wip

Massimiliano Giovagnoli · Massimiliano Giovagnoli · commit e2523497718f · 2022-08-15T20:34:26.000+02:00
Signed-off-by: Massimiliano Giovagnoli &lt;me@maxgio.it&gt;
diff --git a/api/v1beta1/owner_role.go b/api/v1beta1/owner_role.go
@@ -40,21 +40,30 @@ func (in OwnerSpec) GetRoles(tenant Tenant, index int) []string {
 
 	roles := []string{"admin", "capsule-namespace-deleter"}
 
+	if tenant.Spec.GitOpsReady {
+		roles = append(roles, in.getGitOpsRoles(tenant)...)
+	}
+
 	return roles
 }
 
 func (in OwnerSpec) GetClusterRoles(tenant Tenant) []string {
 	if tenant.Spec.GitOpsReady {
-		return in.getGitOpsRoles(tenant)
+		return in.getGitOpsClusterRoles(tenant)
 	}
 
 	return []string{}
 }
 
+func (in OwnerSpec) getGitOpsClusterRoles(tenant Tenant) []string {
+	return []string{
+		"capsule-tenant-impersonator-" + tenant.Name + "-" + in.Name,
+	}
+}
+
 func (in OwnerSpec) getGitOpsRoles(tenant Tenant) []string {
 	return []string{
 		"cluster-admin",
-		"capsule-tenant-impersonator-" + tenant.Name + "-" + in.Name,
 	}
 }
 
diff --git a/api/v1beta1/tenant_labels.go b/api/v1beta1/tenant_labels.go
@@ -24,6 +24,8 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 		return "capsule.clastix.io/resource-quota", nil
 	case *rbacv1.RoleBinding:
 		return "capsule.clastix.io/role-binding", nil
+	case *rbacv1.ClusterRoleBinding:
+		return "capsule.clastix.io/cluster-role-binding", nil
 	default:
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}
diff --git a/config/crd/bases/capsule.clastix.io_tenants.yaml b/config/crd/bases/capsule.clastix.io_tenants.yaml
@@ -654,6 +654,9 @@ spec:
                   allowedRegex:
                     type: string
                 type: object
+              gitOpsReady:
+                description: Configured RBAC for machine owners tailored for GitOps controllers.
+                type: boolean
               imagePullPolicies:
                 description: Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
                 items:
diff --git a/controllers/tenant/clusterrolebindings.go b/controllers/tenant/clusterrolebindings.go
@@ -0,0 +1,119 @@
+package tenant
+
+import (
+	"context"
+	"fmt"
+	"hash/fnv"
+
+	"golang.org/x/sync/errgroup"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+
+	capsulev1beta1 "github.com/clastix/capsule/api/v1beta1"
+)
+
+// Sync the dynamic Tenant Owner specific cluster-roles and additional ClusterRole Bindings, which can be used in many ways:
+// applying Pod Security Policies or giving access to CRDs or specific API groups.
+func (r *Manager) syncClusterRoleBindings(ctx context.Context, tenant *capsulev1beta1.Tenant) (err error) {
+	// hashing the ClusterRoleBinding name due to DNS RFC-1123 applied to Kubernetes labels
+	hashFn := func(binding capsulev1beta1.AdditionalRoleBindingsSpec) string {
+		h := fnv.New64a()
+
+		_, _ = h.Write([]byte(binding.ClusterRoleName))
+
+		for _, sub := range binding.Subjects {
+			_, _ = h.Write([]byte(sub.Kind + sub.Name))
+		}
+
+		return fmt.Sprintf("%x", h.Sum64())
+	}
+	// getting requested Role Binding keys
+	keys := make([]string, 0, len(tenant.Spec.Owners))
+	// Generating for dynamic tenant owners cluster roles
+	for _, owner := range tenant.Spec.Owners {
+		for _, clusterRoleName := range owner.GetClusterRoles(*tenant) {
+
+			cr := r.ownerClusterRoleBindings(owner, clusterRoleName)
+
+			keys = append(keys, hashFn(cr))
+		}
+	}
+
+	group := new(errgroup.Group)
+
+	group.Go(func() error {
+		return r.syncAdditionalClusterRoleBinding(ctx, tenant, keys, hashFn)
+	})
+
+	return group.Wait()
+}
+
+func (r *Manager) syncAdditionalClusterRoleBinding(ctx context.Context, tenant *capsulev1beta1.Tenant, keys []string, hashFn func(binding capsulev1beta1.AdditionalRoleBindingsSpec) string) (err error) {
+
+	var tenantLabel string
+
+	var clusterRoleBindingLabel string
+
+	if tenantLabel, err = capsulev1beta1.GetTypeLabel(&capsulev1beta1.Tenant{}); err != nil {
+		return
+	}
+
+	if clusterRoleBindingLabel, err = capsulev1beta1.GetTypeLabel(&rbacv1.ClusterRoleBinding{}); err != nil {
+		return
+	}
+
+	if err = r.pruningResources(ctx, "capsule-system", keys, &rbacv1.ClusterRoleBinding{}); err != nil {
+		return
+	}
+
+	var clusterRoleBindings []capsulev1beta1.AdditionalRoleBindingsSpec
+
+	for _, owner := range tenant.Spec.Owners {
+		for _, clusterRoleName := range owner.GetClusterRoles(*tenant) {
+			clusterRoleBindings = append(clusterRoleBindings, r.ownerClusterRoleBindings(owner, clusterRoleName))
+		}
+	}
+
+	for i, clusterRoleBinding := range clusterRoleBindings {
+
+		clusterRoleBindingHashLabel := hashFn(clusterRoleBinding)
+
+		target := &rbacv1.ClusterRoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("capsule-%s-%d-%s", tenant.Name, i, clusterRoleBinding.ClusterRoleName),
+			},
+		}
+
+		var res controllerutil.OperationResult
+		res, err = controllerutil.CreateOrUpdate(ctx, r.Client, target, func() error {
+			target.ObjectMeta.Labels = map[string]string{
+				tenantLabel: tenant.Name,
+
+				clusterRoleBindingLabel: clusterRoleBindingHashLabel,
+			}
+			target.RoleRef = rbacv1.RoleRef{
+				APIGroup: rbacv1.GroupName,
+				Kind:     "ClusterRole",
+				Name:     clusterRoleBinding.ClusterRoleName,
+			}
+			target.Subjects = clusterRoleBinding.Subjects
+
+			return controllerutil.SetControllerReference(tenant, target, r.Client.Scheme())
+		})
+
+		r.emitEvent(tenant, target.GetNamespace(), res, fmt.Sprintf("Ensuring ClusterRoleBinding %s", target.GetName()), err)
+
+		if err != nil {
+			r.Log.Error(err, "Cannot sync ClusterRoleBinding")
+		}
+
+		r.Log.Info(fmt.Sprintf("ClusterRoleBinding sync result: %s", string(res)), "name", target.Name, "namespace", target.Namespace)
+
+		if err != nil {
+			return
+		}
+	}
+
+	return nil
+}
diff --git a/controllers/tenant/clusterroles.go b/controllers/tenant/clusterroles.go
@@ -47,9 +47,6 @@ func (r *Manager) ensureOwnerClusterRole(ctx context.Context, tenant *capsulev1b
 		}
 
