resolve conflicts with develop branch

Author: russgold

kubernetes/internal/generate-security-policy.sh

@@ -111,6 +111,12 @@ rules:
 - apiGroups: ["extensions"]
   resources: ["ingresses"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["selfsubjectaccessreviews", "localsubjectaccessreviews", "subjectaccessreviews", "selfsubjectrulesreviews"]
+  verbs: ["create"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -259,4 +265,4 @@ EOF
 #
 echo "Create the WebLogic Operator Security configuration using kubectl as follows: kubectl create -f ${SCRIPT}"
 #
-echo "Ensure you start the API server with the --authorization-mode=RBAC option."
+echo "Ensure you start the API server with the --authorization-mode=RBAC option."

operator/src/main/java/oracle/kubernetes/operator/Main.java

@@ -221,7 +221,7 @@ private static void begin() {
         HealthCheckHelper healthCheck = new HealthCheckHelper(namespace, targetNamespaces);
         version = healthCheck.performK8sVersionCheck();
         healthCheck.performNonSecurityChecks();
-        healthCheck.performSecurityChecks(serviceAccountName);
+        healthCheck.performSecurityChecks(version);
       } catch (ApiException e) {
         LOGGER.warning(MessageKeys.EXCEPTION, e);
       }

operator/src/main/java/oracle/kubernetes/operator/helpers/AuthenticationProxy.java

@@ -36,7 +36,7 @@ public V1TokenReviewStatus check(String principal, String token) {
     try {
       boolean allowed = authorizationProxy.check(principal,
           AuthorizationProxy.Operation.create,
-          AuthorizationProxy.Resource.tokenreviews,
+          AuthorizationProxy.Resource.TOKENREVIEWS,
           null,
           AuthorizationProxy.Scope.cluster,
           null);

operator/src/main/java/oracle/kubernetes/operator/helpers/AuthorizationProxy.java

@@ -8,6 +8,10 @@
 import io.kubernetes.client.ApiException;
 import io.kubernetes.client.models.V1ObjectMeta;
 import io.kubernetes.client.models.V1ResourceAttributes;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectAccessReviewSpec;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReview;
 import io.kubernetes.client.models.V1SubjectAccessReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReviewStatus;
@@ -37,18 +41,50 @@ public enum Operation {
   }
 
   public enum Resource {
-    pods,
-    services,
-    namespaces,
-    customresources,
-    customresourcedefinitions,
-    domains,
-    tokenreviews,
-    networkpolicies,
-    secrets,
-    persistentvolumes,
-    persistentvolumeclaims,
-    ingresses
+    CONFIGMAPS ("configmaps", ""),
+    PODS ("pods", ""),
+    LOGS ("pods", "logs", ""),
+    EXEC ("pods", "exec", ""),
+    PODTEMPLATES ("podtemplates", ""),
+    EVENTS ("events", ""),
+    SERVICES ("services", ""),
+    NAMESPACES ("namespaces", ""),
+    JOBS ("jobs", "batch"),
+    CRONJOBS ("cronjobs", "batch"),
+    CRDS ("customresourcedefinitions", "apiextensions.k8s.io"),
+    DOMAINS ("domains", "weblogic.oracle"),
+    DOMAINSTATUSS ("domains", "status", "weblogic.oracle"),
+    SUBJECTACCESSREVIEWS ("subjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTACCESSREVIEWS ("selfsubjectaccessreviews", "authorization.k8s.io"),
+    LOCALSUBJECTACCESSREVIEWS ("localsubjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTRULESREVIEWS ("selfsubjectrulesreviews", "authorization.k8s.io"),
+    TOKENREVIEWS ("tokenreviews", "authentication.k8s.io"),
+    SECRETS ("secrets", ""),
+    PERSISTENTVOLUMES ("persistentvolumes", ""),
+    PERSISTENTVOLUMECLAIMS ("persistentvolumeclaims", ""),
+    STORAGECLASSES ("storageclasses", "storage.k8s.io"),
+    PODPRESETS ("podpresets" , "settings.k8s.io"),
+    INGRESSES ("ingresses", "extensions"),
+    NETWORKPOLICIES ("networkpolicies", "extensions"),
+    PODSECURITYPOLICIES ("podsecuritypolicies", "extensions");
+    
+    private final String resource;
+    private final String subResource;
+    private final String apiGroup;
+    
+    Resource(String resource, String apiGroup) {
+      this(resource, "", apiGroup);
+    }
+    
+    Resource(String resource, String subResource, String apiGroup) {
+      this.resource = resource;
+      this.subResource = subResource;
+      this.apiGroup = apiGroup;
+    }
+    
+    public String getResource() { return resource; }
+    public String getSubResource() { return subResource; }
+    public String getAPIGroup() { return apiGroup; }
   }
 
   public enum Scope {
@@ -104,6 +140,24 @@ public boolean check(String principal, final List<String> groups, Operation oper
     return result;
   }
 
+  public boolean check(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReview subjectAccessReview = prepareSelfSubjectAccessReview(operation, resource, resourceName, scope, namespaceName);
+    try {
+      CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+      subjectAccessReview = factory.create().createSelfSubjectAccessReview(subjectAccessReview);
+    } catch (ApiException e) {
+      LOGGER.severe(MessageKeys.APIEXCEPTION_FROM_SUBJECT_ACCESS_REVIEW, e);
+      LOGGER.exiting(Boolean.FALSE);
+      return Boolean.FALSE;
+
+    }
+    V1SubjectAccessReviewStatus subjectAccessReviewStatus = subjectAccessReview.getStatus();
+    Boolean result = subjectAccessReviewStatus.isAllowed();
+    LOGGER.exiting(result);
+    return result;
+  }
+
   /**
    * Prepares an instance of SubjectAccessReview and returns same.
    *
@@ -133,6 +187,21 @@ private V1SubjectAccessReview prepareSubjectAccessReview(String principal, final
     return subjectAccessReview;
   }
 
+  private V1SelfSubjectAccessReview prepareSelfSubjectAccessReview(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReviewSpec subjectAccessReviewSpec = new V1SelfSubjectAccessReviewSpec();
+
+    subjectAccessReviewSpec.setResourceAttributes(prepareResourceAttributes(operation, resource, resourceName, scope, namespaceName));
+
+    V1SelfSubjectAccessReview subjectAccessReview = new V1SelfSubjectAccessReview();
+    subjectAccessReview.setApiVersion("authorization.k8s.io/v1");
+    subjectAccessReview.setKind("SelfSubjectAccessReview");
+    subjectAccessReview.setMetadata(new V1ObjectMeta());
+    subjectAccessReview.setSpec(subjectAccessReviewSpec);
+    LOGGER.exiting(subjectAccessReview);
+    return subjectAccessReview;
+  }
+
   /**
    * Prepares an instance of ResourceAttributes and returns same.
    *
@@ -150,12 +219,9 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
       resourceAttributes.setVerb(operation.toString());
     }
     if (null != resource) {
-      resourceAttributes.setResource(resource.toString());
-    }
-
-    String apiGroup = getApiGroup(resource);
-    if (apiGroup != null) {
-      resourceAttributes.setGroup(apiGroup);
+      resourceAttributes.setResource(resource.resource);
+      resourceAttributes.setSubresource(resource.subResource);
+      resourceAttributes.setGroup(resource.apiGroup);
     }
 
     if (null != resourceName) {
@@ -168,25 +234,18 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
     LOGGER.exiting(resourceAttributes);
     return resourceAttributes;
   }
-
-  private String getApiGroup(Resource resource) {
-    if (resource == Resource.domains) {
-      return "weblogic.oracle";
-    }
-
-    if (resource == Resource.customresourcedefinitions) {
-      return "apiextensions.k8s.io";
-    }
-
-    if (resource == Resource.tokenreviews) {
-      return "authentication.k8s.io";
-    }
-    
-    if (resource == Resource.ingresses) {
-      return "extensions";
+  
+  public V1SelfSubjectRulesReview review(String namespace) {
+    V1SelfSubjectRulesReview subjectRulesReview = new V1SelfSubjectRulesReview();
+    V1SelfSubjectRulesReviewSpec spec = new V1SelfSubjectRulesReviewSpec();
+    spec.setNamespace(namespace);
+    subjectRulesReview.setSpec(spec);
+    CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+    try {
+      return factory.create().createSelfSubjectRulesReview(subjectRulesReview);
+    } catch (ApiException e) {
+      LOGGER.warning(MessageKeys.EXCEPTION, e);
+      return null;
     }
-
-    // TODO - do we need to specify the api group for any of the other Resource values?
-    return null;
   }
 }

