Capsule user should be treated as a tenant owner (#19)

* Debug UserInfo * Debug UserInfo * Debug UserInfo * Set ServiceAccountName as env for Capsule pods * Add Stratio CICD Helm Chart integration * Add Stratio CICD Helm Chart integration * Use downward API to get Capsule's service account name * Force Deploy on PRs * Use downward API to get Capsule's service account name Co-authored-by: Unai Arrien <[email protected]>
Stratio · Jun 6, 2022 · 7213792 · 7213792
1 parent 86f7e69
commit 7213792
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 6 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -7,8 +7,10 @@ hose {
     ANCHORE_POLICY = "production"
     VERSIONING_TYPE = 'stratioVersion-3-3'
     UPSTREAM_VERSION = '0.1.1'
+    DEPLOYONPRS = true
 
     DEV = { config ->
         doDocker(conf:config, image:'capsule')
+        doHelmChart(conf: config, helmTarget: "chart")
     }
 }
diff --git a/Makefile b/Makefile
@@ -209,3 +209,6 @@ e2e/%:
 # Stratio CICD flow
 change-version:
 	bin/change-version.sh $(version)
+
+chart:
+	bin/chart.sh $(version)
diff --git a/bin/chart.sh b/bin/chart.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# exit immediately when a command fails
+set -e
+# only exit with zero if all commands of the pipeline exit successfully
+set -o pipefail
+
+NAME="capsule"
+VERSION="${1}"
+echo VERSION: ${VERSION}
+echo "Building HELM3 chart for ${NAME} ${VERSION} version"
+
+# Creating a new dir in the CI build environment
+CHART_TEMP_DIR="target"
+mkdir -p "${CHART_TEMP_DIR}"
+
+cp -R charts/${NAME} "${CHART_TEMP_DIR}/${NAME}"
+helm package "${CHART_TEMP_DIR}/${NAME}" --app-version=${VERSION} --version=${VERSION} --destination="${CHART_TEMP_DIR}"
diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml
@@ -63,6 +63,10 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
           ports:
             - name: webhook-server
               containerPort: 9443

diff --git a/main.go b/main.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	goRuntime "runtime"
+	"strings"
 
 	flag "github.com/spf13/pflag"
 	"go.uber.org/zap/zapcore"
@@ -72,7 +73,7 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var version bool
-	var namespace, configurationName string
+	var namespace, serviceAccountName, capsuleUserName, configurationName string
 	var goFlagSet goflag.FlagSet
 
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
@@ -104,6 +105,13 @@ func main() {
 		os.Exit(1)
 	}
 
+	if serviceAccountName = os.Getenv("SERVICE_ACCOUNT_NAME"); len(serviceAccountName) == 0 {
+		setupLog.Error(fmt.Errorf("unable to determinate the Namespace Capsule is running on"), "unable to start manager")
+		os.Exit(1)
+	}
+
+	capsuleUserName = strings.Join([]string{"system:serviceaccount", namespace, serviceAccountName}, ":")
+
 	if len(configurationName) == 0 {
 		setupLog.Error(fmt.Errorf("missing CapsuleConfiguration resource name"), "unable to start manager")
 		os.Exit(1)
@@ -206,7 +214,7 @@ func main() {
 			route.Service(service.Handler()),
 			route.NetworkPolicy(utils.InCapsuleGroups(cfg, networkpolicy.Handler())),
 			route.Tenant(tenant.NameHandler(), tenant.RoleBindingRegexHandler(), tenant.IngressClassRegexHandler(), tenant.StorageClassRegexHandler(), tenant.ContainerRegistryRegexHandler(), tenant.HostnameRegexHandler(), tenant.FreezedEmitter(), tenant.ServiceAccountNameHandler()),
-			route.OwnerReference(utils.InCapsuleGroups(cfg, ownerreference.Handler(cfg))),
+			route.OwnerReference(utils.InCapsuleGroups(cfg, ownerreference.Handler(cfg, capsuleUserName))),
 			route.Cordoning(tenant.CordoningHandler(cfg), tenant.ResourceCounterHandler()),
 			route.Node(utils.InCapsuleGroups(cfg, node.UserMetadataHandler(cfg, kubeVersion))),
 		)

diff --git a/pkg/webhook/ownerreference/patching.go b/pkg/webhook/ownerreference/patching.go
@@ -27,12 +27,14 @@ import (
 )
 
 type handler struct {
-	cfg configuration.Configuration
+	cfg             configuration.Configuration
+	capsuleUserName string
 }
 
-func Handler(cfg configuration.Configuration) capsulewebhook.Handler {
+func Handler(cfg configuration.Configuration, capsuleUserName string) capsulewebhook.Handler {
 	return &handler{
-		cfg: cfg,
+		cfg:             cfg,
+		capsuleUserName: capsuleUserName,
 	}
 }
 
@@ -76,7 +78,7 @@ func (h *handler) setOwnerRef(ctx context.Context, req admission.Request, client
 			return &response
 		}
 		// Tenant owner must adhere to user that asked for NS creation
-		if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {
+		if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) && req.UserInfo.Username != h.capsuleUserName {
 			recorder.Eventf(tnt, corev1.EventTypeWarning, "NonOwnedTenant", "Namespace %s cannot be assigned to the current Tenant", ns.GetName())
 
 			response := admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")