Feat/add permissions boundaries (#10)

Author: matthieuJacquot-voodoo

.github/workflows/chart-release.yml

@@ -1,14 +1,11 @@
 name: Release Charts
 
-#on:
-#  push:
-#    branches: [ release ]
 on:
   push:
     paths:
       - 'config/helm/irsa/Chart.yaml'
-    branches:
-      - main
+        #    branches:
+        #      - main
 
 jobs:
   release:

Makefile

@@ -60,8 +60,6 @@ deploy: manifests kustomize
 
 gen-helm: manifests kustomize
 	$(KUSTOMIZE) build config/default > config/helm/irsa/templates/irsa-operator.yml
-	#echo version: ${CHART_VERSION} >> config/helm/Chart.yaml
-	#echo image: ${DOCKER_IMAGE}:${CHART_VERSION} >> config/helm/values.yaml
 
 # UnDeploy controller from the configured Kubernetes cluster in ~/.kube/config
 undeploy:

api/v1alpha1/role_types.go

@@ -56,10 +56,10 @@ func (r Role) IsPendingDeletion() bool {
 
 // RoleSpec defines the desired state of Role
 type RoleSpec struct {
-	ServiceAccountName string `json:"serviceAccountName"`
-
-	PolicyARN string `json:"policyarn,omitempty"`
-	RoleARN   string `json:"rolearn,omitempty"`
+	ServiceAccountName             string `json:"serviceAccountName"`
+	PolicyARN                      string `json:"policyarn,omitempty"`
+	RoleARN                        string `json:"rolearn,omitempty"`
+	PermissionsBoundariesPolicyArn string `json:"permissionsBoundariesPolicyARN,omitempty"`
 }
 
 // Validate returns an error if the RoleSpec is not valid

aws/aws.go

@@ -313,7 +313,7 @@ func (m RealAwsManager) GetAttachedRolePoliciesARNs(roleName string) ([]string,
 	return arns, nil
 }
 
-func (m RealAwsManager) CreateRole(role api.Role) error {
+func (m RealAwsManager) CreateRole(role api.Role, permissionsBoundariesPolicyARN string) error {
 	_ = m.log.WithName("aws").WithName("role")
 
 	roleDoc, err := NewAssumeRolePolicyDoc(role, m.oidcProviderArn)
@@ -323,11 +323,16 @@ func (m RealAwsManager) CreateRole(role api.Role) error {
 	}
 
 	rn := role.AwsName(m.clusterName)
-	if _, err := m.Client.CreateRole(&iam.CreateRoleInput{
+	roleInput := &iam.CreateRoleInput{
 		RoleName:                 &rn,
 		AssumeRolePolicyDocument: &roleDoc,
 		Description:              &desc,
-	}); err != nil {
+	}
+	if permissionsBoundariesPolicyARN != "" {
+		roleInput.PermissionsBoundary = &permissionsBoundariesPolicyARN
+	}
+
+	if _, err := m.Client.CreateRole(roleInput); err != nil {
 		if reqErr, ok := err.(awserr.RequestFailure); ok {
 			if reqErr.StatusCode() == http.StatusConflict {
 				// the role already exists, we return without error

aws/aws_test.go

@@ -9,6 +9,7 @@ import (
 var validPolicy = api.NewPolicy("name", "testns", []api.StatementSpec{
 	{Resource: "arn:aws:s3:::my_corporate_bucket/exampleobject.png", Action: []string{"an:action"}},
 })
+
 var _ = Describe("policy", func() {
 	It("given a valid policy", func() {
 
@@ -39,6 +40,7 @@ var _ = Describe("policy", func() {
 
 var _ = Describe("role", func() {
 	role := api.NewRole("name", "testns")
+
 	Context("given a valid role", func() {
 		It("doesn't exist yet", func() {
 			exists, err := awsmngr.RoleExists(role.AwsName(clusterName))
@@ -47,14 +49,23 @@ var _ = Describe("role", func() {
 		})
 
 		Context("creation", func() {
+			It("can create it without error without permissionsBoundariesPolicyARN", func() {
+				err := awsmngr.CreateRole(*role, "")
+				Expect(err).NotTo(HaveOccurred())
+			})
+		})
+
+		Context("creation", func() {
+			permissionsBoundariesPolicyARN := "arn:aws:iam::123456789012:policy/UsersManageOwnCredentials"
+
 			It("can create it without error", func() {
-				err := awsmngr.CreateRole(*role)
+				err := awsmngr.CreateRole(*role, permissionsBoundariesPolicyARN)
 				Expect(err).NotTo(HaveOccurred())
 			})
 
