Merge pull request #1881 from horis233/check-sa-owner

openshift-merge-robot · web-flow · commit cfda6a380580 · 2020-12-04T09:54:16.000-05:00
Bug 1857877: check the service account owner in the requirement
diff --git a/pkg/controller/operators/olm/operator_test.go b/pkg/controller/operators/olm/operator_test.go
@@ -34,6 +34,7 @@ import (
 	utilclock "k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/apimachinery/pkg/util/diff"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
@@ -513,6 +514,19 @@ func csvWithAnnotations(csv *v1alpha1.ClusterServiceVersion, annotations map[str
 	return withAnnotations(csv, annotations).(*v1alpha1.ClusterServiceVersion)
 }
 
+func withUID(obj runtime.Object, uid types.UID) runtime.Object {
+	meta, ok := obj.(metav1.Object)
+	if !ok {
+		panic("could not find metadata on object")
+	}
+	meta.SetUID(uid)
+	return meta.(runtime.Object)
+}
+
+func csvWithUID(csv *v1alpha1.ClusterServiceVersion, uid types.UID) *v1alpha1.ClusterServiceVersion {
+	return withUID(csv, uid).(*v1alpha1.ClusterServiceVersion)
+}
+
 func withLabels(obj runtime.Object, labels map[string]string) runtime.Object {
 	meta, ok := obj.(metav1.Object)
 	if !ok {
@@ -960,7 +974,7 @@ func TestTransitionCSV(t *testing.T) {
 			name: "SingleCSVPendingToFailed/BadStrategyPermissions",
 			initial: initial{
 				csvs: []runtime.Object{
-					csvWithAnnotations(csv("csv1",
+					csvWithUID(csvWithAnnotations(csv("csv1",
 						namespace,
 						"0.0.0",
 						"",
@@ -981,7 +995,7 @@ func TestTransitionCSV(t *testing.T) {
 						[]*apiextensionsv1.CustomResourceDefinition{crd("c1", "v1", "g1")},
 						[]*apiextensionsv1.CustomResourceDefinition{},
 						v1alpha1.CSVPhasePending,
-					), defaultTemplateAnnotations),
+					), defaultTemplateAnnotations), types.UID("csv-uid")),
 				},
 				clientObjs: []runtime.Object{addAnnotation(defaultOperatorGroup, v1.OperatorGroupProvidedAPIsAnnotationKey, "c1.v1.g1")},
 				crds: []runtime.Object{
@@ -992,6 +1006,12 @@ func TestTransitionCSV(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "sa",
 							Namespace: namespace,
+							OwnerReferences: []metav1.OwnerReference{
+								{
+									Kind: v1alpha1.ClusterServiceVersionKind,
+									UID:  "csv-uid",
+								},
+							},
 						},
 					},
 				},
diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go
@@ -432,7 +432,7 @@ func (a *Operator) ensureRBACInTargetNamespace(csv *v1alpha1.ClusterServiceVersi
 			strategyDetailsDeployment.ClusterPermissions = append(strategyDetailsDeployment.ClusterPermissions, p)
 		}
 		strategyDetailsDeployment.Permissions = nil
-		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, corev1.NamespaceAll, csv.GetNamespace())
+		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, corev1.NamespaceAll, csv)
 		if err != nil {
 			return err
 		}
@@ -669,7 +669,7 @@ func (a *Operator) ensureCSVsInNamespaces(csv *v1alpha1.ClusterServiceVersion, o
 	}
 	for _, ns := range targetNamespaces {
 		// create roles/rolebindings for each target namespace
-		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns, csv.GetNamespace())
+		permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns, csv)
 		if err != nil {
 			logger.WithError(err).Debug("permission status")
 			return err
diff --git a/pkg/controller/operators/olm/requirements.go b/pkg/controller/operators/olm/requirements.go
@@ -5,15 +5,15 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/coreos/go-semver/semver"
 	"github.com/sirupsen/logrus"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/coreos/go-semver/semver"
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 	olmErrors "github.com/operator-framework/operator-lifecycle-manager/pkg/controller/errors"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 )
 
 func (a *Operator) minKubeVersionStatus(name string, minKubeVersion string) (met bool, statuses []v1alpha1.RequirementStatus) {
@@ -237,7 +237,7 @@ func (a *Operator) requirementStatus(strategyDetailsDeployment *v1alpha1.Strateg
 }
 
 // permissionStatus checks whether the given CSV's RBAC requirements are met in its namespace
-func (a *Operator) permissionStatus(strategyDetailsDeployment *v1alpha1.StrategyDetailsDeployment, ruleChecker install.RuleChecker, targetNamespace, serviceAccountNamespace string) (bool, []v1alpha1.RequirementStatus, error) {
+func (a *Operator) permissionStatus(strategyDetailsDeployment *v1alpha1.StrategyDetailsDeployment, ruleChecker install.RuleChecker, targetNamespace string, csv *v1alpha1.ClusterServiceVersion) (bool, []v1alpha1.RequirementStatus, error) {
 	statusesSet := map[string]v1alpha1.RequirementStatus{}
 
 	checkPermissions := func(permissions []v1alpha1.StrategyDeploymentPermissions, namespace string) (bool, error) {
@@ -261,7 +261,7 @@ func (a *Operator) permissionStatus(strategyDetailsDeployment *v1alpha1.Strategy
 			}
 
