
Add readonly ServiceAccount in Sonobuoy chart

Using this readonly ServiceAccount enables plugins
to use a Kubernetes client with different permissions
than the Sonobuoy ServiceAccount, which has full
permissions on the cluster.

This ServiceAccount enables get/list/watch on all resource types in all
API groups.

A Secret is used to mount the service account token because there is no
way to specify a service account from just a container spec [1]. Sonobuoy
doesn't provide access to the pod spec for plugins, so we are limited to
the container spec.

[1] https://github.com/kubernetes/kubernetes/issues/66020

Change-Id: I69aeaaedf1fb7672f7167c83b220cf6abb890cb5
Dustin Specker 6 months ago
parent
commit
1765e62acb
2 changed files with 109 additions and 0 deletions
  1. 108
    0
      sonobuoy/templates/serviceaccount-readonly.yaml
  2. 1
    0
      sonobuoy/values.yaml

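--- a/sonobuoy/templates/serviceaccount-readonly.yaml
+++ b/sonobuoy/templates/serviceaccount-readonly.yaml
@@ -0,0 +1,108 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Enabling this manifest enables the usage of a ServiceAccount with
+readonly permissions for Sonobuoy plugins that mount the created
+token.
+
+To use this readonly ServiceAccount mount the ServiceAccountToken in
+`values.yaml` like:
+
+```
+conf:
+  plugins:
+    - name: plugin-needing-readonly.yaml
+      data: |
+        sonobuoy-config:
+          driver: Job
+          plugin-name: plugin-needing-readonly
+          result-type: plugin-needing-readonly
+        spec:
+          name: plugin-needing-readonly
+          image: "plugin-needing-readonly:latest"
+          imagePullPolicy: "IfNotPresent"
+          volumeMounts:
+          - mountPath: /tmp/results
+            name: results
+            readOnly: false
+          - name: readonly-token
+            # It's recommended to use this mountPath to overwrite the
+            # Sonobuoy service account credentials that are mounted
+            # by default in the plugin containers to prevent plugins
+            # from accidentally using credentials with full permissions.
+            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+        extra-volumes:
+        - name: readonly-token
+          secret:
+            secretName: sonobuoy-readonly-serviceaccount-token-secret
+```
+
+After mounting the readonly token, the example at
+https://github.com/kubernetes-client/python/tree/3fb2be14e18d84edef094bbd908b6bb3e39aafe6#example
+may be referenced to list pods, etc.
+*/}}
+
+{{- if .Values.manifests.serviceaccount_readonly }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }}
+{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sonobuoy-readonly-clusterrole
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - "*"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sonobuoy-readonly-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sonobuoy-readonly-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: {{ $serviceAccountName }}-token-secret
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/service-account.name: {{ $serviceAccountName }}
+    {{/*
+    post-install hook is required to cause ServiceAccount to be deployed
+    before creating a secret token for it. By default helm deploys secrets
+    before ServiceAccounts which causes this secret to not exist since the
+    ServiceAccount is missing.
+    */}}
+    "helm.sh/hook": "post-install"
+---
+{{- end }}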
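Review bot: The token Secret at the end of the hunk is created only by a `post-install` hook, so a release installed with `manifests.serviceaccount_readonly: false` (the default this commit adds) and later upgraded with it enabled never gets the Secret, and the `extra-volumes` mount shown in the header comment fails on a missing secret; hook resources are also not tracked by the release, so the long-lived token Secret survives `helm delete`, which deserves a comment next to the annotation if it is intended. I would change the annotation to `"helm.sh/hook": "post-install,post-upgrade"` and add `"helm.sh/hook-delete-policy": "before-hook-creation"` so a re-run replaces the previous Secret instead of failing on it (this rotates the token on every upgrade, which plugins should tolerate since the kubelet refreshes secret volumes — confirm against the Sonobuoy plugin lifecycle). Separately, get/list/watch on `*` resources in `*` API groups in the ClusterRole includes `secrets`, so a plugin holding this "readonly" token can read every Secret in the cluster, presumably including the one carrying the full-permission Sonobuoy service-account token that the header comment tries to keep away from plugins; either enumerate the resources explicitly without `secrets`, or add above the ClusterRole `# NOTE: "*" includes secrets, so read-only here still means read access to every Secret (including other service-account tokens) in the cluster.`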

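--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@@ -97,6 +97,7 @@ manifests:
   pod_api: true
   secret_etc: true
   secret_keystone: true
+  serviceaccount_readonly: false
 
 conf:
   publish_results: true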
