OCPBUGS-31353: Minimize wildcard privileges

alebedev87 · alebedev87 · commit b8c781ab44e8 · 2025-02-14T16:21:48.000+01:00
- Added operand namespaces in the operator payload to be able to create local roles.
- Added local roles and rolebinding in the operand namespaces to manage ingresscontrollers and canary.
- Added a local role for the certificate management in openshift-config-managed namespace.
- Limited cluster permissions on namespace resource to operand namespaces.
- Moved role and rolebinding permissions from cluster level to openshift-config local role.

TODO: clusterroles/clusterrolebinding.
diff --git a/manifests/00-cluster-role.yaml b/manifests/00-cluster-role.yaml
@@ -14,12 +14,8 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - configmaps
-  - namespaces
-  - serviceaccounts
   - endpoints
   - services
-  - secrets
   - pods
   - events
   verbs:
@@ -28,24 +24,26 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods/eviction
+  - namespaces
+  resourceNames:
+  - openshift-ingress
+  - openshift-ingress-canary
   verbs:
-  - "create"
+  - "*"
 
 - apiGroups:
   - ""
   resources:
-  - nodes
+  - pods/eviction
   verbs:
-  - list
+  - "create"
 
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
-  - daemonsets
+  - nodes
   verbs:
-  - "*"
+  - list
 
 - apiGroups:
   - policy
@@ -68,8 +66,6 @@ rules:
   resources:
   - clusterroles
   - clusterrolebindings
-  - roles
-  - rolebindings
   verbs:
   - create
   - get
diff --git a/manifests/00-operand-namespace.yaml b/manifests/00-operand-namespace.yaml
@@ -0,0 +1,40 @@
+# Define operand namespaces to be able to restrict the operator's RBAC permissions.
+# This enables limiting the access to sensitive resources (e.g., Secrets, ServiceAccounts, ConfigMaps)
+# from cluster-wide scope to specific namespaces.
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"
+  labels:
+    # allow openshift-monitoring to look for ServiceMonitor objects in this namespace
+    openshift.io/cluster-monitoring: "true"
+    name: openshift-ingress
+    # old and new forms of the label for matching with NetworkPolicy
+    network.openshift.io/policy-group: ingress
+    policy-group.network.openshift.io/ingress: ""
+    # Router deployment needs to allow privilege escalation, as well as host
+    # network and host ports for the "HostNetwork" endpoint publishing strategy,
+    # which is the default for on-premise platforms.
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+  name: openshift-ingress
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"
+  name: openshift-ingress-canary
diff --git a/manifests/01-role-binding.yaml b/manifests/01-role-binding.yaml
@@ -38,3 +38,45 @@ roleRef:
   kind: Role
   apiGroup: rbac.authorization.k8s.io
   name: ingress-operator
+---
+# RoleBinding for the operator to manage ingresscontrollers
+# in the openshift-ingress namespace.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+- kind: ServiceAccount
+  name: ingress-operator
+  namespace: openshift-ingress-operator
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: ingress-operator
+---
+# RoleBinding for the operator to manage canary deployment
+# in the openshift-ingress-canary namespace.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress-canary
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+- kind: ServiceAccount
+  name: ingress-operator
+  namespace: openshift-ingress-operator
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: ingress-operator
diff --git a/manifests/01-role.yaml b/manifests/01-role.yaml
@@ -58,3 +58,94 @@ rules:
   - rolebindings
   verbs:
   - delete
+  - create
+  - update
+  - get
+  - list
+  - watch
+---
+# Role for the operator to manage the router certificates
+# in openshift-config-managed namespace.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-config-managed
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - router-certs
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - default-ingress-cert
+  verbs:
+  - "*"
+---
+# Role for the operator to manage ingress controllers
+# in openshift-ingress namespace.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  - serviceaccounts
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - "*"
+---
+# Role for the operator to manage canary deployment
+# in openshift-ingress-canary namespace.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress-canary
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  - serviceaccounts
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - "*"
