Added project id to kubeadmin user for Kubernetes service

[parkinr]

Description

When Kubernetes cluster is created, a kubeadmin user is created without projectId. The cloudstack-secret created on the Kubernetes cluster can be used by all users with the same account. That could pose security issue with sharing api-key and secret-key. This PR added projectId to the kubeadmin user so that the api-key and secret-key will only be shared within the project.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Created a Kubernetes cluster with the modified code. Made sure the kubeadmin user has the projectId included. Also checked cloudstack-secret on the Kubernetes cluster to make sure project id is part of the cloudstack-secret with api-key and secret-key.

How did you try to break this feature and the system with this change?

Without the change, the kubeadmin user can access resources from the account level. With this change, this kubeadmin user can only manage resources for that project.

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

• In case of a new feature add useful documentation (raise doc PR at https://github.com/apache/cloudstack-documentation)
• Be patient and persistent. It might take some time to get a review or get the final approval from the committers.
• Pay attention to the quality of your code, ensure tests are passing and your PR doesn't have conflicts.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Issues, Mailing list and Slack.
• Be sure to read the CloudStack Coding Conventions.
  Apache CloudStack is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@cloudstack.apache.org (https://cloudstack.apache.org/mailing-lists.html)
  Slack: https://apachecloudstack.slack.com/

[DaanHoogland]

does this mean accounts cannot have a kubernetes instance without being part of a project? I would expect something like

Suggested change

	String projectId = "default";
	Account account = ApiDBUtils.findAccountById(kubernetesCluster.getAccountId());
	Project project = ApiDBUtils.findProjectByProjectAccountId(account.getId());
	if ( project != null ) {
	projectId = project.getUuid();
	}
	String username = owner.getAccountName() + "-" + projectId + "-" + KUBEADMIN_ACCOUNT_NAME;
	String projectId = null;
	Account account = ApiDBUtils.findAccountById(kubernetesCluster.getAccountId());
	Project project = ApiDBUtils.findProjectByProjectAccountId(account.getId());
	if ( project != null ) {
	projectId = project.getUuid();
	}
	String username = owner.getAccountName() + (projectId == null ? : "" : "-" + projectId) + "-" + KUBEADMIN_ACCOUNT_NAME;

[parkinr]

That's a good idea. Will update the code as such. In our case, we always have projectId.

[weizhouapache]

@parkinr
can you explain more ?

• without this PR, what's the username ?
• with this PR, what's the username ?

[parkinr]

Without this PR, the username is: flexcloud-admin-account-kubeadmin
With this PR, the username is flexcloud-admin-account-f316789i-2bgg-4r87-95h7-58j5327892ef-kubeadmin with sample projectId=f316789i-2bgg-4r87-95h7-58j5327892ef. And you can see this projectId in cloudstack-secret on the Kubernetes cluster.

[weizhouapache]

thanks @parkinr for the reply.
However, the security issue is not resolved I think.

@DaanHoogland
we may need to treat this as a serious security issue.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 4.01%. Comparing base (a7beaaf) to head (69cd3b3).
Report is 28 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (a7beaaf) and HEAD (69cd3b3). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (a7beaaf)	HEAD (69cd3b3)
unittests	1	0

Additional details and impacted files

@@              Coverage Diff              @@
##               main   #10362       +/-   ##
=============================================
- Coverage     16.08%    4.01%   -12.08%     
=============================================
  Files          5659      395     -5264     
  Lines        496856    32452   -464404     
  Branches      60168     5743    -54425     
=============================================
- Hits          79933     1302    -78631     
+ Misses       407978    31001   -376977     
+ Partials       8945      149     -8796     

Flag	Coverage Δ
uitests	4.01% <ø> (ø)
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[weizhouapache]

@parkinr
thanks for raising the issue
I moved this PR to draft as I think this does not really fix the issue.

Since it is a serious issue, the community will work on a fix
if you have any concern or ideas, please let us know.