From 83e3685e9fccd0a64e82c3ce3567653ee5a0e30e Mon Sep 17 00:00:00 2001 From: Mikhail Zholobov Date: Sun, 3 Nov 2024 22:49:13 +0100 Subject: [PATCH] fix: Replace wildcards in RBAC objects with explicit resources and verbs (#6129) * fix: Replace wildcards in RBAC objects with explicit resources and verbs Signed-off-by: Mikhail Zholobov * Update changelog Signed-off-by: Mikhail Zholobov * Revert the deletion of RBAC rule "allow to get any resource" Signed-off-by: Mikhail Zholobov * Rollback the RBAC rule for "*/scale" According to the PR review comment. Signed-off-by: Mikhail Zholobov --------- Signed-off-by: Mikhail Zholobov
---
 CHANGELOG.md | 1 +
 config/rbac/role.yaml | 63 ++++++++++++++++---
 .../eventing/cloudeventsource_controller.go | 2 +-
 .../clustercloudeventsource_controller.go | 2 +-
 ...clustertriggerauthentication_controller.go | 2 +-
 controllers/keda/scaledjob_controller.go | 4 +-
 controllers/keda/scaledobject_controller.go | 8 +--
 .../keda/triggerauthentication_controller.go | 2 +-
 8 files changed, 64 insertions(+), 20 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7339f004a9c..31ea0d0ca26 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -59,6 +59,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 - **General**: Add the generateEmbeddedObjectMeta flag to generate meta properties of JobTargetRef in ScaledJob ([#5908](https://github.com/kedacore/keda/issues/5908))
 - **General**: Cache miss fallback in validating webhook for ScaledObjects with direct kubernetes client ([#5973](https://github.com/kedacore/keda/issues/5973))
+- **General**: Replace wildcards in RBAC objects with explicit resources and verbs ([#6129](https://github.com/kedacore/keda/pull/6129))
 - **Azure Pipelines Scalar**: Print warning to log when Azure DevOps API Rate Limits are (nearly) reached ([#6284](https://github.com/kedacore/keda/issues/6284))
 - **CloudEventSource**: Introduce ClusterCloudEventSource ([#3533](https://github.com/kedacore/keda/issues/3533))
 - **CloudEventSource**: Provide ClusterCloudEventSource around the management of ScaledJobs resources ([#3523](https://github.com/kedacore/keda/issues/3523))
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index fd9cf99b941..f8bb706592c 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -18,7 +18,8 @@ rules:
 resources:
 - events
 verbs:
- - '*'
+ - create
+ - patch
 - apiGroups:
 - ""
 resources:
@@ -93,34 +94,58 @@ rules:
 resources:
 - horizontalpodautoscalers
 verbs:
- - '*'
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - batch
 resources:
 - jobs
 verbs:
- - '*'
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - eventing.keda.sh
 resources:
 - cloudeventsources
 - cloudeventsources/status
 verbs:
- - '*'
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - eventing.keda.sh
 resources:
 - clustercloudeventsources
 - clustercloudeventsources/status
 verbs:
- - '*'
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - keda.sh
 resources:
 - clustertriggerauthentications
 - clustertriggerauthentications/status
 verbs:
- - '*'
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - keda.sh
 resources:
@@ -128,7 +153,11 @@ rules:
 - scaledjobs/finalizers
 - scaledjobs/status
 verbs:
- - '*'
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - keda.sh
 resources:
@@ -136,14 +165,22 @@ rules:
 - scaledobjects/finalizers
 - scaledobjects/status
 verbs:
- - '*'
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - keda.sh
 resources:
 - triggerauthentications
 - triggerauthentications/status
 verbs:
- - '*'
+ - get
+ - list
+ - patch
+ - update
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -168,4 +205,10 @@ rules:
 resources:
 - leases
 verbs:
- - '*'
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/controllers/eventing/cloudeventsource_controller.go b/controllers/eventing/cloudeventsource_controller.go
index 5bb78f5e9ca..0a4c2e6a523 100644
--- a/controllers/eventing/cloudeventsource_controller.go
+++ b/controllers/eventing/cloudeventsource_controller.go
@@ -54,7 +54,7 @@ func NewCloudEventSourceReconciler(c client.Client, e eventemitter.EventHandler)
 }
 }
-// +kubebuilder:rbac:groups=eventing.keda.sh,resources=cloudeventsources;cloudeventsources/status,verbs="*"
+// +kubebuilder:rbac:groups=eventing.keda.sh,resources=cloudeventsources;cloudeventsources/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified EventSource resource based on the request information passed, returns the result and an error (if any).
diff --git a/controllers/eventing/clustercloudeventsource_controller.go b/controllers/eventing/clustercloudeventsource_controller.go
index 0ccb26f811a..2204f18f0ca 100644
--- a/controllers/eventing/clustercloudeventsource_controller.go
+++ b/controllers/eventing/clustercloudeventsource_controller.go
@@ -54,7 +54,7 @@ func NewClusterCloudEventSourceReconciler(c client.Client, e eventemitter.EventH
 }
 }
-// +kubebuilder:rbac:groups=eventing.keda.sh,resources=clustercloudeventsources;clustercloudeventsources/status,verbs="*"
+// +kubebuilder:rbac:groups=eventing.keda.sh,resources=clustercloudeventsources;clustercloudeventsources/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified EventSource resource based on the request information passed, returns the result and an error (if any).
 func (r *ClusterCloudEventSourceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/keda/clustertriggerauthentication_controller.go b/controllers/keda/clustertriggerauthentication_controller.go
index aabab91c4c3..a8d7718416d 100644
--- a/controllers/keda/clustertriggerauthentication_controller.go
+++ b/controllers/keda/clustertriggerauthentication_controller.go
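Review bot: The single marker on the `+` line grants `list` and `watch` on `cloudeventsources/status`, verbs the status subresource endpoint does not serve, and the generated role.yaml in this patch inherits those dead grants. The kubebuilder scaffold convention keeps the subresource on its own marker, e.g. `// +kubebuilder:rbac:groups=eventing.keda.sh,resources=cloudeventsources,verbs=get;list;watch;update;patch` followed by `// +kubebuilder:rbac:groups=eventing.keda.sh,resources=cloudeventsources/status,verbs=get;update;patch`, so each generated rule carries only the verbs that resource accepts. The same shape applies to the clustercloudeventsources hunk below, the clustertriggerauthentications and scaledjobs markers in the next two files, the scaledobjects marker in scaledobject_controller.go and the triggerauthentications marker in triggerauthentication_controller.go; for the `/finalizers` subresources `update` alone is the conventional verb. The NewCloudEventSourceReconciler function ends before the marker lines, and the Reconcile method whose doc comment closes each hunk starts outside it.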
@@ -57,7 +57,7 @@ func init() {
 clusterTriggerAuthPromMetricsLock = &sync.Mutex{}
 }
-// +kubebuilder:rbac:groups=keda.sh,resources=clustertriggerauthentications;clustertriggerauthentications/status,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=clustertriggerauthentications;clustertriggerauthentications/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified TriggerAuthentication resource based on the request information passed, returns the result and an error (if any).
 func (r *ClusterTriggerAuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/keda/scaledjob_controller.go b/controllers/keda/scaledjob_controller.go
index 4a145c7c024..fabc5d446c7 100755
--- a/controllers/keda/scaledjob_controller.go
+++ b/controllers/keda/scaledjob_controller.go
@@ -50,8 +50,8 @@ import (
 "github.com/kedacore/keda/v2/pkg/util"
 )
-// +kubebuilder:rbac:groups=keda.sh,resources=scaledjobs;scaledjobs/finalizers;scaledjobs/status,verbs="*"
-// +kubebuilder:rbac:groups=batch,resources=jobs,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=scaledjobs;scaledjobs/finalizers;scaledjobs/status,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;update;patch;create;delete
 // ScaledJobReconciler reconciles a ScaledJob object
 type ScaledJobReconciler struct {
diff --git a/controllers/keda/scaledobject_controller.go b/controllers/keda/scaledobject_controller.go
index b18c84ae61d..951dd80fbda 100755
--- a/controllers/keda/scaledobject_controller.go
+++ b/controllers/keda/scaledobject_controller.go
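Review bot: The `batch/jobs` marker on the second `+` line of the scaledjob_controller.go hunk lists `delete` but not `deletecollection`, which the previous `"*"` granted implicitly; any job cleanup path in this controller that issues a collection delete (controller-runtime's `DeleteAllOf`) would now be rejected as forbidden, and the reconciler body is not visible here to rule that out. The same check applies to the `horizontalpodautoscalers` and `leases` rules in scaledobject_controller.go. If a collection delete is used, append `;deletecollection` to the jobs marker; if not, a short comment such as `// jobs are deleted individually; deletecollection is intentionally not granted` records the decision for the next RBAC audit. The ScaledJobReconciler struct that opens on the hunk's last line continues outside it.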
@@ -54,16 +54,16 @@ import (
 "github.com/kedacore/keda/v2/pkg/util"
 )
-// +kubebuilder:rbac:groups=keda.sh,resources=scaledobjects;scaledobjects/finalizers;scaledobjects/status,verbs="*"
-// +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=scaledobjects;scaledobjects/finalizers;scaledobjects/status,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;update;patch;create;delete
 // +kubebuilder:rbac:groups="",resources=configmaps;configmaps/status,verbs=get;list;watch
-// +kubebuilder:rbac:groups="",resources=events,verbs="*"
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups="",resources=pods;services;services;secrets;external,verbs=get;list;watch
 // +kubebuilder:rbac:groups="*",resources="*/scale",verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups="",resources="serviceaccounts",verbs=list;watch
 // +kubebuilder:rbac:groups="*",resources="*",verbs=get
 // +kubebuilder:rbac:groups="apps",resources=deployments;statefulsets,verbs=list;watch
-// +kubebuilder:rbac:groups="coordination.k8s.io",namespace=keda,resources=leases,verbs="*"
+// +kubebuilder:rbac:groups="coordination.k8s.io",namespace=keda,resources=leases,verbs=get;list;watch;update;patch;create;delete
 // +kubebuilder:rbac:groups="",resources="limitranges",verbs=list;watch
 // ScaledObjectReconciler reconciles a ScaledObject object
diff --git a/controllers/keda/triggerauthentication_controller.go b/controllers/keda/triggerauthentication_controller.go
index b5ab9e1bd82..2627c6683b1 100755
--- a/controllers/keda/triggerauthentication_controller.go
+++ b/controllers/keda/triggerauthentication_controller.go
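Review bot: The untouched context line `// +kubebuilder:rbac:groups="*",resources="*",verbs=get` is still the widest grant in this file, a cluster-wide `get` on every resource kind in every API group (Secrets included), so the narrowed verb lists on the `+` lines above it remove far less effective privilege than the patch title implies. The commit message records that this rule and the `"*/scale"` rule were kept deliberately, but nothing beside the markers says why, and a reader of the generated role has no way to tell an intentional wildcard from one this pass simply missed. Please put the rationale next to the marker, e.g. `// Intentionally broad (kept in #6129): <document which lookups need get on arbitrary resource kinds>`, and if the only consumer is the scale-target existence check, consider whether the `"*/scale"` rule alone could serve it. The ScaledObjectReconciler type whose doc comment closes the hunk is declared outside it.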
@@ -58,7 +58,7 @@ func init() {
 triggerAuthPromMetricsLock = &sync.Mutex{}
 }
-// +kubebuilder:rbac:groups=keda.sh,resources=triggerauthentications;triggerauthentications/status,verbs="*"
+// +kubebuilder:rbac:groups=keda.sh,resources=triggerauthentications;triggerauthentications/status,verbs=get;list;watch;update;patch
 // Reconcile performs reconciliation on the identified TriggerAuthentication resource based on the request information passed, returns the result and an error (if any).
 func (r *TriggerAuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {