feat(controller): drop most legacy routes when ProxyClusterScoped is active (#674)

* chore: add golint and fix truthy

Signed-off-by: Oliver Bähler <[email protected]>

* fix(api): deprecate operations field

Signed-off-by: Oliver Bähler <[email protected]>

* test(e2e): add header test

Signed-off-by: Oliver Bähler <[email protected]>

* fix(controller): register dynamic clsuterresource paths for legacy proxysettings when enabled

Signed-off-by: Oliver Bähler <[email protected]>

* test(e2e): register dynamic clsuterresource paths for legacy proxysettings when enabled

Signed-off-by: Oliver Bähler <[email protected]>

---------

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

.github/configs/lintconf.yaml

@@ -6,6 +6,11 @@ ignore:
 rules:
   truthy:
     level: warning
+    allowed-values:
+    - "true"
+    - "false"
+    - "on"
+    - "off"
     check-keys: false
   braces:
     min-spaces-inside: 0

.pre-commit-config.yaml

@@ -34,3 +34,8 @@ repos:
     entry: make helm-lint
     language: system
     files: ^charts/
+  - id: golangci-lint
+    name: Execute golangci-lint
+    entry: make golint
+    language: system
+    files: \.go$

api/v1beta1/clusterresoure.go

@@ -22,8 +22,9 @@ type ClusterResource struct {
 	Resources []string `json:"resources"`
 
 	// Operations which can be executed on the selected resources.
-	// +kubebuilder:default={List}
-	Operations []ClusterResourceOperation `json:"operations"`
+	// Deprecated: For all registered Routes only LIST ang GET requests will intercepted
+	// Other permissions must be implemented via kubernetes native RBAC
+	Operations []ClusterResourceOperation `json:"operations,omitempty"`
 
 	// Select all cluster scoped resources with the given label selector.
 	// Defining a selector which does not match any resources is considered not selectable (eg. using operation NotExists).

charts/capsule-proxy/crds/capsule.clastix.io_globalproxysettings.yaml

@@ -61,10 +61,10 @@ spec:
                               type: string
                             type: array
                           operations:
-                            default:
-                            - List
-                            description: Operations which can be executed on the selected
-                              resources.
+                            description: |-
+                              Operations which can be executed on the selected resources.
+                              Deprecated: For all registered Routes only LIST ang GET requests will intercepted
+                              Other permissions must be implemented via kubernetes native RBAC
                             items:
                               enum:
                               - List
@@ -128,7 +128,6 @@ spec:
                             x-kubernetes-map-type: atomic
                         required:
                         - apiGroups
-                        - operations
                         - resources
                         - selector
                         type: object

charts/capsule-proxy/crds/capsule.clastix.io_proxysettings.yaml

@@ -59,10 +59,10 @@ spec:
                               type: string
                             type: array
                           operations:
-                            default:
-                            - List
-                            description: Operations which can be executed on the selected
-                              resources.
+                            description: |-
+                              Operations which can be executed on the selected resources.
+                              Deprecated: For all registered Routes only LIST ang GET requests will intercepted
+                              Other permissions must be implemented via kubernetes native RBAC
                             items:
                               enum:
                               - List
@@ -126,7 +126,6 @@ spec:
                             x-kubernetes-map-type: atomic
                         required:
                         - apiGroups
-                        - operations
                         - resources
                         - selector
                         type: object

