Add webhook for Kubernetes components to validate permissions

amisevsk · amisevsk · commit d94ea4db4b7b · 2022-12-16T14:40:57.000-05:00
Add check on create/update DevWorkspaces to verify that user performing
the action has RBAC permissions to create/update/delete objects in that
Kubernetes type. If not, the operator is rejected.

For now, only inlined Kubernetes components are processed to avoid
having to always fetch from URI.

Signed-off-by: Angel Misevski &lt;amisevsk@redhat.com&gt;
diff --git a/webhook/workspace/handler/kubernetes.go b/webhook/workspace/handler/kubernetes.go
@@ -0,0 +1,141 @@
+// Copyright (c) 2019-2022 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package handler
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	dwv2 "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+	authv1 "k8s.io/api/authorization/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+	"sigs.k8s.io/yaml"
+)
+
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate(ctx context.Context, req admission.Request, wksp *dwv2.DevWorkspace) error {
+	kubeComponents := getKubeComponentsFromWorkspace(wksp)
+	for componentName, component := range kubeComponents {
+		if component.Uri != "" {
+			return fmt.Errorf("kubenetes components specified via URI are unsupported")
+		}
+		if component.Inlined == "" {
+			return fmt.Errorf("kubernetes component does not define inlined content")
+		}
+		if err := h.validatePermissionsOnObject(ctx, req, componentName, component.Inlined); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnUpdate(ctx context.Context, req admission.Request, newWksp, oldWksp *dwv2.DevWorkspace) error {
+	newKubeComponents := getKubeComponentsFromWorkspace(newWksp)
+	oldKubeComponents := getKubeComponentsFromWorkspace(oldWksp)
+
+	for componentName, newComponent := range newKubeComponents {
+		if newComponent.Uri != "" {
+			return fmt.Errorf("kubenetes components specified via URI are unsupported")
+		}
+		if newComponent.Inlined == "" {
+			return fmt.Errorf("kubernetes component does not define inlined content")
+		}
+
+		oldComponent, ok := oldKubeComponents[componentName]
+		if !ok || oldComponent.Inlined != newComponent.Inlined {
+			// Review new components
+			if err := h.validatePermissionsOnObject(ctx, req, componentName, newComponent.Inlined); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (h *WebhookHandler) validatePermissionsOnObject(ctx context.Context, req admission.Request, componentName, component string) error {
+
+	typeMeta := &metav1.TypeMeta{}
+	if err := yaml.Unmarshal([]byte(component), typeMeta); err != nil {
+		return fmt.Errorf("failed to read content for component %s", componentName)
+	}
+	if typeMeta.Kind == "List" {
+		return fmt.Errorf("lists are not supported in Kubernetes or OpenShift components")
+	}
+
+	// Workaround to get the correct resource type for a given kind -- probably fragile
+	// Convert e.g. Pod -> pods, Deployment -> deployments
+	resourceType := fmt.Sprintf("%ss", strings.ToLower(typeMeta.Kind))
+
+	sar := &authv1.LocalSubjectAccessReview{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: req.Namespace,
+		},
+		Spec: authv1.SubjectAccessReviewSpec{
+			ResourceAttributes: &authv1.ResourceAttributes{
+				Namespace: req.Namespace,
+				Verb:      "*",
+				Group:     typeMeta.GroupVersionKind().Group,
+				Version:   typeMeta.GroupVersionKind().Version,
+				Resource:  resourceType,
+			},
+			User:   req.UserInfo.Username,
+			Groups: req.UserInfo.Groups,
+			UID:    req.UserInfo.UID,
+		},
+	}
+
+	err := h.Client.Create(ctx, sar)
+	if err != nil {
+		return fmt.Errorf("failed to create subjectaccessreview for request: %w", err)
+	}
+
+	username := req.UserInfo.Username
+	if username == "" {
+		username = req.UserInfo.UID
+	}
+
+	if !sar.Status.Allowed {
+		return fmt.Errorf("user %s does not have permissions to work with objects of kind %s defined in component %s", username, typeMeta.GroupVersionKind().String(), componentName)
+	}
+
+	return nil
+}
+
+// getKubeComponentsFromWorkspace returns the Kubernetes (and OpenShift) components in a workspace
+// in a map with component names as keys.
+func getKubeComponentsFromWorkspace(wksp *dwv2.DevWorkspace) map[string]dwv2.K8sLikeComponent {
+	kubeComponents := map[string]dwv2.K8sLikeComponent{}
+	for _, component := range wksp.Spec.Template.Components {
+		kubeComponent, err := getKubeLikeComponent(&component)
+		if err != nil {
+			continue
+		}
+		kubeComponents[component.Name] = *kubeComponent
+	}
+	return kubeComponents
+}
+
+// getKubeLikeComponent returns the definition of the Kubernetes or OpenShift
+// component defined by a general DevWorkspace Component. If the component does
+// not specify the Kubernetes or OpenShift field, an error is returned.
+func getKubeLikeComponent(component *dwv2.Component) (*dwv2.K8sLikeComponent, error) {
+	if component.Kubernetes != nil {
+		return &component.Kubernetes.K8sLikeComponent, nil
+	}
+	if component.Openshift != nil {
+		return &component.Openshift.K8sLikeComponent, nil
+	}
+	return nil, fmt.Errorf("component does not specify kubernetes or openshift fields")
+}
diff --git a/webhook/workspace/handler/workspace.go b/webhook/workspace/handler/workspace.go
@@ -54,6 +54,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnCreate(ctx context.Context, re
 		return admission.Denied(err.Error())
 	}
 
+	if err := h.validateKubernetesObjectPermissionsOnCreate(ctx, req, wksp); err != nil {
+		return admission.Denied(err.Error())
+	}
+
 	if warnings := checkUnsupportedFeatures(wksp.Spec.Template); unsupportedWarningsPresent(warnings) {
 		return h.returnPatched(req, wksp).WithWarnings(formatUnsupportedFeaturesWarning(warnings))
 	}
@@ -154,6 +158,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnUpdate(ctx context.Context, re
 		return admission.Denied(err.Error())
 	}
 
+	if err := h.validateKubernetesObjectPermissionsOnUpdate(ctx, req, newWksp, oldWksp); err != nil {
+		return admission.Denied(err.Error())
+	}
+
 	oldCreator, found := oldWksp.Labels[constants.DevWorkspaceCreatorLabel]
 	if !found {
 		return admission.Denied(fmt.Sprintf("label '%s' is missing. Please recreate devworkspace to get it initialized", constants.DevWorkspaceCreatorLabel))

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnCreate(ctx context.Context, re`
`54`	`54`	`return admission.Denied(err.Error())`
`55`	`55`	`}`
`56`	`56`
	`57`	`+ if err := h.validateKubernetesObjectPermissionsOnCreate(ctx, req, wksp); err != nil {`
	`58`	`+ return admission.Denied(err.Error())`
	`59`	`+ }`
	`60`	`+`
`57`	`61`	`if warnings := checkUnsupportedFeatures(wksp.Spec.Template); unsupportedWarningsPresent(warnings) {`
`58`	`62`	`return h.returnPatched(req, wksp).WithWarnings(formatUnsupportedFeaturesWarning(warnings))`
`59`	`63`	`}`
`@@ -154,6 +158,10 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnUpdate(ctx context.Context, re`
`154`	`158`	`return admission.Denied(err.Error())`
`155`	`159`	`}`
`156`	`160`
	`161`	`+ if err := h.validateKubernetesObjectPermissionsOnUpdate(ctx, req, newWksp, oldWksp); err != nil {`
	`162`	`+ return admission.Denied(err.Error())`
	`163`	`+ }`
	`164`	`+`
`157`	`165`	`oldCreator, found := oldWksp.Labels[constants.DevWorkspaceCreatorLabel]`
`158`	`166`	`if !found {`
`159`	`167`	`return admission.Denied(fmt.Sprintf("label '%s' is missing. Please recreate devworkspace to get it initialized", constants.DevWorkspaceCreatorLabel))`