OCPBUGS-31353: Minimize wildcard privileges

- Added operand namespaces in the operator payload to be able to create local roles.
- Added local roles and rolebinding in the operand namespaces to manage ingresscontrollers and canary.
- Limited cluster permissions on secret and configmap to resource names required for the certificate management.
- Limited cluster permissions on namespace resource to operand namespaces.

TODO: clusterroles/clusterrolebinding and roles/rolebindings.

Author: alebedev87

manifests/00-cluster-role.yaml

@@ -14,39 +14,59 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - configmaps
-  - namespaces
-  - serviceaccounts
   - endpoints
   - services
-  - secrets
   - pods
   - events
   verbs:
   - "*"
 
+# Operand namespaces.
 - apiGroups:
   - ""
   resources:
-  - pods/eviction
+  - namespaces
+  resourceNames:
+  - openshift-ingress
+  - openshift-ingress-canary
   verbs:
-  - "create"
+  - "*"
 
+# Rules to manage router certificates.
+# The required secret and configmap reside in openshift-config-managed namespace
+# which does not exist at the moment of the operator installation.
+# Therefore the rules are in the cluster scope.
 - apiGroups:
   - ""
   resources:
-  - nodes
+  - secrets
+  resourceNames:
+  - router-certs
   verbs:
-  - list
-
+  - "*"
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
-  - daemonsets
+  - configmaps
+  resourceNames:
+  - default-ingress-cert
   verbs:
   - "*"
 
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - "create"
+
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+
 - apiGroups:
   - policy
   resources:

manifests/00-operand-namespace.yaml

@@ -0,0 +1,40 @@
+# Define operand namespaces to be able to restrict the operator's RBAC permissions.
+# This enables limiting the access to sensitive resources (e.g., Secrets, ServiceAccounts, ConfigMaps)
+# from cluster-wide scope to specific namespaces.
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"
+  labels:
+    # allow openshift-monitoring to look for ServiceMonitor objects in this namespace
+    openshift.io/cluster-monitoring: "true"
+    name: openshift-ingress
+    # old and new forms of the label for matching with NetworkPolicy
+    network.openshift.io/policy-group: ingress
+    policy-group.network.openshift.io/ingress: ""
+    # Router deployment needs to allow privilege escalation, as well as host
+    # network and host ports for the "HostNetwork" endpoint publishing strategy,
+    # which is the default for on-premise platforms.
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+  name: openshift-ingress
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"
+  name: openshift-ingress-canary

manifests/01-role-binding.yaml

@@ -38,3 +38,45 @@ roleRef:
   kind: Role
   apiGroup: rbac.authorization.k8s.io
   name: ingress-operator
+---
+# RoleBinding for the operator to manage ingresscontrollers
+# in the openshift-ingress namespace.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+- kind: ServiceAccount
+  name: ingress-operator
+  namespace: openshift-ingress-operator
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: ingress-operator
+---
+# RoleBinding for the operator to manage canary deployment
+# in the openshift-ingress-canary namespace.
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress-canary
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+- kind: ServiceAccount
+  name: ingress-operator
+  namespace: openshift-ingress-operator
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: ingress-operator

manifests/01-role.yaml

@@ -58,3 +58,59 @@ rules:
   - rolebindings
   verbs:
   - delete
+---
+# Role for the operator to manage ingress controllers
+# in openshift-ingress namespace.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  - serviceaccounts
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - "*"
+---
+# Role for the operator to manage canary deployment
+# in openshift-ingress-canary namespace.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress-operator
+  namespace: openshift-ingress-canary
+  annotations:
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  - serviceaccounts
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - "*"