e2e/global_settings_test.go

@@ -161,4 +161,49 @@ var _ = Describe("GlobalProxySettings", func() {
 			return listClusterRoles(bobClient)
 		}).Should(Equal(expectedRoles), "Bob should only have access to the specified cluster roles")
 	})
+
+	It("Should only allow listing clusterroles, but deny create, update, delete", func() {
+		roleToCreate := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   "unauthorized-clusterrole",
+				Labels: e2eLabels(),
+			},
+			Rules: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{""},
+					Resources: []string{"pods"},
+					Verbs:     []string{"get"},
+				},
+			},
+		}
+
+		attemptCreate := func(clientset *kubernetes.Clientset) error {
+			_, err := clientset.RbacV1().ClusterRoles().Create(context.Background(), roleToCreate, metav1.CreateOptions{})
+			return err
+		}
+
+		attemptUpdate := func(clientset *kubernetes.Clientset) error {
+			role, err := clientset.RbacV1().ClusterRoles().Get(context.Background(), "tenant-viewer", metav1.GetOptions{})
+			if err != nil {
+				return err
+			}
+			role.Annotations = map[string]string{"updated": "true"}
+			_, err = clientset.RbacV1().ClusterRoles().Update(context.Background(), role, metav1.UpdateOptions{})
+			return err
+		}
+
+		attemptDelete := func(clientset *kubernetes.Clientset) error {
+			return clientset.RbacV1().ClusterRoles().Delete(context.Background(), "tenant-viewer", metav1.DeleteOptions{})
+		}
+
+		By("Denying create/update/delete for Alice")
+		Expect(attemptCreate(aliceClient)).To(HaveOccurred(), "Alice should not be able to create ClusterRoles")
+		Expect(attemptUpdate(aliceClient)).To(HaveOccurred(), "Alice should not be able to update ClusterRoles")
+		Expect(attemptDelete(aliceClient)).To(HaveOccurred(), "Alice should not be able to delete ClusterRoles")
+
+		By("Denying create/update/delete for Bob")
+		Expect(attemptCreate(bobClient)).To(HaveOccurred(), "Bob should not be able to create ClusterRoles")
+		Expect(attemptUpdate(bobClient)).To(HaveOccurred(), "Bob should not be able to update ClusterRoles")
+		Expect(attemptDelete(bobClient)).To(HaveOccurred(), "Bob should not be able to delete ClusterRoles")
+	})
 })

e2e/namespace_test.go

@@ -0,0 +1,123 @@
+package e2e_test
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+)
+
+var _ = Describe("Namespaces", func() {
+	var aliceClient, bobClient *kubernetes.Clientset
+
+	// Create Global Proxy Settings
+	wind := &capsulev1beta2.Tenant{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   "wind",
+			Labels: e2eLabels(),
+		},
+		Spec: capsulev1beta2.TenantSpec{
+			Owners: capsulev1beta2.OwnerListSpec{
+				{
+					Name: "alice",
+					Kind: "User",
+				},
+			},
+		},
+	}
+
+	// Create Global Proxy Settings
+	solar := &capsulev1beta2.Tenant{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   "solar",
+			Labels: e2eLabels(),
+		},
+		Spec: capsulev1beta2.TenantSpec{
+			Owners: capsulev1beta2.OwnerListSpec{
+				{
+					Name: "bob",
+					Kind: "User",
+				},
+				{
+					Name: "alice",
+					Kind: "User",
+				},
+			},
+		},
+	}
+
+	BeforeEach(func() {
+		var err error
+
+		aliceClient, err = loadKubeConfig("alice")
+		Expect(err).ToNot(HaveOccurred())
+		bobClient, err = loadKubeConfig("bob")
+		Expect(err).ToNot(HaveOccurred())
+
+		for _, tnt := range []*capsulev1beta2.Tenant{solar, wind} {
+			Eventually(func() error {
+				tnt.ResourceVersion = ""
+
+				return k8sClient.Create(context.TODO(), tnt)
+			}).Should(Succeed())
+		}
+	})
+
+	JustAfterEach(func() {
+		for _, tnt := range []*capsulev1beta2.Tenant{solar, wind} {
+			Expect(k8sClient.Delete(context.TODO(), tnt)).Should(Succeed())
+		}
+	})
+
+	It("Should correctly list", func() {
+		nsAlice1 := NewNamespace("")
+		nsAlice1.Labels = map[string]string{
+			"capsule.clastix.io/tenant": "wind",
+		}
+		NamespaceCreation(nsAlice1, wind.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
+
+		nsAlice2 := NewNamespace("")
+		nsAlice2.Labels = map[string]string{
+			"capsule.clastix.io/tenant": "wind",
+		}
+		NamespaceCreation(nsAlice2, wind.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
+
+		listNamespaces := func(clientset *kubernetes.Clientset) ([]string, error) {
+			ns, err := clientset.CoreV1().Namespaces().List(context.Background(), metav1.ListOptions{})
+			if err != nil {
+				return nil, err
+			}
+			var nsNames []string
+			for _, name := range ns.Items {
+				nsNames = append(nsNames, name.Name)
+			}
+
+			return nsNames, nil
+		}
+
+		Eventually(func() ([]string, error) {
+			return listNamespaces(aliceClient)
+		}).Should(ConsistOf(nsAlice1.GetName(), nsAlice2.GetName()), "Alice should only have access to the expected namespaces, order does not matter")
+
+		nsBob1 := NewNamespace("")
+		nsBob1.Labels = map[string]string{
+			"capsule.clastix.io/tenant": "solar",
+		}
+		NamespaceCreation(nsBob1, solar.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
+
+		nsBob2 := NewNamespace("")
+		nsBob2.Labels = map[string]string{
+			"capsule.clastix.io/tenant": "solar",
+		}
+		NamespaceCreation(nsBob2, solar.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
+
+		Eventually(func() ([]string, error) {
+			return listNamespaces(bobClient)
+		}).Should(ConsistOf(nsBob1.GetName(), nsBob2.GetName()), "Alice should only have access to the expected namespaces, order does not matter")
+
+	})
+})

