Optimize health check using self subject rules review

Author: rjeberhard

operator/src/main/java/oracle/kubernetes/operator/Main.java

@@ -220,7 +220,7 @@ private static void begin() {
         HealthCheckHelper healthCheck = new HealthCheckHelper(namespace, targetNamespaces);
         version = healthCheck.performK8sVersionCheck();
         healthCheck.performNonSecurityChecks();
-        healthCheck.performSecurityChecks();
+        healthCheck.performSecurityChecks(version);
       } catch (ApiException e) {
         LOGGER.warning(MessageKeys.EXCEPTION, e);
       }

operator/src/main/java/oracle/kubernetes/operator/helpers/AuthorizationProxy.java

@@ -10,6 +10,8 @@
 import io.kubernetes.client.models.V1ResourceAttributes;
 import io.kubernetes.client.models.V1SelfSubjectAccessReview;
 import io.kubernetes.client.models.V1SelfSubjectAccessReviewSpec;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReview;
 import io.kubernetes.client.models.V1SubjectAccessReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReviewStatus;
@@ -232,4 +234,18 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
     LOGGER.exiting(resourceAttributes);
     return resourceAttributes;
   }
+  
+  public V1SelfSubjectRulesReview review(String namespace) {
+    V1SelfSubjectRulesReview subjectRulesReview = new V1SelfSubjectRulesReview();
+    V1SelfSubjectRulesReviewSpec spec = new V1SelfSubjectRulesReviewSpec();
+    spec.setNamespace(namespace);
+    subjectRulesReview.setSpec(spec);
+    CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+    try {
+      return factory.create().createSelfSubjectRulesReview(subjectRulesReview);
+    } catch (ApiException e) {
+      LOGGER.warning(MessageKeys.EXCEPTION, e);
+      return null;
+    }
+  }
 }

operator/src/main/java/oracle/kubernetes/operator/helpers/CallBuilder.java

@@ -37,6 +37,7 @@
 import io.kubernetes.client.models.V1PodList;
 import io.kubernetes.client.models.V1Secret;
 import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
 import io.kubernetes.client.models.V1Service;
 import io.kubernetes.client.models.V1ServiceList;
 import io.kubernetes.client.models.V1Status;
@@ -1420,6 +1421,41 @@ public Step createSelfSubjectAccessReviewAsync(V1SelfSubjectAccessReview body, R
     return createRequestAsync(responseStep, new RequestParams("createSelfSubjectAccessReview", null, null, body), CREATE_SELFSUBJECTACCESSREVIEW);
   }
 
+  /* Self Subject Rules Review */
+  
+  /**
+   * Create self subject rules review
+   * @param body Body
+   * @return Created self subject rules review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectRulesReview createSelfSubjectRulesReview(V1SelfSubjectRulesReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectRulesReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectRulesReviewAsync(ApiClient client, V1SelfSubjectRulesReview body, ApiCallback<V1SelfSubjectRulesReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectRulesReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectRulesReview> CREATE_SELFSUBJECTRULESREVIEW = (requestParams, usage, cont, callback) -> {
+    return createSelfSubjectRulesReviewAsync(usage, (V1SelfSubjectRulesReview) requestParams.body, callback);
+  };
+  
+  /**
+   * Asynchronous step for creating self subject rules review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectRulesReviewAsync(V1SelfSubjectRulesReview body, ResponseStep<V1SelfSubjectRulesReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectRulesReview", null, null, body), CREATE_SELFSUBJECTRULESREVIEW);
+  }
+  
   /* Token Review */
 
   /**

operator/src/main/java/oracle/kubernetes/operator/helpers/HealthCheckHelper.java

@@ -6,6 +6,9 @@
 import io.kubernetes.client.ApiException;
 import io.kubernetes.client.models.V1PersistentVolume;
 import io.kubernetes.client.models.V1PersistentVolumeList;
+import io.kubernetes.client.models.V1ResourceRule;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
+import io.kubernetes.client.models.V1SubjectRulesReviewStatus;
 import io.kubernetes.client.models.VersionInfo;
 import oracle.kubernetes.weblogic.domain.v1.Domain;
 import oracle.kubernetes.weblogic.domain.v1.DomainList;
@@ -130,10 +133,10 @@ public void performNonSecurityChecks() throws ApiException {
 
   /**
    * Verify Access.
-   *
+   * @param version Kubernetes version
    * @throws ApiException exception for k8s API
    **/
-  public void performSecurityChecks() throws ApiException {
+  public void performSecurityChecks(KubernetesVersion version) throws ApiException {
 