 			Context("idempotency", func() {
 				It("creation is idempotent", func() {
-					err := awsmngr.CreateRole(*role)
+					err := awsmngr.CreateRole(*role, permissionsBoundariesPolicyARN)
 					Expect(err).NotTo(HaveOccurred())
 				})
 

aws/types.go

@@ -28,6 +28,7 @@ func (s Statement) ToSpec() api.StatementSpec {
 
 type StatementEffect string
 
+// todo : remove this
 const (
 	StatementAllow StatementEffect = "Allow"
 	StatementDeny  StatementEffect = "Deny"

config/crd/bases/irsa.voodoo.io_roles.yaml

@@ -36,6 +36,8 @@ spec:
           spec:
             description: RoleSpec defines the desired state of Role
             properties:
+              permissionsBoundariesPolicyARN:
+                type: string
               policyarn:
                 type: string
               rolearn:

config/default/manager_auth_proxy_patch.yaml

@@ -26,3 +26,4 @@ spec:
         - "--leader-elect"
         - "--cluster-name={{ .Values.clusterName }}"
         - "--oidc-provider-arn={{ .Values.oidcProviderARN }}"
+        - "--permissions-boundaries-policy-arn={{ .Values.permissionsBoundariesPolicyARN }}"

config/helm/irsa/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: "v1"
 name: irsa-operator 
-version: 0.0.5
+version: 0.0.6-rc.1

config/helm/irsa/templates/irsa-operator.yml

@@ -192,6 +192,8 @@ spec:
           spec:
             description: RoleSpec defines the desired state of Role
             properties:
+              permissionsBoundariesPolicyARN:
+                type: string
               policyarn:
                 type: string
               rolearn:
@@ -228,7 +230,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   annotations:
-    eks.amazonaws.com/role-arn: '{{ .Values.rolearn }}'
+    eks.amazonaws.com/role-arn: '{{ .Values.roleARN }}'
   name: irsa-operator-oidc-sa
   namespace: irsa-operator-system
 ---
@@ -489,6 +491,7 @@ spec:
         - --leader-elect
         - --cluster-name={{ .Values.clusterName }}
         - --oidc-provider-arn={{ .Values.oidcProviderARN }}
+        - --permissions-boundaries-policy-arn={{ .Values.permissionsBoundariesPolicyARN }}
         command:
         - /manager
         image: ghcr.io/voodooteam/irsa-operator:v{{ .Chart.Version }}

config/helm/irsa/values.yaml

@@ -1,3 +1,4 @@
 clusterName:
-rolearn: 
+roleARN: 
 oidcProviderARN:
+permissionsBoundariesPolicyARN: ""

config/manager/manager.yaml

@@ -10,7 +10,7 @@ kind: ServiceAccount
 metadata:
   name: oidc-sa
   annotations:
-    eks.amazonaws.com/role-arn: '{{ .Values.rolearn }}'
+    eks.amazonaws.com/role-arn: '{{ .Values.roleARN }}'
 ---
 apiVersion: apps/v1
 kind: Deployment

config/samples/irsa_v1alpha1_iamroleserviceaccount.yaml

@@ -1,9 +1,8 @@
 apiVersion: irsa.voodoo.io/v1alpha1
 kind: IamRoleServiceAccount
 metadata:
-  name: iamroleserviceaccount-test-sample
+  name: s3put 
 spec:
-  serviceAccountName: s3put
   policy: 
     statement:
       - resource: "arn:aws:s3:::test-irsa-4gkut9fl"

controllers/aws.go

@@ -20,7 +20,7 @@ type AwsPolicyManager interface {
 
 type AwsRoleManager interface {
 	RoleExists(roleName string) (bool, error)
-	CreateRole(api.Role) error
+	CreateRole(role api.Role, permissionsBoundariesPolicyARN string) error
 	DeleteRole(roleName string) error
 	AttachRolePolicy(roleName, policyARN string) error
 	GetAttachedRolePoliciesARNs(roleName string) ([]string, error)

controllers/aws_test.go

@@ -29,9 +29,10 @@ type awsStack struct {
 }
 
 type awsRole struct {
-	name             string
-	arn              string
-	attachedPolicies []string
+	name                           string
+	arn                            string
+	attachedPolicies               []string
+	permissionsBoundariesPolicyARN string
 }
 
 type awsMethod string
@@ -143,7 +144,7 @@ func (s *awsFake) GetStatement(arn string) ([]api.StatementSpec, error) {
 	return stack.(awsStack).policy.Statement, nil
 }
 
-func (s *awsFake) CreateRole(r api.Role) error {
+func (s *awsFake) CreateRole(r api.Role, permissionsBoundariesPolicyARN string) error {
 	n := r.ObjectMeta.Name
 	if err := s.shouldFailAt(n, createRole); err != nil {
 		return err
@@ -155,7 +156,7 @@ func (s *awsFake) CreateRole(r api.Role) error {
 	}
 
 	stack := raw.(awsStack)
-	stack.role = awsRole{name: roleName(r), arn: roleArn(r), attachedPolicies: []string{}}
+	stack.role = awsRole{name: roleName(r), arn: roleArn(r), attachedPolicies: []string{}, permissionsBoundariesPolicyARN: permissionsBoundariesPolicyARN}
 	s.stacks.Store(n, stack)
 	return nil
 }

controllers/helper.go

@@ -1,6 +1,8 @@
 package controllers
 
-import "fmt"
+import (
+	"fmt"
+)
 
 type completed bool
 
@@ -24,6 +26,33 @@ func removeString(slice []string, s string) (result []string) {
 	return
 }
 
