Extend kube component webhooks to DevWorkspaceTemplates as well

Add webhook checks to prevent creation/mutation of DevWorkspaceTemplates
that define Kubernetes components if the requesting user does not have
those permissions. This prevents working around RBAC checks in
DevWorkspaces by just creating a DevWorkspaceTemplate instead.

Note however that currently DWO does not check that a user creating a
workspace has permissions to reference this DevWorkspaceTemplate -- if a
user can reference a DWT, they will be able to create the objects
defined in that DWT via a DevWorkspace without further RBAC
verification.

Signed-off-by: Angel Misevski <[email protected]>

Author: amisevsk

webhook/workspace/handler/kubernetes.go

@@ -26,7 +26,7 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
-func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate(ctx context.Context, req admission.Request, wksp *dwv2.DevWorkspace) error {
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate(ctx context.Context, req admission.Request, wksp *dwv2.DevWorkspaceTemplateSpec) error {
 	kubeComponents := getKubeComponentsFromWorkspace(wksp)
 	for componentName, component := range kubeComponents {
 		if component.Uri != "" {
@@ -42,7 +42,7 @@ func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate(ctx context
 	return nil
 }
 
-func (h *WebhookHandler) validateKubernetesObjectPermissionsOnUpdate(ctx context.Context, req admission.Request, newWksp, oldWksp *dwv2.DevWorkspace) error {
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnUpdate(ctx context.Context, req admission.Request, newWksp, oldWksp *dwv2.DevWorkspaceTemplateSpec) error {
 	newKubeComponents := getKubeComponentsFromWorkspace(newWksp)
 	oldKubeComponents := getKubeComponentsFromWorkspace(oldWksp)
 
@@ -145,9 +145,9 @@ func (h *WebhookHandler) validatePermissionsOnObject(ctx context.Context, req ad
 
 // getKubeComponentsFromWorkspace returns the Kubernetes (and OpenShift) components in a workspace
 // in a map with component names as keys.
-func getKubeComponentsFromWorkspace(wksp *dwv2.DevWorkspace) map[string]dwv2.K8sLikeComponent {
+func getKubeComponentsFromWorkspace(wksp *dwv2.DevWorkspaceTemplateSpec) map[string]dwv2.K8sLikeComponent {
 	kubeComponents := map[string]dwv2.K8sLikeComponent{}
-	for _, component := range wksp.Spec.Template.Components {
+	for _, component := range wksp.Components {
 		kubeComponent, err := getKubeLikeComponent(&component)
 		if err != nil {
 			continue
@@ -170,7 +170,7 @@ func getKubeLikeComponent(component *dwv2.Component) (*dwv2.K8sLikeComponent, er
 	return nil, fmt.Errorf("component does not specify kubernetes or openshift fields")
 }
 
-func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate_v1alpha1(ctx context.Context, req admission.Request, wksp *dwv1.DevWorkspace) error {
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate_v1alpha1(ctx context.Context, req admission.Request, wksp *dwv1.DevWorkspaceTemplateSpec) error {
 	kubeComponents := getKubeComponentsFromWorkspace_v1alpha1(wksp)
 	for componentName, component := range kubeComponents {
 		if component.Uri != "" {
@@ -186,7 +186,7 @@ func (h *WebhookHandler) validateKubernetesObjectPermissionsOnCreate_v1alpha1(ct
 	return nil
 }
 
-func (h *WebhookHandler) validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ctx context.Context, req admission.Request, newWksp, oldWksp *dwv1.DevWorkspace) error {
+func (h *WebhookHandler) validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ctx context.Context, req admission.Request, newWksp, oldWksp *dwv1.DevWorkspaceTemplateSpec) error {
 	newKubeComponents := getKubeComponentsFromWorkspace_v1alpha1(newWksp)
 	oldKubeComponents := getKubeComponentsFromWorkspace_v1alpha1(oldWksp)
 
@@ -209,9 +209,9 @@ func (h *WebhookHandler) validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ct
 	return nil
 }
 
-func getKubeComponentsFromWorkspace_v1alpha1(wksp *dwv1.DevWorkspace) map[string]dwv1.K8sLikeComponent {
+func getKubeComponentsFromWorkspace_v1alpha1(wksp *dwv1.DevWorkspaceTemplateSpec) map[string]dwv1.K8sLikeComponent {
 	kubeComponents := map[string]dwv1.K8sLikeComponent{}
-	for _, component := range wksp.Spec.Template.Components {
+	for _, component := range wksp.Components {
 		kubeComponent, err := getKubeLikeComponent_v1alpha1(&component)
 		if err != nil {
 			continue

