Merge branch 'develop' into feature/wdt

Author: rjeberhard

kubernetes/internal/generate-security-policy.sh

@@ -111,6 +111,12 @@ rules:
 - apiGroups: ["extensions"]
   resources: ["ingresses"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["selfsubjectaccessreviews", "localsubjectaccessreviews", "subjectaccessreviews", "selfsubjectrulesreviews"]
+  verbs: ["create"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -259,4 +265,4 @@ EOF
 #
 echo "Create the WebLogic Operator Security configuration using kubectl as follows: kubectl create -f ${SCRIPT}"
 #
-echo "Ensure you start the API server with the --authorization-mode=RBAC option."
+echo "Ensure you start the API server with the --authorization-mode=RBAC option."

operator/src/main/java/oracle/kubernetes/operator/Main.java

@@ -220,7 +220,7 @@ private static void begin() {
         HealthCheckHelper healthCheck = new HealthCheckHelper(namespace, targetNamespaces);
         version = healthCheck.performK8sVersionCheck();
         healthCheck.performNonSecurityChecks();
-        healthCheck.performSecurityChecks(serviceAccountName);
+        healthCheck.performSecurityChecks(version);
       } catch (ApiException e) {
         LOGGER.warning(MessageKeys.EXCEPTION, e);
       }

operator/src/main/java/oracle/kubernetes/operator/helpers/AuthenticationProxy.java

@@ -36,7 +36,7 @@ public V1TokenReviewStatus check(String principal, String token) {
     try {
       boolean allowed = authorizationProxy.check(principal,
           AuthorizationProxy.Operation.create,
-          AuthorizationProxy.Resource.tokenreviews,
+          AuthorizationProxy.Resource.TOKENREVIEWS,
           null,
           AuthorizationProxy.Scope.cluster,
           null);

operator/src/main/java/oracle/kubernetes/operator/helpers/AuthorizationProxy.java

@@ -8,6 +8,10 @@
 import io.kubernetes.client.ApiException;
 import io.kubernetes.client.models.V1ObjectMeta;
 import io.kubernetes.client.models.V1ResourceAttributes;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectAccessReviewSpec;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReview;
 import io.kubernetes.client.models.V1SubjectAccessReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReviewStatus;
@@ -37,18 +41,50 @@ public enum Operation {
   }
 
   public enum Resource {
-    pods,
-    services,
-    namespaces,
-    customresources,
-    customresourcedefinitions,
-    domains,
-    tokenreviews,
-    networkpolicies,
-    secrets,
-    persistentvolumes,
-    persistentvolumeclaims,
-    ingresses
+    CONFIGMAPS ("configmaps", ""),
+    PODS ("pods", ""),
+    LOGS ("pods", "logs", ""),
+    EXEC ("pods", "exec", ""),
+    PODTEMPLATES ("podtemplates", ""),
+    EVENTS ("events", ""),
+    SERVICES ("services", ""),
+    NAMESPACES ("namespaces", ""),
+    JOBS ("jobs", "batch"),
+    CRONJOBS ("cronjobs", "batch"),
+    CRDS ("customresourcedefinitions", "apiextensions.k8s.io"),
+    DOMAINS ("domains", "weblogic.oracle"),
+    DOMAINSTATUSS ("domains", "status", "weblogic.oracle"),
+    SUBJECTACCESSREVIEWS ("subjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTACCESSREVIEWS ("selfsubjectaccessreviews", "authorization.k8s.io"),
+    LOCALSUBJECTACCESSREVIEWS ("localsubjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTRULESREVIEWS ("selfsubjectrulesreviews", "authorization.k8s.io"),
+    TOKENREVIEWS ("tokenreviews", "authentication.k8s.io"),
+    SECRETS ("secrets", ""),
+    PERSISTENTVOLUMES ("persistentvolumes", ""),
+    PERSISTENTVOLUMECLAIMS ("persistentvolumeclaims", ""),
+    STORAGECLASSES ("storageclasses", "storage.k8s.io"),
+    PODPRESETS ("podpresets" , "settings.k8s.io"),
+    INGRESSES ("ingresses", "extensions"),
+    NETWORKPOLICIES ("networkpolicies", "extensions"),
+    PODSECURITYPOLICIES ("podsecuritypolicies", "extensions");
+    
+    private final String resource;
+    private final String subResource;
+    private final String apiGroup;
+    
+    Resource(String resource, String apiGroup) {
+      this(resource, "", apiGroup);
+    }
+    
+    Resource(String resource, String subResource, String apiGroup) {
+      this.resource = resource;
+      this.subResource = subResource;
+      this.apiGroup = apiGroup;
+    }
+    
+    public String getResource() { return resource; }
+    public String getSubResource() { return subResource; }
+    public String getAPIGroup() { return apiGroup; }
   }
 
   public enum Scope {
@@ -104,6 +140,24 @@ public boolean check(String principal, final List<String> groups, Operation oper
     return result;
   }
 