-func (r *RoleReconciler) logExtErr(err error, msg string) {
-	r.log.Info(fmt.Sprintf("%s : %s", msg, err))
+func newMsg(msg string) Event {
+	return Event{
+		msg: msg,
+	}
+}
+
+func newErr(msg string, err error) Event {
+	return Event{
+		msg: msg,
+		err: err,
+	}
+}
+
+type Event struct {
+	msg string
+	err error
+}
+
+func (e Event) String() string {
+	if e.err != nil {
+		return fmt.Sprintf("%s (%s)", e.msg, e.err)
+	}
+	return e.msg
+}
+
+func scope(sc string) func(string) string {
+	return func(s string) string {
+		return sc + ": " + s
+	}
 }

controllers/iamroleserviceaccount_controller.go

@@ -16,8 +16,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 
-	"time"
-
 	api "github.com/VoodooTeam/irsa-operator/api/v1alpha1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -37,8 +35,6 @@ type IamRoleServiceAccountReconciler struct {
 	log         logr.Logger
 	scheme      *runtime.Scheme
 	finalizerID string
-
-	TestingDelay *time.Duration
 }
 
 // +kubebuilder:rbac:groups=irsa.voodoo.io,resources=iamroleserviceaccounts,verbs=get;list;watch;create;update;delete
@@ -50,10 +46,6 @@ type IamRoleServiceAccountReconciler struct {
 func (r *IamRoleServiceAccountReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	_ = r.log.WithValues("iamroleserviceaccount", req.NamespacedName)
 
-	{ // a processing delay can be set to ensure the testing framework sees every transitionnal state
-		r.waitIfTesting()
-	}
-
 	var irsa *api.IamRoleServiceAccount
 	{ // extract role from the request
 		var ok completed
@@ -456,12 +448,6 @@ func (r *IamRoleServiceAccountReconciler) updateStatus(ctx context.Context, obj
 	return r.Status().Update(ctx, obj)
 }
 
-func (r *IamRoleServiceAccountReconciler) waitIfTesting() {
-	if r.TestingDelay != nil {
-		time.Sleep(*r.TestingDelay)
-	}
-}
-
 func (r *IamRoleServiceAccountReconciler) registerFinalizerIfNeeded(role *api.IamRoleServiceAccount) completed {
 	if !containsString(role.ObjectMeta.Finalizers, r.finalizerID) {
 		// the finalizer isn't registered yet

controllers/model_test.go

@@ -42,10 +42,22 @@ func run(irsaName string, wg *sync.WaitGroup) {
 	// will log in case of failure the final state and the events that lead there
 	defer func(iE map[awsMethod]struct{}) {
 		if recover() != nil {
-			log.Println(">>> inital errors :")
+			log.Println(">>>")
+			log.Println("inital errors :")
 			spew.Dump(iE)
-			log.Println(">>> ended up with stack state :")
+			log.Println("<<<")
+
+			log.Println("ended up with stack state :")
+			log.Println(">>>")
 			spew.Dump(stack)
+			log.Println("<<<")
+
+			log.Println("k8s resources")
+			log.Println(">>>")
+			spew.Dump(getRole(irsaName, testns))
+			spew.Dump(getPolicy(irsaName, testns))
+			spew.Dump(getIrsa(irsaName, testns))
+			log.Println("<<<")
 
 			GinkgoT().FailNow()
 		}
@@ -130,7 +142,8 @@ func getInitialErrs() map[awsMethod]struct{} {
 		deleteRole,
 		roleExists,
 		getRoleARN,
-		getAttachedRolePoliciesARNs}
+		getAttachedRolePoliciesARNs,
+	}
 
 	errs := make(map[awsMethod]struct{})
 	for _, m := range methods {

controllers/policy_controller.go

@@ -3,7 +3,6 @@ package controllers
 import (
 	"context"
 	"fmt"
-	"time"
 
 	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -36,8 +35,6 @@ type PolicyReconciler struct {
 
 	finalizerID string
 	clusterName string
-
-	TestingDelay *time.Duration
 }
 
 // +kubebuilder:rbac:groups=irsa.voodoo.io,resources=policies,verbs=get;list;watch;create;update;patch;delete
@@ -48,10 +45,6 @@ type PolicyReconciler struct {
 func (r *PolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	_ = r.log.WithValues("policy", req.NamespacedName)
 
-	{ // a processing delay can be set to ensure the testing framework sees every transitionnal state
-		r.waitIfTesting()
-	}
-
 	var policy *api.Policy
 	{ // extract policy from the request
 		var ok completed
@@ -205,11 +198,6 @@ func (r *PolicyReconciler) executeFinalizerIfPresent(policy *api.Policy) complet
 
 	return true
 }
-func (r *PolicyReconciler) waitIfTesting() {
-	if r.TestingDelay != nil {
-		time.Sleep(*r.TestingDelay)
-	}
-}
 
 // helper function to update a Policy status
 func (r *PolicyReconciler) updateStatus(ctx context.Context, Policy *api.Policy, status api.PolicyStatus) error {