webhook/workspace/handler/template.go

@@ -0,0 +1,101 @@
+// Copyright (c) 2019-2022 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package handler
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	dwv1 "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha1"
+	dwv2 "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+	"github.com/devfile/devworkspace-operator/pkg/constants"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+func (h *WebhookHandler) MutateWorkspaceTemplateV1alpha1OnCreate(ctx context.Context, req admission.Request) admission.Response {
+	wksp := &dwv1.DevWorkspaceTemplate{}
+	err := h.Decoder.Decode(req, wksp)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	if err := h.validateKubernetesObjectPermissionsOnCreate_v1alpha1(ctx, req, &wksp.Spec); err != nil {
+		return admission.Denied(err.Error())
+	}
+
+	return h.returnPatched(req, wksp)
+}
+
+func (h *WebhookHandler) MutateWorkspaceTemplateV1alpha2OnCreate(ctx context.Context, req admission.Request) admission.Response {
+	wksp := &dwv2.DevWorkspaceTemplate{}
+	err := h.Decoder.Decode(req, wksp)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	if err := h.validateKubernetesObjectPermissionsOnCreate(ctx, req, &wksp.Spec); err != nil {
+		return admission.Denied(err.Error())
+	}
+
+	return h.returnPatched(req, wksp)
+}
+
+func (h *WebhookHandler) MutateWorkspaceTemplateV1alpha1OnUpdate(ctx context.Context, req admission.Request) admission.Response {
+	newWksp := &dwv1.DevWorkspaceTemplate{}
+	oldWksp := &dwv1.DevWorkspaceTemplate{}
+	err := h.parse(req, oldWksp, newWksp)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	if err := h.validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ctx, req, &newWksp.Spec, &oldWksp.Spec); err != nil {
+		return admission.Denied(err.Error())
+	}
+
+	oldCreator, found := oldWksp.Labels[constants.DevWorkspaceCreatorLabel]
+	if !found {
+		return admission.Denied(fmt.Sprintf("label '%s' is missing. Please recreate devworkspace to get it initialized", constants.DevWorkspaceCreatorLabel))
+	}
+
+	newCreator, found := newWksp.Labels[constants.DevWorkspaceCreatorLabel]
+	if !found {
+		if newWksp.Labels == nil {
+			newWksp.Labels = map[string]string{}
+		}
+		newWksp.Labels[constants.DevWorkspaceCreatorLabel] = oldCreator
+		return h.returnPatched(req, newWksp)
+	}
+
+	if newCreator != oldCreator {
+		return admission.Denied(fmt.Sprintf("label '%s' is assigned once devworkspace is created and is immutable", constants.DevWorkspaceCreatorLabel))
+	}
+
+	return admission.Allowed("new devworkspace has the same devworkspace creator as old one")
+}
+
+func (h *WebhookHandler) MutateWorkspaceTemplateV1alpha2OnUpdate(ctx context.Context, req admission.Request) admission.Response {
+	newWksp := &dwv2.DevWorkspaceTemplate{}
+	oldWksp := &dwv2.DevWorkspaceTemplate{}
+	err := h.parse(req, oldWksp, newWksp)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	if err := h.validateKubernetesObjectPermissionsOnUpdate(ctx, req, &newWksp.Spec, &oldWksp.Spec); err != nil {
+		return admission.Denied(err.Error())
+	}
+
+	return admission.Allowed("new workspace has the same devworkspace as old one")
+}

webhook/workspace/handler/workspace.go

@@ -38,7 +38,7 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha1OnCreate(ctx context.Context, re
 
 	wksp.Labels = maputils.Append(wksp.Labels, constants.DevWorkspaceCreatorLabel, req.UserInfo.UID)
 
-	if err := h.validateKubernetesObjectPermissionsOnCreate_v1alpha1(ctx, req, wksp); err != nil {
+	if err := h.validateKubernetesObjectPermissionsOnCreate_v1alpha1(ctx, req, &wksp.Spec.Template); err != nil {
 		return admission.Denied(err.Error())
 	}
 
@@ -58,7 +58,7 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnCreate(ctx context.Context, re
 		return admission.Denied(err.Error())
 	}
 
-	if err := h.validateKubernetesObjectPermissionsOnCreate(ctx, req, wksp); err != nil {
+	if err := h.validateKubernetesObjectPermissionsOnCreate(ctx, req, &wksp.Spec.Template); err != nil {
 		return admission.Denied(err.Error())
 	}
 
@@ -86,7 +86,7 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha1OnUpdate(ctx context.Context, re
 		return admission.Denied(msg)
 	}
 
-	if err := h.validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ctx, req, newWksp, oldWksp); err != nil {
+	if err := h.validateKubernetesObjectPermissionsOnUpdate_v1alpha1(ctx, req, &newWksp.Spec.Template, &oldWksp.Spec.Template); err != nil {
 		return admission.Denied(err.Error())
 	}
 
@@ -166,7 +166,7 @@ func (h *WebhookHandler) MutateWorkspaceV1alpha2OnUpdate(ctx context.Context, re
 		return admission.Denied(err.Error())
 	}
 
-	if err := h.validateKubernetesObjectPermissionsOnUpdate(ctx, req, newWksp, oldWksp); err != nil {
+	if err := h.validateKubernetesObjectPermissionsOnUpdate(ctx, req, &newWksp.Spec.Template, &oldWksp.Spec.Template); err != nil {
 		return admission.Denied(err.Error())
 	}