 			// Ensure the ServiceAccount exists
-			sa, err := a.opClient.GetServiceAccount(serviceAccountNamespace, perm.ServiceAccountName)
+			sa, err := a.opClient.GetServiceAccount(csv.GetNamespace(), perm.ServiceAccountName)
 			if err != nil {
 				met = false
 				status.Status = v1alpha1.RequirementStatusReasonNotPresent
@@ -270,6 +270,15 @@ func (a *Operator) permissionStatus(strategyDetailsDeployment *v1alpha1.Strategy
 				continue
 			}
 
+			// Check if the ServiceAccount is owned by CSV
+			if len(sa.GetOwnerReferences()) != 0 && !ownerutil.IsOwnedBy(sa, csv) {
+				met = false
+				status.Status = v1alpha1.RequirementStatusReasonPresentNotSatisfied
+				status.Message = "Service account is not owned by this ClusterServiceVersion"
+				statusesSet[saName] = status
+				continue
+			}
+
 			// Check if PolicyRules are satisfied
 			for _, rule := range perm.Rules {
 				dependent := v1alpha1.DependentStatus{
@@ -365,7 +374,7 @@ func (a *Operator) requirementAndPermissionStatus(csv *v1alpha1.ClusterServiceVe
 	clusterRoleBindingLister := rbacLister.ClusterRoleBindingLister()
 