     // Validate namespace
     if (DEFAULT_NAMESPACE.equals(operatorNamespace)) {
@@ -143,7 +146,51 @@ public void performSecurityChecks() throws ApiException {
     // Validate RBAC or ABAC policies allow service account to perform required operations
     AuthorizationProxy ap = new AuthorizationProxy();
     LOGGER.info(MessageKeys.VERIFY_ACCESS_START);
-
+    
+    if (version.major > 1 || version.minor >= 8) {
+      boolean rulesReviewSuccessful = true;
+      for (String ns : targetNamespaces) {
+        V1SelfSubjectRulesReview review = ap.review(ns);
+        if (review == null) {
+          rulesReviewSuccessful = false;
+          break;
+        }
+        
+        V1SubjectRulesReviewStatus status = review.getStatus();
+        List<V1ResourceRule> rules = status.getResourceRules();
+        
+        for (AuthorizationProxy.Resource r : namespaceAccessChecks.keySet()) {
+          for (AuthorizationProxy.Operation op : namespaceAccessChecks.get(r)) {
+            check(rules, r, op);
+          }
+        }
+        for (AuthorizationProxy.Resource r : clusterAccessChecks.keySet()) {
+          for (AuthorizationProxy.Operation op : clusterAccessChecks.get(r)) {
+            check(rules, r, op);
+          }
+        }
+      }
+      if (!targetNamespaces.contains("default")) {
+        V1SelfSubjectRulesReview review = ap.review("default");
+        if (review == null) {
+          rulesReviewSuccessful = false;
+        } else {
+          V1SubjectRulesReviewStatus status = review.getStatus();
+          List<V1ResourceRule> rules = status.getResourceRules();
+
+          for (AuthorizationProxy.Resource r : clusterAccessChecks.keySet()) {
+            for (AuthorizationProxy.Operation op : clusterAccessChecks.get(r)) {
+              check(rules, r, op);
+            }
+          }
+        }
+      }
+      
+      if (rulesReviewSuccessful) {
+        return;
+      }
+    }
+    
     for (AuthorizationProxy.Resource r : namespaceAccessChecks.keySet()) {
       for (AuthorizationProxy.Operation op : namespaceAccessChecks.get(r)) {
 
@@ -164,7 +211,38 @@ public void performSecurityChecks() throws ApiException {
       }
     }
   }
+  
+  private void check(List<V1ResourceRule> rules, AuthorizationProxy.Resource r, AuthorizationProxy.Operation op) {
+    String verb = op.name();
+    String apiGroup = r.getAPIGroup();
+    String resource = r.getResource();
+    String sub = r.getSubResource();
+    if (sub != null && !sub.isEmpty()) {
+      resource = resource + "/" + sub;
+    }
+    for (V1ResourceRule rule : rules) {
+      List<String> ruleApiGroups = rule.getApiGroups();
+      if (apiGroupMatch(ruleApiGroups, apiGroup)) {
+        List<String> ruleResources = rule.getResources();
+        if (ruleResources != null && ruleResources.contains(resource)) {
+          List<String> ruleVerbs = rule.getVerbs();
+          if (ruleVerbs != null && ruleVerbs.contains(verb)) {
+            return;
+          }
+        }
+      }
+    }
+    
+    LOGGER.warning(MessageKeys.VERIFY_ACCESS_DENIED, op, r.getResource());
+  }
 
+  private boolean apiGroupMatch(List<String> ruleApiGroups, String apiGroup) {
+    if (apiGroup == null || apiGroup.isEmpty()) {
+      return ruleApiGroups == null || ruleApiGroups.isEmpty() || ruleApiGroups.contains("");
+    }
+    return ruleApiGroups != null && ruleApiGroups.contains(apiGroup);
+  }
+  
   /**
    * Major and minor version of Kubernetes API Server
    * 

operator/src/test/java/oracle/kubernetes/operator/HealthCheckHelperTest.java

@@ -12,7 +12,10 @@
 import io.kubernetes.client.models.V1ServiceAccount;
 import io.kubernetes.client.models.V1beta1ClusterRole;
 import io.kubernetes.client.models.V1beta1ClusterRoleBinding;
+import io.kubernetes.client.models.V1beta1PolicyRule;
 import io.kubernetes.client.models.V1beta1RoleBinding;
+import io.kubernetes.client.models.V1beta1RoleRef;
+import io.kubernetes.client.models.V1beta1Subject;
 import io.kubernetes.client.util.ClientBuilder;
 import io.kubernetes.client.util.Config;
 import oracle.kubernetes.TestUtils;
@@ -25,6 +28,7 @@
 import oracle.kubernetes.operator.helpers.ClientFactory;
 import oracle.kubernetes.operator.helpers.ClientPool;
 import oracle.kubernetes.operator.helpers.HealthCheckHelper;
+import oracle.kubernetes.operator.helpers.HealthCheckHelper.KubernetesVersion;
 import oracle.kubernetes.operator.logging.LoggingFacade;
 import oracle.kubernetes.operator.logging.LoggingFactory;
 import oracle.kubernetes.operator.logging.LoggingFormatter;
@@ -51,6 +55,7 @@
 
