.ApiServiceAccountName, ++ components.ApiServiceAccountName, + ), + Entry("Update by Handler", + map[string]string{v1.NodeNameLabel: "someValue"}, + map[string]string{v1.NodeNameLabel: "someNewValue"}, +- rbac.HandlerServiceAccountName, ++ components.HandlerServiceAccountName, + ), + Entry("Update by Controller", + map[string]string{v1.NodeNameLabel: "someValue"}, + map[string]string{v1.NodeNameLabel: "someNewValue"}, +- rbac.ControllerServiceAccountName, ++ components.ControllerServiceAccountName, + ), + ) + +@@ -560,7 +560,7 @@ var _ = Describe("Validating VMIUpdate Admitter", func() { + resp := vmiUpdateAdmitter.Admit(ar) + Expect(resp.Allowed).To(expected) + }, +- Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+rbac.ApiServiceAccountName, BeTrue()), ++ Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+components.ApiServiceAccountName, BeTrue()), + Entry("Should reject regular user", "system:serviceaccount:someNamespace:someUser", BeFalse()), + ) + }) +diff --git a/pkg/virt-operator/resource/generate/components/BUILD.bazel b/pkg/virt-operator/resource/generate/components/BUILD.bazel +index 583b63a04..22e1524c3 100644 +--- a/pkg/virt-operator/resource/generate/components/BUILD.bazel ++++ b/pkg/virt-operator/resource/generate/components/BUILD.bazel +@@ -11,6 +11,7 @@ go_library( + "routes.go", + "scc.go", + "secrets.go", ++ "serviceaccountnames.go", + "validations_generated.go", + "webhooks.go", + ], +@@ -21,7 +22,6 @@ go_library( + "//pkg/certificates/triple:go_default_library", + "//pkg/certificates/triple/cert:go_default_library", + "//pkg/virt-config:go_default_library", +- "//pkg/virt-operator/resource/generate/rbac:go_default_library", + "//pkg/virt-operator/util:go_default_library", + 
"//staging/src/kubevirt.io/api/clone:go_default_library", + "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library", +diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go +index 7524f7487..4717e4bec 100644 +--- a/pkg/virt-operator/resource/generate/components/daemonsets.go ++++ b/pkg/virt-operator/resource/generate/components/daemonsets.go +@@ -13,7 +13,6 @@ import ( + virtv1 "kubevirt.io/api/core/v1" + + virtconfig "kubevirt.io/kubevirt/pkg/virt-config" +- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" + operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util" + ) + +@@ -81,7 +80,7 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe + } + + pod := &daemonset.Spec.Template.Spec +- pod.ServiceAccountName = rbac.HandlerServiceAccountName ++ pod.ServiceAccountName = HandlerServiceAccountName + pod.HostPID = true + + // nodelabeller currently only support x86 +diff --git a/pkg/virt-operator/resource/generate/components/deployments.go b/pkg/virt-operator/resource/generate/components/deployments.go +index 9d5666def..8a900e7f0 100644 +--- a/pkg/virt-operator/resource/generate/components/deployments.go ++++ b/pkg/virt-operator/resource/generate/components/deployments.go +@@ -35,7 +35,6 @@ import ( + + virtv1 "kubevirt.io/api/core/v1" + +- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac" + operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util" + ) + +@@ -326,7 +325,7 @@ func NewApiServerDeployment(namespace, repository, imagePrefix, version, product + attachProfileVolume(&deployment.Spec.Template.Spec) + + pod := &deployment.Spec.Template.Spec +- pod.ServiceAccountName = rbac.ApiServiceAccountName ++ pod.ServiceAccountName = ApiServiceAccountName + pod.SecurityContext = &corev1.PodSecurityContext{ + RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{Type: 
corev1.SeccompProfileTypeRuntimeDefault}, +@@ -407,7 +406,7 @@ func NewControllerDeployment(namespace, repository, imagePrefix, controllerVersi + } + + pod := &deployment.Spec.Template.Spec +- pod.ServiceAccountName = rbac.ControllerServiceAccountName ++ pod.ServiceAccountName = ControllerServiceAccountName + pod.SecurityContext = &corev1.PodSecurityContext{ + RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, +@@ -645,7 +644,7 @@ func NewExportProxyDeployment(namespace, repository, imagePrefix, version, produ + attachProfileVolume(&deployment.Spec.Template.Spec) + + pod := &deployment.Spec.Template.Spec +- pod.ServiceAccountName = rbac.ExportProxyServiceAccountName ++ pod.ServiceAccountName = ExportProxyServiceAccountName + pod.SecurityContext = &corev1.PodSecurityContext{ + RunAsNonRoot: boolPtr(true), + } +diff --git a/pkg/virt-operator/resource/generate/components/serviceaccountnames.go b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go +new file mode 100644 +index 000000000..0948629bb +--- /dev/null ++++ b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go +@@ -0,0 +1,9 @@ ++package components ++ ++const ( ++ ApiServiceAccountName = "kubevirt-apiserver" ++ ControllerServiceAccountName = "kubevirt-controller" ++ ExportProxyServiceAccountName = "kubevirt-exportproxy" ++ HandlerServiceAccountName = "kubevirt-handler" ++ OperatorServiceAccountName = "kubevirt-operator" ++) +diff --git a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel +index fb3952f7b..8de09055f 100644 +--- a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel ++++ b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel +@@ -14,6 +14,7 @@ go_library( + importpath = "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac", + visibility = ["//visibility:public"], + deps = [ ++ 
"//pkg/virt-operator/resource/generate/components:go_default_library", + "//staging/src/kubevirt.io/api/clone:go_default_library", + "//staging/src/kubevirt.io/api/core/v1:go_default_library", + "//staging/src/kubevirt.io/api/instancetype:go_default_library", +@@ -33,6 +34,7 @@ go_test( + ], + embed = [":go_default_library"], + deps = [ ++ "//pkg/virt-operator/resource/generate/components:go_default_library", + "//staging/src/kubevirt.io/client-go/testutils:go_default_library", + "//vendor/github.com/onsi/ginkgo/v2:go_default_library", + "//vendor/github.com/onsi/gomega:go_default_library", +diff --git a/pkg/virt-operator/resource/generate/rbac/apiserver.go b/pkg/virt-operator/resource/generate/rbac/apiserver.go +index 7263471a6..932f7391e 100644 +--- a/pkg/virt-operator/resource/generate/rbac/apiserver.go ++++ b/pkg/virt-operator/resource/generate/rbac/apiserver.go +@@ -26,6 +26,8 @@ import ( + + "kubevirt.io/api/instancetype" + ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ++ + virtv1 "kubevirt.io/api/core/v1" + "kubevirt.io/api/migrations" + ) +@@ -36,8 +38,6 @@ const ( + GroupName = "kubevirt.io" + ) + +-const ApiServiceAccountName = "kubevirt-apiserver" +- + func GetAllApiServer(namespace string) []runtime.Object { + return []runtime.Object{ + newApiServerServiceAccount(namespace), +@@ -57,7 +57,7 @@ func newApiServerServiceAccount(namespace string) *corev1.ServiceAccount { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -72,7 +72,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole { + Kind: "ClusterRole", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -267,7 +267,7 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding + Kind: 
"ClusterRoleBinding", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -275,13 +275,13 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding + RoleRef: rbacv1.RoleRef{ + APIGroup: VersionName, + Kind: "ClusterRole", +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + }, + }, + } +@@ -308,7 +308,7 @@ func newApiServerAuthDelegatorClusterRoleBinding(namespace string) *rbacv1.Clust + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + }, + }, + } +@@ -322,7 +322,7 @@ func newApiServerRole(namespace string) *rbacv1.Role { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -351,7 +351,7 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -359,13 +359,13 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding { + RoleRef: rbacv1.RoleRef{ + APIGroup: VersionName, + Kind: "Role", +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: ApiServiceAccountName, ++ Name: components.ApiServiceAccountName, + }, + }, + } +diff --git a/pkg/virt-operator/resource/generate/rbac/controller.go b/pkg/virt-operator/resource/generate/rbac/controller.go +index 2adb51225..9542a24fe 100644 
+--- a/pkg/virt-operator/resource/generate/rbac/controller.go ++++ b/pkg/virt-operator/resource/generate/rbac/controller.go +@@ -26,14 +26,14 @@ import ( + + "kubevirt.io/api/clone" + ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ++ + "kubevirt.io/api/instancetype" + + virtv1 "kubevirt.io/api/core/v1" + "kubevirt.io/api/migrations" + ) + +-const ControllerServiceAccountName = "kubevirt-controller" +- + func GetAllController(namespace string) []runtime.Object { + return []runtime.Object{ + newControllerServiceAccount(namespace), +@@ -52,7 +52,7 @@ func newControllerServiceAccount(namespace string) *corev1.ServiceAccount { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -67,7 +67,7 @@ func newControllerRole(namespace string) *rbacv1.Role { + Kind: "Role", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + Namespace: namespace, + Labels: map[string]string{ + virtv1.AppLabel: "", +@@ -124,7 +124,7 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding { + Kind: "RoleBinding", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + Namespace: namespace, + Labels: map[string]string{ + virtv1.AppLabel: "", +@@ -133,13 +133,13 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding { + RoleRef: rbacv1.RoleRef{ + APIGroup: VersionName, + Kind: "Role", +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + }, + }, + } +@@ -152,7 +152,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole { + Kind: 
"ClusterRole", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -515,7 +515,7 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin + Kind: "ClusterRoleBinding", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -523,13 +523,13 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "ClusterRole", +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: ControllerServiceAccountName, ++ Name: components.ControllerServiceAccountName, + }, + }, + } +diff --git a/pkg/virt-operator/resource/generate/rbac/handler.go b/pkg/virt-operator/resource/generate/rbac/handler.go +index c47adc28a..e55a4044e 100644 +--- a/pkg/virt-operator/resource/generate/rbac/handler.go ++++ b/pkg/virt-operator/resource/generate/rbac/handler.go +@@ -27,9 +27,9 @@ import ( + + virtv1 "kubevirt.io/api/core/v1" + "kubevirt.io/api/migrations" +-) + +-const HandlerServiceAccountName = "kubevirt-handler" ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" ++) + + func GetAllHandler(namespace string) []runtime.Object { + return []runtime.Object{ +@@ -49,7 +49,7 @@ func newHandlerServiceAccount(namespace string) *corev1.ServiceAccount { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -64,7 +64,7 @@ func newHandlerClusterRole() *rbacv1.ClusterRole { + Kind: "ClusterRole", + }, + ObjectMeta: 
metav1.ObjectMeta{ +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -167,7 +167,7 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding { + Kind: "ClusterRoleBinding", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -175,13 +175,13 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding { + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "ClusterRole", +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + }, + }, + } +@@ -195,7 +195,7 @@ func newHandlerRole(namespace string) *rbacv1.Role { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -224,7 +224,7 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -232,13 +232,13 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding { + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: HandlerServiceAccountName, ++ Name: components.HandlerServiceAccountName, + }, + }, + } +diff --git 
a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go +index 29ec8c85a..f15dfa554 100644 +--- a/pkg/virt-operator/resource/generate/rbac/operator.go ++++ b/pkg/virt-operator/resource/generate/rbac/operator.go +@@ -26,6 +26,8 @@ import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + virtv1 "kubevirt.io/api/core/v1" ++ ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + ) + + const ( +@@ -33,7 +35,6 @@ const ( + GroupNameRoute = "route.openshift.io" + serviceAccountFmt = "%s:%s:%s" + ) +-const OperatorServiceAccountName = "kubevirt-operator" + + // Used for manifest generation only, not by the operator itself + func GetAllOperator(namespace string) []interface{} { +@@ -54,7 +55,7 @@ func newOperatorServiceAccount(namespace string) *corev1.ServiceAccount { + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, +- Name: OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -74,7 +75,7 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole { + Kind: "ClusterRole", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -396,7 +397,7 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding + Kind: "ClusterRoleBinding", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + Labels: map[string]string{ + virtv1.AppLabel: "", + }, +@@ -404,13 +405,13 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding + RoleRef: rbacv1.RoleRef{ + APIGroup: VersionName, + Kind: "ClusterRole", +- Name: OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: 
OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + }, + }, + } +@@ -432,13 +433,13 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding { + RoleRef: rbacv1.RoleRef{ + APIGroup: VersionName, + Kind: "Role", +- Name: OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: namespace, +- Name: OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + }, + }, + } +@@ -452,7 +453,7 @@ func NewOperatorRole(namespace string) *rbacv1.Role { + Kind: "Role", + }, + ObjectMeta: metav1.ObjectMeta{ +- Name: OperatorServiceAccountName, ++ Name: components.OperatorServiceAccountName, + Namespace: namespace, + Labels: map[string]string{ + virtv1.AppLabel: "", +@@ -466,6 +467,16 @@ func NewOperatorRole(namespace string) *rbacv1.Role { + Resources: []string{ + "secrets", + }, ++ ResourceNames: []string{ ++ components.KubeVirtCASecretName, ++ components.KubeVirtExportCASecretName, ++ components.VirtHandlerCertSecretName, ++ components.VirtHandlerServerCertSecretName, ++ components.VirtOperatorCertSecretName, ++ components.VirtApiCertSecretName, ++ components.VirtControllerCertSecretName, ++ components.VirtExportProxyCertSecretName, ++ }, + Verbs: []string{ + "create", + "get", +@@ -526,10 +537,10 @@ func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool { + usermap := make(map[string]bool) + + prefix := "system:serviceaccount" +- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, HandlerServiceAccountName)] = true +- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ApiServiceAccountName)] = true +- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ControllerServiceAccountName)] = true +- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, OperatorServiceAccountName)] = true ++ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.HandlerServiceAccountName)] = 
true ++ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ApiServiceAccountName)] = true ++ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ControllerServiceAccountName)] = true ++ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.OperatorServiceAccountName)] = true + + return usermap + } +diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go +index 701a8c4f5..51bd479cc 100644 +--- a/pkg/virt-operator/resource/generate/rbac/operator_test.go ++++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go +@@ -26,6 +26,8 @@ import ( + . "github.com/onsi/gomega" + v1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" ++ ++ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components" + ) + + var _ = Describe("RBAC", func() { +@@ -75,10 +77,10 @@ var _ = Describe("RBAC", func() { + func(name string) { + Expect(serviceAccounts).To(HaveKey(MatchRegexp(fmt.Sprintf(".*%s.*", name)))) + }, +- Entry("for Handler", HandlerServiceAccountName), +- Entry("for Api", ApiServiceAccountName), +- Entry("for Controller", ControllerServiceAccountName), +- Entry("for Operator", OperatorServiceAccountName), ++ Entry("for Handler", components.HandlerServiceAccountName), ++ Entry("for Api", components.ApiServiceAccountName), ++ Entry("for Controller", components.ControllerServiceAccountName), ++ Entry("for Operator", components.OperatorServiceAccountName), + ) + + }) +-- +2.39.2 + diff --git a/kubevirt.changes b/kubevirt.changes index b979658..4356c60 100644 --- a/kubevirt.changes +++ b/kubevirt.changes 
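Review bot: In the `NewOperatorRole` hunk (`@@ -466,6 +467,16 @@`) the new `ResourceNames` list is attached to the same rule that still carries the `create` verb, but Kubernetes RBAC never matches `create` requests against `resourceNames` (the object name is not part of the request attributes at authorization time), so this rule no longer grants creation of the listed secrets; unless another rule in the Role or ClusterRole still allows it, virt-operator's first-time certificate bootstrap on a fresh install could be rejected, which is worth confirming. If `create` is still required, give it its own rule without `ResourceNames` and keep the name-scoped rule for the remaining verbs, then regenerate `operator-csv.yaml.in` and `rbac-operator.authorization.k8s.yaml.in` so the manifests match. Note also that `list`/`watch` restricted by `resourceNames` are only honoured when the client sends a matching `metadata.name` field selector, which matters if those verbs are in the part of the verb list cut off by this hunk. `NewOperatorRole` begins and ends outside the hunk.
```go
		// … unchanged: earlier rules …
		{
			APIGroups: []string{""},
			Resources: []string{"secrets"},
			// create cannot be scoped by ResourceNames (the name is not
			// known at authorization time), so it needs a separate rule.
			Verbs: []string{"create"},
		},
		{
			APIGroups: []string{""},
			Resources: []string{"secrets"},
			ResourceNames: []string{
				components.KubeVirtCASecretName,
				// … unchanged: remaining secret names …
			},
			Verbs: []string{
				"get",
				// … unchanged: remaining verbs …
			},
		},
```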
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Mar 16 09:13:41 UTC 2023 - Vasily Ulyanov + +- Limit operator secrets permission (CVE-2023-26484, bsc#1209359) + 0001-Vulnerability-fix-limit-operator-secrets-permission.patch + ------------------------------------------------------------------- Thu Mar 2 07:12:05 UTC 2023 - Vasily Ulyanov diff --git a/kubevirt.spec b/kubevirt.spec index d3a82ab..fa113dd 100644 --- a/kubevirt.spec +++ b/kubevirt.spec @@ -28,12 +28,13 @@ Source1: kubevirt_containers_meta Source2: kubevirt_containers_meta.service Source3: %{url}/releases/download/v%{version}/disks-images-provider.yaml Source100: %{name}-rpmlintrc +Patch0: 0001-Vulnerability-fix-limit-operator-secrets-permission.patch BuildRequires: glibc-devel-static BuildRequires: golang-packaging BuildRequires: pkgconfig BuildRequires: rsync BuildRequires: sed -BuildRequires: golang(API) = 1.19 +BuildRequires: golang(API) >= 1.19 BuildRequires: pkgconfig(libvirt) ExclusiveArch: x86_64 aarch64
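Review bot: The change from `BuildRequires: golang(API) = 1.19` to `BuildRequires: golang(API) >= 1.19` in the kubevirt.spec hunk is a toolchain-pinning change unrelated to the security patch, and the kubevirt.changes entry added in the same commit does not mention it, so the reason for allowing a newer Go is lost. Either keep the exact pin or record it in the changelog with a line such as `- Relax golang(API) BuildRequires to >= 1.19` together with the reason.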