permissions preflight: enable implementation behind feature gate

joelanford · joelanford · commit c01f8248b406 · 2025-02-25T13:26:23.000-05:00
Signed-off-by: Joe Lanford &lt;joe.lanford@gmail.com&gt;
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
@@ -32,6 +32,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	k8slabels "k8s.io/apimachinery/pkg/labels"
@@ -58,6 +59,7 @@ import (
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager"
@@ -201,8 +203,12 @@ func run() error {
 	setupLog.Info("set up manager")
 	cacheOptions := crcache.Options{
 		ByObject: map[client.Object]crcache.ByObject{
-			&ocv1.ClusterExtension{}: {Label: k8slabels.Everything()},
-			&ocv1.ClusterCatalog{}:   {Label: k8slabels.Everything()},
+			&ocv1.ClusterExtension{}:     {Label: k8slabels.Everything()},
+			&ocv1.ClusterCatalog{}:       {Label: k8slabels.Everything()},
+			&rbacv1.ClusterRole{}:        {Label: k8slabels.Everything()},
+			&rbacv1.ClusterRoleBinding{}: {Label: k8slabels.Everything()},
+			&rbacv1.Role{}:               {Namespaces: map[string]crcache.Config{}, Label: k8slabels.Everything()},
+			&rbacv1.RoleBinding{}:        {Namespaces: map[string]crcache.Config{}, Label: k8slabels.Everything()},
 		},
 		DefaultNamespaces: map[string]crcache.Config{
 			cfg.systemNamespace: {LabelSelector: k8slabels.Everything()},
@@ -409,6 +415,7 @@ func run() error {
 	helmApplier := &applier.Helm{
 		ActionClientGetter: acg,
 		Preflights:         preflights,
+		PreAuthorizer:      authorization.NewRBACPreAuthorizer(mgr.GetClient()),
 	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())
diff --git a/config/base/operator-controller/rbac/role.yaml b/config/base/operator-controller/rbac/role.yaml
@@ -47,6 +47,16 @@ rules:
   verbs:
   - patch
   - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - rolebindings
+  - roles
+  verbs:
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/internal/operator-controller/applier/helm.go b/internal/operator-controller/applier/helm.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"slices"
 	"strings"
 
 	"helm.sh/helm/v3/pkg/action"
@@ -16,14 +17,17 @@ import (
 	"helm.sh/helm/v3/pkg/release"
 	"helm.sh/helm/v3/pkg/storage/driver"
 	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	apimachyaml "k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
@@ -56,6 +60,7 @@ type Preflight interface {
 type Helm struct {
 	ActionClientGetter helmclient.ActionClientGetter
 	Preflights         []Preflight
+	PreAuthorizer      authorization.PreAuthorizer
 }
 
 // shouldSkipPreflight is a helper to determine if the preflight check is CRDUpgradeSafety AND
@@ -85,18 +90,46 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 	}
 	values := chartutil.Values{}
 
+	post := &postrenderer{
+		labels: objectLabels,
+	}
+
+	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
+		tmplRel, err := h.template(ctx, ext, chrt, values, post)
+		if err != nil {
+			return nil, "", fmt.Errorf("failed to get release state using client-only dry-run: %w", err)
+		}
+
+		ceServiceAccount := user.DefaultInfo{Name: fmt.Sprintf("system:serviceaccount:%s:%s", ext.Spec.Namespace, ext.Spec.ServiceAccount.Name)}
+		missingRules, err := h.PreAuthorizer.PreAuthorize(ctx, &ceServiceAccount, strings.NewReader(tmplRel.Manifest))
+
+		var preAuthErrors []error
+		if len(missingRules) > 0 {
+			var missingRuleDescriptions []string
+			for ns, policyRules := range missingRules {
+				for _, rule := range policyRules {
+					missingRuleDescriptions = append(missingRuleDescriptions, ruleDescription(ns, rule))
+				}
+			}
+			slices.Sort(missingRuleDescriptions)
+			preAuthErrors = append(preAuthErrors, fmt.Errorf("service account lacks permission to manage cluster extension:\n  %s", strings.Join(missingRuleDescriptions, "\n  ")))
+		}
+		if err != nil {
+			preAuthErrors = append(preAuthErrors, fmt.Errorf("authorization evaluation error: %w", err))
+		}
+		if len(preAuthErrors) > 0 {
+			return nil, "", fmt.Errorf("pre-authorization failed: %v", preAuthErrors)
+		}
+	}
+
 	ac, err := h.ActionClientGetter.ActionClientFor(ctx, ext)
 	if err != nil {
 		return nil, "", err
 	}
 
-	post := &postrenderer{
-		labels: objectLabels,
-	}
-
 	rel, desiredRel, state, err := h.getReleaseState(ac, ext, chrt, values, post)
 	if err != nil {
-		return nil, "", err
+		return nil, "", fmt.Errorf("failed to get release state using server-side dry-run: %w", err)
 	}
 
 	for _, preflight := range h.Preflights {
@@ -152,6 +185,34 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 	return relObjects, state, nil
 }
 
