fix: Grant escalate and bind permission to role (#78)

Grant escalate and bind permission to role to make sure NamespaceScope operator can create any roles and create rolebinding for it.

Author: horis233

README.md

@@ -86,7 +86,20 @@ When the `NamespaceScope` CR is created/updated, it will:
       resources:
       - '*'
       verbs:
-      - '*'
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    - apiGroups:
+      - rbac.authorization.k8s.io
+      resources:
+      - roles
+      verbs:
+      - escalate
+      - bind
     ---
     kind: RoleBinding
     apiVersion: rbac.authorization.k8s.io/v1

bundle-restricted/manifests/ibm-namespace-scope-operator-restricted.clusterserviceversion.yaml

@@ -150,6 +150,13 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - rbac.authorization.k8s.io
+          resources:
+          - roles
+          verbs:
+          - escalate
+          - bind
         serviceAccountName: ibm-namespace-scope-operator
     strategy: deployment
   installModes:

bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml

@@ -54,7 +54,20 @@ spec:
           resources:
           - '*'
           verbs:
-          - '*'
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - rbac.authorization.k8s.io
+          resources:
+          - roles
+          verbs:
+          - escalate
+          - bind
         serviceAccountName: ibm-namespace-scope-operator
       deployments:
       - name: ibm-namespace-scope-operator

config/rbac/role.yaml

@@ -8,4 +8,17 @@ rules:
     resources:
       - "*"
     verbs:
-      - "*"
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+    verbs:
+      - escalate
+      - bind

controllers/namespacescope_controller.go

@@ -358,10 +358,15 @@ func (r *NamespaceScopeReconciler) createRoleForNSS(labels map[string]string, fr
 		},
 		Rules: []rbacv1.PolicyRule{
 			{
-				Verbs:     []string{"*"},
+				Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
 				APIGroups: []string{"*"},
 				Resources: []string{"*"},
 			},
+			{
+				Verbs:     []string{"escalate", "bind"},
+				APIGroups: []string{"rbac.authorization.k8s.io"},
+				Resources: []string{"roles"},
+			},
 		},
 	}
 	if err := r.Create(ctx, role); err != nil {
@@ -668,24 +673,53 @@ func (r *NamespaceScopeReconciler) checkGetNSAuth() bool {
 
 // Check if operator has namespace admin permission
 func (r *NamespaceScopeReconciler) checkNamespaceAdminAuth(namespace string) bool {
-	sar := &authorizationv1.SelfSubjectAccessReview{
-		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
-			ResourceAttributes: &authorizationv1.ResourceAttributes{
-				Namespace: namespace,
-				Verb:      "*",
-				Group:     "*",
-				Resource:  "*",
+	verbs := []string{"create", "delete", "get", "list", "patch", "update", "watch"}
+	for _, verb := range verbs {
+		sar := &authorizationv1.SelfSubjectAccessReview{
+			Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+				ResourceAttributes: &authorizationv1.ResourceAttributes{
+					Namespace: namespace,
+					Verb:      verb,
+					Group:     "*",
+					Resource:  "*",
+				},
 			},
-		},
-	}
+		}
+		if err := r.Create(ctx, sar); err != nil {
+			klog.Errorf("Failed to check operator namespace permission: %v", err)
+			return false
+		}
 
-	if err := r.Create(ctx, sar); err != nil {
-		klog.Errorf("Failed to check operator namespace admin permission: %v", err)
-		return false
+		klog.V(2).Infof("Namespace admin permission in namespace %s, Allowed: %t, Denied: %t, Reason: %s", namespace, sar.Status.Allowed, sar.Status.Denied, sar.Status.Reason)
+
+		if !sar.Status.Allowed {
+			return false
+		}
 	}
+	roleVerbs := []string{"escalate", "bind"}
+	for _, verb := range roleVerbs {
+		sar := &authorizationv1.SelfSubjectAccessReview{
+			Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+				ResourceAttributes: &authorizationv1.ResourceAttributes{
+					Namespace: namespace,
+					Verb:      verb,
+					Group:     "rbac.authorization.k8s.io",
+					Resource:  "roles",
+				},
+			},
+		}
+		if err := r.Create(ctx, sar); err != nil {
+			klog.Errorf("Failed to check operator namespace permission: %v", err)
+			return false
+		}
 
-	klog.V(2).Infof("Namespace admin permission in namesapce %s, Allowed: %t, Denied: %t, Reason: %s", namespace, sar.Status.Allowed, sar.Status.Denied, sar.Status.Reason)
-	return sar.Status.Allowed
+		klog.V(2).Infof("Namespace admin permission in namespace %s, Allowed: %t, Denied: %t, Reason: %s", namespace, sar.Status.Allowed, sar.Status.Denied, sar.Status.Reason)
+
+		if !sar.Status.Allowed {
+			return false
+		}
+	}
+	return true
 }
 
 func (r *NamespaceScopeReconciler) getValidatedNamespaces(instance *operatorv1.NamespaceScope) ([]string, error) {

deploy/role.yaml

@@ -10,4 +10,17 @@ rules:
   resources:
   - "*"
   verbs:
-  - "*"
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - escalate
+  - bind

scripts/authorize-namespace.sh

@@ -141,7 +141,20 @@ rules:
   resources:
   - "*"
   verbs:
-  - "*"
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - escalate
+  - bind
 EOF
 
 #