+  public boolean check(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReview subjectAccessReview = prepareSelfSubjectAccessReview(operation, resource, resourceName, scope, namespaceName);
+    try {
+      CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+      subjectAccessReview = factory.create().createSelfSubjectAccessReview(subjectAccessReview);
+    } catch (ApiException e) {
+      LOGGER.severe(MessageKeys.APIEXCEPTION_FROM_SUBJECT_ACCESS_REVIEW, e);
+      LOGGER.exiting(Boolean.FALSE);
+      return Boolean.FALSE;
+
+    }
+    V1SubjectAccessReviewStatus subjectAccessReviewStatus = subjectAccessReview.getStatus();
+    Boolean result = subjectAccessReviewStatus.isAllowed();
+    LOGGER.exiting(result);
+    return result;
+  }
+
   /**
    * Prepares an instance of SubjectAccessReview and returns same.
    *
@@ -133,6 +187,21 @@ private V1SubjectAccessReview prepareSubjectAccessReview(String principal, final
     return subjectAccessReview;
   }
 
+  private V1SelfSubjectAccessReview prepareSelfSubjectAccessReview(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReviewSpec subjectAccessReviewSpec = new V1SelfSubjectAccessReviewSpec();
+
+    subjectAccessReviewSpec.setResourceAttributes(prepareResourceAttributes(operation, resource, resourceName, scope, namespaceName));
+
+    V1SelfSubjectAccessReview subjectAccessReview = new V1SelfSubjectAccessReview();
+    subjectAccessReview.setApiVersion("authorization.k8s.io/v1");
+    subjectAccessReview.setKind("SelfSubjectAccessReview");
+    subjectAccessReview.setMetadata(new V1ObjectMeta());
+    subjectAccessReview.setSpec(subjectAccessReviewSpec);
+    LOGGER.exiting(subjectAccessReview);
+    return subjectAccessReview;
+  }
+
   /**
    * Prepares an instance of ResourceAttributes and returns same.
    *
@@ -150,12 +219,9 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
       resourceAttributes.setVerb(operation.toString());
     }
     if (null != resource) {
-      resourceAttributes.setResource(resource.toString());
-    }
-
-    String apiGroup = getApiGroup(resource);
-    if (apiGroup != null) {
-      resourceAttributes.setGroup(apiGroup);
+      resourceAttributes.setResource(resource.resource);
+      resourceAttributes.setSubresource(resource.subResource);
+      resourceAttributes.setGroup(resource.apiGroup);
     }
 
     if (null != resourceName) {
@@ -168,25 +234,18 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
     LOGGER.exiting(resourceAttributes);
     return resourceAttributes;
   }
-
-  private String getApiGroup(Resource resource) {
-    if (resource == Resource.domains) {
-      return "weblogic.oracle";
-    }
-
-    if (resource == Resource.customresourcedefinitions) {
-      return "apiextensions.k8s.io";
-    }
-
-    if (resource == Resource.tokenreviews) {
-      return "authentication.k8s.io";
-    }
-    
-    if (resource == Resource.ingresses) {
-      return "extensions";
+  
+  public V1SelfSubjectRulesReview review(String namespace) {
+    V1SelfSubjectRulesReview subjectRulesReview = new V1SelfSubjectRulesReview();
+    V1SelfSubjectRulesReviewSpec spec = new V1SelfSubjectRulesReviewSpec();
+    spec.setNamespace(namespace);
+    subjectRulesReview.setSpec(spec);
+    CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+    try {
+      return factory.create().createSelfSubjectRulesReview(subjectRulesReview);
+    } catch (ApiException e) {
+      LOGGER.warning(MessageKeys.EXCEPTION, e);
+      return null;
     }
-
-    // TODO - do we need to specify the api group for any of the other Resource values?
-    return null;
   }
 }

operator/src/main/java/oracle/kubernetes/operator/helpers/CallBuilder.java

@@ -40,6 +40,8 @@
 import io.kubernetes.client.models.V1Pod;
 import io.kubernetes.client.models.V1PodList;
 import io.kubernetes.client.models.V1Secret;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
 import io.kubernetes.client.models.V1Service;
 import io.kubernetes.client.models.V1ServiceList;
 import io.kubernetes.client.models.V1Status;
@@ -1670,6 +1672,76 @@ public Step createSubjectAccessReviewAsync(V1SubjectAccessReview body, ResponseS
     return createRequestAsync(responseStep, new RequestParams("createSubjectAccessReview", null, null, body), CREATE_SUBJECTACCESSREVIEW);
   }
 
