Fit ClusterRole and CRB into a manifest struct

Author: Weeblin

pkg/permissions/generate.go

@@ -2,89 +2,60 @@ package permissions
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/jetstack/preflight/pkg/agent"
 	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
 	rbac "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func Generate(dataGatherers []agent.DataGatherer) string {
-	var accumulator string = ""
-
-	for _, g := range dataGatherers {
-		if g.Kind != "k8s-dynamic" {
-			continue
-		}
-
-		genericConfig := g.Config
-		dyConfig := genericConfig.(*k8s.ConfigDynamic)
-
-		metaName := fmt.Sprint(dyConfig.GroupVersionResource.Resource)
-
-		accumulator = fmt.Sprintf(`%s
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: jetstack-secure-agent-%s-reader
-rules:
-- apiGroups: ["%s"]
-  resources: ["%s"]
-  verbs: ["get", "list", "watch"]
----`, accumulator, metaName, dyConfig.GroupVersionResource.Group, dyConfig.GroupVersionResource.Resource)
-	}
-
-	s := strings.TrimPrefix(accumulator, "\n")
-	ss := strings.TrimSuffix(s, "---")
-	return strings.TrimSuffix(ss, "\n")
+// AgentRBACManifests is a wrapper around the various RBAC structs needed to grant the agent fine-grained permissions as per its dg configs
+type AgentRBACManifests struct {
+	// ClusterRoles is a list of roles for resources the agent will collect
+	ClusterRoles []rbac.ClusterRole
+	// ClusterRoleBindings is a list of crbs for resources which have no include/exclude ns configured
+	ClusterRoleBindings []rbac.ClusterRoleBinding
+	// RoleBindings is a list of namespaced bindings to grant permissions when include/exclude ns set
+	RoleBindings []rbac.RoleBinding
 }
 
-func GenerateClusterRoles(dataGatherer []agent.DataGatherer) []rbac.ClusterRole {
-	out := []rbac.ClusterRole{}
+func GenerateAgentRBACManifests(dataGatherers []agent.DataGatherer) AgentRBACManifests {
+	// create a new AgentRBACManifest struct
+	var AgentRBACManifests AgentRBACManifests
 
-	for _, g := range dataGatherer {
-		if g.Kind != "k8s-dynamic" {
+	for _, dg := range dataGatherers {
+		if dg.Kind != "k8s-dynamic" {
 			continue
 		}
 
-		genericConfig := g.Config
-		dyConfig := genericConfig.(*k8s.ConfigDynamic)
-
-		metaName := dyConfig.GroupVersionResource.Resource
+		dyConfig := dg.Config.(*k8s.ConfigDynamic)
+		metadataName := fmt.Sprintf("jetstack-secure-agent-%s-reader", dyConfig.GroupVersionResource.Resource)
 
-		out = append(out, rbac.ClusterRole{
+		AgentRBACManifests.ClusterRoles = append(AgentRBACManifests.ClusterRoles, rbac.ClusterRole{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       "ClusterRole",
 				APIVersion: "rbac.authorization.k8s.io/v1",
 			},
 			ObjectMeta: metav1.ObjectMeta{
-				Name: fmt.Sprintf("jetstack-secure-agent-%s-reader", metaName),
+				Name: metadataName,
 			},
 			Rules: []rbac.PolicyRule{
 				{
 					Verbs:     []string{"get", "list", "watch"},
 					APIGroups: []string{dyConfig.GroupVersionResource.Group},
-					Resources: []string{metaName},
+					Resources: []string{dyConfig.GroupVersionResource.Resource},
 				},
 			},
 		})
 
-	}
-	return out
-}
-
-func GenerateClusterRoleBindings(clusterRoles []rbac.ClusterRole) []rbac.ClusterRoleBinding {
-	out := []rbac.ClusterRoleBinding{}
-	for _, cr := range clusterRoles {
-		out = append(out, rbac.ClusterRoleBinding{
+		AgentRBACManifests.ClusterRoleBindings = append(AgentRBACManifests.ClusterRoleBindings, rbac.ClusterRoleBinding{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       "ClusterRoleBinding",
 				APIVersion: "rbac.authorization.k8s.io/v1",
 			},
 
 			ObjectMeta: metav1.ObjectMeta{
-				Name: cr.ObjectMeta.Name,
+				Name: metadataName,
 			},
 
 			Subjects: []rbac.Subject{
@@ -97,11 +68,11 @@ func GenerateClusterRoleBindings(clusterRoles []rbac.ClusterRole) []rbac.Cluster
 
 			RoleRef: rbac.RoleRef{
 				Kind:     "ClusterRole",
-				Name:     cr.ObjectMeta.Name,
+				Name:     metadataName,
 				APIGroup: "rbac.authorization.k8s.io",
 			},
 		})
-
 	}
-	return out
+
+	return AgentRBACManifests
 }

