limit secret permissions (#350)

Signed-off-by: Zhiwei Yin <[email protected]>

deploy/cluster-manager/config/rbac/cluster_role.yaml

@@ -5,8 +5,24 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["configmaps", "namespaces", "serviceaccounts", "services", "secrets"]
+  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "update", "patch", "delete"]
+  resourceNames:
+    - "signer-secret"
+    - "registration-webhook-serving-cert"
+    - "work-webhook-serving-cert"
+    - "registration-controller-sa-kubeconfig"
+    - "registration-webhook-sa-kubeconfig"
+    - "work-webhook-sa-kubeconfig"
+    - "placement-controller-sa-kubeconfig"
+    - "work-controller-sa-kubeconfig"
+    - "external-hub-kubeconfig"
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update", "watch", "patch"]

deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml

@@ -124,7 +124,6 @@ spec:
           - namespaces
           - serviceaccounts
           - services
-          - secrets
           verbs:
           - create
           - get
@@ -133,6 +132,33 @@ spec:
           - watch
           - patch
           - delete
+        - apiGroups:
+          - ""
+          resourceNames:
+          - signer-secret
+          - registration-webhook-serving-cert
+          - work-webhook-serving-cert
+          - registration-controller-sa-kubeconfig
+          - registration-webhook-sa-kubeconfig
+          - work-webhook-sa-kubeconfig
+          - placement-controller-sa-kubeconfig
+          - work-controller-sa-kubeconfig
+          - external-hub-kubeconfig
+          resources:
+          - secrets
+          verbs:
+          - get
+          - list
+          - watch
+          - update
+          - patch
+          - delete
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - create
         - apiGroups:
           - coordination.k8s.io
           resources:

manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrolebinding.yaml

@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .ClusterManagerNamespace }}
-  name: {{ .ClusterManagerName }}-addon-manager-controller-sa
+  name: addon-manager-controller-sa

manifests/cluster-manager/hub/cluster-manager-addon-manager-serviceaccount.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .ClusterManagerName }}-addon-manager-controller-sa
+  name: addon-manager-controller-sa
   namespace: {{ .ClusterManagerNamespace }}

manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrolebinding.yaml

@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .ClusterManagerNamespace }}
-  name: {{ .ClusterManagerName }}-work-controller-sa
+  name: work-controller-sa

manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-serviceaccount.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .ClusterManagerName }}-work-controller-sa
+  name: work-controller-sa
   namespace: {{ .ClusterManagerNamespace }}

manifests/cluster-manager/hub/cluster-manager-placement-clusterrolebinding.yaml

@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .ClusterManagerNamespace }}
-  name: {{ .ClusterManagerName }}-placement-controller-sa
+  name: placement-controller-sa

manifests/cluster-manager/hub/cluster-manager-placement-serviceaccount.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .ClusterManagerName }}-placement-controller-sa
+  name: placement-controller-sa
   namespace: {{ .ClusterManagerNamespace }}

manifests/cluster-manager/hub/cluster-manager-registration-clusterrolebinding.yaml

@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .ClusterManagerNamespace }}
-  name: {{ .ClusterManagerName }}-registration-controller-sa
+  name: registration-controller-sa

manifests/cluster-manager/hub/cluster-manager-registration-serviceaccount.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .ClusterManagerName }}-registration-controller-sa
+  name: registration-controller-sa
   namespace: {{ .ClusterManagerNamespace }}

manifests/cluster-manager/hub/cluster-manager-registration-webhook-clusterrolebinding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook
 subjects:
   - kind: ServiceAccount
-    name: {{ .ClusterManagerName }}-registration-webhook-sa
+    name: registration-webhook-sa
     namespace: {{ .ClusterManagerNamespace }}

manifests/cluster-manager/hub/cluster-manager-registration-webhook-serviceaccount.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .ClusterManagerName }}-registration-webhook-sa
+  name: registration-webhook-sa
   namespace: {{ .ClusterManagerNamespace }}

manifests/cluster-manager/hub/cluster-manager-work-webhook-clusterrolebinding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: open-cluster-management:{{ .ClusterManagerName }}-work:webhook
 subjects:
   - kind: ServiceAccount
-    name: {{ .ClusterManagerName }}-work-webhook-sa
+    name: work-webhook-sa
     namespace: {{ .ClusterManagerNamespace }}

manifests/cluster-manager/hub/cluster-manager-work-webhook-serviceaccount.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .ClusterManagerName }}-work-webhook-sa
+  name: work-webhook-sa
   namespace: {{ .ClusterManagerNamespace }} 

manifests/cluster-manager/management/cluster-manager-addon-manager-deployment.yaml

@@ -37,7 +37,7 @@ spec:
                   values:
                   - clustermanager-addon-manager-controller
       {{ if not .HostedMode }}
-      serviceAccountName: {{ .ClusterManagerName }}-addon-manager-controller-sa
+      serviceAccountName: addon-manager-controller-sa
       {{ end }}
       containers:
       - name: addon-manager-controller
@@ -80,5 +80,5 @@ spec:
       volumes:
       - name: kubeconfig
         secret:
-          secretName: {{ .ClusterManagerName }}-addon-manager-controller-sa-kubeconfig
+          secretName: addon-manager-controller-sa-kubeconfig
       {{ end }}

manifests/cluster-manager/management/cluster-manager-manifestworkreplicaset-deployment.yaml