+  /* Self Subject Access Review */
+  
+  /**
+   * Create self subject access review
+   * @param body Body
+   * @return Created self subject access review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectAccessReview createSelfSubjectAccessReview(V1SelfSubjectAccessReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectAccessReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectAccessReviewAsync(ApiClient client, V1SelfSubjectAccessReview body, ApiCallback<V1SelfSubjectAccessReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectAccessReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectAccessReview> CREATE_SELFSUBJECTACCESSREVIEW = (requestParams, usage, cont, callback) -> {
+    return createSelfSubjectAccessReviewAsync(usage, (V1SelfSubjectAccessReview) requestParams.body, callback);
+  };
+  
+  /**
+   * Asynchronous step for creating self subject access review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectAccessReviewAsync(V1SelfSubjectAccessReview body, ResponseStep<V1SelfSubjectAccessReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectAccessReview", null, null, body), CREATE_SELFSUBJECTACCESSREVIEW);
+  }
+  
+  /* Self Subject Rules Review */
+  
+  /**
+   * Create self subject rules review
+   * @param body Body
+   * @return Created self subject rules review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectRulesReview createSelfSubjectRulesReview(V1SelfSubjectRulesReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectRulesReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectRulesReviewAsync(ApiClient client, V1SelfSubjectRulesReview body, ApiCallback<V1SelfSubjectRulesReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectRulesReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectRulesReview> CREATE_SELFSUBJECTRULESREVIEW = (requestParams, usage, cont, callback) -> {
+    return createSelfSubjectRulesReviewAsync(usage, (V1SelfSubjectRulesReview) requestParams.body, callback);
+  };
+  
+  /**
+   * Asynchronous step for creating self subject rules review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectRulesReviewAsync(V1SelfSubjectRulesReview body, ResponseStep<V1SelfSubjectRulesReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectRulesReview", null, null, body), CREATE_SELFSUBJECTRULESREVIEW);
+  }
+  
   /* Token Review */
 
   /**

operator/src/main/java/oracle/kubernetes/operator/helpers/ClientFactory.java

@@ -0,0 +1,12 @@
+// Copyright 2018, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+
+package oracle.kubernetes.operator.helpers;
+
+import java.util.function.Supplier;
+
+import io.kubernetes.client.ApiClient;
+
+public interface ClientFactory extends Supplier<ApiClient> {
+
+}

operator/src/main/java/oracle/kubernetes/operator/helpers/ClientPool.java

@@ -9,15 +9,18 @@
 import oracle.kubernetes.operator.logging.LoggingFacade;
 import oracle.kubernetes.operator.logging.LoggingFactory;
 import oracle.kubernetes.operator.logging.MessageKeys;
+import oracle.kubernetes.operator.work.Container;
+import oracle.kubernetes.operator.work.ContainerResolver;
 
+import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 public class ClientPool extends Pool<ApiClient> {
   private static final LoggingFacade LOGGER = LoggingFactory.getLogger("Operator", "Operator");
   private static final ClientPool SINGLETON = new ClientPool();
-
-  private final AtomicBoolean first = new AtomicBoolean(true);
+  
+  private static final DefaultClientFactory FACTORY = new DefaultClientFactory();
 
   public static ClientPool getInstance() {
     return SINGLETON;
@@ -37,10 +40,16 @@ private ApiClient getApiClient() {
     ApiClient client = null;
     LOGGER.fine(MessageKeys.CREATING_API_CLIENT);
     try {
-      client = Config.defaultClient();
-      if (first.getAndSet(false)) {
-        Configuration.setDefaultApiClient(client);
+      ClientFactory factory = null;
+      Container c = ContainerResolver.getInstance().getContainer();
+      if (c != null) {
+        factory = c.getSPI(ClientFactory.class);
+      }
+      if (factory == null) {
+        factory = FACTORY;
       }
+      
+      client = factory.get();
     } catch (Throwable e) {
       LOGGER.warning(MessageKeys.EXCEPTION, e);
     }
@@ -53,4 +62,22 @@ private ApiClient getApiClient() {
     return client;
   }
 
+  private static class DefaultClientFactory implements ClientFactory {
+    private final AtomicBoolean first = new AtomicBoolean(true);
+
+    @Override
+    public ApiClient get() {
+      ApiClient client;
+      try {
+        client = Config.defaultClient();
+        if (first.getAndSet(false)) {
+          Configuration.setDefaultApiClient(client);
+        }
+        return client;
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    }
+    
+  }
 }