Implement certificate-based RBAC for WICD

**Certificate-Based Authentication:**
- Add certificate-based ClusterRole (system-wicd-nodes)
- Add ClusterRoleBinding that grants permissions to system:wicd-nodes group
- Certificate identity format: system:wicd-node:nodename

**RBAC Permissions:**
- Bootstrap ServiceAccount: Minimal permissions for CSR creation and ConfigMap access
- Certificate-based users: Enhanced permissions for node patching

**Security Model:**
1. ServiceAccount (bootstrap): Limited permissions during initial setup
2. CSR Controller: Validates certificate requests from nodes
3. Node-specific access enforced in a follow-up PR by webhook.

Author: mansikulkarni96

bundle/manifests/system-wicd-nodes_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: windows-machine-config-operator
+    app.kubernetes.io/part-of: wicd
+  name: system-wicd-nodes
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - nodes/status
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch

bundle/manifests/system-wicd-nodes_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: windows-machine-config-operator
+    app.kubernetes.io/part-of: wicd
+  name: system-wicd-nodes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system-wicd-nodes
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:wicd-nodes

bundle/manifests/windows-instance-config-daemon-service-account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: windows-instance-config-daemon 

bundle/manifests/windows-instance-config-daemon_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -2,22 +2,33 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: windows-machine-config-operator
+    app.kubernetes.io/part-of: wicd
   name: windows-instance-config-daemon
 rules:
 - apiGroups:
   - ""
   resources:
-  - nodes
+  - configmaps
   verbs:
-  - list
-  - watch
   - get
-  - patch
-  - update
+  - list
 - apiGroups:
   - ""
   resources:
-  - nodes/status
+  - nodes
   verbs:
+  - get
+  - list
   - patch
   - update
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch

bundle/manifests/windows-machine-config-operator.clusterserviceversion.yaml

@@ -265,6 +265,7 @@ spec:
           resources:
           - certificatesigningrequests
           verbs:
+          - create
           - get
           - list
           - watch
@@ -288,6 +289,14 @@ spec:
           - get
           - patch
           - update
+        - apiGroups:
+          - certificates.k8s.io
+          resourceNames:
+          - kubernetes.io/kube-apiserver-client
+          resources:
+          - signers
+          verbs:
+          - approve
         - apiGroups:
           - certificates.k8s.io
           resourceNames:

cmd/daemon/controller.go

@@ -21,6 +21,7 @@ package main
 import (
 	"flag"
 	"os"
+	"time"
 
 	"github.com/spf13/cobra"
 	"k8s.io/klog/v2"
@@ -40,6 +41,9 @@ var (
 	windowsService bool
 	logDir         string
 	caBundle       string
+	// Certificate-based authentication options
+	certDir      string
+	certDuration string
 )
 
 func init() {
@@ -50,6 +54,10 @@ func init() {
 		"Enables running as a Windows service")
 	controllerCmd.PersistentFlags().StringVar(&caBundle, "ca-bundle", "",
 		"the full path to CA bundle file containing certificates trusted by the cluster")
+	controllerCmd.PersistentFlags().StringVar(&certDir, "cert-dir", "C:\\k\\wicd-certs",
+		"Directory to store WICD client certificates")
+	controllerCmd.PersistentFlags().StringVar(&certDuration, "cert-duration", "1h",
+		"Duration for WICD certificates (e.g., 10m, 1h, 24h)")
 }
 
 func runControllerCmd(cmd *cobra.Command, args []string) {
@@ -60,6 +68,12 @@ func runControllerCmd(cmd *cobra.Command, args []string) {
 		fs.Set("logtostderr", "false")
 		fs.Set("log_dir", logDir)
 	}
+	duration, err := time.ParseDuration(certDuration)
+	if err != nil {
+		klog.Errorf("invalid cert-duration %s: %v", certDuration, err)
+		os.Exit(1)
+	}
+
 	ctx := ctrl.SetupSignalHandler()
 	if windowsService {
 		if err := initService(ctx); err != nil {
@@ -68,7 +82,7 @@ func runControllerCmd(cmd *cobra.Command, args []string) {
 		}
 	}
 	klog.Info("service controller running")
-	if err := controller.RunController(ctx, namespace, kubeconfig, caBundle); err != nil {
+	if err := controller.RunController(ctx, namespace, kubeconfig, caBundle, certDir, duration); err != nil {
 		klog.Error(err)
 		os.Exit(1)
 	}

cmd/operator/main.go

@@ -266,6 +266,16 @@ func main() {
 		os.Exit(1)
 	}
 
+	wicdCSRController, err := controllers.NewWICDCSRController(mgr, watchNamespace)
+	if err != nil {
+		setupLog.Error(err, "unable to create WICD CSR controller")
+		os.Exit(1)
+	}
+	if err = wicdCSRController.SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "WICD-CSR")
+		os.Exit(1)
+	}
+
 	mcReconciler, err := controllers.NewControllerConfigReconciler(mgr, clusterConfig, watchNamespace)
 	if err != nil {
 		setupLog.Error(err, "unable to create ControllerConfig reconciler")

config/rbac/kustomization.yaml

@@ -7,6 +7,8 @@ resources:
 # subjects if changing service account names.
 - role.yaml
 - role_binding.yaml
+- wicd-certificate-group-clusterrole.yaml
+- wicd-certificate-group-clusterrolebinding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable

config/rbac/role.yaml

@@ -107,6 +107,7 @@ rules:
   resources:
   - certificatesigningrequests
   verbs:
+  - create
   - get
   - list
   - watch
@@ -130,6 +131,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - certificates.k8s.io
+  resourceNames:
+  - kubernetes.io/kube-apiserver-client
+  resources:
+  - signers
+  verbs:
+  - approve
 - apiGroups:
   - certificates.k8s.io
   resourceNames:

config/rbac/wicd-certificate-group-clusterrole.yaml

@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system-wicd-nodes
+  labels:
+    app.kubernetes.io/name: "windows-machine-config-operator"
+    app.kubernetes.io/part-of: "wicd"
+rules:
+  # Allow reading ConfigMaps for bootstrap phase and cleanup
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list"]
+  # Allow listing nodes for node discovery (no resourceNames restriction needed)
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list"]
+  # WICD certificate-based approach: broader access than OVN due to Windows management needs
+  # Current implementation (Phase 1): Certificate authentication + group RBAC
+  # - CSR controller ensures only legitimate nodes get certificates
+  # - Certificate provides node-specific identity (system:wicd-node:nodename)
+  # - Group RBAC grants necessary permissions for Windows node configuration
+  # Future enhancement (Phase 2): Add admission webhook for operation-specific validation
+  - apiGroups: [""]
+    resources: ["nodes", "nodes/status"]
+    verbs: ["get", "patch", "update", "watch"]
+  # Allow creating CSRs for certificate renewal
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["certificatesigningrequests"]
+    verbs: ["create", "get", "list", "watch"]