+func (h *Helm) template(ctx context.Context, ext *ocv1.ClusterExtension, chrt *chart.Chart, values chartutil.Values, post postrender.PostRenderer) (*release.Release, error) {
+	// We need to get a separate action client because our template call below
+	// permanently modifies the underlying action.Configuration for ClientOnly mode.
+	ac, err := h.ActionClientGetter.ActionClientFor(ctx, ext)
+	if err != nil {
+		return nil, err
+	}
+
+	isUpgrade := false
+	currentRelease, err := ac.Get(ext.GetName())
+	if err != nil && !errors.Is(err, driver.ErrReleaseNotFound) {
+		return nil, err
+	}
+	if currentRelease != nil {
+		isUpgrade = true
+	}
+
+	return ac.Install(ext.GetName(), ext.Spec.Namespace, chrt, values, func(i *action.Install) error {
+		i.DryRun = true
+		i.ReleaseName = ext.GetName()
+		i.Replace = true
+		i.ClientOnly = true
+		i.IncludeCRDs = true
+		i.IsUpgrade = isUpgrade
+		return nil
+	}, helmclient.AppendInstallPostRenderer(post))
+}
+
 func (h *Helm) getReleaseState(cl helmclient.ActionInterface, ext *ocv1.ClusterExtension, chrt *chart.Chart, values chartutil.Values, post postrender.PostRenderer) (*release.Release, *release.Release, string, error) {
 	currentRelease, err := cl.Get(ext.GetName())
 	if errors.Is(err, driver.ErrReleaseNotFound) {
@@ -161,10 +222,6 @@ func (h *Helm) getReleaseState(cl helmclient.ActionInterface, ext *ocv1.ClusterE
 			return nil
 		}, helmclient.AppendInstallPostRenderer(post))
 		if err != nil {
-			if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-				_ = struct{}{} // minimal no-op to satisfy linter
-				// probably need to break out this error as it's the one for helm dry-run as opposed to any returned later
-			}
 			return nil, nil, StateError, err
 		}
 		return nil, desiredRelease, StateNeedsInstall, nil
@@ -220,3 +277,25 @@ func (p *postrenderer) Run(renderedManifests *bytes.Buffer) (*bytes.Buffer, erro
 	}
 	return &buf, nil
 }
+
+func ruleDescription(ns string, rule rbacv1.PolicyRule) string {
+	var sb strings.Builder
+	sb.WriteString(fmt.Sprintf("Namespace:%q", ns))
+
+	if len(rule.APIGroups) > 0 {
+		sb.WriteString(fmt.Sprintf(" APIGroups:[%s]", strings.Join(rule.APIGroups, ",")))
+	}
+	if len(rule.Resources) > 0 {
+		sb.WriteString(fmt.Sprintf(" Resources:[%s]", strings.Join(rule.Resources, ",")))
+	}
+	if len(rule.ResourceNames) > 0 {
+		sb.WriteString(fmt.Sprintf(" ResourceNames:[%s]", strings.Join(rule.ResourceNames, ",")))
+	}
+	if len(rule.Verbs) > 0 {
+		sb.WriteString(fmt.Sprintf(" Verbs:[%s]", strings.Join(rule.Verbs, ",")))
+	}
+	if len(rule.NonResourceURLs) > 0 {
+		sb.WriteString(fmt.Sprintf(" NonResourceURLs:[%s]", strings.Join(rule.NonResourceURLs, ",")))
+	}
+	return sb.String()
+}
diff --git a/internal/operator-controller/applier/helm_test.go b/internal/operator-controller/applier/helm_test.go
@@ -13,14 +13,12 @@ import (
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/release"
 	"helm.sh/helm/v3/pkg/storage/driver"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 )
 
 type mockPreflight struct {
@@ -228,71 +226,6 @@ func TestApply_Installation(t *testing.T) {
 	})
 }
 
-func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, features.OperatorControllerFeatureGate, features.PreflightPermissions, true)
-
-	t.Run("fails during dry-run installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr:     driver.ErrReleaseNotFound,
-			dryRunInstallErr: errors.New("failed attempting to dry-run install chart"),
-		}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.Error(t, err)
-		require.ErrorContains(t, err, "attempting to dry-run install chart")
-		require.Nil(t, objs)
-		require.Empty(t, state)
-	})
-
-	t.Run("fails during pre-flight installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr: driver.ErrReleaseNotFound,
-			installErr:   errors.New("failed installing chart"),
-		}
-		mockPf := &mockPreflight{installErr: errors.New("failed during install pre-flight check")}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg, Preflights: []applier.Preflight{mockPf}}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.Error(t, err)
-		require.ErrorContains(t, err, "install pre-flight check")
-		require.Equal(t, applier.StateNeedsInstall, state)
-		require.Nil(t, objs)
-	})
-
-	t.Run("fails during installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr: driver.ErrReleaseNotFound,
-			installErr:   errors.New("failed installing chart"),
-		}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.Error(t, err)
-		require.ErrorContains(t, err, "installing chart")
-		require.Equal(t, applier.StateNeedsInstall, state)
-		require.Nil(t, objs)
-	})
-
-	t.Run("successful installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr: driver.ErrReleaseNotFound,
-			desiredRel: &release.Release{
-				Info:     &release.Info{Status: release.StatusDeployed},
-				Manifest: validManifest,
-			},
-		}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.NoError(t, err)
-		require.Equal(t, applier.StateNeedsInstall, state)
-		require.NotNil(t, objs)
-		assert.Equal(t, "service-a", objs[0].GetName())
-		assert.Equal(t, "service-b", objs[1].GetName())
-	})
-}
-
 func TestApply_Upgrade(t *testing.T) {
 	testCurrentRelease := &release.Release{
 		Info: &release.Info{Status: release.StatusDeployed},
diff --git a/internal/operator-controller/controllers/clusterextension_controller.go b/internal/operator-controller/controllers/clusterextension_controller.go
@@ -96,6 +96,7 @@ type InstalledBundleGetter interface {
 //+kubebuilder:rbac:namespace=system,groups=core,resources=secrets,verbs=create;update;patch;delete;deletecollection;get;list;watch
 //+kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create
 //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=list;watch
 
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clustercatalogs,verbs=list;watch
 
