From fcbf8b57159be121a7a0ebff41eaae4d3b8d31f8 Mon Sep 17 00:00:00 2001
From: "Christian M. Adams"
Date: Tue, 14 Sep 2021 00:32:28 -0400
Subject: [PATCH 1/3] Reduce awx-operator service account permissions
---
 ansible/templates/role.yml.j2 | 28 +++++++++++++++++++++++++---
 deploy/awx-operator.yaml | 28 +++++++++++++++++++++++++---
 2 files changed, 50 insertions(+), 6 deletions(-)
diff --git a/ansible/templates/role.yml.j2 b/ansible/templates/role.yml.j2
index 391ec61b..60c12b0d 100644
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -11,7 +11,13 @@ rules:
 - routes
 - routes/custom-host
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 - "rbac.authorization.k8s.io"
@@ -28,7 +34,13 @@ rules:
 - roles
 - rolebindings
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apps
 - networking.k8s.io
@@ -39,7 +51,13 @@ rules:
 - statefulsets
 - ingresses
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
@@ -66,6 +84,8 @@ rules:
 - ""
 resources:
 - pods/exec
+ - pods/attach
+ - pods/log # log & attach rules needed to be able to grant them to AWX service account
 verbs:
 - create
 - get
@@ -75,6 +95,8 @@ rules:
 - replicasets
 verbs:
 - get
+ verbs:
+ - create
 - apiGroups:
 - awx.ansible.com
 resources:
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index 4fc65b80..286a537f 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -621,7 +621,13 @@ rules:
 - routes
 - routes/custom-host
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 - "rbac.authorization.k8s.io"
@@ -638,7 +644,13 @@ rules:
 - roles
 - rolebindings
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apps
 - networking.k8s.io
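Review bot: The seven-verb list that replaces `'*'` on the `routes` rule is every RBAC verb except `deletecollection`, so the reduction is marginal, and the identical list is pasted into the `roles`/`rolebindings` and `apps`/`networking.k8s.io` rules (hunks -28 and -39) and again into `deploy/awx-operator.yaml` (-621, -638, and -649 on the next line). A short comment above each `verbs:` list naming the reconcile step that needs each write verb (for example `# create/patch: reconcile the Route for the web UI; delete: finalizer cleanup`, a constructed example) would let a later reviewer drop verbs that no step uses, and a verb without such a step should be removed rather than enumerated. On the `roles`/`rolebindings` rule it is worth recording in a comment that `bind` and `escalate` are deliberately absent, so the API server's escalation check still limits the operator to granting permissions it already holds; that is the property the later `pods/log`/`pods/attach` addition relies on. If `deploy/awx-operator.yaml` is rendered from this template, holding the list in one Jinja variable would keep the two copies from drifting.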
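Review bot: The inline comment on `- pods/log` reads as if it applied to that item only, while the reason covers both `pods/attach` and `pods/log`, and it states the conclusion without the mechanism. Suggest a comment above `- pods/attach` instead, e.g. `# The operator must itself hold these verbs on pods/exec, pods/attach and pods/log: RBAC escalation prevention only lets it grant the AWX service account permissions it already has.` That comment should also make explicit that, with `create` in this rule's verbs, the operator's own service account can open an exec/attach session in any pod the role reaches, which in this patch is still every namespace because the kind is still `ClusterRole`; that is the grant an auditor needs to see. The same addition appears at -676 in `deploy/awx-operator.yaml` on the next line, and the enclosing rule starts outside the hunk.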
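Review bot: The added `verbs:` line is a second `verbs` key in the same rule mapping (the rule listing `replicasets` already has `verbs:` with `- get` two lines up), which is invalid YAML 1.2; lenient loaders keep the last value, so the rule ends up with only `create` and silently loses `get`, while strict decoders reject the manifest outright. The intended shape is `verbs:` / `- get` / `- create`, i.e. keep `+ - create` and drop the added `verbs:` line. The same duplicate is added to `deploy/awx-operator.yaml` at -685 on the next line; patch 2/3 of this series removes the stray line again, so folding that fix into this commit would keep every commit in the series applying a valid Role. The enclosing rule starts outside the hunk.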
@@ -649,7 +661,13 @@ rules:
 - statefulsets
 - ingresses
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
@@ -676,6 +694,8 @@ rules:
 - ""
 resources:
 - pods/exec
+ - pods/attach
+ - pods/log # log & attach rules needed to be able to grant them to AWX service account
 verbs:
 - create
 - get
@@ -685,6 +705,8 @@ rules:
 - replicasets
 verbs:
 - get
+ verbs:
+ - create
 - apiGroups:
 - awx.ansible.com
 resources:
From 58c3ebf4b0e08d95814c2acd2f7b2c206dbcd9a2 Mon Sep 17 00:00:00 2001
From: "Christian M. Adams"
Date: Wed, 15 Sep 2021 15:54:09 -0400
Subject: [PATCH 2/3] Move to a per-namespace deployment approach
* This increases security, the awx-operator SA has less cluster-wide access
* This means one operator can only deploy to a single namespace
* If AWX deployments are needed in multiple namespaces, multiple awx-operators can be deployed to accomplish this.
Signed-off-by: Christian M. Adams
---
 ansible/deploy-operator.yml | 2 +-
 ansible/templates/operator.yml.j2 | 6 ++++--
 ansible/templates/role.yml.j2 | 3 +--
 ansible/templates/role_binding.yml.j2 | 5 ++---
 ansible/templates/service_account.yml.j2 | 1 -
 deploy/awx-operator.yaml | 15 +++++++--------
 .../awx-operator.clusterserviceversion.yaml | 4 ++--
 molecule/default/molecule.yml | 2 +-
 molecule/test-minikube/molecule.yml | 2 +-
 scripts/okd-console.yaml | 2 +-
 10 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/ansible/deploy-operator.yml b/ansible/deploy-operator.yml
index 6caaff16..6839af12 100644
--- a/ansible/deploy-operator.yml
+++ b/ansible/deploy-operator.yml
@@ -5,7 +5,7 @@ - name: Deploy Operator
 hosts: localhost
 vars:
- k8s_namespace: "default"
+ k8s_namespace: "{{ namespace | default('default') }}"
 obliterate: no
 collections:
diff --git a/ansible/templates/operator.yml.j2 b/ansible/templates/operator.yml.j2
index 786478d0..680042a3 100644
--- a/ansible/templates/operator.yml.j2
+++ b/ansible/templates/operator.yml.j2
@@ -22,9 +22,11 @@ spec:
 - mountPath: /tmp/ansible-operator/runner
 name: runner
 env:
- # Watch all namespaces (cluster-scoped).
+ # Watch one namespace (namespace-scoped).
 - name: WATCH_NAMESPACE
- value: ""
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 - name: POD_NAME
 valueFrom:
 fieldRef:
diff --git a/ansible/templates/role.yml.j2 b/ansible/templates/role.yml.j2
index 60c12b0d..adf9828f 100644
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -1,6 +1,6 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 creationTimestamp: null
 name: awx-operator
@@ -95,7 +95,6 @@ rules:
 - replicasets
 verbs:
 - get
- verbs:
 - create
 - apiGroups:
 - awx.ansible.com
diff --git a/ansible/templates/role_binding.yml.j2 b/ansible/templates/role_binding.yml.j2
index c2c64a87..e4e4ab9d 100644
--- a/ansible/templates/role_binding.yml.j2
+++ b/ansible/templates/role_binding.yml.j2
@@ -1,13 +1,12 @@
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: awx-operator
 subjects:
 - kind: ServiceAccount
 name: awx-operator
- namespace: default
 roleRef:
- kind: ClusterRole
+ kind: Role
 name: awx-operator
 apiGroup: rbac.authorization.k8s.io
diff --git a/ansible/templates/service_account.yml.j2 b/ansible/templates/service_account.yml.j2
index 91d79652..c4d60043 100644
--- a/ansible/templates/service_account.yml.j2
+++ b/ansible/templates/service_account.yml.j2
@@ -3,4 +3,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: awx-operator
- namespace: default
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index 286a537f..c56cd8b3 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -610,7 +610,7 @@ spec:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 creationTimestamp: null
 name: awx-operator
@@ -705,7 +705,6 @@ rules:
 - replicasets
 verbs:
 - get
- verbs:
 - create
 - apiGroups:
 - awx.ansible.com
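Review bot: Changing `kind` from `ClusterRoleBinding` to `RoleBinding` under the unchanged name `awx-operator` does not retire the old object: applying the new manifest creates a new namespaced binding and leaves `ClusterRoleBinding/awx-operator` and `ClusterRole/awx-operator` in place, so an upgraded cluster keeps the original cluster-wide grant to the service account in the `default` namespace until someone deletes those two objects by hand. The same applies to the `ClusterRole` → `Role` hunk above (-1 in role.yml.j2) and to both kind changes in `deploy/awx-operator.yaml` (-610 here and -717 on the next line). The README text added in patch 3/3 only says to delete the "role and role binding", which a reader will map to the new kinds; it should name `clusterrole/awx-operator` and `clusterrolebinding/awx-operator` explicitly, and the deploy playbook could remove them itself. A comment above `kind: RoleBinding` such as `# Was a ClusterRoleBinding before 0.14.0; apply does not remove the old cluster-scoped objects, they must be deleted manually` would record this next to the change.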
@@ -717,16 +716,15 @@ rules:
 - '*'
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: awx-operator
 subjects:
 - kind: ServiceAccount
 name: awx-operator
- namespace: default
 roleRef:
- kind: ClusterRole
+ kind: Role
 name: awx-operator
 apiGroup: rbac.authorization.k8s.io
@@ -735,7 +733,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: awx-operator
- namespace: default
 ---
 apiVersion: apps/v1
@@ -761,9 +758,11 @@ spec:
 - mountPath: /tmp/ansible-operator/runner
 name: runner
 env:
- # Watch all namespaces (cluster-scoped).
+ # Watch one namespace (namespace-scoped).
 - name: WATCH_NAMESPACE
- value: ""
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 - name: POD_NAME
 valueFrom:
 fieldRef:
diff --git a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
index 1c995743..9708fe98 100644
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -755,11 +755,11 @@ spec:
 installModes:
 - supported: true
 type: OwnNamespace
- - supported: true
+ - supported: false
 type: SingleNamespace
 - supported: false
 type: MultiNamespace
- - supported: true
+ - supported: false
 type: AllNamespaces
 keywords:
 - awx
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 206e24ac..c110f12a 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -26,4 +26,4 @@ provisioner:
 inventory:
 group_vars:
 all:
- operator_namespace: ${TEST_NAMESPACE:-default}
+ operator_namespace: ${TEST_NAMESPACE:-example-awx}
diff --git a/molecule/test-minikube/molecule.yml b/molecule/test-minikube/molecule.yml
index 5caefcc2..bde1c276 100644
--- a/molecule/test-minikube/molecule.yml
+++ b/molecule/test-minikube/molecule.yml
@@ -19,7 +19,7 @@ provisioner:
 inventory:
 group_vars:
 all:
- operator_namespace: ${TEST_NAMESPACE:-default}
+ operator_namespace: ${TEST_NAMESPACE:-example-awx}
 env:
 ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
 scenario:
diff --git a/scripts/okd-console.yaml b/scripts/okd-console.yaml
index deb0d361..b7dd08b8 100644
--- a/scripts/okd-console.yaml
+++ b/scripts/okd-console.yaml
@@ -1,6 +1,6 @@
 ### Don't run this deployment in production
 ### The current configuration will run the
-### OKD console without any autentication!!!!
+### OKD console without any authentication!!!!
 ###
 ### A prerequisite is to install the OLM
 ### as instructed at https://olm.operatorframework.io/docs/getting-started/#install-released-olm
From 8bd6cffd7bd8c5a3fbc959f89fc03d54aaaae01b Mon Sep 17 00:00:00 2001
From: "Christian M. Adams"
Date: Mon, 20 Sep 2021 17:21:42 -0400
Subject: [PATCH 3/3] Add namespace-scoped upgrade docs & changelog entry
---
 CHANGELOG.md | 4 ++++
 README.md | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd7b8234..ef5e35c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ This is a list of high-level changes for each release of `awx-operator`. A full list of commits can be found at `https://github.com/ansible/awx-operator/releases/tag/`.
+# 0.14.0 (TBA)
+
+- Starting with awx-operator 0.14.0, AWX can only be deployed in the namespace that the operator exists in. See [upgrade docs](#upgrading) for necessary cleanup actions. (Christian Adams) - 58c3ebf (breaking change)
+
 # 0.10.0 (Jun 1, 2021)
 - Make tower_ingress_type to respect ClusterIP definition (Marcelo Moreira de Mello) - e37c091 (breaking_change)
diff --git a/README.md b/README.md
index ec85af54..e84997ac 100644
--- a/README.md
+++ b/README.md
@@ -795,6 +795,11 @@ To upgrade AWX, it is recommended to upgrade the awx-operator to the version tha
 Apply the awx-operator.yml for that release to upgrade the operator, and in turn also upgrade your AWX deployment.
+**Cluster-scope to Namespace-scope considerations**
+
+Starting with awx-operator 0.14.0, AWX can only be deployed in the namespace that the operator exists in. This is called a namespace-scoped operator. If you are upgrading from an earlier version, you will want to
+delete your existing `awx-operator` service account, role and role binding.
+
 ## Contributing
 Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).