 		resourceName := owner.Name
-		if owner.Kind == capsulev1beta1.ServiceAccountOwner {
-			resourceName = owner.Name
-		}
 
 		_, err = controllerutil.CreateOrUpdate(ctx, r.Client, clusterRole, func() error {
 			clusterRole.Rules = []rbacv1.PolicyRule{
diff --git a/controllers/tenant/manager.go b/controllers/tenant/manager.go
@@ -113,6 +113,14 @@ func (r Manager) Reconcile(ctx context.Context, request ctrl.Request) (result ct
 
 		return
 	}
+	// Ensuring ClusterRoleBindings resources
+	r.Log.Info("Ensuring ClusterRoleBindings for Owners and Tenant")
+
+	if err = r.syncClusterRoleBindings(ctx, instance); err != nil {
+		r.Log.Error(err, "Cannot sync ClusterRoleBindings items")
+
+		return
+	}
 	// Ensuring RoleBinding resources
 	r.Log.Info("Ensuring RoleBindings for Owners and Tenant")
 

Original file line number	Diff line number	Diff line change
`@@ -40,21 +40,30 @@ func (in OwnerSpec) GetRoles(tenant Tenant, index int) []string {`
`40`	`40`
`41`	`41`	`roles := []string{"admin", "capsule-namespace-deleter"}`
`42`	`42`
	`43`	`+ if tenant.Spec.GitOpsReady {`
	`44`	`+ roles = append(roles, in.getGitOpsRoles(tenant)...)`
	`45`	`+ }`
	`46`	`+`
`43`	`47`	`return roles`
`44`	`48`	`}`
`45`	`49`
`46`	`50`	`func (in OwnerSpec) GetClusterRoles(tenant Tenant) []string {`
`47`	`51`	`if tenant.Spec.GitOpsReady {`
`48`		`- return in.getGitOpsRoles(tenant)`
	`52`	`+ return in.getGitOpsClusterRoles(tenant)`
`49`	`53`	`}`
`50`	`54`
`51`	`55`	`return []string{}`
`52`	`56`	`}`
`53`	`57`
	`58`	`+func (in OwnerSpec) getGitOpsClusterRoles(tenant Tenant) []string {`
	`59`	`+ return []string{`
	`60`	`+ "capsule-tenant-impersonator-" + tenant.Name + "-" + in.Name,`
	`61`	`+ }`
	`62`	`+}`
	`63`	`+`
`54`	`64`	`func (in OwnerSpec) getGitOpsRoles(tenant Tenant) []string {`
`55`	`65`	`return []string{`
`56`	`66`	`"cluster-admin",`
`57`		`- "capsule-tenant-impersonator-" + tenant.Name + "-" + in.Name,`
`58`	`67`	`}`
`59`	`68`	`}`
`60`	`69`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {`
`24`	`24`	`return "capsule.clastix.io/resource-quota", nil`
`25`	`25`	`case *rbacv1.RoleBinding:`
`26`	`26`	`return "capsule.clastix.io/role-binding", nil`
	`27`	`+ case *rbacv1.ClusterRoleBinding:`
	`28`	`+ return "capsule.clastix.io/cluster-role-binding", nil`
`27`	`29`	`default:`
`28`	`30`	`err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)`
`29`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -47,9 +47,6 @@ func (r Manager) ensureOwnerClusterRole(ctx context.Context, tenant capsulev1b`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`resourceName := owner.Name`
`50`		`- if owner.Kind == capsulev1beta1.ServiceAccountOwner {`
`51`		`- resourceName = owner.Name`
`52`		`- }`
`53`	`50`
`54`	`51`	`_, err = controllerutil.CreateOrUpdate(ctx, r.Client, clusterRole, func() error {`
`55`	`52`	`clusterRole.Rules = []rbacv1.PolicyRule{`