pkg/permissions/generate_test.go

@@ -11,16 +11,14 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-func TestGenerateRBAC(t *testing.T) {
-	// Use these test cases to check if Generate function is correct
+func TestGenerateAgentRBACManifests(t *testing.T) {
 	testCases := []struct {
-		expectedClusterRoles        []rbac.ClusterRole
-		expectedClusterRoleBindings []rbac.ClusterRoleBinding
-		dataGatherers               []agent.DataGatherer
-		description                 string
+		description                string
+		dataGatherers              []agent.DataGatherer
+		expectedAgentRBACManifests AgentRBACManifests
 	}{
 		{
-			description: "Generate RBAC struct for pods datagatherer",
+			description: "Generate ClusterRole and ClusterRoleBinding for simple pod dg case",
 			dataGatherers: []agent.DataGatherer{
 				{
 					Name: "k8s/pods",
@@ -32,151 +30,56 @@ func TestGenerateRBAC(t *testing.T) {
 						},
 					},
 				},
-				{
-					Name: "k8s/secrets",
-					Kind: "k8s-dynamic",
-					Config: &k8s.ConfigDynamic{
-						GroupVersionResource: schema.GroupVersionResource{
-							Version:  "v1",
-							Resource: "secrets",
-						},
-					},
-				},
-				{
-					Name: "k8s/awspcaissuer",
-					Kind: "k8s-dynamic",
-					Config: &k8s.ConfigDynamic{
-						GroupVersionResource: schema.GroupVersionResource{
-							Group:    "awspca.cert-manager.io",
-							Version:  "v1",
-							Resource: "awspcaissuers",
-						},
-					},
-				},
 			},
-			expectedClusterRoles: []rbac.ClusterRole{
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRole",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-pods-reader",
-					},
-					Rules: []rbac.PolicyRule{
-						{
-							Verbs:     []string{"get", "list", "watch"},
-							APIGroups: []string{""},
-							Resources: []string{"pods"},
+			expectedAgentRBACManifests: AgentRBACManifests{
+				ClusterRoles: []rbac.ClusterRole{
+					{
+						TypeMeta: metav1.TypeMeta{
+							Kind:       "ClusterRole",
+							APIVersion: "rbac.authorization.k8s.io/v1",
 						},
-					},
-				},
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRole",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-secrets-reader",
-					},
-					Rules: []rbac.PolicyRule{
-						{
-							Verbs:     []string{"get", "list", "watch"},
-							APIGroups: []string{""},
-							Resources: []string{"secrets"},
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "jetstack-secure-agent-pods-reader",
 						},
-					},
-				},
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRole",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-awspcaissuers-reader",
-					},
-					Rules: []rbac.PolicyRule{
-						{
-							Verbs:     []string{"get", "list", "watch"},
-							APIGroups: []string{"awspca.cert-manager.io"},
-							Resources: []string{"awspcaissuers"},
+						Rules: []rbac.PolicyRule{
+							{
+								Verbs:     []string{"get", "list", "watch"},
+								APIGroups: []string{""},
+								Resources: []string{"pods"},
+							},
 						},
 					},
 				},
-			},
-			expectedClusterRoleBindings: []rbac.ClusterRoleBinding{
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRoleBinding",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-pods-reader",
-					},
-					Subjects: []rbac.Subject{
-						{
-							Kind:      "ServiceAccount",
-							Name:      "agent",
-							Namespace: "jetstack-secure",
+				ClusterRoleBindings: []rbac.ClusterRoleBinding{
+					{
+						TypeMeta: metav1.TypeMeta{
+							Kind:       "ClusterRoleBinding",
+							APIVersion: "rbac.authorization.k8s.io/v1",
 						},
-					},
-					RoleRef: rbac.RoleRef{
-						Kind:     "ClusterRole",
-						Name:     "jetstack-secure-agent-pods-reader",
-						APIGroup: "rbac.authorization.k8s.io",
-					},
-				},
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRoleBinding",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-secrets-reader",
-					},
-					Subjects: []rbac.Subject{
-						{
-							Kind:      "ServiceAccount",
-							Name:      "agent",
-							Namespace: "jetstack-secure",
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "jetstack-secure-agent-pods-reader",
 						},
-					},
-					RoleRef: rbac.RoleRef{
-						Kind:     "ClusterRole",
-						Name:     "jetstack-secure-agent-secrets-reader",
-						APIGroup: "rbac.authorization.k8s.io",
-					},
-				},
-				{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "ClusterRoleBinding",
-						APIVersion: "rbac.authorization.k8s.io/v1",
-					},
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "jetstack-secure-agent-awspcaissuers-reader",
-					},
-					Subjects: []rbac.Subject{
-						{
-							Kind:      "ServiceAccount",
-							Name:      "agent",
-							Namespace: "jetstack-secure",
+						Subjects: []rbac.Subject{
+							{
+								Kind:      "ServiceAccount",
+								Name:      "agent",
+								Namespace: "jetstack-secure",
+							},
+						},
+						RoleRef: rbac.RoleRef{
+							Kind:     "ClusterRole",
+							Name:     "jetstack-secure-agent-pods-reader",
+							APIGroup: "rbac.authorization.k8s.io",
 						},
-					},
-					RoleRef: rbac.RoleRef{
-						Kind:     "ClusterRole",
-						Name:     "jetstack-secure-agent-awspcaissuers-reader",
-						APIGroup: "rbac.authorization.k8s.io",
 					},
 				},
 			},
 		},
 	}
 
 	for _, input := range testCases {
-		gotClusterRoles := GenerateClusterRoles(input.dataGatherers)
-		gotClusterRoleBindings := GenerateClusterRoleBindings(gotClusterRoles)
+		got := GenerateAgentRBACManifests(input.dataGatherers)
 
-		td.Cmp(t, input.expectedClusterRoles, gotClusterRoles)
-		td.Cmp(t, input.expectedClusterRoleBindings, gotClusterRoleBindings)
+		td.Cmp(t, input.expectedAgentRBACManifests, got)
 	}
 }