e2e/suite_test.go

@@ -4,6 +4,7 @@ package e2e_test
 import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 	"k8s.io/client-go/rest"
 	"k8s.io/kubectl/pkg/scheme"
 	"k8s.io/utils/ptr"
@@ -36,6 +37,7 @@ var _ = BeforeSuite(func() {
 	Expect(cfg).ToNot(BeNil())
 
 	Expect(v1beta1.AddToScheme(scheme.Scheme)).NotTo(HaveOccurred())
+	Expect(capsulev1beta2.AddToScheme(scheme.Scheme)).NotTo(HaveOccurred())
 
 	ctrlClient, err := client.New(cfg, client.Options{Scheme: scheme.Scheme})
 	Expect(err).ToNot(HaveOccurred())

e2e/utils_test.go

@@ -6,10 +6,16 @@ import (
 	"path/filepath"
 	"time"
 
+	. "github.com/onsi/gomega"
+	capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
 const (
@@ -65,3 +71,40 @@ func loadKubeConfig(user string) (*kubernetes.Clientset, error) {
 
 	return clientset, nil
 }
+
+func NewNamespace(name string, labels ...map[string]string) *corev1.Namespace {
+	if len(name) == 0 {
+		name = rand.String(10)
+	}
+
+	var namespaceLabels map[string]string
+	if len(labels) > 0 {
+		namespaceLabels = labels[0]
+	}
+
+	return &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   name,
+			Labels: namespaceLabels,
+		},
+	}
+}
+
+func NamespaceCreation(ns *corev1.Namespace, owner capsulev1beta2.OwnerSpec, timeout time.Duration) AsyncAssertion {
+	cs := ownerClient(owner)
+	return Eventually(func() (err error) {
+		_, err = cs.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{})
+		return
+	}, timeout, defaultPollInterval)
+}
+
+func ownerClient(owner capsulev1beta2.OwnerSpec) (cs kubernetes.Interface) {
+	c, err := config.GetConfig()
+	Expect(err).ToNot(HaveOccurred())
+	c.Impersonate.Groups = []string{"projectcapsule.dev", owner.Name}
+	c.Impersonate.UserName = owner.Name
+	cs, err = kubernetes.NewForConfig(c)
+	Expect(err).ToNot(HaveOccurred())
+
+	return cs
+}

internal/modules/clusterscoped/get.go

@@ -2,6 +2,7 @@ package clusterscoped
 
 import (
 	"context"
+	"net/http"
 
 	"github.com/go-logr/logr"
 	"github.com/gorilla/mux"
@@ -60,14 +61,15 @@ func (g get) Handle(proxyTenants []*tenant.ProxyTenant, proxyRequest request.Req
 
 	gvk := utils.GetGVKFromURL(proxyRequest.GetHTTPRequest().URL.Path)
 
-	operations, requirements := utils.GetClusterScopeRequirements(gvk, proxyTenants)
+	_, requirements := utils.GetClusterScopeRequirements(gvk, proxyTenants)
+
 	if len(requirements) > 0 {
-		// Verify if the list operation is allowed
-		if utils.IsAllowed(operations, httpRequest) {
+		switch httpRequest.Method {
+		case http.MethodGet:
 			return g.handleSelector(httpRequest.Context(), gvk, requirements, mux.Vars(httpRequest)["name"])
+		default:
+			return nil, nil
 		}
-
-		return nil, errors.NewNotAllowed(gvk.GroupKind())
 	}
 
 	return