operator/src/main/java/oracle/kubernetes/operator/helpers/CallBuilder.java

@@ -23,6 +23,8 @@
 import io.kubernetes.client.models.V1Pod;
 import io.kubernetes.client.models.V1PodList;
 import io.kubernetes.client.models.V1Secret;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
 import io.kubernetes.client.models.V1Service;
 import io.kubernetes.client.models.V1ServiceList;
 import io.kubernetes.client.models.V1Status;
@@ -58,6 +60,10 @@ public class CallBuilder {
    * HTTP status code for "Not Found"
    */
   public static final int NOT_FOUND = 404;
+  /**
+   * HTTP status code for "Conflict"
+   */
+  public static final int CONFLICT = 409;
 
   public String pretty = "false";
   public String fieldSelector = "";
@@ -740,6 +746,91 @@ public V1SubjectAccessReview createSubjectAccessReview(V1SubjectAccessReview bod
     }
   }
 
+  private com.squareup.okhttp.Call createSubjectAccessReviewAsync(ApiClient client, V1SubjectAccessReview body, ApiCallback<V1SubjectAccessReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSubjectAccessReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SubjectAccessReview> CREATE_SUBJECTACCESSREVIEW = (requestParams, usage, cont, callback)
+        -> wrap(createSubjectAccessReviewAsync(usage, (V1SubjectAccessReview) requestParams.body, callback));
+  
+  /**
+   * Asynchronous step for creating subject access review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSubjectAccessReviewAsync(V1SubjectAccessReview body, ResponseStep<V1SubjectAccessReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSubjectAccessReview", null, null, body), CREATE_SUBJECTACCESSREVIEW);
+  }
+  
+  /* Self Subject Access Review */
+  
+  /**
+   * Create self subject access review
+   * @param body Body
+   * @return Created self subject access review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectAccessReview createSelfSubjectAccessReview(V1SelfSubjectAccessReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectAccessReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectAccessReviewAsync(ApiClient client, V1SelfSubjectAccessReview body, ApiCallback<V1SelfSubjectAccessReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectAccessReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectAccessReview> CREATE_SELFSUBJECTACCESSREVIEW = (requestParams, usage, cont, callback)
+        -> wrap(createSelfSubjectAccessReviewAsync(usage, (V1SelfSubjectAccessReview) requestParams.body, callback));
+  
+  /**
+   * Asynchronous step for creating self subject access review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectAccessReviewAsync(V1SelfSubjectAccessReview body, ResponseStep<V1SelfSubjectAccessReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectAccessReview", null, null, body), CREATE_SELFSUBJECTACCESSREVIEW);
+  }
+  
+  /* Self Subject Rules Review */
+  
+  /**
+   * Create self subject rules review
+   * @param body Body
+   * @return Created self subject rules review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectRulesReview createSelfSubjectRulesReview(V1SelfSubjectRulesReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectRulesReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectRulesReviewAsync(ApiClient client, V1SelfSubjectRulesReview body, ApiCallback<V1SelfSubjectRulesReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectRulesReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectRulesReview> CREATE_SELFSUBJECTRULESREVIEW = (requestParams, usage, cont, callback)
+        -> wrap(createSelfSubjectRulesReviewAsync(usage, (V1SelfSubjectRulesReview) requestParams.body, callback));
+  
+  /**
+   * Asynchronous step for creating self subject rules review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectRulesReviewAsync(V1SelfSubjectRulesReview body, ResponseStep<V1SelfSubjectRulesReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectRulesReview", null, null, body), CREATE_SELFSUBJECTRULESREVIEW);
+  }
+  
   /* Token Review */
 
   /**

operator/src/main/java/oracle/kubernetes/operator/helpers/ClientFactory.java

@@ -0,0 +1,12 @@
+// Copyright 2018, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+
+package oracle.kubernetes.operator.helpers;
+
+import java.util.function.Supplier;
+
+import io.kubernetes.client.ApiClient;
+
+public interface ClientFactory extends Supplier<ApiClient> {
+
+}