[WIP] OCPBUGS-31353: Minimize wildcard privileges for secrets, configmaps and service accounts #1171

Open
wants to merge 1 commit into
base: master
3 changes: 0 additions & 3 deletions manifests/00-cluster-role.yaml
Expand Up @@ -14,12 +14,9 @@ rules:
- apiGroups:
- ""
resources:
- configmaps
- namespaces
- serviceaccounts
- endpoints
- services
- secrets
- pods
- events
verbs:
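Review bot: removing the cluster-wide entries for configmaps, serviceaccounts and secrets (the hunk header shrinks this block from 12 to 9 lines, so three resource entries go) silently breaks any controller whose informer or cache still lists or watches those kinds cluster-wide; if the operator's cache is cluster-scoped for these resources, it will fail at startup with a forbidden list/watch rather than in one specific reconcile, so confirm the cache is restricted to the namespaces that now carry a Role. Also confirm that every Secret, ConfigMap and ServiceAccount the operator touches lives in one of the namespaces given a Role in this PR, including the operator's own namespace. The rendered view shows no +/- markers, so check the raw diff to see exactly which three entries were dropped.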
40 changes: 40 additions & 0 deletions manifests/00-operand-namespace.yaml
@@ -0,0 +1,40 @@
# Define operand namespaces to be able to restrict the operator's RBAC permissions.
# This enables limiting the access to sensitive resources (e.g., Secrets, ServiceAccounts, ConfigMaps)
# from cluster-wide scope to specific namespaces.
---
kind: Namespace
apiVersion: v1
metadata:
annotations:
capability.openshift.io/name: Ingress
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
openshift.io/node-selector: ""
workload.openshift.io/allowed: "management"
labels:
# allow openshift-monitoring to look for ServiceMonitor objects in this namespace
openshift.io/cluster-monitoring: "true"
name: openshift-ingress
# old and new forms of the label for matching with NetworkPolicy
network.openshift.io/policy-group: ingress
policy-group.network.openshift.io/ingress: ""
# Router deployment needs to allow privilege escalation, as well as host
# network and host ports for the "HostNetwork" endpoint publishing strategy,
# which is the default for on-premise platforms.
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
name: openshift-ingress
---
kind: Namespace
apiVersion: v1
metadata:
annotations:
capability.openshift.io/name: Ingress
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
openshift.io/node-selector: ""
workload.openshift.io/allowed: "management"
name: openshift-ingress-canary
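Review bot: the two Namespace objects are asymmetric without explanation. openshift-ingress carries pod-security, cluster-monitoring and network-policy labels plus a `name: openshift-ingress` label that duplicates `metadata.name`, while openshift-ingress-canary has no labels block at all; if the canary namespace deliberately needs none of them, say so in a comment, and if the canary pods need host networking or scraping they will be rejected or unscraped without the matching labels. Since the header comment says these manifests exist only to scope RBAC, also state which definition is the source of truth if the same namespaces are created or patched anywhere else, so the annotations and labels cannot drift between the two.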
74 changes: 74 additions & 0 deletions manifests/01-role.yaml
Expand Up @@ -58,3 +58,77 @@ rules:
- rolebindings
verbs:
- delete
---
# Role for the operator to manage the router certificates
# in openshift-config-managed namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ingress-operator
namespace: openshift-config-manager
annotations:
capability.openshift.io/name: Ingress
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- router-certs
verbs:
- "*"
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- default-ingress-cert
verbs:
- "*"
---
# Role for the operator to manage ingress controllers
# in openshift-ingress namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ingress-operator
namespace: openshift-ingress
annotations:
capability.openshift.io/name: Ingress
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
- serviceaccounts
verbs:
- "*"
---
# Role for the operator to manage canary deployment
# in openshift-ingressi-canary namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ingress-operator
namespace: openshift-ingress-canary
annotations:
capability.openshift.io/name: Ingress
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
- serviceaccounts
verbs:
- "*"
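Review bot: the first Role's `namespace: openshift-config-manager` contradicts the comment above it (`openshift-config-managed`), and the objects it scopes (`router-certs`, `default-ingress-cert`) are described as living in openshift-config-managed; as written the Role lands in a different namespace, so the operator loses access to those objects as soon as the cluster-wide rule is removed. Fix the typo, and `openshift-ingressi-canary` in the third Role's comment. The PR's stated goal is to minimize wildcard privileges, yet all four rules still use `verbs: ["*"]`; spell out the verbs actually used (e.g. get, list, watch, create, update, patch, delete). That matters most for the two resourceNames-scoped rules, where `"*"` is misleading because a name-restricted rule cannot satisfy `create` or `deletecollection` requests anyway, so the effective grant is closer to get/update/patch/delete and should be written that way. Finally, no RoleBinding for these three Roles appears in this diff; confirm bindings to the operator's ServiceAccount exist elsewhere, otherwise the Roles are inert.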