From 774fe9fd74d890d9c1bfbd097e44295ece44ac03 Mon Sep 17 00:00:00 2001
From: Jon Donovan
Date: Wed, 25 Mar 2020 13:55:47 -0700
Subject: [PATCH] Restrict RBAC for Operator using role aggregation.

By using the escalate verb on clusterroles, we allow the Operator to have the ability to create any clusterrole. This prevents us from needing to grant it cluster-admin. Additionally, by having the Operator create an aggregated clusterrole for itself (aggregating all clusteroles created by Knative Serving), we pick up any permissions that the upstream dictate as necessary by any component. Any roles that are not created by upstream, but which are bound as part of install are added with the bind verb to allow the Operator to bind them without necessarily having the permissions they grant. Some other permissions are needed to support controller infra and are explicitly included, as well as some specific to the Operator itself. An attempt at grouping these by sections is included, though may be slightly out of sync (in particular: Controller infra / Specific to this Operator may overlap). Overall, this should keep the Operator roughly operating only on Knative Serving resources (or things which can be operated on by upstream). This also minimizes the diff between eventing and serving RBAC.
---
config/role.yaml | 177 ++++++++++++++++++++++++++++++++-------
config/role_binding.yaml | 17 ++--
2 files changed, 154 insertions(+), 40 deletions(-)

diff --git a/config/role.yaml b/config/role.yaml
index 36923e7e..37dfd335 100644
--- a/config/role.yaml
+++ b/config/role.yaml
@@ -11,23 +11,99 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole +metadata: + name: knative-serving-operator-aggregated +aggregationRule: + clusterRoleSelectors: +# This (along with escalate below) allows the Operator to pick up any +# roles that are provided to the admin of the cluster by knative serving +# automatically. + - matchExpressions: + - {key: serving.knative.dev/release, operator: Exists} +rules: [] # Rules are automatically filled in by the controller manager. +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: - creationTimestamp: null name: knative-serving-operator rules: +- apiGroups: + - operator.knative.dev + resources: + - '*' + verbs: + - '*' +# Bootstrapping permissions. +# Roles that are explicitly bound buch which are specified by this Operator +# MUST be specified here with 'get' and 'bind'. +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + resourceNames: + - system:auth-delegator + verbs: + - bind + - get +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + resourceNames: + - extension-apiserver-authentication-reader + verbs: + - bind + - get +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - roles + verbs: + - create + - delete +# Escalate is necessary in order to create a role using cluster role aggregation, +# and to allow the Operator to bootstrap itself into the necessary set of +# permissions, even as those continue to evolve upstream. + - escalate + - get + - list + - update +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - rolebindings + verbs: + - create + - delete + - list + - get + - update +# Permissions required for Knative controller +# infra. 
+- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - update - apiGroups: - "" resources: - - pods - services - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets + verbs: + - create + - delete + - get + - list + - watch +- apiGroups: + - caching.internal.knative.dev + resources: + - images verbs: - '*' - apiGroups: @@ -36,6 +112,26 @@ rules: - namespaces verbs: - get + - update + - watch +- apiGroups: + - '' + resources: + - events + verbs: + - create + - update + - patch +- apiGroups: + - '' + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - watch - apiGroups: - apps resources: @@ -44,41 +140,58 @@ rules: - replicasets - statefulsets verbs: - - '*' + - create + - delete + - get + - list + - watch - apiGroups: - - monitoring.coreos.com + - apiregistration.k8s.io resources: - - servicemonitors + - apiservices verbs: - - get - create + - delete + - get + - list - apiGroups: - - apps - resourceNames: - - knative-serving-operator + - autoscaling resources: - - deployments/finalizers + - horizontalpodautoscalers verbs: - - update + - create + - delete + - get + - list - apiGroups: - - operator.knative.dev + - coordination.k8s.io resources: - - '*' + - leases verbs: - '*' - apiGroups: - - coordination.k8s.io + - apiextensions.k8s.io resources: - - leases + - customresourcedefinitions verbs: - '*' ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: knative-serving-operator -# This is necessary in order to use cluster role aggregation. -rules: - - apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] +# Old resources that need cleaning up that are not in the knative-serving +# namespace. +- apiGroups: + - "" + resources: + - services + - deployments + - horizontalpodautoscalers + resourceNames: + - knative-ingressgateway + verbs: + - delete +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - config-controller + verbs: + - delete 
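Review bot: The unrestricted `escalate` (together with `create` and `update`) on all `clusterroles` and `roles` in the third rbac.authorization.k8s.io rule is cluster-admin-equivalent, so the commit's claim that the Operator no longer needs cluster-admin describes the manifest shape rather than the effective privilege: a subject that can author arbitrary ClusterRole rules, and whose own role aggregates every ClusterRole labelled `serving.knative.dev/release`, can end up holding any permission in the cluster. If that is an accepted trade-off, record it next to the rule, e.g. `# NOTE: escalate on unrestricted clusterroles/roles is effectively cluster-admin; this role documents what the Operator normally touches rather than containing it.`; otherwise scope the rule with `resourceNames` to the roles the Operator is known to manage, leaving only `get`/`list` unrestricted. The aggregation selector also turns the `serving.knative.dev/release` label into a trust boundary, since any ClusterRole carrying it, whoever created it, is folded into the Operator's permissions, and the comment above `clusterRoleSelectors` should say so. Separately, the comment `# Roles that are explicitly bound buch which are specified by this Operator` has a typo, `but`.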
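Review bot: The two new rules in this hunk write the core API group as `- ''` while the rest of role.yaml (the `services` rule above and the cleanup rules below) uses `- ""`; pick one spelling, `- ""`, so the file stays consistent and greppable. The added `update` verb on cluster-wide `namespaces` is the one write permission in this hunk that is not on a Serving-owned resource and it is not explained; a one-line comment above that rule stating what the Operator writes to namespaces would let an auditor judge whether it is still needed.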
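Review bot: The cleanup rule at the end of the hunk lists `deployments` and `horizontalpodautoscalers` under the core API group `""`, but those resources live in `apps` and `autoscaling` respectively (both groups already appear in this file), so the `knative-ingressgateway` entry only matches the Service and silently does nothing for the other two kinds. As written the named rule is also redundant, because the preceding rules grant `delete` on all `services`, `deployments` and `horizontalpodautoscalers` without a `resourceNames` restriction; if the cleanup path is meant to be least-privilege, the named rule needs one entry per group as below, after which the broad `delete` verbs can be reconsidered. The file now also carries two separate `apiregistration.k8s.io`/`apiservices` rules (`update` in the first hunk, `create`/`delete`/`get`/`list` here); merging them into one rule makes the granted verb set easier to audit.
```yaml
# Old resources that need cleaning up that are not in the knative-serving
# namespace.
- apiGroups:
  - ""
  resources:
  - services
  resourceNames:
  - knative-ingressgateway
  verbs:
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  resourceNames:
  - knative-ingressgateway
  verbs:
  - delete
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  resourceNames:
  - knative-ingressgateway
  verbs:
  - delete
# … unchanged: config-controller configmap cleanup rule …
```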
diff --git a/config/role_binding.yaml b/config/role_binding.yaml index a0a17f49..4a93d376 100644 --- a/config/role_binding.yaml +++ b/config/role_binding.yaml @@ -11,27 +11,28 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -kind: RoleBinding +# TODO: Consider restriction of non-aggregated role to knativeservings namespaces. apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: knative-serving-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: knative-serving-operator subjects: - kind: ServiceAccount name: knative-serving-operator -roleRef: - kind: Role - name: knative-serving-operator - apiGroup: rbac.authorization.k8s.io + namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: knative-serving-operator + name: knative-serving-operator-aggregated roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: knative-serving-operator + name: knative-serving-operator-aggregated subjects: - kind: ServiceAccount name: knative-serving-operator
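Review bot: The two ClusterRoleBinding subjects disagree: the first binding now pins the ServiceAccount to `namespace: default`, while the aggregated binding's subject, as far as the hunk shows, carries no namespace (the file may continue past the hunk). The API server requires `namespace` on a ServiceAccount subject of a ClusterRoleBinding, and unlike the removed RoleBinding it cannot fall back to the binding's own namespace, so both subjects should carry the same explicit `namespace:`, preferably the namespace the Operator is actually installed into rather than a hard-coded `default`. The `# TODO` line is the only record that the non-aggregated role has just gone from namespace-scoped to cluster-wide; extending it to name what that widens (for example `delete` on services and configmaps in every namespace, both granted in role.yaml) would help the next reader weigh the trade-off.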