 	ruleChecker := install.NewCSVRuleChecker(roleLister, roleBindingLister, clusterRoleLister, clusterRoleBindingLister, csv)
-	permMet, permStatuses, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, csv.GetNamespace(), csv.GetNamespace())
+	permMet, permStatuses, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, csv.GetNamespace(), csv)
 	if err != nil {
 		return false, nil, err
 	}
diff --git a/pkg/controller/operators/olm/requirements_test.go b/pkg/controller/operators/olm/requirements_test.go
@@ -35,7 +35,7 @@ func TestRequirementAndPermissionStatus(t *testing.T) {
 	}{
 		{
 			description: "AllPermissionsMet",
-			csv: csv("csv1",
+			csv: csvWithUID(csv("csv1",
 				namespace,
 				"0.0.0",
 				"",
@@ -68,13 +68,19 @@ func TestRequirementAndPermissionStatus(t *testing.T) {
 				nil,
 				nil,
 				v1alpha1.CSVPhasePending,
-			),
+			), types.UID("csv-uid")),
 			existingObjs: []runtime.Object{
 				&corev1.ServiceAccount{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "sa",
 						Namespace: namespace,
 						UID:       types.UID("sa"),
+						OwnerReferences: []metav1.OwnerReference{
+							{
+								Kind: v1alpha1.ClusterServiceVersionKind,
+								UID:  "csv-uid",
+							},
+						},
 					},
 				},
 				&rbacv1.Role{
@@ -173,7 +179,7 @@ func TestRequirementAndPermissionStatus(t *testing.T) {
 		},
 		{
 			description: "OnePermissionNotMet",
-			csv: csv("csv1",
+			csv: csvWithUID(csv("csv1",
 				namespace,
 				"0.0.0",
 				"",
@@ -206,13 +212,19 @@ func TestRequirementAndPermissionStatus(t *testing.T) {
 				nil,
 				nil,
 				v1alpha1.CSVPhasePending,
-			),
+			), types.UID("csv-uid")),
 			existingObjs: []runtime.Object{
 				&corev1.ServiceAccount{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "sa",
 						Namespace: namespace,
 						UID:       types.UID("sa"),
+						OwnerReferences: []metav1.OwnerReference{
+							{
+								Kind: v1alpha1.ClusterServiceVersionKind,
+								UID:  "csv-uid",
+							},
+						},
 					},
 				},
 				&rbacv1.Role{
@@ -309,9 +321,142 @@ func TestRequirementAndPermissionStatus(t *testing.T) {
 			},
 			expectedError: nil,
 		},
+		{
+			description: "RequirementNotMet/ServiceAccountOwnerConflict",
+			csv: csvWithUID(csv("csv1",
+				namespace,
+				"0.0.0",
+				"",
+				installStrategy(
+					"csv1-dep",
+					[]v1alpha1.StrategyDeploymentPermissions{
+						{
+							ServiceAccountName: "sa",
+							Rules: []rbacv1.PolicyRule{
+								{
+									APIGroups: []string{""},
+									Verbs:     []string{"*"},
+									Resources: []string{"donuts"},
+								},
+							},
+						},
+					},
+					[]v1alpha1.StrategyDeploymentPermissions{
+						{
+							ServiceAccountName: "sa",
+							Rules: []rbacv1.PolicyRule{
+								{
+									Verbs:           []string{"get"},
+									NonResourceURLs: []string{"/osbs"},
+								},
+							},
+						},
+					},
+				),
+				nil,
+				nil,
+				v1alpha1.CSVPhasePending,
+			), types.UID("csv-uid")),
+			existingObjs: []runtime.Object{
+				&corev1.ServiceAccount{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "sa",
+						Namespace: namespace,
+						UID:       types.UID("sa"),
+						OwnerReferences: []metav1.OwnerReference{
+							{
+								Kind: v1alpha1.ClusterServiceVersionKind,
+								UID:  "csv-uid-other",
+							},
+						},
+					},
+				},
+				&rbacv1.Role{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "role",
+						Namespace: namespace,
+					},
+					Rules: []rbacv1.PolicyRule{
+						{
+							APIGroups: []string{""},
+							Verbs:     []string{"*"},
+							Resources: []string{"donuts"},
+						},
+					},
+				},
+				&rbacv1.RoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "roleBinding",
+						Namespace: namespace,
+					},
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      "sa",
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "Role",
+						Name:     "role",
+					},
+				},
+				&rbacv1.ClusterRole{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "clusterRole",
+					},
+					Rules: []rbacv1.PolicyRule{
+						{
+							Verbs:           []string{"get"},
+							NonResourceURLs: []string{"/osbs"},
+						},
+					},
+				},
+				&rbacv1.ClusterRoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "clusterRoleBinding",
+					},
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      "sa",
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "ClusterRole",
+						Name:     "clusterRole",
+					},
+				},
+			},
+			existingExtObjs: nil,
+			met:             false,
+			expectedRequirementStatuses: map[gvkn]v1alpha1.RequirementStatus{
+				{"", "v1", "ServiceAccount", "sa"}: {
+					Group:   "",
+					Version: "v1",
+					Kind:    "ServiceAccount",
+					Name:    "sa",
+					Status:  v1alpha1.RequirementStatusReasonPresentNotSatisfied,
+					Dependents: []v1alpha1.DependentStatus{},
+				},
+				{"operators.coreos.com", "v1alpha1", "ClusterServiceVersion", "csv1"}: {
+					Group:   "operators.coreos.com",
+					Version: "v1alpha1",
+					Kind:    "ClusterServiceVersion",
+					Name:    "csv1",
+					Status:  v1alpha1.RequirementStatusReasonPresent,
+				},
+			},
+			expectedError: nil,
+		},
 		{
 			description: "AllRequirementsMet",
-			csv: csv("csv1",
+			csv: csvWithUID(csv("csv1",
 				namespace,
 				"0.0.0",
 				"",
@@ -334,13 +479,19 @@ func TestRequirementAndPermissionStatus(t *testing.T) {
 				[]*apiextensionsv1.CustomResourceDefinition{crd("c1", "v1", "g1")},
 				[]*apiextensionsv1.CustomResourceDefinition{crd("c2", "v1", "g2")},
 				v1alpha1.CSVPhasePending,
-			),
+			), types.UID("csv-uid")),
 			existingObjs: []runtime.Object{
 				&corev1.ServiceAccount{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "sa",
 						Namespace: namespace,
 						UID:       types.UID("sa"),
+						OwnerReferences: []metav1.OwnerReference{
+							{
+								Kind: v1alpha1.ClusterServiceVersionKind,
+								UID:  "csv-uid",
+							},
+						},
 					},
 				},
 				&rbacv1.Role{
diff --git a/test/e2e/csv_e2e_test.go b/test/e2e/csv_e2e_test.go

Original file line number	Diff line number	Diff line change
`@@ -432,7 +432,7 @@ func (a Operator) ensureRBACInTargetNamespace(csv v1alpha1.ClusterServiceVersi`
`432`	`432`	`strategyDetailsDeployment.ClusterPermissions = append(strategyDetailsDeployment.ClusterPermissions, p)`
`433`	`433`	`}`
`434`	`434`	`strategyDetailsDeployment.Permissions = nil`
`435`		`- permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, corev1.NamespaceAll, csv.GetNamespace())`
	`435`	`+ permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, corev1.NamespaceAll, csv)`
`436`	`436`	`if err != nil {`
`437`	`437`	`return err`
`438`	`438`	`}`
`@@ -669,7 +669,7 @@ func (a Operator) ensureCSVsInNamespaces(csv v1alpha1.ClusterServiceVersion, o`
`669`	`669`	`}`
`670`	`670`	`for _, ns := range targetNamespaces {`
`671`	`671`	`// create roles/rolebindings for each target namespace`
`672`		`- permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns, csv.GetNamespace())`
	`672`	`+ permMet, _, err := a.permissionStatus(strategyDetailsDeployment, ruleChecker, ns, csv)`
`673`	`673`	`if err != nil {`
`674`	`674`	`logger.WithError(err).Debug("permission status")`
`675`	`675`	`return err`