@@ -37,7 +37,7 @@ spec:
                   values:
                   - {{ .ClusterManagerName }}-work-controller
       {{ if not .HostedMode }}
-      serviceAccountName: {{ .ClusterManagerName }}-work-controller-sa
+      serviceAccountName: work-controller-sa
       {{ end }}
       containers:
       - name: {{ .ClusterManagerName }}-work-controller
@@ -83,5 +83,5 @@ spec:
       {{ if .HostedMode }}
       - name: kubeconfig
         secret:
-          secretName: {{ .ClusterManagerName }}-work-controller-sa-kubeconfig
+          secretName: work-controller-sa-kubeconfig
       {{ end }}

manifests/cluster-manager/management/cluster-manager-placement-deployment.yaml

@@ -37,7 +37,7 @@ spec:
                   values:
                   - clustermanager-placement-controller
       {{ if not .HostedMode }}
-      serviceAccountName: {{ .ClusterManagerName }}-placement-controller-sa
+      serviceAccountName: placement-controller-sa
       {{ end }}
       containers:
       - name: placement-controller
@@ -80,5 +80,5 @@ spec:
       volumes:
       - name: kubeconfig
         secret:
-          secretName: {{ .ClusterManagerName }}-placement-controller-sa-kubeconfig
+          secretName: placement-controller-sa-kubeconfig
       {{ end }}

manifests/cluster-manager/management/cluster-manager-registration-deployment.yaml

@@ -37,7 +37,7 @@ spec:
                   values:
                   - clustermanager-registration-controller
       {{ if not .HostedMode }}
-      serviceAccountName: {{ .ClusterManagerName }}-registration-controller-sa
+      serviceAccountName: registration-controller-sa
       {{ end }}
       containers:
       - name: hub-registration-controller
@@ -85,5 +85,5 @@ spec:
       volumes:
       - name: kubeconfig
         secret:
-          secretName: {{ .ClusterManagerName }}-registration-controller-sa-kubeconfig
+          secretName: registration-controller-sa-kubeconfig
       {{ end }}

manifests/cluster-manager/management/cluster-manager-registration-webhook-deployment.yaml

@@ -37,7 +37,7 @@ spec:
                   values:
                   - {{ .ClusterManagerName }}-registration-webhook
       {{ if not .HostedMode }}
-      serviceAccountName: {{ .ClusterManagerName }}-registration-webhook-sa
+      serviceAccountName: registration-webhook-sa
       {{ end }}
       containers:
       - name: {{ .ClusterManagerName }}-webhook
@@ -100,5 +100,5 @@ spec:
       {{ if .HostedMode }}
       - name: kubeconfig
         secret:
-          secretName: {{ .ClusterManagerName }}-registration-webhook-sa-kubeconfig
+          secretName: registration-webhook-sa-kubeconfig
       {{ end }}

manifests/cluster-manager/management/cluster-manager-work-webhook-deployment.yaml

@@ -37,7 +37,7 @@ spec:
                   values:
                   - {{ .ClusterManagerName }}-work-webhook
       {{ if not .HostedMode }}
-      serviceAccountName: {{ .ClusterManagerName }}-work-webhook-sa
+      serviceAccountName: work-webhook-sa
       {{ end }}
       containers:
       - name: {{ .ClusterManagerName }}-webhook
@@ -97,5 +97,5 @@ spec:
       {{ if .HostedMode }}
       - name: kubeconfig
         secret:
-          secretName: {{ .ClusterManagerName }}-work-webhook-sa-kubeconfig
+          secretName: work-webhook-sa-kubeconfig
       {{ end }}

pkg/helpers/queuekey.go

@@ -39,6 +39,9 @@ const (
 	RegistrationWebhookService = "cluster-manager-registration-webhook"
 	WorkWebhookSecret          = "work-webhook-serving-cert" // #nosec G101
 	WorkWebhookService         = "cluster-manager-work-webhook"
+
+	SignerSecret      = "signer-secret"
+	CaBundleConfigmap = "ca-bundle-configmap"
 )
 
 func ClusterManagerNamespace(clustermanagername string, mode operatorapiv1.InstallMode) string {
@@ -131,7 +134,7 @@ func ClusterManagerDeploymentQueueKeyFunc(clusterManagerLister operatorlister.Cl
 	}
 }
 
-func ClusterManagerSecretQueueKeyFunc(clusterManagerLister operatorlister.ClusterManagerLister) factory.ObjectQueueKeyFunc {
+func ClusterManagerQueueKeyFunc(clusterManagerLister operatorlister.ClusterManagerLister) factory.ObjectQueueKeyFunc {
 	return clusterManagerByNamespaceQueueKeyFunc(clusterManagerLister)
 }
 

pkg/helpers/sa_syncer.go

@@ -73,6 +73,27 @@ func SATokenGetter(ctx context.Context, saName, saNamespace string, saClient kub
 	}
 }
 
+// SATokenCreater create the saToken of target sa.
+func SATokenCreater(ctx context.Context, saName, saNamespace string, saClient kubernetes.Interface) TokenGetterFunc {
+	return func() ([]byte, []byte, error) {
+		// 8640 hour
+		tr, err := saClient.CoreV1().ServiceAccounts(saNamespace).
+			CreateToken(ctx, saName, &authv1.TokenRequest{
+				Spec: authv1.TokenRequestSpec{
+					ExpirationSeconds: pointer.Int64Ptr(8640 * 3600),
+				},
+			}, metav1.CreateOptions{})
+		if err != nil {
+			return nil, nil, err
+		}
+		expiration, err := tr.Status.ExpirationTimestamp.MarshalText()
+		if err != nil {
+			return nil, nil, nil
+		}
+		return []byte(tr.Status.Token), expiration, nil
+	}
+}
+
 func SyncKubeConfigSecret(ctx context.Context, secretName, secretNamespace, kubeconfigPath string, templateKubeconfig *rest.Config, secretClient coreclientv1.SecretsGetter, tokenGetter TokenGetterFunc, recorder events.Recorder) error {
 	secret, err := secretClient.Secrets(secretNamespace).Get(ctx, secretName, metav1.GetOptions{})
 	switch {