 public class HealthCheckHelperTest {
 
+  private KubernetesVersion version;
   private HealthCheckHelper unitHealthCheckHelper;
 
   private final static String UNIT_NAMESPACE = "unit-test-namespace";
@@ -76,7 +81,7 @@ public void setUp() throws Exception {
     createNamespace(UNIT_NAMESPACE);
 
     unitHealthCheckHelper = new HealthCheckHelper(UNIT_NAMESPACE, Collections.singleton(UNIT_NAMESPACE));
-    
+
     userProjects = UserProjects.createUserProjectsDirectory();
   }
 
@@ -115,6 +120,8 @@ public void testAccountNoPrivs() throws Exception {
     String token = new String(secret.getData().get("token"), StandardCharsets.UTF_8);
     */
 
+    applyMinimumSecurity(apiClient, UNIT_NAMESPACE, "alice");
+
     ContainerResolver.getInstance().getContainer().getComponents().put(
         ProcessingConstants.MAIN_COMPONENT_NAME,
         Component.createFor(
@@ -136,7 +143,8 @@ public ApiClient get() {
 
     ClientPool.getInstance().drain();
 
-    unitHealthCheckHelper.performSecurityChecks();
+    version = unitHealthCheckHelper.performK8sVersionCheck();
+    unitHealthCheckHelper.performSecurityChecks(version);
     hdlr.flush();
     String logOutput = bos.toString();
 
@@ -186,7 +194,8 @@ public ApiClient get() {
 
     ClientPool.getInstance().drain();
 
-    unitHealthCheckHelper.performSecurityChecks();
+    version = unitHealthCheckHelper.performK8sVersionCheck();
+    unitHealthCheckHelper.performSecurityChecks(version);
     hdlr.flush();
     String logOutput = bos.toString();
 
@@ -195,6 +204,46 @@ public ApiClient get() {
     bos.reset();
   }
 
+  private void applyMinimumSecurity(ApiClient apiClient, String namespace, String sa) throws Exception {
+    V1beta1ClusterRole clusterRole = new V1beta1ClusterRole();
+    clusterRole.setMetadata(new V1ObjectMeta()
+        .name("test-role")
+        .putLabelsItem("weblogic.operatorName", namespace));
+    clusterRole.addRulesItem(new V1beta1PolicyRule().addNonResourceURLsItem("/version/*").addVerbsItem("get"));
+    clusterRole.addRulesItem(new V1beta1PolicyRule().addResourcesItem("selfsubjectrulesreviews")
+        .addApiGroupsItem("authorization.k8s.io").addVerbsItem("create"));
+    V1beta1ClusterRoleBinding clusterRoleBinding = new V1beta1ClusterRoleBinding();
+    clusterRoleBinding.setMetadata(new V1ObjectMeta()
+        .name(namespace + "-test-role")
+        .putLabelsItem("weblogic.operatorName", namespace));
+    clusterRoleBinding.addSubjectsItem(new V1beta1Subject()
+        .kind("ServiceAccount")
+        .apiGroup("")
+        .name(sa).namespace(namespace));
+    clusterRoleBinding.roleRef(new V1beta1RoleRef()
+        .kind("ClusterRole")
+        .apiGroup("rbac.authorization.k8s.io")
+        .name("test-role"));
+    RbacAuthorizationV1beta1Api rbac = new RbacAuthorizationV1beta1Api(apiClient);
+
+    try {
+      rbac.createClusterRole(clusterRole, "false");
+    } catch (ApiException api) {
+      if (api.getCode() != CallBuilder.CONFLICT) {
+        throw api;
+      }
+      rbac.replaceClusterRole(clusterRole.getMetadata().getName(), clusterRole, "false");
+    }
+    try {
+      rbac.createClusterRoleBinding(clusterRoleBinding, "false");
+    } catch (ApiException api) {
+      if (api.getCode() != CallBuilder.CONFLICT) {
+        throw api;
+      }
+      rbac.replaceClusterRoleBinding(clusterRoleBinding.getMetadata().getName(), clusterRoleBinding, "false");
+    }
+  }
+  
   private void applySecurity(ApiClient apiClient, String namespace, String sa) throws Exception {
     CreateOperatorInputs inputs = readDefaultInputsFile()
         .namespace(namespace)