- Limit operator secrets permission (CVE-2023-26484, bsc#1209359) 0001-Vulnerability-fix-limit-operator-secrets-permission.patch OBS-URL: https://build.opensuse.org/request/show/1072516 OBS-URL: https://build.opensuse.org/package/show/Virtualization/kubevirt?expand=0&rev=109
From b53906b1295910964ba4b3b1b5a2d3668307f79c Mon Sep 17 00:00:00 2001
|
|
From: Kyle Lane <kylelane@google.com>
|
|
Date: Fri, 3 Feb 2023 00:49:59 +0000
|
|
Subject: [PATCH] [Vulnerability fix] limit operator secrets permission
|
|
|
|
Also change the structure so that the service account names are held in resource/generate/components, to avoid a circular dependency.
|
|
|
|
Change-Id: I01c2619a9705b3c3f144d1d8567687df011d00fa
|
|
Signed-off-by: Kyle Lane kylelane@google.com
|
|
---
|
|
manifests/generated/operator-csv.yaml.in | 9 +++++
|
|
.../rbac-operator.authorization.k8s.yaml.in | 9 +++++
|
|
pkg/virt-api/webhooks/BUILD.bazel | 2 +-
|
|
.../mutating-webhook/mutators/BUILD.bazel | 2 +-
|
|
.../mutators/vmi-mutator_test.go | 4 +-
|
|
pkg/virt-api/webhooks/utils.go | 8 ++--
|
|
.../validating-webhook/admitters/BUILD.bazel | 2 +-
|
|
.../admitters/vmi-create-admitter_test.go | 9 ++---
|
|
.../admitters/vmi-update-admitter_test.go | 10 ++---
|
|
.../resource/generate/components/BUILD.bazel | 2 +-
|
|
.../generate/components/daemonsets.go | 3 +-
|
|
.../generate/components/deployments.go | 7 ++--
|
|
.../components/serviceaccountnames.go | 9 +++++
|
|
.../resource/generate/rbac/BUILD.bazel | 2 +
|
|
.../resource/generate/rbac/apiserver.go | 24 ++++++------
|
|
.../resource/generate/rbac/controller.go | 22 +++++------
|
|
.../resource/generate/rbac/handler.go | 22 +++++------
|
|
.../resource/generate/rbac/operator.go | 37 ++++++++++++-------
|
|
.../resource/generate/rbac/operator_test.go | 10 +++--
|
|
19 files changed, 116 insertions(+), 77 deletions(-)
|
|
create mode 100644 pkg/virt-operator/resource/generate/components/serviceaccountnames.go
|
|
|
|
diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
|
|
index 8c84822e0..53d2c30e5 100644
|
|
--- a/manifests/generated/operator-csv.yaml.in
|
|
+++ b/manifests/generated/operator-csv.yaml.in
|
|
@@ -1275,6 +1275,15 @@ spec:
|
|
- rules:
|
|
- apiGroups:
|
|
- ""
|
|
+ resourceNames:
|
|
+ - kubevirt-ca
|
|
+ - kubevirt-export-ca
|
|
+ - kubevirt-virt-handler-certs
|
|
+ - kubevirt-virt-handler-server-certs
|
|
+ - kubevirt-operator-certs
|
|
+ - kubevirt-virt-api-certs
|
|
+ - kubevirt-controller-certs
|
|
+ - kubevirt-exportproxy-certs
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
|
|
index 71605ecda..254a1a977 100644
|
|
--- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in
|
|
+++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
|
|
@@ -17,6 +17,15 @@ metadata:
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
+ resourceNames:
|
|
+ - kubevirt-ca
|
|
+ - kubevirt-export-ca
|
|
+ - kubevirt-virt-handler-certs
|
|
+ - kubevirt-virt-handler-server-certs
|
|
+ - kubevirt-operator-certs
|
|
+ - kubevirt-virt-api-certs
|
|
+ - kubevirt-controller-certs
|
|
+ - kubevirt-exportproxy-certs
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
diff --git a/pkg/virt-api/webhooks/BUILD.bazel b/pkg/virt-api/webhooks/BUILD.bazel
|
|
index abe364190..1ea095692 100644
|
|
--- a/pkg/virt-api/webhooks/BUILD.bazel
|
|
+++ b/pkg/virt-api/webhooks/BUILD.bazel
|
|
@@ -15,7 +15,7 @@ go_library(
|
|
"//pkg/util:go_default_library",
|
|
"//pkg/virt-config:go_default_library",
|
|
"//pkg/virt-handler/node-labeller/util:go_default_library",
|
|
- "//pkg/virt-operator/resource/generate/rbac:go_default_library",
|
|
+ "//pkg/virt-operator/resource/generate/components:go_default_library",
|
|
"//staging/src/kubevirt.io/api/core/v1:go_default_library",
|
|
"//staging/src/kubevirt.io/api/pool/v1alpha1:go_default_library",
|
|
"//staging/src/kubevirt.io/client-go/log:go_default_library",
|
|
diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
|
|
index e956bf21e..5e03b0d9d 100644
|
|
--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
|
|
+++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
|
|
@@ -55,7 +55,7 @@ go_test(
|
|
"//pkg/virt-api/webhooks:go_default_library",
|
|
"//pkg/virt-config:go_default_library",
|
|
"//pkg/virt-handler/node-labeller/util:go_default_library",
|
|
- "//pkg/virt-operator/resource/generate/rbac:go_default_library",
|
|
+ "//pkg/virt-operator/resource/generate/components:go_default_library",
|
|
"//staging/src/kubevirt.io/api/clone:go_default_library",
|
|
"//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
|
|
"//staging/src/kubevirt.io/api/core:go_default_library",
|
|
diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
|
|
index 025bf368a..f156eca9a 100644
|
|
--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
|
|
+++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
|
|
@@ -46,10 +46,10 @@ import (
|
|
"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
|
|
virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
|
|
nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util"
|
|
- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
)
|
|
|
|
-var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", rbac.ControllerServiceAccountName)
|
|
+var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", components.ControllerServiceAccountName)
|
|
|
|
var _ = Describe("VirtualMachineInstance Mutator", func() {
|
|
var vmi *v1.VirtualMachineInstance
|
|
diff --git a/pkg/virt-api/webhooks/utils.go b/pkg/virt-api/webhooks/utils.go
|
|
index 816a6beb3..653d41012 100644
|
|
--- a/pkg/virt-api/webhooks/utils.go
|
|
+++ b/pkg/virt-api/webhooks/utils.go
|
|
@@ -29,7 +29,7 @@ import (
|
|
poolv1 "kubevirt.io/api/pool/v1alpha1"
|
|
"kubevirt.io/client-go/log"
|
|
|
|
- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
|
|
v1 "kubevirt.io/api/core/v1"
|
|
clientutil "kubevirt.io/client-go/util"
|
|
@@ -89,9 +89,9 @@ func IsKubeVirtServiceAccount(serviceAccount string) bool {
|
|
}
|
|
|
|
prefix := fmt.Sprintf("system:serviceaccount:%s", ns)
|
|
- return serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ApiServiceAccountName) ||
|
|
- serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.HandlerServiceAccountName) ||
|
|
- serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ControllerServiceAccountName)
|
|
+ return serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ApiServiceAccountName) ||
|
|
+ serviceAccount == fmt.Sprintf("%s:%s", prefix, components.HandlerServiceAccountName) ||
|
|
+ serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ControllerServiceAccountName)
|
|
}
|
|
|
|
func IsARM64() bool {
|
|
diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
|
|
index 03a74eb2f..65da66d1c 100644
|
|
--- a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
|
|
+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
|
|
@@ -99,7 +99,7 @@ go_test(
|
|
"//pkg/virt-api/webhooks:go_default_library",
|
|
"//pkg/virt-config:go_default_library",
|
|
"//pkg/virt-handler/node-labeller/util:go_default_library",
|
|
- "//pkg/virt-operator/resource/generate/rbac:go_default_library",
|
|
+ "//pkg/virt-operator/resource/generate/components:go_default_library",
|
|
"//staging/src/kubevirt.io/api/clone:go_default_library",
|
|
"//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
|
|
"//staging/src/kubevirt.io/api/core:go_default_library",
|
|
diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
|
|
index 685ddf5fc..51dda99f5 100644
|
|
--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
|
|
+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
|
|
@@ -27,8 +27,6 @@ import (
|
|
|
|
"kubevirt.io/client-go/api"
|
|
|
|
- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
|
|
-
|
|
. "github.com/onsi/ginkgo/v2"
|
|
. "github.com/onsi/gomega"
|
|
admissionv1 "k8s.io/api/admission/v1"
|
|
@@ -49,6 +47,7 @@ import (
|
|
"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
|
|
virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
|
|
nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util"
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
)
|
|
|
|
var _ = Describe("Validating VMICreate Admitter", func() {
|
|
@@ -424,17 +423,17 @@ var _ = Describe("Validating VMICreate Admitter", func() {
|
|
},
|
|
Entry("Create restricted label by API",
|
|
map[string]string{v1.NodeNameLabel: "someValue"},
|
|
- rbac.ApiServiceAccountName,
|
|
+ components.ApiServiceAccountName,
|
|
true,
|
|
),
|
|
Entry("Create restricted label by Handler",
|
|
map[string]string{v1.NodeNameLabel: "someValue"},
|
|
- rbac.HandlerServiceAccountName,
|
|
+ components.HandlerServiceAccountName,
|
|
true,
|
|
),
|
|
Entry("Create restricted label by Controller",
|
|
map[string]string{v1.NodeNameLabel: "someValue"},
|
|
- rbac.ControllerServiceAccountName,
|
|
+ components.ControllerServiceAccountName,
|
|
true,
|
|
),
|
|
Entry("Create restricted label by non kubevirt user",
|
|
diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
|
|
index 83a9d0390..a9f7af477 100644
|
|
--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
|
|
+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
|
|
@@ -39,7 +39,7 @@ import (
|
|
"kubevirt.io/kubevirt/pkg/testutils"
|
|
webhookutils "kubevirt.io/kubevirt/pkg/util/webhooks"
|
|
"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
|
|
- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
)
|
|
|
|
var _ = Describe("Validating VMIUpdate Admitter", func() {
|
|
@@ -190,17 +190,17 @@ var _ = Describe("Validating VMIUpdate Admitter", func() {
|
|
Entry("Update by API",
|
|
map[string]string{v1.NodeNameLabel: "someValue"},
|
|
map[string]string{v1.NodeNameLabel: "someNewValue"},
|
|
- rbac.ApiServiceAccountName,
|
|
+ components.ApiServiceAccountName,
|
|
),
|
|
Entry("Update by Handler",
|
|
map[string]string{v1.NodeNameLabel: "someValue"},
|
|
map[string]string{v1.NodeNameLabel: "someNewValue"},
|
|
- rbac.HandlerServiceAccountName,
|
|
+ components.HandlerServiceAccountName,
|
|
),
|
|
Entry("Update by Controller",
|
|
map[string]string{v1.NodeNameLabel: "someValue"},
|
|
map[string]string{v1.NodeNameLabel: "someNewValue"},
|
|
- rbac.ControllerServiceAccountName,
|
|
+ components.ControllerServiceAccountName,
|
|
),
|
|
)
|
|
|
|
@@ -560,7 +560,7 @@ var _ = Describe("Validating VMIUpdate Admitter", func() {
|
|
resp := vmiUpdateAdmitter.Admit(ar)
|
|
Expect(resp.Allowed).To(expected)
|
|
},
|
|
- Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+rbac.ApiServiceAccountName, BeTrue()),
|
|
+ Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+components.ApiServiceAccountName, BeTrue()),
|
|
Entry("Should reject regular user", "system:serviceaccount:someNamespace:someUser", BeFalse()),
|
|
)
|
|
})
|
|
diff --git a/pkg/virt-operator/resource/generate/components/BUILD.bazel b/pkg/virt-operator/resource/generate/components/BUILD.bazel
|
|
index 583b63a04..22e1524c3 100644
|
|
--- a/pkg/virt-operator/resource/generate/components/BUILD.bazel
|
|
+++ b/pkg/virt-operator/resource/generate/components/BUILD.bazel
|
|
@@ -11,6 +11,7 @@ go_library(
|
|
"routes.go",
|
|
"scc.go",
|
|
"secrets.go",
|
|
+ "serviceaccountnames.go",
|
|
"validations_generated.go",
|
|
"webhooks.go",
|
|
],
|
|
@@ -21,7 +22,6 @@ go_library(
|
|
"//pkg/certificates/triple:go_default_library",
|
|
"//pkg/certificates/triple/cert:go_default_library",
|
|
"//pkg/virt-config:go_default_library",
|
|
- "//pkg/virt-operator/resource/generate/rbac:go_default_library",
|
|
"//pkg/virt-operator/util:go_default_library",
|
|
"//staging/src/kubevirt.io/api/clone:go_default_library",
|
|
"//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
|
|
diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
|
|
index 7524f7487..4717e4bec 100644
|
|
--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
|
|
+++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
|
|
@@ -13,7 +13,6 @@ import (
|
|
virtv1 "kubevirt.io/api/core/v1"
|
|
|
|
virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
|
|
- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
|
|
operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
|
|
)
|
|
|
|
@@ -81,7 +80,7 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
|
|
}
|
|
|
|
pod := &daemonset.Spec.Template.Spec
|
|
- pod.ServiceAccountName = rbac.HandlerServiceAccountName
|
|
+ pod.ServiceAccountName = HandlerServiceAccountName
|
|
pod.HostPID = true
|
|
|
|
// nodelabeller currently only support x86
|
|
diff --git a/pkg/virt-operator/resource/generate/components/deployments.go b/pkg/virt-operator/resource/generate/components/deployments.go
|
|
index 9d5666def..8a900e7f0 100644
|
|
--- a/pkg/virt-operator/resource/generate/components/deployments.go
|
|
+++ b/pkg/virt-operator/resource/generate/components/deployments.go
|
|
@@ -35,7 +35,6 @@ import (
|
|
|
|
virtv1 "kubevirt.io/api/core/v1"
|
|
|
|
- "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
|
|
operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
|
|
)
|
|
|
|
@@ -326,7 +325,7 @@ func NewApiServerDeployment(namespace, repository, imagePrefix, version, product
|
|
attachProfileVolume(&deployment.Spec.Template.Spec)
|
|
|
|
pod := &deployment.Spec.Template.Spec
|
|
- pod.ServiceAccountName = rbac.ApiServiceAccountName
|
|
+ pod.ServiceAccountName = ApiServiceAccountName
|
|
pod.SecurityContext = &corev1.PodSecurityContext{
|
|
RunAsNonRoot: boolPtr(true),
|
|
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
|
|
@@ -407,7 +406,7 @@ func NewControllerDeployment(namespace, repository, imagePrefix, controllerVersi
|
|
}
|
|
|
|
pod := &deployment.Spec.Template.Spec
|
|
- pod.ServiceAccountName = rbac.ControllerServiceAccountName
|
|
+ pod.ServiceAccountName = ControllerServiceAccountName
|
|
pod.SecurityContext = &corev1.PodSecurityContext{
|
|
RunAsNonRoot: boolPtr(true),
|
|
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
|
|
@@ -645,7 +644,7 @@ func NewExportProxyDeployment(namespace, repository, imagePrefix, version, produ
|
|
attachProfileVolume(&deployment.Spec.Template.Spec)
|
|
|
|
pod := &deployment.Spec.Template.Spec
|
|
- pod.ServiceAccountName = rbac.ExportProxyServiceAccountName
|
|
+ pod.ServiceAccountName = ExportProxyServiceAccountName
|
|
pod.SecurityContext = &corev1.PodSecurityContext{
|
|
RunAsNonRoot: boolPtr(true),
|
|
}
|
|
diff --git a/pkg/virt-operator/resource/generate/components/serviceaccountnames.go b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go
|
|
new file mode 100644
|
|
index 000000000..0948629bb
|
|
--- /dev/null
|
|
+++ b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go
|
|
@@ -0,0 +1,9 @@
|
|
+package components
|
|
+
|
|
+const (
|
|
+ ApiServiceAccountName = "kubevirt-apiserver"
|
|
+ ControllerServiceAccountName = "kubevirt-controller"
|
|
+ ExportProxyServiceAccountName = "kubevirt-exportproxy"
|
|
+ HandlerServiceAccountName = "kubevirt-handler"
|
|
+ OperatorServiceAccountName = "kubevirt-operator"
|
|
+)
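Review bot: The five exported constants in the new file carry no doc comment, and nothing records why they live in `components` rather than beside the RBAC objects that are named after them. A comment on the `const` block such as `// Names of the ServiceAccounts virt-operator creates for each KubeVirt component. They are defined here rather than in the rbac package because rbac now imports components for the secret names while deployments.go and daemonsets.go need the account names, so keeping them in rbac would be an import cycle.` would give the next reader that context. It is also worth stating that these values are used both to set pod.ServiceAccountName and, in the virt-api webhooks (utils.go), to recognise the KubeVirt components, so changing one is an externally visible change rather than a local rename.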
|
|
diff --git a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
|
|
index fb3952f7b..8de09055f 100644
|
|
--- a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
|
|
+++ b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
|
|
@@ -14,6 +14,7 @@ go_library(
|
|
importpath = "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac",
|
|
visibility = ["//visibility:public"],
|
|
deps = [
|
|
+ "//pkg/virt-operator/resource/generate/components:go_default_library",
|
|
"//staging/src/kubevirt.io/api/clone:go_default_library",
|
|
"//staging/src/kubevirt.io/api/core/v1:go_default_library",
|
|
"//staging/src/kubevirt.io/api/instancetype:go_default_library",
|
|
@@ -33,6 +34,7 @@ go_test(
|
|
],
|
|
embed = [":go_default_library"],
|
|
deps = [
|
|
+ "//pkg/virt-operator/resource/generate/components:go_default_library",
|
|
"//staging/src/kubevirt.io/client-go/testutils:go_default_library",
|
|
"//vendor/github.com/onsi/ginkgo/v2:go_default_library",
|
|
"//vendor/github.com/onsi/gomega:go_default_library",
|
|
diff --git a/pkg/virt-operator/resource/generate/rbac/apiserver.go b/pkg/virt-operator/resource/generate/rbac/apiserver.go
|
|
index 7263471a6..932f7391e 100644
|
|
--- a/pkg/virt-operator/resource/generate/rbac/apiserver.go
|
|
+++ b/pkg/virt-operator/resource/generate/rbac/apiserver.go
|
|
@@ -26,6 +26,8 @@ import (
|
|
|
|
"kubevirt.io/api/instancetype"
|
|
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
+
|
|
virtv1 "kubevirt.io/api/core/v1"
|
|
"kubevirt.io/api/migrations"
|
|
)
|
|
@@ -36,8 +38,6 @@ const (
|
|
GroupName = "kubevirt.io"
|
|
)
|
|
|
|
-const ApiServiceAccountName = "kubevirt-apiserver"
|
|
-
|
|
func GetAllApiServer(namespace string) []runtime.Object {
|
|
return []runtime.Object{
|
|
newApiServerServiceAccount(namespace),
|
|
@@ -57,7 +57,7 @@ func newApiServerServiceAccount(namespace string) *corev1.ServiceAccount {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -72,7 +72,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole {
|
|
Kind: "ClusterRole",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -267,7 +267,7 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
|
|
Kind: "ClusterRoleBinding",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -275,13 +275,13 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: VersionName,
|
|
Kind: "ClusterRole",
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
@@ -308,7 +308,7 @@ func newApiServerAuthDelegatorClusterRoleBinding(namespace string) *rbacv1.Clust
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
@@ -322,7 +322,7 @@ func newApiServerRole(namespace string) *rbacv1.Role {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -351,7 +351,7 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -359,13 +359,13 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding {
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: VersionName,
|
|
Kind: "Role",
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: ApiServiceAccountName,
|
|
+ Name: components.ApiServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
diff --git a/pkg/virt-operator/resource/generate/rbac/controller.go b/pkg/virt-operator/resource/generate/rbac/controller.go
|
|
index 2adb51225..9542a24fe 100644
|
|
--- a/pkg/virt-operator/resource/generate/rbac/controller.go
|
|
+++ b/pkg/virt-operator/resource/generate/rbac/controller.go
|
|
@@ -26,14 +26,14 @@ import (
|
|
|
|
"kubevirt.io/api/clone"
|
|
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
+
|
|
"kubevirt.io/api/instancetype"
|
|
|
|
virtv1 "kubevirt.io/api/core/v1"
|
|
"kubevirt.io/api/migrations"
|
|
)
|
|
|
|
-const ControllerServiceAccountName = "kubevirt-controller"
|
|
-
|
|
func GetAllController(namespace string) []runtime.Object {
|
|
return []runtime.Object{
|
|
newControllerServiceAccount(namespace),
|
|
@@ -52,7 +52,7 @@ func newControllerServiceAccount(namespace string) *corev1.ServiceAccount {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -67,7 +67,7 @@ func newControllerRole(namespace string) *rbacv1.Role {
|
|
Kind: "Role",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
Namespace: namespace,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
@@ -124,7 +124,7 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding {
|
|
Kind: "RoleBinding",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
Namespace: namespace,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
@@ -133,13 +133,13 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding {
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: VersionName,
|
|
Kind: "Role",
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
@@ -152,7 +152,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole {
|
|
Kind: "ClusterRole",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -515,7 +515,7 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin
|
|
Kind: "ClusterRoleBinding",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -523,13 +523,13 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: "rbac.authorization.k8s.io",
|
|
Kind: "ClusterRole",
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: ControllerServiceAccountName,
|
|
+ Name: components.ControllerServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
diff --git a/pkg/virt-operator/resource/generate/rbac/handler.go b/pkg/virt-operator/resource/generate/rbac/handler.go
|
|
index c47adc28a..e55a4044e 100644
|
|
--- a/pkg/virt-operator/resource/generate/rbac/handler.go
|
|
+++ b/pkg/virt-operator/resource/generate/rbac/handler.go
|
|
@@ -27,9 +27,9 @@ import (
|
|
|
|
virtv1 "kubevirt.io/api/core/v1"
|
|
"kubevirt.io/api/migrations"
|
|
-)
|
|
|
|
-const HandlerServiceAccountName = "kubevirt-handler"
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
+)
|
|
|
|
func GetAllHandler(namespace string) []runtime.Object {
|
|
return []runtime.Object{
|
|
@@ -49,7 +49,7 @@ func newHandlerServiceAccount(namespace string) *corev1.ServiceAccount {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -64,7 +64,7 @@ func newHandlerClusterRole() *rbacv1.ClusterRole {
|
|
Kind: "ClusterRole",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -167,7 +167,7 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
|
|
Kind: "ClusterRoleBinding",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -175,13 +175,13 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: "rbac.authorization.k8s.io",
|
|
Kind: "ClusterRole",
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
@@ -195,7 +195,7 @@ func newHandlerRole(namespace string) *rbacv1.Role {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -224,7 +224,7 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -232,13 +232,13 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding {
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: "rbac.authorization.k8s.io",
|
|
Kind: "Role",
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: HandlerServiceAccountName,
|
|
+ Name: components.HandlerServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
|
|
index 29ec8c85a..f15dfa554 100644
|
|
--- a/pkg/virt-operator/resource/generate/rbac/operator.go
|
|
+++ b/pkg/virt-operator/resource/generate/rbac/operator.go
|
|
@@ -26,6 +26,8 @@ import (
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
virtv1 "kubevirt.io/api/core/v1"
|
|
+
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
)
|
|
|
|
const (
|
|
@@ -33,7 +35,6 @@ const (
|
|
GroupNameRoute = "route.openshift.io"
|
|
serviceAccountFmt = "%s:%s:%s"
|
|
)
|
|
-const OperatorServiceAccountName = "kubevirt-operator"
|
|
|
|
// Used for manifest generation only, not by the operator itself
|
|
func GetAllOperator(namespace string) []interface{} {
|
|
@@ -54,7 +55,7 @@ func newOperatorServiceAccount(namespace string) *corev1.ServiceAccount {
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: namespace,
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -74,7 +75,7 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
|
|
Kind: "ClusterRole",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -396,7 +397,7 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
|
|
Kind: "ClusterRoleBinding",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
},
|
|
@@ -404,13 +405,13 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: VersionName,
|
|
Kind: "ClusterRole",
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
@@ -432,13 +433,13 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
|
|
RoleRef: rbacv1.RoleRef{
|
|
APIGroup: VersionName,
|
|
Kind: "Role",
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
},
|
|
Subjects: []rbacv1.Subject{
|
|
{
|
|
Kind: "ServiceAccount",
|
|
Namespace: namespace,
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
},
|
|
},
|
|
}
|
|
@@ -452,7 +453,7 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
|
|
Kind: "Role",
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
- Name: OperatorServiceAccountName,
|
|
+ Name: components.OperatorServiceAccountName,
|
|
Namespace: namespace,
|
|
Labels: map[string]string{
|
|
virtv1.AppLabel: "",
|
|
@@ -466,6 +467,16 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
|
|
Resources: []string{
|
|
"secrets",
|
|
},
|
|
+ ResourceNames: []string{
|
|
+ components.KubeVirtCASecretName,
|
|
+ components.KubeVirtExportCASecretName,
|
|
+ components.VirtHandlerCertSecretName,
|
|
+ components.VirtHandlerServerCertSecretName,
|
|
+ components.VirtOperatorCertSecretName,
|
|
+ components.VirtApiCertSecretName,
|
|
+ components.VirtControllerCertSecretName,
|
|
+ components.VirtExportProxyCertSecretName,
|
|
+ },
|
|
Verbs: []string{
|
|
"create",
|
|
"get",
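Review bot: `create` stays in the Verbs of the rule that now carries `ResourceNames`, but Kubernetes RBAC does not match create requests against resourceNames (the object's name is not known at authorization time), so this rule no longer authorizes the operator to create any of the eight listed secrets; unless another rule in `NewOperatorRole` — whose body and the rest of this Verbs list continue past the hunk — grants create on secrets, a fresh install that has to generate the CA and cert secrets will be denied. The same limitation applies to list and watch unless the request carries a metadata.name field selector, so if those verbs are in the remaining list, check how the operator's secret informer lists them. Keep the name-restricted rule for the per-object verbs and add a second secrets rule whose only verb is create; the generated manifests in operator-csv.yaml.in and rbac-operator.authorization.k8s.yaml.in then need regenerating to match.
```go
// … unchanged: the name-restricted secrets rule above, with "create" removed from its Verbs …
{
	APIGroups: []string{""},
	Resources: []string{"secrets"},
	// create cannot be scoped by resourceNames, so it needs its own unrestricted rule
	Verbs: []string{"create"},
},
```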
|
|
@@ -526,10 +537,10 @@ func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {
|
|
usermap := make(map[string]bool)
|
|
|
|
prefix := "system:serviceaccount"
|
|
- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, HandlerServiceAccountName)] = true
|
|
- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ApiServiceAccountName)] = true
|
|
- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ControllerServiceAccountName)] = true
|
|
- usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, OperatorServiceAccountName)] = true
|
|
+ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.HandlerServiceAccountName)] = true
|
|
+ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ApiServiceAccountName)] = true
|
|
+ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ControllerServiceAccountName)] = true
|
|
+ usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.OperatorServiceAccountName)] = true
|
|
|
|
return usermap
|
|
}
|
|
diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go
|
|
index 701a8c4f5..51bd479cc 100644
|
|
--- a/pkg/virt-operator/resource/generate/rbac/operator_test.go
|
|
+++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go
|
|
@@ -26,6 +26,8 @@ import (
|
|
. "github.com/onsi/gomega"
|
|
v1 "k8s.io/api/core/v1"
|
|
rbacv1 "k8s.io/api/rbac/v1"
|
|
+
|
|
+ "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
|
|
)
|
|
|
|
var _ = Describe("RBAC", func() {
|
|
@@ -75,10 +77,10 @@ var _ = Describe("RBAC", func() {
|
|
func(name string) {
|
|
Expect(serviceAccounts).To(HaveKey(MatchRegexp(fmt.Sprintf(".*%s.*", name))))
|
|
},
|
|
- Entry("for Handler", HandlerServiceAccountName),
|
|
- Entry("for Api", ApiServiceAccountName),
|
|
- Entry("for Controller", ControllerServiceAccountName),
|
|
- Entry("for Operator", OperatorServiceAccountName),
|
|
+ Entry("for Handler", components.HandlerServiceAccountName),
|
|
+ Entry("for Api", components.ApiServiceAccountName),
|
|
+ Entry("for Controller", components.ControllerServiceAccountName),
|
|
+ Entry("for Operator", components.OperatorServiceAccountName),
|
|
)
|
|
|
|
})
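Review bot: The test file only follows the constant rename; nothing exercises the new `ResourceNames` restriction that is the substance of this fix, so a later edit that drops the list or adds an unscoped secrets rule would still pass the suite. An `It` inside the existing `Describe("RBAC", ...)` that walks `NewOperatorRole(namespace).Rules` and asserts every rule covering `secrets` carries exactly the eight `components.*SecretName` values would pin the behaviour; `ConsistOf` from the dot-imported gomega and the `components` import this hunk adds are all it needs. A rule whose only verb is create cannot be name-scoped in RBAC, so the check exempts such a rule should one exist.
```go
It("should limit the operator Role's secrets rules to the known secret names", func() {
	for _, rule := range NewOperatorRole("kubevirt").Rules {
		for _, resource := range rule.Resources {
			if resource != "secrets" {
				continue
			}
			// RBAC cannot scope create by resourceNames; a create-only rule is the one allowed exception
			if len(rule.Verbs) == 1 && rule.Verbs[0] == "create" {
				continue
			}
			Expect(rule.ResourceNames).To(ConsistOf(
				components.KubeVirtCASecretName,
				components.KubeVirtExportCASecretName,
				components.VirtHandlerCertSecretName,
				components.VirtHandlerServerCertSecretName,
				components.VirtOperatorCertSecretName,
				components.VirtApiCertSecretName,
				components.VirtControllerCertSecretName,
				components.VirtExportProxyCertSecretName,
			))
		}
	}
})
```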
|
|
--
|
|
2.39.2
|
|
|