From 68c9fc1842d2bd6d997348b1a3feaddd6eb0831c Mon Sep 17 00:00:00 2001 
From: Edison Cardenas Date: Tue, 23 May 2023 18:04:00 +1200 Subject: [PATCH 01/18] ARO-1422: UpgradeConfig Policy source codes --- .../aro-deny-upgradeconfig.tmpl | 28 ++ ..._user_create_managed_upgrade_operator.yaml | 49 ++++ ..._user_delete_managed_upgrade_operator.yaml | 49 ++++ ..._user_update_managed_upgrade_operator.yaml | 39 +++ ..._user_create_managed_upgrade_operator.yaml | 49 ++++ ..._user_delete_managed_upgrade_operator.yaml | 49 ++++ ..._user_update_managed_upgrade_operator.yaml | 39 +++ ..._user_create_managed_upgrade_operator.yaml | 49 ++++ ..._user_delete_managed_upgrade_operator.yaml | 49 ++++ ..._user_update_managed_upgrade_operator.yaml | 39 +++ .../aro-deny-upgradeconfig/src.rego | 22 ++ .../aro-deny-upgradeconfig/src_test.rego | 159 +++++++++++ .../aro-deny-upgradeconfig/suite.yaml | 45 +++ .../gktemplates/aro-deny-upgradeconfig.yaml | 270 ++++++++++++++++++ 14 files changed, 935 insertions(+) create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml create mode 100644 
pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl new file mode 100644 index 00000000000..9862a0971f8 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl 
@@ -0,0 +1,28 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: aroupgradeconfig + annotations: + metadata.gatekeeper.sh/title: "UpgradeConfig" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + +spec: + crd: + spec: + names: + kind: AROUpgradeConfig + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + targets: + - target: admission.k8s.gatekeeper.sh + rego: | +{{ file.Read "gktemplates-src/aro-deny-upgradeconfig/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "gktemplates-src/library/common.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..503f181feca --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml 
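Review bot: The `description` text (both in the annotations and in the parameters schema) says the constraint keys on a `cloud.openshift.com` entry in `openshift-config/pull-secret`, but the rego this template embeds from src.rego in this same patch never reads that Secret; it only matches `source: OCM` inside the ConfigMap's `config.yaml` as a proxy. An operator reading the template will assume the pull-secret is consulted, so state what is actually enforced, e.g. `Disallows regular users from creating, updating or deleting the managed-upgrade-operator ConfigMap when its config.yaml sets "source: OCM" (the cluster is OCM-managed).` If the pull-secret really is the intended signal, the rego needs to be changed rather than the description.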
@@ -0,0 +1,49 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-21T09:48:14Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 + oldObject: null + operation: CREATE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 + userInfo: + uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..803d04233b4 
--- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml @@ -0,0 +1,49 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: null + oldObject: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-21T09:48:14Z" + name: managed-upgrade-operator-config-old + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 + operation: DELETE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: 2ed5686f-74cd-41e2-96a2-afcf766fae51 + userInfo: + uid: 1527f3d6-2e89-4b5f-a4bf-8953365c2016 + username: fake-k8s-regular-user 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..cfe4a12a050 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml @@ -0,0 +1,39 @@ +apiVersion: v1 +data: + config.yaml: "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" +kind: ConfigMap +metadata: + creationTimestamp: "2023-05-25T09:48:14Z" + name: managed-upgrade-operator-config-old + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 +operation: UPDATE +options: null +requestKind: + group: "" + kind: ConfigMap + version: v1 +resource: + group: "" + resource: ConfigMap + version: v1 +uid: 0dc3dee4-fed8-42c8-a089-a6d36477c1c4 +userInfo: + uid: 5b7bbd66-0563-4c18-b66b-2771a47959f9 + username: fake-k8s-regular-user 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..13960a821cd --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml 
@@ -0,0 +1,49 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-21T09:48:14Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 + oldObject: null + operation: CREATE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 + userInfo: + uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf + username: system diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..61e1d831179 --- /dev/null 
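Review bot: The "system user" fixtures use `username: system`, which is not a Kubernetes identity that exists on a real cluster (privileged callers look like `system:admin`, `system:serviceaccount:<ns>:<sa>` or ARO's own service identities). Whether a bare `system` is treated as exempt depends entirely on `is_exempted_account` in library/common.rego, which this patch does not include, so the test may pass or fail for reasons unrelated to the policy. Use an identity the exemption helper is known to match, e.g. `username: system:admin`, and keep the same value across the create/update/delete system fixtures.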
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml @@ -0,0 +1,49 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: null + oldObject: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-21T09:48:14Z" + name: managed-upgrade-operator-config-old + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 + operation: DELETE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: 2ed5686f-74cd-41e2-96a2-afcf766fae51 + userInfo: + uid: 1527f3d6-2e89-4b5f-a4bf-8953365c2016 + username: system \ No newline at end of file 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..803f08ba206 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml @@ -0,0 +1,39 @@ +apiVersion: v1 +data: + config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" +kind: ConfigMap +metadata: + creationTimestamp: "2023-05-25T09:48:14Z" + name: managed-upgrade-operator-config-old + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 +operation: UPDATE +options: null +requestKind: + group: "" + kind: ConfigMap + version: v1 +resource: + group: "" + resource: ConfigMap + version: v1 +uid: 0dc3dee4-fed8-42c8-a089-a6d36477c1c4 +userInfo: + uid: 5b7bbd66-0563-4c18-b66b-2771a47959f9 + username: system 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..b8161e550c9 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml 
@@ -0,0 +1,49 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-21T09:48:14Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 + oldObject: null + operation: CREATE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 + userInfo: + uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf + username: fake-k8s-admin-review diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..cce57fb9fd6 
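Review bot: This fixture is meant to show a regular user being denied, yet its `userInfo.username` is `fake-k8s-admin-review` while the matching allow fixture uses `fake-k8s-regular-user`. If `is_exempted_account` in library/common.rego (not part of this patch) matches on an "admin" substring, this case asserts a violation for an account the policy would actually exempt and the suite fails for the wrong reason; if it does not match, the name is merely misleading. Change it to `username: fake-k8s-regular-user` so the only difference from the allow fixture is `source: OCM` in `config.yaml`.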
--- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml @@ -0,0 +1,49 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: null + oldObject: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-21T09:48:14Z" + name: managed-upgrade-operator-config-old + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 + operation: DELETE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: 2ed5686f-74cd-41e2-96a2-afcf766fae51 + userInfo: + uid: 1527f3d6-2e89-4b5f-a4bf-8953365c2016 + username: fake-k8s-regular-user 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..46502d63c86 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml 
@@ -0,0 +1,39 @@ +apiVersion: v1 +data: + config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n + \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" +kind: ConfigMap +metadata: + creationTimestamp: "2023-05-25T09:48:14Z" + name: managed-upgrade-operator-config-old + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: c89909e5-3f29-482e-8f8e-50851fc85459 + resourceVersion: "404152" + uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 +operation: UPDATE +options: null +requestKind: + group: "" + kind: ConfigMap + version: v1 +resource: + group: "" + resource: ConfigMap + version: v1 +uid: 0dc3dee4-fed8-42c8-a089-a6d36477c1c4 +userInfo: + uid: 5b7bbd66-0563-4c18-b66b-2771a47959f9 + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego new file mode 100644 index 00000000000..44c189371aa --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego 
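Review bot: This UPDATE fixture (and the two other `*_update_*` fixtures in this patch) is a bare document with `data`, `operation` and `userInfo` at top level instead of an `admission.k8s.io/v1` `AdmissionReview` with a `request:` block like the CREATE and DELETE fixtures. gator only treats a document as a review when it is an AdmissionReview, so here it is unclear what `input.review.operation` and `input.review.object` resolve to, and there is no `oldObject` at all, which is the one thing that distinguishes an UPDATE from a CREATE in admission. Wrap the content as `apiVersion: admission.k8s.io/v1` / `kind: AdmissionReview` / `request:` with `kind`, `object` (new ConfigMap), `oldObject` (previous ConfigMap), `operation: UPDATE` and `userInfo`, mirroring the create fixture's layout.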
@@ -0,0 +1,22 @@
+package arodenyupgradeconfig
+
+import future.keywords.in
+
+violation[{"msg": msg}] {
+ input.review.operation in ["CREATE", "UPDATE", "DELETE"]
+ name := input.review.object.metadata.name
+
+ ## Check user type
+ not is_exempted_account(input.review)
+
+ ## If regular user and
+ ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret
+ ## ALLOW EDITING
+
+ ## If regular user and
+ ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret
+ ## NOT ALLOWED
+ config_data := input.review.data["config.yaml"]
+ regex.match("source: OCM", config_data)
+ msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig."
+}
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego
new file mode 100644
index 00000000000..82522fe1dfe
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego
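Review bot: `config_data := input.review.data["config.yaml"]` reads a field that does not exist on a Gatekeeper admission review: the request carries the resource under `input.review.object` (and, for DELETE, only under `input.review.oldObject`, with `object` null), so on a live cluster this lookup is undefined, the rule body never completes, and the policy silently denies nothing. The earlier `name := input.review.object.metadata.name` has the same DELETE problem (undefined when `object` is null) and `name` is never used afterwards, so DELETE can never be caught even though it is in the operation list. `regex.match("source: OCM", config_data)` is also an unanchored substring match over the whole YAML blob; parsing the document and comparing `configManager.source` is far harder to fool (if the Gatekeeper build disallows `yaml.unmarshal`, at least anchor it: `regex.match("(?m)^\\s*source:\\s*OCM\\s*$", config_data)`). Note the rule is not scoped to the `managed-upgrade-operator-config` ConfigMap in `openshift-managed-upgrade-operator`; if the constraint's `match` (not in this patch) does not pin name and namespace, add those equality checks inside the rule.

```rego
violation[{"msg": msg}] {
    input.review.operation in ["CREATE", "UPDATE", "DELETE"]
    not is_exempted_account(input.review)
    cm := reviewed_configmap
    # OCM-managed clusters carry `configManager.source: OCM`; regular users must not touch that config.
    cfg := yaml.unmarshal(cm.data["config.yaml"])
    cfg.configManager.source == "OCM"
    msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig."
}

# DELETE requests carry the resource in oldObject (object is null); CREATE/UPDATE carry it in object.
reviewed_configmap := input.review.object { input.review.operation != "DELETE" }
reviewed_configmap := input.review.oldObject { input.review.operation == "DELETE" }
```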
@@ -0,0 +1,159 @@ +package arodenyupgradeconfig + +test_input_allowed_regular_user_update_upgradeconfig { + input := { "review": fake_ocm_upgradeconfig("regular-user","test","UPDATE") } + results := violation with input as input + count(results) == 0 +} + +test_input_disallowed_regular_user_update_upgradeconfig { + input := { "review": fake_ocm_upgradeconfig("regular-user","test","UPDATE") } + results := violation with input as input + count(results) == 1 +} + +test_input_allowed_system_user_update_upgradeconfig { + input := { "review": fake_ocm_upgradeconfig("system:admin","test","UPDATE") } + results := violation with input as input + count(results) == 0 +} + +test_allowed_regular_user_delete_upgradeconfig { + input := { "review": fake_local_upgradeconfig("regular-user","test","DELETE") } + results := violation with input as input + count(results) == 0 +} + +test_disallowed_regular_user_delete_upgradeconfig { + input := { "review": fake_ocm_upgradeconfig("regular-user","test","DELETE") } + results := violation with input as input + count(results) == 1 +} + +test_allowed_system_user_delete_upgradeconfig { + input := { "review": fake_ocm_upgradeconfig("system:admin","test","DELETE") } + results := violation with input as input + count(results) == 0 +} + +test_allowed_regular_user_create_upgradeconfig { + input := { "review": fake_local_upgradeconfig("regular-user","test","CREATE") } + results := violation with input as input + count(results) == 0 +} + +test_disallowed_regular_user_create_upgradeconfig { + input := { "review": fake_ocm_upgradeconfig("regular-user","test","CREATE") } + results := violation with input as input + count(results) == 1 +} + +test_create_allowed_system_user_create_upgradeconfig { + input := { "review": fake_ocm_upgradeconfig("system:admin","test","CREATE") } + results := violation with input as input + count(results) == 0 +} + +fake_ocm_upgradeconfig(group, username, operation) = output { + output = { + { + "apiVersion": "v1", + "data": { 
+ "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-25T09:48:14Z", + "name": "managed-upgrade-operator-config-old", + "namespace": "openshift-managed-upgrade-operator", + "ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "c89909e5-3f29-482e-8f8e-50851fc85459" + } + ], + "resourceVersion": "404152", + "uid": "2e349cc1-034e-4f8b-9377-34ba9620c418" + }, + "operation": operation, + "options": null, + "requestKind": { + "group": "", + "kind": "ConfigMap", + "version": "v1" + }, + "resource": { + "group": "", + "resource": "ConfigMap", + "version": "v1" + }, + "uid": "0dc3dee4-fed8-42c8-a089-a6d36477c1c4", + "userInfo": { + "uid": "5b7bbd66-0563-4c18-b66b-2771a47959f9", + "username": username + } + } + } +} + +fake_local_upgradeconfig(group, username, operation) = output { + output = { + { + "apiVersion": "admission.k8s.io/v1", + "kind": "AdmissionReview", + "request": { + "dryRun": true, + "kind": { + "group": "", + "kind": "ConfigMap", + "version": "v1" + }, + "object": { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n 
ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-21T09:48:14Z", + "name": "managed-upgrade-operator-config", + "namespace": "openshift-managed-upgrade-operator", + "ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "c89909e5-3f29-482e-8f8e-50851fc85459" + } + ], + "resourceVersion": "404152", + "uid": "2e349cc1-034e-4f8b-9377-34ba9620c418" + } + }, + "oldObject": null, + "operation": operation, + "options": null, + "requestKind": { + "group": "", + "kind": "ConfigMap", + "version": "v1" + }, + "resource": { + "group": "", + "resource": "ConfigMap", + "version": "v1" + }, + "uid": "080407a7-d907-4c9a-8b17-67b637b97dce", + "userInfo": { + "uid": "0e4ced82-9535-4eaf-b65c-b091754cbd20", + "username": username + } + } + } + } \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml new file mode 100644 index 00000000000..6fd8faadd7a --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml 
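Review bot: `test_input_allowed_regular_user_update_upgradeconfig` and `test_input_disallowed_regular_user_update_upgradeconfig` build the identical input, `fake_ocm_upgradeconfig("regular-user","test","UPDATE")`, and assert `count(results) == 0` and `== 1` respectively, so one of the two must fail; the allowed case should use `fake_local_upgradeconfig` as the CREATE and DELETE allowed tests do. The helpers are also miscalled: their signature is `(group, username, operation)` but every "system user" test passes `"system:admin"` as `group`, which is never read, and `"test"` as `username`, so no test actually exercises `is_exempted_account` with a privileged identity. Finally, both helpers return `output = { { ... } }`, a set containing the object, and `fake_local_upgradeconfig` wraps everything in an AdmissionReview with a `request` key, whereas src.rego reads `input.review.operation` and `input.review.object` directly, so `input.review` in these tests is never the shape the policy expects; drop the outer braces and return the request fields themselves. Since src.rego calls `is_exempted_account` from library/common.rego, the tests will also only resolve that name if `opa test` is run with the library in the same package.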
@@ -0,0 +1,45 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: upgradeconfig +tests: +- name: upgradeconfig-tests + template: ../../gktemplates/aro-deny-upgradeconfig.yaml + constraint: ../../gkconstraints-test/aro-upgradeconfig.yaml + cases: + - name: create-upgradeconfig-allowed-regular-user + object: gator-test/allow_regular_user_create_managed_upgrade_operator.yaml + assertions: + - violations: no + - name: create-upgradeconfig-allowed-system-user + object: gator-test/allow_system_user_create_managed_upgrade_operator.yaml + assertions: + - violations: no + - name: create-upgradeconfig-not-allowed-regular-user + object: gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml + assertions: + - violations: yes + - name: update-upgradeconfig-allowed-regular-user + object: gator-test/allow_regular_user_update_managed_upgrade_operator.yaml + assertions: + - violations: no + - name: update-upgradeconfig-allowed-system-user + object: gator-test/allow_system_user_update_managed_upgrade_operator.yaml + assertions: + - violations: no + - name: update-upgradeconfig-allowed-regular-user + object: gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml + assertions: + - violations: yes + - name: delete-upgradeconfig-allowed-regular-user + object: gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-allowed-system-user + object: gator-test/allow_system_user_delete_managed_upgrade_operator.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-allowed-regular-user + object: gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml + assertions: + - violations: yes \ No newline at end of file 
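Review bot: Two case names are reused, which makes gator's per-case output ambiguous: `update-upgradeconfig-allowed-regular-user` names both the allow and the not_allow update cases, and `delete-upgradeconfig-allowed-regular-user` does the same for delete. Rename the `not_allow_*` cases to `update-upgradeconfig-not-allowed-regular-user` and `delete-upgradeconfig-not-allowed-regular-user`, mirroring the create case. The constraint path `../../gkconstraints-test/aro-upgradeconfig.yaml` is not part of this patch's file list, so the suite presumably depends on a constraint added elsewhere; worth confirming it exists before this is merged.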
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml new file mode 100644 index 00000000000..9cce77057b9 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml 
@@ -0,0 +1,270 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: aroupgradeconfig + annotations: + metadata.gatekeeper.sh/title: "UpgradeConfig" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + +spec: + crd: + spec: + names: + kind: AROUpgradeConfig + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package arodenyupgradeconfig + + import future.keywords.in + + violation[{"msg": msg}] { + input.review.operation in ["CREATE", "UPDATE", "DELETE"] + name := input.review.object.metadata.name + + ## Check user type + not is_exempted_account(input.review) + + ## If regular user and + ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret + ## ALLOW EDITING + + ## If regular user and + ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret + ## NOT ALLOWED + config_data := input.review.data["config.yaml"] + regex.match("source: OCM", config_data) + msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." + } + libs: + - | + package lib.common + import future.keywords.in + + # shared structures, functions, etc. 
+ + is_priv_namespace(ns) { + privileged_ns[ns] + } + + privileged_ns = { + # Kubernetes specific namespaces + "kube-node-lease", + "kube-public", + "kube-system", + + # ARO specific namespaces + "openshift-azure-logging", + "openshift-azure-operator", + "openshift-managed-upgrade-operator", + + # OCP namespaces + "openshift", + "openshift-apiserver", + "openshift-apiserver-operator", + "openshift-authentication-operator", + "openshift-cloud-controller-manager", + "openshift-cloud-controller-manager-operator", + "openshift-cloud-credential-operator", + "openshift-cluster-csi-drivers", + "openshift-cluster-machine-approver", + "openshift-cluster-node-tuning-operator", + "openshift-cluster-samples-operator", + "openshift-cluster-storage-operator", + "openshift-cluster-version", + "openshift-config", + "openshift-config-managed", + "openshift-config-operator", + "openshift-console", + "openshift-console-operator", + "openshift-console-user-settings", + "openshift-controller-manager", + "openshift-controller-manager-operator", + "openshift-dns", + "openshift-dns-operator", + "openshift-etcd", + "openshift-etcd-operator", + "openshift-host-network", + "openshift-image-registry", + "openshift-ingress", + "openshift-ingress-canary", + "openshift-ingress-operator", + "openshift-insights", + "openshift-kni-infra", + "openshift-kube-apiserver", + "openshift-kube-apiserver-operator", + "openshift-kube-controller-manager", + "openshift-kube-controller-manager-operator", + "openshift-kube-scheduler", + "openshift-kube-scheduler-operator", + "openshift-kube-storage-version-migrator", + "openshift-kube-storage-version-migrator-operator", + "openshift-machine-api", + "openshift-machine-config-operator", + "openshift-marketplace", + "openshift-monitoring", + "openshift-multus", + "openshift-network-diagnostics", + "openshift-network-operator", + "openshift-oauth-apiserver", + "openshift-openstack-infra", + "openshift-operators", + "openshift-operator-lifecycle-manager", + 
"openshift-ovirt-infra", + "openshift-sdn", + "openshift-service-ca", + "openshift-service-ca-operator" + } + + exempted_service_account = { + "default", + "aro-sre", + "openshift-apiserver-operator", + "openshift-apiserver-sa", + "authentication-operator", + "geneva", + "aro-operator-worker", + "cluster-cloud-controller-manager", + "cloud-credential-operator", + "azure-disk-csi-driver-controller-sa", + "azure-disk-csi-driver-node-sa", + "azure-disk-csi-driver-operator", + "machine-approver-sa", + "cluster-node-tuning-operator", + "tuned", + "cluster-samples-operator", + "cluster-storage-operator", + "csi-snapshot-controller", + "csi-snapshot-controller-operator", + "openshift-config-operator", + "console-operator", + "console", + "openshift-controller-manager-operator", + "openshift-controller-manager-sa", + "dns-operator", + "dns", + "node-resolver", + "etcd-operator", + "cluster-image-registry-operator", + "registry", + "node-ca", + "ingress-operator", + "router", + "operator", + "kube-apiserver-operator", + "kube-controller-manager-operator", + "openshift-kube-scheduler-operator", + "kube-storage-version-migrator-operator", + "kube-storage-version-migrator-sa", + "cluster-autoscaler-operator", + "cluster-baremetal-operator", + "cluster-baremetal-operator", + "machine-api-controllers", + "machine-api-operator", + "machine-config-controller", + "machine-config-daemon", + "machine-config-server", + "managed-upgrade-operator", + "marketplace-operator", + "alertmanager-main", + "cluster-monitoring-operator", + "grafana", + "kube-state-metrics", + "node-exporter", + "openshift-state-metrics", + "prometheus-adapter", + "prometheus-k8s", + "prometheus-operator", + "thanos-querier", + "multus", + "metrics-daemon-sa", + "network-diagnostics", + "oauth-apiserver-sa", + "collect-profiles", + "olm-operator-serviceaccount", + "sdn", + "sdn-controller", + "service-ca-operator", + "service-ca", + "pruner", + "machine-api-termination-handler", + "aro-operator-master", + 
"installer-sa" + } + + get_service_account(obj) = spec { + obj.kind == "Pod" + spec := obj.spec.serviceAccountName + } { + obj.kind == "CronJob" + spec := obj.spec.jobTemplate.spec.template.spec.serviceAccountName + } { + obj.kind in ["ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] + spec := obj.spec.template.spec.serviceAccountName + } + + has_service_account(obj) { + obj.kind in ["Pod","CronJob","ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] + } + + get_user_info(review) = info { + has_field(review.userInfo, "username") + username := get_user(review) + info := sprintf("user name %v", [username]) + } { + not has_field(review.userInfo, "username") + has_service_account(review.object) + sa := get_service_account(review.object) + info := sprintf("service account %v", [sa]) + } + + # this setup is to handle below case: + # user default::notfound not allowed to operate in namespace openshift-kube-scheduler + # + # assume for cmdline operations, userInfo is always present, which is the only key for user identity + # while for serviceAccount operations, no userInfo is present, and we have to rely on the serviceAccountName field in the object + + is_exempted_account(review) { + has_field(review.userInfo, "username") + username := get_user(review) + is_exempted_user(username) + print("exempted user:", username) + } { + not has_field(review.userInfo, "username") + sa := get_service_account(review.object) + is_exempted_service_account(sa) + print("exempted account:", sa) + } + + is_exempted_service_account(user) { + exempted_service_account[user] + } + + get_user(review) = name { + not has_field(review.userInfo, "username") + name = "notfound" + } { + has_field(review.userInfo, "username") + name = review.userInfo.username + print(name) + } + + has_field(object, field) = true { + object[field] + } + + is_exempted_user(user) { + exempted_user[user] + } + + exempted_user = { + "system:admin" # comment out 
temporarily for testing in console + } From 9f1b11c6457cfabc127ae10663bc2b89e0cd6e18 Mon Sep 17 00:00:00 2001 From: Edison Cardenas Date: Thu, 25 May 2023 17:31:36 +1200 Subject: [PATCH 02/18] ARO-1422: Update opa and gator tests. Add documentation to run opa docker container. --- .../controllers/guardrails/policies/README.md | 11 + ..._user_update_managed_upgrade_operator.yaml | 87 +++-- ..._user_create_managed_upgrade_operator.yaml | 2 +- ..._user_delete_managed_upgrade_operator.yaml | 2 +- ..._user_update_managed_upgrade_operator.yaml | 87 +++-- ..._user_create_managed_upgrade_operator.yaml | 2 +- ..._user_update_managed_upgrade_operator.yaml | 113 ++++-- .../aro-deny-upgradeconfig/src.rego | 26 +- .../aro-deny-upgradeconfig/src_test.rego | 342 ++++++++++++------ .../aro-deny-upgradeconfig/suite.yaml | 2 +- .../gktemplates/aro-deny-upgradeconfig.yaml | 26 +- 11 files changed, 472 insertions(+), 228 deletions(-) diff --git a/pkg/operator/controllers/guardrails/policies/README.md b/pkg/operator/controllers/guardrails/policies/README.md index 143aa48c01a..9ddb90c4415 100644 --- a/pkg/operator/controllers/guardrails/policies/README.md +++ b/pkg/operator/controllers/guardrails/policies/README.md @@ -146,6 +146,17 @@ spec: opa test ../library/common.rego *.rego [-v] #-v for verbose ``` +* Using docker, get the OPA docker image - https://hub.docker.com/r/openpolicyagent/opa/. + Run the test as: +```sh +#### Format #### +docker run -it ::Z openpolicyagent/opa test [/*.rego] /src.rego /src_test.rego + + +##### Example ##### +$ docker run -it -v /home/ecardena/dev/ARO-RP/pkg/operator/controllers/guardrails/policies/gktemplates-src:/gktemplates-src:Z openpolicyagent/opa test /gktemplates-src/library/common.rego /gktemplates-src/aro-deny-upgradeconfig/src.rego /gktemplates-src/aro-deny-upgradeconfig/src_test.rego -v +``` + ## Generate the Constraint Templates * install gomplate which is used by generate.sh, see https://docs.gomplate.ca/installing/ 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml index cfe4a12a050..3801a313b96 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml 
@@ -1,39 +1,48 @@ -apiVersion: v1 -data: - config.yaml: "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" -kind: ConfigMap -metadata: - creationTimestamp: "2023-05-25T09:48:14Z" - name: managed-upgrade-operator-config-old - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 -operation: UPDATE -options: null -requestKind: - group: "" - kind: ConfigMap - version: v1 -resource: - group: "" - resource: ConfigMap - version: v1 -uid: 0dc3dee4-fed8-42c8-a089-a6d36477c1c4 -userInfo: - uid: 5b7bbd66-0563-4c18-b66b-2771a47959f9 - username: fake-k8s-regular-user +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n + \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 
8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-06-17T23:51:02Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 + resourceVersion: "29355" + uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 + operation: UPDATE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: fe8e8b30-14c3-4192-8d78-9c53caebce55 + userInfo: + uid: 23e15c39-db6a-403b-83da-17389de821d5 + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml index 13960a821cd..a151d55a4c9 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml @@ -46,4 +46,4 @@ request: uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 userInfo: uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf - username: system + username: system:admin 
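Review bot: The rewritten AdmissionReview carries `object` but no `oldObject`, while the UPDATE/DELETE rule added to src.rego in this same commit reads `input.review.oldObject.data["config.yaml"]`; with that field absent the rule is undefined, so `violations: no` holds whatever the `source:` value is and this case cannot detect a regression in the LOCAL-source path. The not_allow regular-user update fixture in this commit already includes an `oldObject` block mirroring `object`; add the same block here with `source: LOCAL`. The same gap is in allow_system_user_update_managed_upgrade_operator.yaml, where the `system:admin` exemption is what the case is meant to prove.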
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml index 61e1d831179..f06001fab38 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml @@ -46,4 +46,4 @@ request: uid: 2ed5686f-74cd-41e2-96a2-afcf766fae51 userInfo: uid: 1527f3d6-2e89-4b5f-a4bf-8953365c2016 - username: system \ No newline at end of file + username: system:admin \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml index 803f08ba206..930fe405c97 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml 
@@ -1,39 +1,48 @@ -apiVersion: v1 -data: - config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" -kind: ConfigMap -metadata: - creationTimestamp: "2023-05-25T09:48:14Z" - name: managed-upgrade-operator-config-old - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 -operation: UPDATE -options: null -requestKind: - group: "" - kind: ConfigMap - version: v1 -resource: - group: "" - resource: ConfigMap - version: v1 -uid: 0dc3dee4-fed8-42c8-a089-a6d36477c1c4 -userInfo: - uid: 5b7bbd66-0563-4c18-b66b-2771a47959f9 - username: system +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n + \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n 
timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-06-17T23:51:02Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 + resourceVersion: "29355" + uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 + operation: UPDATE + options: null + requestKind: + group: "" + kind: ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: fe8e8b30-14c3-4192-8d78-9c53caebce55 + userInfo: + uid: 23e15c39-db6a-403b-83da-17389de821d5 + username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml index b8161e550c9..f3a858f7fc4 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml @@ -46,4 +46,4 @@ request: uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 userInfo: uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf - username: fake-k8s-admin-review + username: fake-k8s-regular-user 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml index 46502d63c86..e9f00f600d9 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml 
@@ -1,39 +1,74 @@ -apiVersion: v1 -data: - config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" -kind: ConfigMap -metadata: - creationTimestamp: "2023-05-25T09:48:14Z" - name: managed-upgrade-operator-config-old - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 -operation: UPDATE -options: null -requestKind: - group: "" - kind: ConfigMap - version: v1 -resource: - group: "" - resource: ConfigMap - version: v1 -uid: 0dc3dee4-fed8-42c8-a089-a6d36477c1c4 -userInfo: - uid: 5b7bbd66-0563-4c18-b66b-2771a47959f9 - username: fake-k8s-regular-user +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ConfigMap + version: v1 + object: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n + \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 
8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-17T23:51:02Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 + resourceVersion: "29355" + uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 + oldObject: + apiVersion: v1 + data: + config.yaml: "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n + \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n + \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n + \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n + \ - openshift-azure-logging\n" + kind: ConfigMap + metadata: + creationTimestamp: "2023-05-17T23:51:02Z" + name: managed-upgrade-operator-config-old + namespace: openshift-managed-upgrade-operator + ownerReferences: + - apiVersion: aro.openshift.io/v1alpha1 + blockOwnerDeletion: true + controller: true + kind: Cluster + name: cluster + uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 + resourceVersion: "29355" + uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 + operation: UPDATE + options: null + requestKind: + group: "" + kind: 
ConfigMap + version: v1 + resource: + group: "" + resource: ConfigMap + version: v1 + uid: d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9 + userInfo: + uid: 109561ea-68ee-45ca-82be-96733b504593 + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego index 44c189371aa..7e7521e0fbc 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego @@ -1,9 +1,11 @@ package arodenyupgradeconfig +import data.lib.common.is_exempted_account import future.keywords.in +# Use object violation[{"msg": msg}] { - input.review.operation in ["CREATE", "UPDATE", "DELETE"] + input.review.operation in ["CREATE"] name := input.review.object.metadata.name ## Check user type 
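Review bot: `input.review.operation in ["CREATE"]` is a membership test against a one-element list; `input.review.operation == "CREATE"` states the intent directly and matches the header comment `# Use object`. The comment itself would be more useful if it said why: `# CREATE: the new ConfigMap is in review.object; UPDATE/DELETE read review.oldObject below`. The rule body continues outside this hunk.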
@@ -16,7 +18,27 @@ violation[{"msg": msg}] { ## If regular user and ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret ## NOT ALLOWED - config_data := input.review.data["config.yaml"] + config_data := input.review.object.data["config.yaml"] regex.match("source: OCM", config_data) msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." } + +# Use oldObject +violation[{"msg": msg}] { + input.review.operation in ["UPDATE", "DELETE"] + name := input.review.object.metadata.name + + ## Check user type + not is_exempted_account(input.review) + + ## If regular user and + ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret + ## ALLOW EDITING + + ## If regular user and + ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret + ## NOT ALLOWED + config_data := input.review.oldObject.data["config.yaml"] + regex.match("source: OCM", config_data) + msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." +} \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego index 82522fe1dfe..b8e9822a71b 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego 
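Review bot: Both rules decide on `regex.match("source: OCM", config_data)`, a substring search over the raw YAML, so any equivalent spelling of the same setting (`source: "OCM"`, extra spacing, a different key order) is not matched, while the literal text appearing anywhere in the document — a comment, another key — is. Parse the document instead: `cfg := yaml.unmarshal(config_data)` followed by `cfg.configManager.source == "OCM"`, in both rules. The new rule also binds `name := input.review.object.metadata.name` without using it; besides failing under `opa check --strict`, it makes the UPDATE/DELETE rule depend on `review.object`, so if the webhook delivers a DELETE with `object` null and only `oldObject` set, the whole rule becomes undefined and the deletion is allowed — drop the binding. The two rule bodies differ only in `object` vs `oldObject`; a helper such as `config_source(review) = d { review.operation == "CREATE"; d := review.object.data["config.yaml"] } { review.operation in ["UPDATE", "DELETE"]; d := review.oldObject.data["config.yaml"] }` would leave one violation rule.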
@@ -1,159 +1,295 @@ package arodenyupgradeconfig test_input_allowed_regular_user_update_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("regular-user","test","UPDATE") } + input := { "review": fake_local_update_delete_upgradeconfig("regular-user","regular-user","UPDATE") } results := violation with input as input count(results) == 0 } test_input_disallowed_regular_user_update_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("regular-user","test","UPDATE") } + input := { "review": fake_ocm_update_delete_upgradeconfig("regular-user","regular-user","UPDATE") } results := violation with input as input count(results) == 1 } test_input_allowed_system_user_update_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("system:admin","test","UPDATE") } + input := { "review": fake_ocm_update_delete_upgradeconfig("system:admin","system:admin","UPDATE") } results := violation with input as input count(results) == 0 } test_allowed_regular_user_delete_upgradeconfig { - input := { "review": fake_local_upgradeconfig("regular-user","test","DELETE") } + input := { "review": fake_local_update_delete_upgradeconfig("regular-user","regular-user","DELETE") } results := violation with input as input count(results) == 0 } test_disallowed_regular_user_delete_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("regular-user","test","DELETE") } + input := { "review": fake_ocm_update_delete_upgradeconfig("regular-user","regular-user","DELETE") } results := violation with input as input count(results) == 1 } test_allowed_system_user_delete_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("system:admin","test","DELETE") } + input := { "review": fake_ocm_update_delete_upgradeconfig("system:admin","system:admin","DELETE") } results := violation with input as input count(results) == 0 } test_allowed_regular_user_create_upgradeconfig { - input := { "review": fake_local_upgradeconfig("regular-user","test","CREATE") } + input := { "review": 
fake_local_upgradeconfig("regular-user","regular-user","CREATE") } results := violation with input as input count(results) == 0 } test_disallowed_regular_user_create_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("regular-user","test","CREATE") } + input := { "review": fake_ocm_upgradeconfig("regular-user","regular-user","CREATE") } results := violation with input as input count(results) == 1 } test_create_allowed_system_user_create_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("system:admin","test","CREATE") } + input := { "review": fake_ocm_upgradeconfig("system:admin","system:admin","CREATE") } results := violation with input as input count(results) == 0 } fake_ocm_upgradeconfig(group, username, operation) = output { - output = { - { - "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-25T09:48:14Z", - "name": "managed-upgrade-operator-config-old", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": "cluster", - "uid": "c89909e5-3f29-482e-8f8e-50851fc85459" - } - ], - "resourceVersion": "404152", - "uid": "2e349cc1-034e-4f8b-9377-34ba9620c418" - }, - 
"operation": operation, - "options": null, - "requestKind": { - "group": "", - "kind": "ConfigMap", - "version": "v1" - }, - "resource": { - "group": "", - "resource": "ConfigMap", - "version": "v1" - }, - "uid": "0dc3dee4-fed8-42c8-a089-a6d36477c1c4", - "userInfo": { - "uid": "5b7bbd66-0563-4c18-b66b-2771a47959f9", - "username": username + output = { + "object": { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-17T23:51:02Z", + "name": "managed-upgrade-operator-config", + "namespace": "openshift-managed-upgrade-operator", + "ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" + } + ], + "resourceVersion": "29355", + "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" + } + }, + "oldObject": null, + "operation": operation, + "options": null, + "requestKind": { + "group": "", + "kind": "ConfigMap", + "version": "v1" + }, + "resource": { + "group": "", + "resource": "ConfigMap", + "version": "v1" + }, + "uid": "b65854be-5d3f-4e79-959c-3055d7cc530a", + "userInfo": { + "uid": "ada3819c-bb2b-46c8-8b80-7073c379ba4b", + "username": username + } + } } + + + 
+fake_ocm_update_delete_upgradeconfig(group, username, operation) = output { + output = { + "object": { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-17T23:51:02Z", + "name": "managed-upgrade-operator-config", + "namespace": "openshift-managed-upgrade-operator", + "ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" + } + ], + "resourceVersion": "29355", + "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" + } + }, + "oldObject": { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - 
openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-17T23:51:02Z", + "name": "managed-upgrade-operator-config-old", + "namespace": "openshift-managed-upgrade-operator", + "ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" + } + ], + "resourceVersion": "29355", + "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" + } + }, + "operation": operation, + "options": null, + "requestKind": { + "group": "", + "kind": "ConfigMap", + "version": "v1" + }, + "resource": { + "group": "", + "resource": "ConfigMap", + "version": "v1" + }, + "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", + "userInfo": { + "uid": "109561ea-68ee-45ca-82be-96733b504593", + "username": username + } + } } - } -} + + + +fake_local_update_delete_upgradeconfig(group, username, operation) = output { + output = { + "object": { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-17T23:51:02Z", + "name": "managed-upgrade-operator-config", + "namespace": "openshift-managed-upgrade-operator", + 
"ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" + } + ], + "resourceVersion": "29355", + "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" + } + }, + "oldObject": { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-17T23:51:02Z", + "name": "managed-upgrade-operator-config-old", + "namespace": "openshift-managed-upgrade-operator", + "ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" + } + ], + "resourceVersion": "29355", + "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" + } + }, + "operation": operation, + "options": null, + "requestKind": { + "group": "", + "kind": "ConfigMap", + "version": "v1" + }, + "resource": { + "group": "", + "resource": "ConfigMap", + "version": "v1" + }, + "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", + "userInfo": { + "uid": "109561ea-68ee-45ca-82be-96733b504593", + "username": username + } + } + } + + fake_local_upgradeconfig(group, username, operation) = output { output = { 
- { - "apiVersion": "admission.k8s.io/v1", - "kind": "AdmissionReview", - "request": { - "dryRun": true, - "kind": { - "group": "", - "kind": "ConfigMap", - "version": "v1" - }, - "object": { - "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-21T09:48:14Z", - "name": "managed-upgrade-operator-config", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": "cluster", - "uid": "c89909e5-3f29-482e-8f8e-50851fc85459" + "object": { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - 
openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + "metadata": { + "creationTimestamp": "2023-05-17T23:51:02Z", + "name": "managed-upgrade-operator-config", + "namespace": "openshift-managed-upgrade-operator", + "ownerReferences": [ + { + "apiVersion": "aro.openshift.io/v1alpha1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Cluster", + "name": "cluster", + "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" + } + ], + "resourceVersion": "29355", + "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" } - ], - "resourceVersion": "404152", - "uid": "2e349cc1-034e-4f8b-9377-34ba9620c418" - } - }, - "oldObject": null, - "operation": operation, - "options": null, - "requestKind": { - "group": "", - "kind": "ConfigMap", - "version": "v1" - }, - "resource": { - "group": "", - "resource": "ConfigMap", - "version": "v1" - }, - "uid": "080407a7-d907-4c9a-8b17-67b637b97dce", - "userInfo": { - "uid": "0e4ced82-9535-4eaf-b65c-b091754cbd20", - "username": username + }, + "oldObject": null, + "operation": operation, + "options": null, + "requestKind": { + "group": "", + "kind": "ConfigMap", + "version": "v1" + }, + "resource": { + "group": "", + "resource": "ConfigMap", + "version": "v1" + }, + "uid": "b65854be-5d3f-4e79-959c-3055d7cc530a", + "userInfo": { + "uid": "ada3819c-bb2b-46c8-8b80-7073c379ba4b", + "username": username + } } } - } - } \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml index 6fd8faadd7a..5d46ae5cfd5 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml 
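Review bot: The new UPDATE fixtures put the same source in both `object` and `oldObject` (`fake_ocm_update_delete_upgradeconfig` is OCM/OCM, `fake_local_update_delete_upgradeconfig` is LOCAL/LOCAL), so no test pins which side the policy must consult — a regular user flipping `source: OCM` to `source: LOCAL` in one UPDATE (old OCM, new LOCAL, must be denied) is precisely the case the split into an object rule and an oldObject rule exists for, and it is untested. Likewise every DELETE fixture carries a full `object`, whereas a real DELETE request has `object: null` and the resource only in `oldObject`, so these tests cannot detect the rule failing to evaluate in that shape. A mixed fixture (old OCM, new LOCAL, `count(results) == 1`) and a DELETE fixture with `"object": null` would close both gaps. The `group` parameter of all three helpers is never read and the tests now pass the username twice; it could be dropped.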
@@ -27,7 +27,7 @@ tests: object: gator-test/allow_system_user_update_managed_upgrade_operator.yaml assertions: - violations: no - - name: update-upgradeconfig-allowed-regular-user + - name: update-upgradeconfig-not-allowed-regular-user object: gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml assertions: - violations: yes diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml index 9cce77057b9..d4b103f9410 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml @@ -24,10 +24,12 @@ spec: rego: | package arodenyupgradeconfig + import data.lib.common.is_exempted_account import future.keywords.in + # Use object violation[{"msg": msg}] { - input.review.operation in ["CREATE", "UPDATE", "DELETE"] + input.review.operation in ["CREATE"] name := input.review.object.metadata.name ## Check user type 
@@ -40,7 +42,27 @@ spec: ## If regular user and ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret ## NOT ALLOWED - config_data := input.review.data["config.yaml"] + config_data := input.review.object.data["config.yaml"] + regex.match("source: OCM", config_data) + msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." + } + + # Use oldObject + violation[{"msg": msg}] { + input.review.operation in ["UPDATE", "DELETE"] + name := input.review.object.metadata.name + + ## Check user type + not is_exempted_account(input.review) + + ## If regular user and + ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret + ## ALLOW EDITING + + ## If regular user and + ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret + ## NOT ALLOWED + config_data := input.review.oldObject.data["config.yaml"] regex.match("source: OCM", config_data) msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." } From 943adcf2ca2c8613884371431d46f86423d105a8 Mon Sep 17 00:00:00 2001 From: Edison Cardenas Date: Fri, 26 May 2023 17:42:15 +1200 Subject: [PATCH 03/18] ARO-1422: Update names and add missing constraint for UpgradeConfig policy --- .../gkconstraints/aro-upgradeconfig-deny.yaml | 13 +++++++++++++ .../aro-deny-upgradeconfig.tmpl | 4 ++-- .../gktemplates-src/aro-deny-upgradeconfig/src.rego | 4 +--- .../aro-deny-upgradeconfig/suite.yaml | 4 ++-- .../gktemplates/aro-deny-upgradeconfig.yaml | 4 ++-- 5 files changed, 20 insertions(+), 9 deletions(-) create mode 100644 pkg/operator/controllers/guardrails/policies/gkconstraints/aro-upgradeconfig-deny.yaml 
diff --git a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-upgradeconfig-deny.yaml b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-upgradeconfig-deny.yaml new file mode 100644 index 00000000000..7c805d4422b --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-upgradeconfig-deny.yaml @@ -0,0 +1,13 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: ARODenyUpgradeConfig +metadata: + name: aro-deny-upgradeconfig-modification +spec: + enforcementAction: {{.Enforcement}} + match: + namespaces: ["openshift-managed-upgrade-operator"] + kinds: + - apiGroups: [""] + kinds: ["ConfigMap"] + - apiGroups: ["upgrade.managed.openshift.io"] + kinds: ["UpgradeConfig"] diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl index 9862a0971f8..6d1a1af4c1c 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl @@ -1,7 +1,7 @@ apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: - name: aroupgradeconfig + name: arodenyupgradeconfig annotations: metadata.gatekeeper.sh/title: "UpgradeConfig" metadata.gatekeeper.sh/version: 1.0.0 @@ -12,7 +12,7 @@ spec: crd: spec: names: - kind: AROUpgradeConfig + kind: ARODenyUpgradeConfig validation: # Schema for the `parameters` field openAPIV3Schema: diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego index 7e7521e0fbc..b46ec164ffb 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego 
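Review bot: The constraint matches `apiGroups: ["upgrade.managed.openshift.io"]` / `kinds: ["UpgradeConfig"]`, but the rego in this series only reads `data["config.yaml"]` from the reviewed object, a field an UpgradeConfig does not have, so for that kind the rule body is undefined and the match is a silent no-op rather than a deny. Either the template gains a rule keyed on the UpgradeConfig kind, or the second `kinds` entry is misleading and should go, with `# ConfigMap only: the template inspects data["config.yaml"]` left on the match. Note also that the namespace-scoped match covers every ConfigMap in `openshift-managed-upgrade-operator`, not just `managed-upgrade-operator-config`; that is acceptable while the rego selects by content, but worth a comment so nobody narrows the rego without narrowing the match.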
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego @@ -6,7 +6,6 @@ import future.keywords.in # Use object violation[{"msg": msg}] { input.review.operation in ["CREATE"] - name := input.review.object.metadata.name ## Check user type not is_exempted_account(input.review) @@ -26,8 +25,7 @@ violation[{"msg": msg}] { # Use oldObject violation[{"msg": msg}] { input.review.operation in ["UPDATE", "DELETE"] - name := input.review.object.metadata.name - + ## Check user type not is_exempted_account(input.review) diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml index 5d46ae5cfd5..5041164d3d9 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml @@ -4,8 +4,8 @@ metadata: name: upgradeconfig tests: - name: upgradeconfig-tests - template: ../../gktemplates/aro-deny-upgradeconfig.yaml - constraint: ../../gkconstraints-test/aro-upgradeconfig.yaml + template: ../../gktemplates/aro-upgradeconfig-deny.yaml + constraint: ../../gkconstraints-test/aro-upgradeconfig-deny.yaml cases: - name: create-upgradeconfig-allowed-regular-user object: gator-test/allow_regular_user_create_managed_upgrade_operator.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml index d4b103f9410..43929b10efd 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml 
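Review bot: The suite now points at `template: ../../gktemplates/aro-upgradeconfig-deny.yaml`, but the template this same patch edits is `gktemplates/aro-deny-upgradeconfig.yaml` (diff header immediately below) and no rename appears in the patch, so gator will fail to load the suite unless the file is renamed elsewhere. The constraint path `../../gkconstraints-test/aro-upgradeconfig-deny.yaml` likewise differs from the `gkconstraints/aro-upgradeconfig-deny.yaml` added here; if `gkconstraints-test` is a generated directory that is fine, but the template line should read `template: ../../gktemplates/aro-deny-upgradeconfig.yaml` or the template file be renamed to match.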
@@ -1,7 +1,7 @@ apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: - name: aroupgradeconfig + name: arodenyupgradeconfig annotations: metadata.gatekeeper.sh/title: "UpgradeConfig" metadata.gatekeeper.sh/version: 1.0.0 @@ -12,7 +12,7 @@ spec: crd: spec: names: - kind: AROUpgradeConfig + kind: ARODenyUpgradeConfig validation: # Schema for the `parameters` field openAPIV3Schema: From e69d5e7da033a7225145c7338ace6bc46434172d Mon Sep 17 00:00:00 2001 From: Edison Cardenas Date: Tue, 30 May 2023 19:30:23 +1200 Subject: [PATCH 04/18] ARO-1422: Add logic to retrieve data.inventory --- .../aro-deny-upgradeconfig/src.rego | 43 +++++---------- .../aro-deny-upgradeconfig/src_test.rego | 53 ++++++++++--------- 2 files changed, 42 insertions(+), 54 deletions(-) diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego index b46ec164ffb..1e72f479f43 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego 
@@ -3,40 +3,25 @@ package arodenyupgradeconfig import data.lib.common.is_exempted_account import future.keywords.in + # Use object +# To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] violation[{"msg": msg}] { - input.review.operation in ["CREATE"] + input.review.operation in ["CREATE", "UPDATE", "DELETE"] - ## Check user type + # ## Check user type not is_exempted_account(input.review) - ## If regular user and - ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret - ## ALLOW EDITING - - ## If regular user and - ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret - ## NOT ALLOWED - config_data := input.review.object.data["config.yaml"] - regex.match("source: OCM", config_data) - msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." -} - -# Use oldObject -violation[{"msg": msg}] { - input.review.operation in ["UPDATE", "DELETE"] - - ## Check user type - not is_exempted_account(input.review) + # ## If regular user and + # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret + # ## ALLOW EDITING - ## If regular user and - ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret - ## ALLOW EDITING + # ## If regular user and + # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret + # ## NOT ALLOWED + # config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] + # regex.match("source: OCM", config_data) + # msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig." 
+ msg := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"] - ## If regular user and - ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret - ## NOT ALLOWED - config_data := input.review.oldObject.data["config.yaml"] - regex.match("source: OCM", config_data) - msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." } \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego index b8e9822a71b..3b2d333eabb 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego 
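Review bot: As committed, the only remaining check in the rule is `not is_exempted_account(input.review)`; the `config_data` lookup, the `regex.match("source: OCM", ...)` test and the string message are all commented out, and `msg` is instead bound to the whole `data.inventory...["ConfigMap"]` object, so every non-exempt CREATE/UPDATE/DELETE is denied regardless of source and the violation carries an object where Gatekeeper expects a string message. The three commented lines should be restored and the `msg := data.inventory...` debug line dropped: `config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]`, `regex.match("source: OCM", config_data)`, `msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig."`. Worth a comment on the rule as well: when that ConfigMap is absent from `data.inventory` (sync not configured, or the cache not yet populated) the lookup is undefined and the rule does not fire, i.e. the policy fails open, so the inventory sync is a hard prerequisite rather than an optimisation. The retained `# Use object` comment no longer describes the rule, which reads nothing from `input.review.object` now.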
@@ -8,10 +8,34 @@ test_input_allowed_regular_user_update_upgradeconfig { test_input_disallowed_regular_user_update_upgradeconfig { input := { "review": fake_ocm_update_delete_upgradeconfig("regular-user","regular-user","UPDATE") } - results := violation with input as input + inv := ocm_inventory_data([]) + results := violation with input as input with data.inventory as inv count(results) == 1 } +ocm_inventory_data([]) = out { + out = { + "namespace": { + "openshift-managed-upgrade-operator": { + "v1": { + "data": { + "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap", + } + } + } + { + "apiVersion": "v1", + "data": { + "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" + }, + "kind": "ConfigMap" + } 
+ } + } +} + test_input_allowed_system_user_update_upgradeconfig { input := { "review": fake_ocm_update_delete_upgradeconfig("system:admin","system:admin","UPDATE") } results := violation with input as input 
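Review bot: `ocm_inventory_data` as committed is not valid Rego — after the `"namespace"` object closes, a second bare object (`{ "apiVersion": "v1", ... }`) follows with no key, and one more `}` closes than opens — and its shape stops at `["v1"]["data"]`, whereas the policy's own comment indexes `["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]`, so even once it parses the lookup is undefined and the test would see zero violations instead of the expected one. Taking a literal `[]` as the parameter is also odd; a constant rule is the usual way to hold a fixture. The rewrite below gives the fixture the `data.inventory.namespace[ns][groupVersion][kind][name]` layout the policy expects; the call site becomes `inv := ocm_inventory_data`.
```rego
ocm_inventory_data = {
	"namespace": {
		"openshift-managed-upgrade-operator": {
			"v1": {
				"ConfigMap": {
					"managed-upgrade-operator-config": {
						"apiVersion": "v1",
						"kind": "ConfigMap",
						"data": {
							# … unchanged: the "config.yaml" literal from the hunk …
						}
					}
				}
			}
		}
	}
}
```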
@@ -56,31 +80,10 @@ test_create_allowed_system_user_create_upgradeconfig { fake_ocm_upgradeconfig(group, username, operation) = output { output = { - "object": { - "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-17T23:51:02Z", - "name": "managed-upgrade-operator-config", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": "cluster", - "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" - } - ], - "resourceVersion": "29355", - "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" - } + + "data": { + "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - 
openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" }, - "oldObject": null, "operation": operation, "options": null, "requestKind": { From 1063b0f70f2896820f1d7d094c66249ef06ad91b Mon Sep 17 00:00:00 2001 
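Review bot: `fake_ocm_upgradeconfig` now returns a review with `data` directly on the request (the `object` wrapper and `oldObject` were removed), a shape no AdmissionRequest has; since the rule at this point reads nothing from `input.review` but the user info, that `data` block is dead weight that misleads about what the policy inspects, and it should either be kept under `"object"` or dropped. The CREATE tests that still call this helper without `with data.inventory as` are outside the hunk; if they keep expecting `count(results) == 1`, they will presumably now fail, since the violation depends solely on the inventory.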
From: Edison Cardenas Date: Wed, 31 May 2023 19:06:33 +1200 Subject: [PATCH 05/18] ARO-1422: Update implementation to retrieve from data.inventory document. Includes gator and opa tests --- .../aro-deny-upgradeconfig/README.md | 3 + .../gatekeeper-config.yaml | 17 + ..._user_create_managed_upgrade_operator.yaml | 49 --- ..._user_delete_managed_upgrade_operator.yaml | 49 --- ..._user_update_managed_upgrade_operator.yaml | 48 --- ..._user_create_managed_upgrade_operator.yaml | 49 --- ..._user_delete_managed_upgrade_operator.yaml | 49 --- ..._user_update_managed_upgrade_operator.yaml | 48 --- .../gator-test/inventory_config_local.yaml | 16 + .../gator-test/inventory_config_ocm.yaml | 16 + ..._user_create_managed_upgrade_operator.yaml | 49 --- ..._user_delete_managed_upgrade_operator.yaml | 49 --- ..._user_update_managed_upgrade_operator.yaml | 74 ----- ..._user_create_managed_upgrade_operator.yaml | 36 +++ ..._user_delete_managed_upgrade_operator.yaml | 36 +++ ..._user_update_managed_upgrade_operator.yaml | 48 +++ ..._user_create_managed_upgrade_operator.yaml | 36 +++ ..._user_delete_managed_upgrade_operator.yaml | 36 +++ ..._user_update_managed_upgrade_operator.yaml | 48 +++ .../aro-deny-upgradeconfig/src.rego | 8 +- .../aro-deny-upgradeconfig/src_test.rego | 290 +++--------------- .../aro-deny-upgradeconfig/suite.yaml | 64 +++- .../gktemplates/aro-deny-upgradeconfig.yaml | 43 +-- .../gk_audit_controller_deployment.yaml | 1 + 24 files changed, 407 insertions(+), 755 deletions(-) create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml delete mode 100644 
pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_local.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_ocm.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml create mode 100644 
pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml
create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml
create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml
create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md
new file mode 100644
index 00000000000..9db82fbbdd1
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md
@@ -0,0 +1,3 @@
+# UpgradeConfig Policy
+
+This policy needs the 'gatekeeper-config.yaml' installed to the cluster in order to retrieve data from data.inventory document.
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml
new file mode 100644
index 00000000000..6aeaf287afd
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml
@@ -0,0 +1,17 @@
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+ name: config
+ namespace: "openshift-azure-guardrails"
+spec:
+ match:
+ - excludedNamespaces: ["kube-*","openshift-kube-*","openshift","openshift-etcd*","openshift-monitoring","default","gatekeeper-system","openshift-apiserver*","openshift-authentication*","openshift-logging","openshift-redhat-marketplace","openshift-operators","openshift-user-workload-monitoring","openshift-pipelines","openshift-marketplace","openshift-multus","openshift-network*","openshift-vsphere-*","openshift-config-*","openshift-console","openshift-service-ca*","openshift-azure*","openshift-cloud*","openshift-sdn"]
+ processes: ["*"]
+ sync:
+ syncOnly:
+ - group: ""
+ version: "v1"
+ kind: "ConfigMap"
+ - group: ""
+ version: "v1"
+ kind: "Namespace"
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml
deleted file mode 100644
index 503f181feca..00000000000
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_create_managed_upgrade_operator.yaml
+++ /dev/null
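Review bot: The `excludedNamespaces` list is paired with `processes: ["*"]`, so, if Gatekeeper's Config semantics apply as I understand them, it does more than limit what is synced into data.inventory: every listed namespace, including the wildcard entries `openshift-azure*` and `openshift-cloud*`, is also exempted from webhook and audit enforcement of all constraints, which is a much wider effect than the README's stated purpose and is not explained anywhere in the file. Likewise `syncOnly` caches every ConfigMap from every non-excluded namespace in Gatekeeper's memory, although the policy only needs `managed-upgrade-operator-config` in `openshift-managed-upgrade-operator`; ConfigMaps can hold sensitive data, so the intended scope should be recorded, and the `Namespace` entry justified if nothing else needs it. I would add at the top `# Sync scope for data.inventory: ConfigMap and Namespace only. NOTE: with processes "*" the excludedNamespaces below are also exempt from audit/webhook enforcement.`. Whether the operator actually applies this file (it sits under gktemplates-src) is not visible in this chunk.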
@@ -1,49 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-21T09:48:14Z" - name: managed-upgrade-operator-config - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 - oldObject: null - operation: CREATE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 - userInfo: - uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf - username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml deleted file mode 100644 index 803d04233b4..00000000000 
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: null - oldObject: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: LOCAL\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-21T09:48:14Z" - name: managed-upgrade-operator-config-old - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 - operation: DELETE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: 2ed5686f-74cd-41e2-96a2-afcf766fae51 - userInfo: - uid: 1527f3d6-2e89-4b5f-a4bf-8953365c2016 - username: fake-k8s-regular-user 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml
deleted file mode 100644
index 3801a313b96..00000000000
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_regular_user_update_managed_upgrade_operator.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n - \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-06-17T23:51:02Z" - name: managed-upgrade-operator-config - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 - resourceVersion: "29355" - uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 - operation: UPDATE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: fe8e8b30-14c3-4192-8d78-9c53caebce55 - userInfo: - uid: 23e15c39-db6a-403b-83da-17389de821d5 - username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml deleted file mode 100644 index a151d55a4c9..00000000000 
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_create_managed_upgrade_operator.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-21T09:48:14Z" - name: managed-upgrade-operator-config - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 - oldObject: null - operation: CREATE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 - userInfo: - uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf - username: system:admin 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml
deleted file mode 100644
index f06001fab38..00000000000
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_delete_managed_upgrade_operator.yaml
+++ /dev/null
@@ -1,49 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: null - oldObject: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-21T09:48:14Z" - name: managed-upgrade-operator-config-old - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 - operation: DELETE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: 2ed5686f-74cd-41e2-96a2-afcf766fae51 - userInfo: - uid: 1527f3d6-2e89-4b5f-a4bf-8953365c2016 - username: system:admin \ No newline at end of file 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml
deleted file mode 100644
index 930fe405c97..00000000000
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/allow_system_user_update_managed_upgrade_operator.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n - \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-06-17T23:51:02Z" - name: managed-upgrade-operator-config - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 - resourceVersion: "29355" - uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 - operation: UPDATE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: fe8e8b30-14c3-4192-8d78-9c53caebce55 - userInfo: - uid: 23e15c39-db6a-403b-83da-17389de821d5 - username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_local.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_local.yaml new file mode 100644 index 00000000000..c73a4648ba4 --- /dev/null 
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_local.yaml
@@ -0,0 +1,16 @@
+kind: ConfigMap
+metadata:
+ creationTimestamp: "2023-05-31T03:24:37Z"
+ name: managed-upgrade-operator-config
+ namespace: openshift-managed-upgrade-operator
+apiVersion: v1
+name: managed-upgrade-operator-config
+data:
+ config.yaml: "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n
+ \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n
+ \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:
+ ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:
+ 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n
+ \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n
+ \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n
+ \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n"
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_ocm.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_ocm.yaml
new file mode 100644
index 00000000000..77ecb689c39
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_ocm.yaml
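Review bot: The fixture carries a top-level `name: managed-upgrade-operator-config` next to `metadata.name`, which is not a ConfigMap field; unless gator's inventory loader reads that key, drop the line so the fixture has the same shape as the object Gatekeeper syncs into data.inventory (the inventory_config_ocm.yaml hunk has the same line). A one-line comment naming the field the policy reads would also make the pair self-explanatory, since the only value that differs between the two fixtures is presumably the decisive one, e.g. `# Only configManager.source differs from inventory_config_ocm.yaml; the rest of config.yaml is filler.`.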
@@ -0,0 +1,16 @@
+kind: ConfigMap
+metadata:
+ creationTimestamp: "2023-05-31T03:24:37Z"
+ name: managed-upgrade-operator-config
+ namespace: openshift-managed-upgrade-operator
+apiVersion: v1
+name: managed-upgrade-operator-config
+data:
+ config.yaml: "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n
+ \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n
+ \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:
+ ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:
+ 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n
+ \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n
+ \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n
+ \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n"
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml
deleted file mode 100644
index f3a858f7fc4..00000000000
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml
+++ /dev/null
@@ -1,49 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-21T09:48:14Z" - name: managed-upgrade-operator-config - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 - oldObject: null - operation: CREATE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: d7d1754c-510c-4c1d-8352-25a6a265b2c5 - userInfo: - uid: cbf07b83-0a79-4979-9d57-ca8a0d150dcf - username: fake-k8s-regular-user 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml
deleted file mode 100644
index cce57fb9fd6..00000000000
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml
+++ /dev/null
@@ -1,49 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: null - oldObject: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n - \ \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-21T09:48:14Z" - name: managed-upgrade-operator-config-old - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: c89909e5-3f29-482e-8f8e-50851fc85459 - resourceVersion: "404152" - uid: 2e349cc1-034e-4f8b-9377-34ba9620c418 - operation: DELETE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: 2ed5686f-74cd-41e2-96a2-afcf766fae51 - userInfo: - uid: 1527f3d6-2e89-4b5f-a4bf-8953365c2016 - username: fake-k8s-regular-user 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml
deleted file mode 100644
index e9f00f600d9..00000000000
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml
+++ /dev/null
@@ -1,74 +0,0 @@ -apiVersion: admission.k8s.io/v1 -kind: AdmissionReview -request: - dryRun: true - kind: - group: "" - kind: ConfigMap - version: v1 - object: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n - \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-17T23:51:02Z" - name: managed-upgrade-operator-config - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 - resourceVersion: "29355" - uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 - oldObject: - apiVersion: v1 - data: - config.yaml: "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n - \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n - \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: - ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: - 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n - \ ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - \ - openshift-operators\n - 
openshift-user-workload-monitoring\n - openshift-pipelines\n - \ - openshift-azure-logging\n" - kind: ConfigMap - metadata: - creationTimestamp: "2023-05-17T23:51:02Z" - name: managed-upgrade-operator-config-old - namespace: openshift-managed-upgrade-operator - ownerReferences: - - apiVersion: aro.openshift.io/v1alpha1 - blockOwnerDeletion: true - controller: true - kind: Cluster - name: cluster - uid: a7ed5f21-7396-46f5-92a8-62a282ab84a3 - resourceVersion: "29355" - uid: e9072b15-9119-4ef9-a7fe-c187ba03dde7 - operation: UPDATE - options: null - requestKind: - group: "" - kind: ConfigMap - version: v1 - resource: - group: "" - resource: ConfigMap - version: v1 - uid: d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9 - userInfo: - uid: 109561ea-68ee-45ca-82be-96733b504593 - username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..9ad08e0b884 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml 
@@ -0,0 +1,36 @@
+apiVersion: admission.k8s.io/v1
+kind: AdmissionReview
+request:
+ dryRun: true
+ kind:
+ group: ""
+ kind: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ object:
+ apiVersion: upgrade.managed.openshift.io/v1alpha1
+ kind: UpgradeConfig
+ metadata:
+ name: managed-upgrade-config
+ namespace: openshift-managed-upgrade-operator
+ spec:
+ PDBForceDrainTimeout: 60
+ desired:
+ channel: stable-4.10
+ version: 4.10.55
+ type: ARO
+ upgradeAt: "2023-05-29T10:00:00Z"
+ oldObject: null
+ operation: CREATE
+ options: null
+ requestKind:
+ group: ""
+ kind: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ resource:
+ group: ""
+ resource: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ uid: e952ffa6-fd19-4d17-a7da-a98cb510c061
+ userInfo:
+ uid: eed44a0f-c0e7-469c-a489-9c3970988f2c
+ username: fake-k8s-regular-user
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml
new file mode 100644
index 00000000000..69d964352ec
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml
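Review bot: `request.kind`, `requestKind` and `resource` leave `group: ""` and put the whole API group into `version`, which is not the shape the API server sends for a custom resource; a real review carries `group: upgrade.managed.openshift.io`, `version: v1alpha1` and, for `resource`, the lowercase plural `resource: upgradeconfigs`. If the constraint's match criteria are keyed on that group (the template is outside this chunk), gator may never treat these fixtures as in scope, so a "deny" expectation could pass for the wrong reason while a real request has a different shape than anything tested. I would change the three stanzas to `group: upgrade.managed.openshift.io` / `version: v1alpha1` and keep `object.apiVersion` as is; the same applies to the regular_user_delete, regular_user_update, system_user_create and system_user_delete hunks that follow, and to the system_user_update file whose hunk is past the end of this chunk.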
@@ -0,0 +1,36 @@
+apiVersion: admission.k8s.io/v1
+kind: AdmissionReview
+request:
+ dryRun: true
+ kind:
+ group: ""
+ kind: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ object: null
+ oldObject:
+ apiVersion: upgrade.managed.openshift.io/v1alpha1
+ kind: UpgradeConfig
+ metadata:
+ name: managed-upgrade-config-old
+ namespace: openshift-managed-upgrade-operator
+ spec:
+ PDBForceDrainTimeout: 60
+ desired:
+ channel: stable-4.10
+ version: 4.10.55
+ type: ARO
+ upgradeAt: "2023-05-29T10:00:00Z"
+ operation: DELETE
+ options: null
+ requestKind:
+ group: ""
+ kind: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ resource:
+ group: ""
+ resource: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ uid: 8142ab84-2f03-4508-a20d-39629e4ed52c
+ userInfo:
+ uid: a076564f-f9f9-4b08-9d8f-8231c89b9d20
+ username: fake-k8s-regular-user
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml
new file mode 100644
index 00000000000..6acb5bfa40b
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml
@@ -0,0 +1,48 @@
+apiVersion: admission.k8s.io/v1
+kind: AdmissionReview
+request:
+ dryRun: true
+ kind:
+ group: ""
+ kind: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ object:
+ apiVersion: upgrade.managed.openshift.io/v1alpha1
+ kind: UpgradeConfig
+ metadata:
+ name: managed-upgrade-config
+ namespace: openshift-managed-upgrade-operator
+ spec:
+ PDBForceDrainTimeout: 60
+ desired:
+ channel: stable-4.10
+ version: 4.10.55
+ type: ARO
+ upgradeAt: "2023-05-29T10:00:00Z"
+ oldObject:
+ apiVersion: upgrade.managed.openshift.io/v1alpha1
+ kind: UpgradeConfig
+ metadata:
+ name: managed-upgrade-config-old
+ namespace: openshift-managed-upgrade-operator
+ spec:
+ PDBForceDrainTimeout: 60
+ desired:
+ channel: stable-4.10
+ version: 4.10.55
+ type: ARO
+ upgradeAt: "2023-05-29T10:00:00Z"
+ operation: UPDATE
+ options: null
+ requestKind:
+ group: ""
+ kind: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ resource:
+ group: ""
+ resource: UpgradeConfig
+ version: upgrade.managed.openshift.io/v1alpha1
+ uid: 42bc7c7d-cde2-43ad-afe0-42c7db2e2923
+ userInfo:
+ uid: 85c23dfa-51a2-4481-beb1-c92848b2730a
+ username: fake-k8s-regular-user
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml
new file mode 100644
index 00000000000..4a3ce3d1ea3
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml
@@ -0,0 +1,36 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + object: + apiVersion: upgrade.managed.openshift.io/v1alpha1 + kind: UpgradeConfig + metadata: + name: managed-upgrade-config + namespace: openshift-managed-upgrade-operator + spec: + PDBForceDrainTimeout: 60 + desired: + channel: stable-4.10 + version: 4.10.55 + type: ARO + upgradeAt: "2023-05-29T10:00:00Z" + oldObject: null + operation: CREATE + options: null + requestKind: + group: "" + kind: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + resource: + group: "" + resource: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + uid: e952ffa6-fd19-4d17-a7da-a98cb510c061 + userInfo: + uid: eed44a0f-c0e7-469c-a489-9c3970988f2c + username: system:admin \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..ff8af3eff7b --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml 
@@ -0,0 +1,36 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + object: null + oldObject: + apiVersion: upgrade.managed.openshift.io/v1alpha1 + kind: UpgradeConfig + metadata: + name: managed-upgrade-config-old + namespace: openshift-managed-upgrade-operator + spec: + PDBForceDrainTimeout: 60 + desired: + channel: stable-4.10 + version: 4.10.55 + type: ARO + upgradeAt: "2023-05-29T10:00:00Z" + operation: DELETE + options: null + requestKind: + group: "" + kind: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + resource: + group: "" + resource: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + uid: 8142ab84-2f03-4508-a20d-39629e4ed52c + userInfo: + uid: a076564f-f9f9-4b08-9d8f-8231c89b9d20 + username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml new file mode 100644 index 00000000000..d337a2071ff --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml 
@@ -0,0 +1,48 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + object: + apiVersion: upgrade.managed.openshift.io/v1alpha1 + kind: UpgradeConfig + metadata: + name: managed-upgrade-config + namespace: openshift-managed-upgrade-operator + spec: + PDBForceDrainTimeout: 60 + desired: + channel: stable-4.10 + version: 4.10.55 + type: ARO + upgradeAt: "2023-05-29T10:00:00Z" + oldObject: + apiVersion: upgrade.managed.openshift.io/v1alpha1 + kind: UpgradeConfig + metadata: + name: managed-upgrade-config-old + namespace: openshift-managed-upgrade-operator + spec: + PDBForceDrainTimeout: 60 + desired: + channel: stable-4.10 + version: 4.10.55 + type: ARO + upgradeAt: "2023-05-29T10:00:00Z" + operation: UPDATE + options: null + requestKind: + group: "" + kind: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + resource: + group: "" + resource: UpgradeConfig + version: upgrade.managed.openshift.io/v1alpha1 + uid: 42bc7c7d-cde2-43ad-afe0-42c7db2e2923 + userInfo: + uid: 85c23dfa-51a2-4481-beb1-c92848b2730a + username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego index 1e72f479f43..56a140d8fda 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego 
@@ -19,9 +19,7 @@ violation[{"msg": msg}] {
 # ## If regular user and
 # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret
 # ## NOT ALLOWED
- # config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]
- # regex.match("source: OCM", config_data)
- # msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig."
- msg := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]
-
+ config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]
+ regex.match("source: OCM", config_data)
+ msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig."
 }
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego
index 3b2d333eabb..f86302cc925 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego
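Review bot: The new `config_data := data.inventory.namespace[...]["config.yaml"]` line makes this deny rule fail open: when the ConfigMap is not in the inventory (cache still warming, sync Config not applied, object absent) the reference is undefined, the rule body is false, and a regular user's CREATE/UPDATE/DELETE of the UpgradeConfig is admitted with no violation. That should be a deliberate decision, either a second `violation` rule guarded by `not data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]` that denies when the source of truth is unavailable, or at least a comment such as `# ConfigMap absent from inventory => rule undefined => request admitted; depends on the Config syncOnly entry for ConfigMap` so the fail-open is visible. `regex.match("source: OCM", config_data)` is also an unanchored substring search over the whole document, so a commented-out or differently nested `source: OCM` would trip it; parsing the document with `cfg := yaml.unmarshal(config_data)` and testing `cfg.configManager.source == "OCM"` checks the field the comment actually describes (assuming the Gatekeeper build permits that builtin). The surrounding `# ##` comments still describe a `cloud.openshift.com` entry in the `openshift-config/pull-secret` Secret while the code now reads the managed-upgrade-operator ConfigMap, and should be rewritten to match. The generated template hunk for `gktemplates/aro-deny-upgradeconfig.yaml` further down carries the identical body and needs the same change via the .tmpl.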
@@ -1,173 +1,74 @@ package arodenyupgradeconfig test_input_allowed_regular_user_update_upgradeconfig { - input := { "review": fake_local_update_delete_upgradeconfig("regular-user","regular-user","UPDATE") } - results := violation with input as input + input := { "review": input_configmap("regular-user","regular-user","UPDATE") } + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv count(results) == 0 } test_input_disallowed_regular_user_update_upgradeconfig { - input := { "review": fake_ocm_update_delete_upgradeconfig("regular-user","regular-user","UPDATE") } - inv := ocm_inventory_data([]) + input := { "review": input_configmap("regular-user","regular-user","UPDATE") } + inv := inv_data(create_data_ocm([])) results := violation with input as input with data.inventory as inv + print("Input: ",input) + print("Inventory: ",inv) count(results) == 1 } -ocm_inventory_data([]) = out { - out = { - "namespace": { - "openshift-managed-upgrade-operator": { - "v1": { - "data": { - "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap", - } - } - } - { - "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - 
ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap" - } - } - } -} - test_input_allowed_system_user_update_upgradeconfig { - input := { "review": fake_ocm_update_delete_upgradeconfig("system:admin","system:admin","UPDATE") } - results := violation with input as input + input := { "review": input_configmap("system:admin","system:admin","UPDATE") } + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv count(results) == 0 } test_allowed_regular_user_delete_upgradeconfig { - input := { "review": fake_local_update_delete_upgradeconfig("regular-user","regular-user","DELETE") } - results := violation with input as input + input := { "review": input_configmap("regular-user","regular-user","DELETE") } + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv count(results) == 0 } test_disallowed_regular_user_delete_upgradeconfig { - input := { "review": fake_ocm_update_delete_upgradeconfig("regular-user","regular-user","DELETE") } - results := violation with input as input + input := { "review": input_configmap("regular-user","regular-user","DELETE") } + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv count(results) == 1 } test_allowed_system_user_delete_upgradeconfig { - input := { "review": fake_ocm_update_delete_upgradeconfig("system:admin","system:admin","DELETE") } - results := violation with input as input + input := { "review": 
input_configmap("system:admin","system:admin","DELETE") } + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv count(results) == 0 } test_allowed_regular_user_create_upgradeconfig { - input := { "review": fake_local_upgradeconfig("regular-user","regular-user","CREATE") } - results := violation with input as input + input := { "review": input_configmap("regular-user","regular-user","CREATE") } + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv count(results) == 0 } test_disallowed_regular_user_create_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("regular-user","regular-user","CREATE") } - results := violation with input as input + input := { "review": input_configmap("regular-user","regular-user","CREATE") } + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv count(results) == 1 } test_create_allowed_system_user_create_upgradeconfig { - input := { "review": fake_ocm_upgradeconfig("system:admin","system:admin","CREATE") } - results := violation with input as input + input := { "review": input_configmap("system:admin","system:admin","CREATE") } + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv count(results) == 0 } -fake_ocm_upgradeconfig(group, username, operation) = output { - output = { - - "data": { - "config.yaml": "configManager:\n source: OCM\n ocmBaseUrl: https://api.openshift.com\n \n watchInterval: 60\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n - 
openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" - }, - "operation": operation, - "options": null, - "requestKind": { - "group": "", - "kind": "ConfigMap", - "version": "v1" - }, - "resource": { - "group": "", - "resource": "ConfigMap", - "version": "v1" - }, - "uid": "b65854be-5d3f-4e79-959c-3055d7cc530a", - "userInfo": { - "uid": "ada3819c-bb2b-46c8-8b80-7073c379ba4b", - "username": username - } - } - } - - -fake_ocm_update_delete_upgradeconfig(group, username, operation) = output { +input_configmap(group, username, operation) = output { output = { - "object": { - "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-17T23:51:02Z", - "name": "managed-upgrade-operator-config", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": "cluster", - "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" - } - ], - "resourceVersion": "29355", - "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" - } - }, - "oldObject": { - "apiVersion": "v1", - "data": { - "config.yaml": 
"configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-17T23:51:02Z", - "name": "managed-upgrade-operator-config-old", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": "cluster", - "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" - } - ], - "resourceVersion": "29355", - "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" - } - }, "operation": operation, - "options": null, - "requestKind": { - "group": "", - "kind": "ConfigMap", - "version": "v1" - }, - "resource": { - "group": "", - "resource": "ConfigMap", - "version": "v1" - }, "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", "userInfo": { "uid": "109561ea-68ee-45ca-82be-96733b504593", 
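Review bot: Every regular-user test pairs the review with either `create_data_local` or `create_data_ocm`, so the one situation this rewrite introduces, the ConfigMap missing from `data.inventory`, is never exercised, and that is exactly where `violation` silently becomes undefined. Add a case that evaluates `violation with input as input with data.inventory as {"namespace": {}}` for a regular-user UPDATE and pins whichever count is intended. The helper keeps the name `input_configmap` and its `group` parameter appears unused in the part of its body visible here, even though the review it builds is now for an UpgradeConfig; renaming it (for example `input_upgradeconfig`) and dropping the unused parameter would keep the fixtures honest. The body of `input_configmap` continues past the end of this hunk.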
@@ -176,123 +77,30 @@ fake_ocm_update_delete_upgradeconfig(group, username, operation) = output { } } +inv_data(obj) = output { + output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} +} - -fake_local_update_delete_upgradeconfig(group, username, operation) = output { +create_data_ocm([]) = output { output = { - "object": { - "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-17T23:51:02Z", - "name": "managed-upgrade-operator-config", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": "cluster", - "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" - } - ], - "resourceVersion": "29355", - "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" - } - }, - "oldObject": { "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n 
timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + "managed-upgrade-operator-config" : { + "data": { + "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + } }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-17T23:51:02Z", - "name": "managed-upgrade-operator-config-old", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": "cluster", - "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" - } - ], - "resourceVersion": "29355", - "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" - } - }, - "operation": operation, - "options": null, - "requestKind": { - "group": "", - "kind": "ConfigMap", - "version": "v1" - }, - "resource": { - "group": "", - "resource": "ConfigMap", - "version": "v1" - }, - "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", - "userInfo": { - "uid": "109561ea-68ee-45ca-82be-96733b504593", - "username": username - } - } - } - - + "kind": 
"ConfigMap" + } +} -fake_local_upgradeconfig(group, username, operation) = output { - output = { - "object": { +create_data_local([]) = output { + output = { "apiVersion": "v1", - "data": { - "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + "managed-upgrade-operator-config" : { + "data": { + "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + } }, - "kind": "ConfigMap", - "metadata": { - "creationTimestamp": "2023-05-17T23:51:02Z", - "name": "managed-upgrade-operator-config", - "namespace": "openshift-managed-upgrade-operator", - "ownerReferences": [ - { - "apiVersion": "aro.openshift.io/v1alpha1", - "blockOwnerDeletion": true, - "controller": true, - "kind": "Cluster", - "name": 
"cluster", - "uid": "a7ed5f21-7396-46f5-92a8-62a282ab84a3" - } - ], - "resourceVersion": "29355", - "uid": "e9072b15-9119-4ef9-a7fe-c187ba03dde7" - } - }, - "oldObject": null, - "operation": operation, - "options": null, - "requestKind": { - "group": "", - "kind": "ConfigMap", - "version": "v1" - }, - "resource": { - "group": "", - "resource": "ConfigMap", - "version": "v1" - }, - "uid": "b65854be-5d3f-4e79-959c-3055d7cc530a", - "userInfo": { - "uid": "ada3819c-bb2b-46c8-8b80-7073c379ba4b", - "username": username - } - } - } + "kind": "ConfigMap" + } +} \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml index 5041164d3d9..16db8417cc8 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml 
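Review bot: `inv_data` indexes the inventory as `{obj.apiVersion: {obj.kind: obj}}`, so the value returned by `create_data_ocm`/`create_data_local` is used as the per-kind name map, with its own `apiVersion` and `kind` keys sitting next to `managed-upgrade-operator-config` as if they were ConfigMap names. That does not mirror Gatekeeper's inventory, where the name-level value is the full object (`apiVersion`, `kind`, `metadata`, `data`), so the test only proves the policy's lookup against a hand-built shape. Have the two constructors return a complete ConfigMap and let `inv_data` place it with `{"namespace": {obj.metadata.namespace: {obj.apiVersion: {obj.kind: {obj.metadata.name: obj}}}}}`. The `([])` pattern parameter on `create_data_ocm` and `create_data_local` is just a zero-argument function in disguise and can be dropped.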
@@ -4,42 +4,78 @@ metadata: name: upgradeconfig tests: - name: upgradeconfig-tests - template: ../../gktemplates/aro-upgradeconfig-deny.yaml + template: ../../gktemplates/aro-deny-upgradeconfig.yaml constraint: ../../gkconstraints-test/aro-upgradeconfig-deny.yaml cases: - name: create-upgradeconfig-allowed-regular-user - object: gator-test/allow_regular_user_create_managed_upgrade_operator.yaml + object: gator-test/regular_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml assertions: - violations: no - - name: create-upgradeconfig-allowed-system-user - object: gator-test/allow_system_user_create_managed_upgrade_operator.yaml + - name: create-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: create-upgradeconfig-allowed-system-user-ocm + object: gator-test/system_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml assertions: - violations: no - name: create-upgradeconfig-not-allowed-regular-user - object: gator-test/not_allow_regular_user_create_managed_upgrade_operator.yaml + object: /gator-test/regular_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml assertions: - violations: yes - name: update-upgradeconfig-allowed-regular-user - object: gator-test/allow_regular_user_update_managed_upgrade_operator.yaml + object: gator-test/regular_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: update-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml assertions: - violations: no - - name: update-upgradeconfig-allowed-system-user - object: 
gator-test/allow_system_user_update_managed_upgrade_operator.yaml + - name: update-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml assertions: - violations: no - name: update-upgradeconfig-not-allowed-regular-user - object: gator-test/not_allow_regular_user_update_managed_upgrade_operator.yaml + object: /gator-test/regular_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml assertions: - violations: yes - name: delete-upgradeconfig-allowed-regular-user - object: gator-test/allow_regular_user_delete_managed_upgrade_operator.yaml + object: gator-test/regular_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml assertions: - violations: no - - name: delete-upgradeconfig-allowed-system-user - object: gator-test/allow_system_user_delete_managed_upgrade_operator.yaml + - name: delete-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml assertions: - violations: no - - name: delete-upgradeconfig-allowed-regular-user - object: gator-test/not_allow_regular_user_delete_managed_upgrade_operator.yaml + - name: delete-upgradeconfig-allowed-system-user-ocm + object: gator-test/system_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-not-allowed-regular-user + object: gator-test/regular_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml assertions: - violations: yes \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml index 43929b10efd..2e8c9ef27c9 100644 
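Review bot: The two `violations: yes` cases point at `/gator-test/regular_user_create_managed_upgrade_operator.yaml` and `/gator-test/regular_user_update_managed_upgrade_operator.yaml` with a leading slash, unlike every other `object:` entry; depending on how gator joins the path to the suite directory this is either an absolute path that fails to load or merely inconsistent, and these are the only cases that prove the deny fires, so drop the slash. The name `update-upgradeconfig-allowed-system-user-local` is used twice; the second case uses `inventory_config_ocm.yaml` and should be `update-upgradeconfig-allowed-system-user-ocm` like its create and delete siblings. I do not see `gator-test/inventory_config_local.yaml` or `inventory_config_ocm.yaml` being added anywhere in this diff; if they are not introduced elsewhere in the series, every case in the suite fails on the missing inventory file.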
--- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml 
@@ -27,44 +27,25 @@ spec: import data.lib.common.is_exempted_account import future.keywords.in - # Use object - violation[{"msg": msg}] { - input.review.operation in ["CREATE"] - name := input.review.object.metadata.name - - ## Check user type - not is_exempted_account(input.review) - - ## If regular user and - ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret - ## ALLOW EDITING - ## If regular user and - ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret - ## NOT ALLOWED - config_data := input.review.object.data["config.yaml"] - regex.match("source: OCM", config_data) - msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." - } - - # Use oldObject + # Use object + # To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] violation[{"msg": msg}] { - input.review.operation in ["UPDATE", "DELETE"] - name := input.review.object.metadata.name + input.review.operation in ["CREATE", "UPDATE", "DELETE"] - ## Check user type + # ## Check user type not is_exempted_account(input.review) - ## If regular user and - ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret - ## ALLOW EDITING + # ## If regular user and + # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret + # ## ALLOW EDITING - ## If regular user and - ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret - ## NOT ALLOWED - config_data := input.review.oldObject.data["config.yaml"] + # ## If regular user and + # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret + # ## NOT ALLOWED + config_data := 
data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] regex.match("source: OCM", config_data) - msg := "Modifying the UpgradeConfig is not allowed for regular users. This can include creating, deleting, and updating UpgradeConfig." + msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig." } libs: - | diff --git a/pkg/operator/controllers/guardrails/staticresources/gk_audit_controller_deployment.yaml b/pkg/operator/controllers/guardrails/staticresources/gk_audit_controller_deployment.yaml index f4965d9ae05..bf8bdb74880 100644 --- a/pkg/operator/controllers/guardrails/staticresources/gk_audit_controller_deployment.yaml +++ b/pkg/operator/controllers/guardrails/staticresources/gk_audit_controller_deployment.yaml @@ -24,6 +24,7 @@ spec: automountServiceAccountToken: true containers: - args: + - --audit-from-cache=true - --operation=audit - --operation=status - --operation=mutation-status From beb28ee0381913976ac4b77be37e9c17e18cca38 Mon Sep 17 00:00:00 2001 From: Edison Cardenas Date: Thu, 1 Jun 2023 17:23:47 +1200 Subject: [PATCH 06/18] ARO-1422: Fixed formatting and removed unnecessary print statemenets. --- .../gatekeeper-config.yaml | 30 +++- ..._user_create_managed_upgrade_operator.yaml | 2 +- ..._user_create_managed_upgrade_operator.yaml | 2 +- .../aro-deny-upgradeconfig/src.rego | 3 +- .../aro-deny-upgradeconfig/src_test.rego | 111 +++++++------ .../aro-deny-upgradeconfig/suite.yaml | 152 +++++++++--------- .../gktemplates/aro-deny-upgradeconfig.yaml | 1 - 7 files changed, 161 insertions(+), 140 deletions(-) diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml index 6aeaf287afd..ca9ac638a0d 100644 
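Review bot: `--audit-from-cache=true` restricts the audit pod to resources present in the sync cache, and the guardrails Config shown later in this series lists only `ConfigMap` and `Namespace` under `syncOnly`; UpgradeConfig objects, and any other kind an existing template audits, would then drop out of audit results, so this one-line change narrows audit coverage for every constraint on the cluster, not just this template. As far as I recall, referential data under `data.inventory` is available to audit whenever the kinds are synced, without this flag; if the flag is genuinely wanted, `syncOnly` must enumerate every audited kind, including `upgrade.managed.openshift.io/v1alpha1` `UpgradeConfig`. Either way, a comment next to the arg such as `# audit-from-cache: only kinds listed in the Config syncOnly are audited; keep that list aligned with every constraint's match` would stop the next reader from repeating this.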
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml @@ -5,7 +5,33 @@ metadata: namespace: "openshift-azure-guardrails" spec: match: - - excludedNamespaces: ["kube-*","openshift-kube-*","openshift","openshift-etcd*","openshift-monitoring","default","gatekeeper-system","openshift-apiserver*","openshift-authentication*","openshift-logging","openshift-redhat-marketplace","openshift-operators","openshift-user-workload-monitoring","openshift-pipelines","openshift-marketplace","openshift-multus","openshift-network*","openshift-vsphere-*","openshift-config-*","openshift-console","openshift-service-ca*","openshift-azure*","openshift-cloud*","openshift-sdn"] + - excludedNamespaces: + [ + "kube-*", + "openshift-kube-*", + "openshift", + "openshift-etcd*", + "openshift-monitoring", + "default", + "gatekeeper-system", + "openshift-apiserver*", + "openshift-authentication*", + "openshift-logging", + "openshift-redhat-marketplace", + "openshift-operators", + "openshift-user-workload-monitoring", + "openshift-pipelines", + "openshift-marketplace", + "openshift-multus", + "openshift-network*", + "openshift-vsphere-*", + "openshift-config-*", + "openshift-console", + "openshift-service-ca*", + "openshift-azure*", + "openshift-cloud*", + "openshift-sdn", + ] processes: ["*"] sync: syncOnly: @@ -14,4 +40,4 @@ spec: kind: "ConfigMap" - group: "" version: "v1" - kind: "Namespace" \ No newline at end of file + kind: "Namespace" diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml index 9ad08e0b884..9210727106e 100644 
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml @@ -33,4 +33,4 @@ request: uid: e952ffa6-fd19-4d17-a7da-a98cb510c061 userInfo: uid: eed44a0f-c0e7-469c-a489-9c3970988f2c - username: fake-k8s-regular-user \ No newline at end of file + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml index 4a3ce3d1ea3..fa0e379f38a 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml @@ -33,4 +33,4 @@ request: uid: e952ffa6-fd19-4d17-a7da-a98cb510c061 userInfo: uid: eed44a0f-c0e7-469c-a489-9c3970988f2c - username: system:admin \ No newline at end of file + username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego index 56a140d8fda..5b9b80fa270 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego 
@@ -3,7 +3,6 @@ package arodenyupgradeconfig import data.lib.common.is_exempted_account import future.keywords.in - # Use object # To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] violation[{"msg": msg}] { @@ -22,4 +21,4 @@ violation[{"msg": msg}] { config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] regex.match("source: OCM", config_data) msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig." -} \ No newline at end of file +} diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego index f86302cc925..2fc1008de5a 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego 
@@ -1,106 +1,103 @@ package arodenyupgradeconfig test_input_allowed_regular_user_update_upgradeconfig { - input := { "review": input_configmap("regular-user","regular-user","UPDATE") } - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 + input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 } test_input_disallowed_regular_user_update_upgradeconfig { - input := { "review": input_configmap("regular-user","regular-user","UPDATE") } - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - print("Input: ",input) - print("Inventory: ",inv) - count(results) == 1 + input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 } test_input_allowed_system_user_update_upgradeconfig { - input := { "review": input_configmap("system:admin","system:admin","UPDATE") } - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 + input := {"review": input_configmap("system:admin", "system:admin", "UPDATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 } test_allowed_regular_user_delete_upgradeconfig { - input := { "review": input_configmap("regular-user","regular-user","DELETE") } - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 + input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory 
as inv + count(results) == 0 } test_disallowed_regular_user_delete_upgradeconfig { - input := { "review": input_configmap("regular-user","regular-user","DELETE") } - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 + input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 } test_allowed_system_user_delete_upgradeconfig { - input := { "review": input_configmap("system:admin","system:admin","DELETE") } - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 + input := {"review": input_configmap("system:admin", "system:admin", "DELETE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 } test_allowed_regular_user_create_upgradeconfig { - input := { "review": input_configmap("regular-user","regular-user","CREATE") } - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 + input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 } test_disallowed_regular_user_create_upgradeconfig { - input := { "review": input_configmap("regular-user","regular-user","CREATE") } - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 + input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 } test_create_allowed_system_user_create_upgradeconfig { - 
input := { "review": input_configmap("system:admin","system:admin","CREATE") } - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 + input := {"review": input_configmap("system:admin", "system:admin", "CREATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 } - input_configmap(group, username, operation) = output { - output = { - "operation": operation, - "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", - "userInfo": { - "uid": "109561ea-68ee-45ca-82be-96733b504593", - "username": username - } - } - } + output = { + "operation": operation, + "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", + "userInfo": { + "uid": "109561ea-68ee-45ca-82be-96733b504593", + "username": username + } + } +} inv_data(obj) = output { - output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} + output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} } create_data_ocm([]) = output { - output = { - "apiVersion": "v1", + output = { + "apiVersion": "v1", "managed-upgrade-operator-config" : { "data": { "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" } }, - "kind": "ConfigMap" - } + "kind": "ConfigMap" + } } 
create_data_local([]) = output { - output = { - "apiVersion": "v1", + output = { + "apiVersion": "v1", "managed-upgrade-operator-config" : { "data": { "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" } }, "kind": "ConfigMap" - } -} \ No newline at end of file + } +} diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml index 16db8417cc8..11650860826 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml 
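Review bot: None of the rewritten tests covers the case where the ConfigMap is absent from `data.inventory` (namespace excluded by the sync Config, or the audit cache not populated); since `config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]...` is then undefined, the violation body is undefined and the policy silently allows the request, and nothing here pins that fail-open behaviour as intended. Add a case such as `results := violation with input as input with data.inventory as {"namespace": {}}` followed by `count(results) == 0` (or `== 1` if a missing ConfigMap should deny) so the decision is explicit. The `group` parameter of `input_configmap` is never used, so `userInfo.groups` is never populated and the `system:admin` cases exercise `is_exempted_account` only through the username; either emit it under `userInfo` or drop the parameter. The `[]` literal argument of `create_data_ocm` / `create_data_local` is likewise unused and makes any other argument undefined.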
@@ -3,79 +3,79 @@ apiVersion: test.gatekeeper.sh/v1alpha1 metadata: name: upgradeconfig tests: -- name: upgradeconfig-tests - template: ../../gktemplates/aro-deny-upgradeconfig.yaml - constraint: ../../gkconstraints-test/aro-upgradeconfig-deny.yaml - cases: - - name: create-upgradeconfig-allowed-regular-user - object: gator-test/regular_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: create-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: create-upgradeconfig-allowed-system-user-ocm - object: gator-test/system_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: create-upgradeconfig-not-allowed-regular-user - object: /gator-test/regular_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes - - name: update-upgradeconfig-allowed-regular-user - object: gator-test/regular_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: update-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: update-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: update-upgradeconfig-not-allowed-regular-user - object: /gator-test/regular_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes - - name: 
delete-upgradeconfig-allowed-regular-user - object: gator-test/regular_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: delete-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: delete-upgradeconfig-allowed-system-user-ocm - object: gator-test/system_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: delete-upgradeconfig-not-allowed-regular-user - object: gator-test/regular_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes \ No newline at end of file + - name: upgradeconfig-tests + template: ../../gktemplates/aro-deny-upgradeconfig.yaml + constraint: ../../gkconstraints-test/aro-upgradeconfig-deny.yaml + cases: + - name: create-upgradeconfig-allowed-regular-user + object: gator-test/regular_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: create-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: create-upgradeconfig-allowed-system-user-ocm + object: gator-test/system_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml + assertions: + - violations: no + - name: create-upgradeconfig-not-allowed-regular-user + object: /gator-test/regular_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml + assertions: + - violations: yes + - name: update-upgradeconfig-allowed-regular-user + object: 
gator-test/regular_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: update-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: update-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml + assertions: + - violations: no + - name: update-upgradeconfig-not-allowed-regular-user + object: /gator-test/regular_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml + assertions: + - violations: yes + - name: delete-upgradeconfig-allowed-regular-user + object: gator-test/regular_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-allowed-system-user-ocm + object: gator-test/system_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-not-allowed-regular-user + object: gator-test/regular_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm.yaml + assertions: + - violations: yes diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml index 2e8c9ef27c9..8b1f4d778de 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml 
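Review bot: Two cases in the suite share the name `update-upgradeconfig-allowed-system-user-local` although the second one uses `inventory_config_ocm.yaml`; rename it `- name: update-upgradeconfig-allowed-system-user-ocm` so a failure is attributable and the naming matches the create/delete cases. The `violations: yes` cases for create and update reference `/gator-test/...` with a leading slash, unlike every other case; if gator resolves that as an absolute path, the two deny cases — the ones that actually prove regular users are blocked — would not load the intended object, so use `object: gator-test/regular_user_create_managed_upgrade_operator.yaml` and `object: gator-test/regular_user_update_managed_upgrade_operator.yaml`.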
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml @@ -27,7 +27,6 @@ spec: import data.lib.common.is_exempted_account import future.keywords.in - # Use object # To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] violation[{"msg": msg}] { From 363cd48fa11037f9549b56c93c039e3a08600aa9 Mon Sep 17 00:00:00 2001 From: Edison Cardenas Date: Thu, 1 Jun 2023 18:33:21 +1200 Subject: [PATCH 07/18] ARO-1422: Document process of syncing data into OPA and testing your policy. --- .../controllers/guardrails/policies/README.md | 153 ++++++++++++++++++ 1 file changed, 153 insertions(+) diff --git a/pkg/operator/controllers/guardrails/policies/README.md b/pkg/operator/controllers/guardrails/policies/README.md index 9ddb90c4415..47dd12821d8 100644 --- a/pkg/operator/controllers/guardrails/policies/README.md +++ b/pkg/operator/controllers/guardrails/policies/README.md 
@@ -137,6 +137,122 @@ spec: kinds: ["PodDisruptionBudget"] ``` +## Syncing of data into OPA using `data.inventory` + +* Not all data you need are found on the `'input.review'` object. For example, if your policy is for blocking modification of the UpgradeConfig, and you need to check if the cluster is connected to OCM via the ConfigMap of `'openshift-managed-upgrade-operator'`, the info you need will not available on the `'input.review'` object because it only contains data from the UpgradeConfig the user is trying to modify. In this case, you need to sync data of the ConfigMap into OPA via `'data.inventory'` document so your rule can access it. In order to create such policies, you need to follow the steps below: + + * Set the `'audit-from-cache'` flag to true in ".../gktemplates/aro-deny-upgradeconfig.yaml". + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + name: gatekeeper-audit + namespace: {{.Namespace}} + spec: + replicas: 1 + selector: + matchLabels: + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + template: + metadata: + labels: + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + spec: + automountServiceAccountToken: true + containers: + - args: + - --audit-from-cache=true ----->>>>>SET THIS FLAG TO TRUE + ``` + * Create and apply the sync config resource to the cluster. Only resources in syncOnly will be synced into OPA. See template below. For more info, please check https://open-policy-agent.github.io/gatekeeper/website/docs/v3.10.x/exempt-namespaces + + ```yaml + apiVersion: config.gatekeeper.sh/v1alpha1 + kind: Config + metadata: + name: config + namespace: "openshift-azure-guardrails" + spec: + match: + - excludedNamespaces: [""] # Namespaces to exclude from the sync data. 
It is always best to remove any data that is not needed for your policy + processes: [""] # Includes all processes + sync: + syncOnly: + - group: "" # Populate as needed + version: "" # Populate as needed + kind: "" # Populate as needed + # Add resources as needed + ``` + * Below is a sample implementation of a sync config resource which allows syncing data of all ConfigMap and Namespace resources with the version `v1`, and with namespace that is not part of the `excludedNamespaces`. + ```yaml + apiVersion: config.gatekeeper.sh/v1alpha1 + kind: Config + metadata: + name: config + namespace: "openshift-azure-guardrails" + spec: + match: + - excludedNamespaces: + [ + "kube-*", + "openshift-kube-*", + "openshift", + "openshift-etcd*", + "openshift-monitoring", + "default", + "gatekeeper-system", + "openshift-apiserver*", + "openshift-authentication*", + "openshift-logging", + "openshift-redhat-marketplace", + "openshift-operators", + "openshift-user-workload-monitoring", + "openshift-pipelines", + "openshift-marketplace", + "openshift-multus", + "openshift-network*", + "openshift-vsphere-*", + "openshift-config-*", + "openshift-console", + "openshift-service-ca*", + "openshift-azure*", + "openshift-cloud*", + "openshift-sdn", + ] + processes: ["*"] + sync: + syncOnly: + - group: "" + version: "v1" + kind: "ConfigMap" + - group: "" + version: "v1" + kind: "Namespace" + + ``` + + * Write your rego rule. To access data from `'data.inventory'`, follow the format below: + + * For cluster-scoped objects: `'data.inventory.cluster[][][]'`. Example below. + + ```Rego + data.inventory.cluster["v1"].Namespace["gatekeeper"] + ``` + * For namespace-scoped objects: `'data.inventory.namespace[][groupVersion][][]'`. Example below. 
+ + ```Rego + data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] + ``` + + * For more info on syncing your data into OPA, please check the official Gatekeeper documentation https://open-policy-agent.github.io/gatekeeper/website/docs/v3.10.x/sync + ## Test the rego * install opa cli, refer https://github.com/open-policy-agent/opa/releases/ @@ -157,6 +273,21 @@ docker run -it ::Z openpolicy $ docker run -it -v /home/ecardena/dev/ARO-RP/pkg/operator/controllers/guardrails/policies/gktemplates-src:/gktemplates-src:Z openpolicyagent/opa test /gktemplates-src/library/common.rego /gktemplates-src/aro-deny-upgradeconfig/src.rego /gktemplates-src/aro-deny-upgradeconfig/src_test.rego -v ``` + +### Testing rego using `data.inventory` + +When checking for violation on your test case, append `'with data.inventory as '`. For example, on your src_test.rego: + +```Rego +test_input_allowed_system_user_update_upgradeconfig { + input := {"review": input_configmap("system:admin", "system:admin", "UPDATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} +``` + + ## Generate the Constraint Templates * install gomplate which is used by generate.sh, see https://docs.gomplate.ca/installing/ @@ -236,3 +367,25 @@ or below cmd after test.sh has been executed: ```sh gator verify . [-v] #-v for verbose ``` +
+ +### Gator test your policy using `data.inventory` +* In order to test your rego policy that's using `data.inventory`, you need to add `'inventory: '`. For example: + +```yaml +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: upgradeconfig +tests: + - name: upgradeconfig-tests + template: ../../gktemplates/aro-deny-upgradeconfig.yaml + constraint: ../../gkconstraints-test/aro-upgradeconfig-deny.yaml + cases: + - name: create-upgradeconfig-allowed-regular-user + object: gator-test/regular_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local.yaml + assertions: + - violations: no +``` \ No newline at end of file From 8bbcd65c601c8a9a2ec43126532a9a3830c6c278 Mon Sep 17 00:00:00 2001 
From: Edison Cardenas Date: Tue, 6 Jun 2023 15:56:04 +1200 Subject: [PATCH 08/18] ARO-1423: Create rego src, templates, and tests --- .../aro-clusterversion-deny.yaml | 10 + .../aro-deny-clusterversion.tmpl | 28 ++ .../gator-test/inventory_config_local.yaml | 16 + .../gator-test/inventory_config_ocm.yaml | 16 + .../regular_user_create_clusterversion.yaml | 189 ++++++++++ .../regular_user_delete_clusterversion.yaml | 189 ++++++++++ .../regular_user_update_clusterversion.yaml | 354 ++++++++++++++++++ .../system_user_create_clusterversion.yaml | 189 ++++++++++ .../system_user_delete_clusterversion.yaml | 189 ++++++++++ .../system_user_update_clusterversion.yaml | 354 ++++++++++++++++++ .../aro-deny-clusterversion/src.rego | 24 ++ .../aro-deny-clusterversion/src_test.rego | 103 +++++ .../aro-deny-clusterversion/suite.yaml | 81 ++++ .../aro-deny-clusterversion/sync.yaml | 40 ++ .../gktemplates/aro-deny-clusterversion.yaml | 265 +++++++++++++ 15 files changed, 2047 insertions(+) create mode 100644 pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_create_clusterversion.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_delete_clusterversion.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_update_clusterversion.yaml create mode 100644 
pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_delete_clusterversion.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_update_clusterversion.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/sync.yaml create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml new file mode 100644 index 00000000000..92558144e99 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml @@ -0,0 +1,10 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: ARODenyClusterVersion +metadata: + name: aro-deny-clusterversion-modification +spec: + enforcementAction: {{.Enforcement}} + match: + kinds: + - apiGroups: ["config.openshift.io"] + kinds: ["ClusterVersion"] \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl new file mode 100644 index 00000000000..fa3b6d1834a --- /dev/null 
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl @@ -0,0 +1,28 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: arodenyclusterversion + annotations: + metadata.gatekeeper.sh/title: "ClusterVersion" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + +spec: + crd: + spec: + names: + kind: ARODenyClusterVersion + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + targets: + - target: admission.k8s.gatekeeper.sh + rego: | +{{ file.Read "gktemplates-src/aro-deny-clusterversion/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "gktemplates-src/library/common.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml new file mode 100644 index 00000000000..69a8ae11317 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml 
@@ -0,0 +1,16 @@ +kind: ConfigMap +metadata: + creationTimestamp: "2023-06-31T03:24:37Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator +apiVersion: v1 +name: managed-upgrade-operator-config +data: + config.yaml: "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n + \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n + \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n + \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml new file mode 100644 index 00000000000..114a6efc4fa --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml 
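Review bot: The fixture's `creationTimestamp: "2023-06-31T03:24:37Z"` is not a valid RFC 3339 date (June has 30 days), so a strict metav1.Time parser would reject it; use a real date such as `creationTimestamp: "2023-06-30T03:24:37Z"`. The object being synced is the `managed-upgrade-operator-config` ConfigMap with `source: LOCAL`, while the ConstraintTemplate in this same patch describes the ClusterVersion policy as keyed on a `cloud.openshift.com` entry in `openshift-config/pull-secret`; unless the clusterversion src.rego (not visible in this chunk) actually reads this ConfigMap, the local/ocm inventories look carried over from aro-deny-upgradeconfig and would not exercise the condition the template documents. The same applies to inventory_config_ocm.yaml in the next hunk. If the policy does end up syncing the pull-secret, keep in mind that every synced object is held in Gatekeeper's cache and is readable by any template, so the sync Config should be scoped as narrowly as possible.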
@@ -0,0 +1,16 @@ +kind: ConfigMap +metadata: + creationTimestamp: "2023-06-31T03:24:37Z" + name: managed-upgrade-operator-config + namespace: openshift-managed-upgrade-operator +apiVersion: v1 +name: managed-upgrade-operator-config +data: + config.yaml: "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n + \ watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n + \ controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType: + ARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut: + 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n + \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n + \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n + \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_create_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_create_clusterversion.yaml new file mode 100644 index 00000000000..456c00e9174 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_create_clusterversion.yaml 
@@ -0,0 +1,189 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + object: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - candidate-4.10 + - 
candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: "2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: "False" + type: 
Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + oldObject: null + operation: CREATE + options: null + requestKind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + resource: + group: "" + resource: ClusterVersion + version: config.openshift.io/v1 + uid: ddc9ff1c-913f-4421-8b78-f512a839da45 + userInfo: + uid: bc164435-e066-42f9-ae3e-e21164ebb1c0 + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_delete_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_delete_clusterversion.yaml new file mode 100644 index 00000000000..e417373d9a2 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_delete_clusterversion.yaml 
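Review bot: `request.kind`, `request.requestKind` and `request.resource` all set `group: ""` with `version: config.openshift.io/v1`, but ClusterVersion belongs to group `config.openshift.io`, version `v1`, so a real AdmissionReview carries `group: config.openshift.io`, `version: v1` and `resource: clusterversions`. If gator matches constraints on `request.kind`, the constraint's `apiGroups: ["config.openshift.io"]` will not match this object and every case built on this fixture passes vacuously with no violation, which would mask a broken deny rule; fix the three GVK blocks accordingly. The fixture also carries a full `status` block with several `availableUpdates` entries that the policy presumably never reads; trimming it to `metadata` and `spec` would make the cases readable, and the same shape is repeated in the other ClusterVersion fixtures of this patch.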
@@ -0,0 +1,189 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + object: null + oldObject: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version-old + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - 
candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: "2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: 
"False" + type: Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + operation: DELETE + options: null + requestKind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + resource: + group: "" + resource: ClusterVersion + version: config.openshift.io/v1 + uid: e2848464-169a-4154-85ba-be1c3f755122 + userInfo: + uid: 7653037a-7f12-4e1f-a6eb-e1c1a4e2cb28 + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_update_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_update_clusterversion.yaml new file mode 100644 index 00000000000..f173ab5d9cb --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_update_clusterversion.yaml 
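Review bot: The `requestKind`/`kind` and `resource` stanzas at the end of this fixture do not follow the AdmissionReview schema: `group` is `""` while `version` carries the full `config.openshift.io/v1`, and `resource` names the kind rather than the lowercase plural resource. A real request for this object would carry `group: config.openshift.io`, `version: v1` and `resource: clusterversions`, so if the constraint (or the rego) matches on `input.review.kind.group` or `input.review.resource`, these fixtures exercise a shape the API server never sends; the same stanzas appear in regular_user_update_clusterversion.yaml, system_user_create_clusterversion.yaml, system_user_delete_clusterversion.yaml and system_user_update_clusterversion.yaml. Separately, `oldObject.metadata.name` is `version-old` here and in the other delete/update fixtures while the live singleton is `version`; `metadata.name` is immutable, so an update whose old and new objects have different names cannot occur, and a name-based check in the policy would see a name it never sees in production. I would set `name: version` on both sides and keep `resourceVersion` distinct between old and new instead.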
@@ -0,0 +1,354 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + object: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - candidate-4.10 + - 
candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: "2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: "False" + type: 
Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + oldObject: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version-old + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: 
quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: 
"2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: "False" + type: Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + operation: UPDATE + options: null + requestKind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + resource: + group: "" + resource: ClusterVersion + version: config.openshift.io/v1 + uid: 769d44ad-62b0-423a-8fc4-562234579d1f + userInfo: + uid: 8067a541-ed02-43eb-b0b7-6e726877410d + username: fake-k8s-regular-user diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml new file mode 100644 index 00000000000..8267e61ea60 --- /dev/null 
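Review bot: `userInfo` in this fixture (and its siblings) carries only `uid` and `username`, with no `groups` list, so the regular-user case is distinguished from `system:admin` by username alone. If the policy's notion of a privileged caller is group-based (`system:masters`, `system:serviceaccounts:...`) — I cannot see src.rego from here — that branch is never exercised, and a username-only check is the weaker control since usernames are set by the authenticator, not by the caller's RBAC grants. Adding `groups: ["system:authenticated"]` to the regular-user fixtures and the matching admin groups to the system-user ones would make the fixtures representative of what the API server actually sends.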
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml 
@@ -0,0 +1,189 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + object: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - candidate-4.10 + - 
candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: "2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: "False" + type: 
Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + oldObject: null + operation: CREATE + options: null + requestKind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + resource: + group: "" + resource: ClusterVersion + version: config.openshift.io/v1 + uid: ddc9ff1c-913f-4421-8b78-f512a839da45 + userInfo: + uid: bc164435-e066-42f9-ae3e-e21164ebb1c0 + username: system:admin \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_delete_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_delete_clusterversion.yaml new file mode 100644 index 00000000000..b60c384e642 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_delete_clusterversion.yaml 
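Review bot: This fixture is the only one of the set that ends without a trailing newline (the `\ No newline at end of file` marker), while its delete/update siblings terminate normally. It is harmless to the YAML parser but produces noisy diffs on the next edit; adding the final newline keeps the fixtures uniform.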
@@ -0,0 +1,189 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + object: null + oldObject: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version-old + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - 
candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: "2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: 
"False" + type: Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + operation: DELETE + options: null + requestKind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + resource: + group: "" + resource: ClusterVersion + version: config.openshift.io/v1 + uid: d08b9c2e-0ae4-4630-bdf1-ae6cba8cba2d + userInfo: + uid: aac9e142-a82c-48cf-bdbe-57378c42e84a + username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_update_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_update_clusterversion.yaml new file mode 100644 index 00000000000..8651c4b511e --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_update_clusterversion.yaml 
@@ -0,0 +1,354 @@ +apiVersion: admission.k8s.io/v1 +kind: AdmissionReview +request: + dryRun: true + kind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + object: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - candidate-4.10 + - 
candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: "2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: "False" + type: 
Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + oldObject: + apiVersion: config.openshift.io/v1 + kind: ClusterVersion + metadata: + creationTimestamp: "2023-06-06T00:55:30Z" + generation: 4 + managedFields: + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + .: {} + f:clusterID: {} + manager: cluster-bootstrap + operation: Update + time: "2023-06-06T00:55:30Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:spec: + f:channel: {} + manager: Mozilla + operation: Update + time: "2023-06-06T02:11:08Z" + - apiVersion: config.openshift.io/v1 + fieldsType: FieldsV1 + fieldsV1: + f:status: + .: {} + f:availableUpdates: {} + f:conditions: {} + f:desired: + .: {} + f:channels: {} + f:image: {} + f:url: {} + f:version: {} + f:history: {} + f:observedGeneration: {} + f:versionHash: {} + manager: cluster-version-operator + operation: Update + subresource: status + time: "2023-06-06T02:11:08Z" + name: version-old + resourceVersion: "47134" + uid: c0e0056b-1fd6-40d8-8f76-f66a94d0d890 + spec: + channel: stable-4.10 + clusterID: 19dc3852-f044-4183-beff-58c1a9fae0c5 + status: + availableUpdates: + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: 
quay.io/openshift-release-dev/ocp-release@sha256:d6efa3107f28b3eab7d44034e52a94296027ecf5d84826bc69ad6f91f006186c + url: https://access.redhat.com/errata/RHBA-2023:3217 + version: 4.10.60 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:0a737fac208f55a5d031b58adfb76fdafa7d129ee86552745fe3ff8de29c5ebc + url: https://access.redhat.com/errata/RHBA-2023:2018 + version: 4.10.59 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7c2f759d9b8c42fa6f94ea1c0807a6418ad6d5fa904ab69ffaf05bc1c2a86c14 + url: https://access.redhat.com/errata/RHBA-2023:1867 + version: 4.10.58 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:744f7f457a8fa55c441bc05f89e651d24b1b263c3fca57dc7cf60228045ec646 + url: https://access.redhat.com/errata/RHBA-2023:1782 + version: 4.10.57 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:60f6c51a852f084a020c3dc32b92cbd91ed293b82c6c5b48aac51460566688c7 + url: https://access.redhat.com/errata/RHSA-2023:1656 + version: 4.10.56 + - channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:ab559ed58d816f63af34735a7542864d9e41af3c75a7abe731e0526fbce80d5e + url: https://access.redhat.com/errata/RHSA-2023:1392 + version: 4.10.55 + conditions: + - lastTransitionTime: "2023-06-06T02:11:08Z" + status: "True" + type: RetrievedUpdates + - lastTransitionTime: 
"2023-06-06T00:55:30Z" + message: Payload loaded version="4.10.54" image="quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5" + reason: PayloadLoaded + status: "True" + type: ReleaseAccepted + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Done applying 4.10.54 + status: "True" + type: Available + - lastTransitionTime: "2023-06-06T01:21:51Z" + status: "False" + type: Failing + - lastTransitionTime: "2023-06-06T01:21:51Z" + message: Cluster version is 4.10.54 + status: "False" + type: Progressing + desired: + channels: + - candidate-4.10 + - candidate-4.11 + - eus-4.10 + - eus-4.12 + - fast-4.10 + - fast-4.11 + - stable-4.10 + - stable-4.11 + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + url: https://access.redhat.com/errata/RHSA-2023:1154 + version: 4.10.54 + history: + - completionTime: "2023-06-06T01:21:51Z" + image: quay.io/openshift-release-dev/ocp-release@sha256:7e44fa5f6aa15f9492341c4714bba4dc5089c968f2bf77fb8d4cdf189634f8f5 + startedTime: "2023-06-06T00:55:30Z" + state: Completed + verified: false + version: 4.10.54 + observedGeneration: 4 + versionHash: EkwGzQA2IU4= + operation: UPDATE + options: null + requestKind: + group: "" + kind: ClusterVersion + version: config.openshift.io/v1 + resource: + group: "" + resource: ClusterVersion + version: config.openshift.io/v1 + uid: 18d3c95d-4301-4111-aee5-2cca86df4ee7 + userInfo: + uid: 893a4a16-303b-4df8-870f-48e9ced960c6 + username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego new file mode 100644 index 00000000000..9acb2781bb4 --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego 
@@ -0,0 +1,24 @@
+package arodenyclusterversion
+
+import data.lib.common.is_exempted_account
+import future.keywords.in
+
+# Use object
+# To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]
+violation[{"msg": msg}] {
+ input.review.operation in ["CREATE", "UPDATE", "DELETE"]
+
+ # ## Check user type
+ not is_exempted_account(input.review)
+
+ # ## If regular user and
+ # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret
+ # ## ALLOW EDITING
+
+ # ## If regular user and
+ # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret
+ # ## NOT ALLOWED
+ config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]
+ regex.match("source: OCM", config_data)
+ msg := "Modifying the ClusterVersion is not allowed for regular users. This includes attempting to create, edit, or delete the ClusterVersion."
+}
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego
new file mode 100644
index 00000000000..5442724ab39
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego
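Review bot: The violation fails open when the ConfigMap lookup is undefined: if `openshift-managed-upgrade-operator/managed-upgrade-operator-config` is not present in `data.inventory` (not yet synced, excluded from sync, or deleted), `config_data :=` is undefined, the whole rule body fails and a regular user's ClusterVersion change is admitted with no violation and no log line. Consider a second rule body that denies when the config cannot be read, e.g. `not data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]` with its own msg, or at least a comment stating that allow-on-missing-config is intended. `regex.match("source: OCM", config_data)` is an unanchored substring match over the whole YAML text, so a commented-out or differently nested `source: OCM` also triggers it; anchoring to a line such as `(?m)^\s*source:\s*OCM\s*$` binds the match to the actual key. The comments describe the condition as a `cloud.openshift.com` entry in `openshift-config/pull-secret`, while the code inspects `configManager.source` in the managed-upgrade-operator ConfigMap; the comment should describe that indirection. The same rego is duplicated verbatim in the ConstraintTemplate hunk of `gktemplates/aro-deny-clusterversion.yaml` below and needs the same changes.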
@@ -0,0 +1,103 @@
+package arodenyclusterversion
+
+test_input_allowed_regular_user_update_clusterversion {
+ input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")}
+ inv := inv_data(create_data_local([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 0
+}
+
+test_input_disallowed_regular_user_update_clusterversion {
+ input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")}
+ inv := inv_data(create_data_ocm([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 1
+}
+
+test_input_allowed_system_user_update_clusterversion {
+ input := {"review": input_configmap("system:admin", "system:admin", "UPDATE")}
+ inv := inv_data(create_data_ocm([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 0
+}
+
+test_allowed_regular_user_delete_clusterversion {
+ input := {"review": input_configmap("regular-user", "regular-user", "DELETE")}
+ inv := inv_data(create_data_local([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 0
+}
+
+test_disallowed_regular_user_delete_clusterversion {
+ input := {"review": input_configmap("regular-user", "regular-user", "DELETE")}
+ inv := inv_data(create_data_ocm([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 1
+}
+
+test_allowed_system_user_delete_clusterversion {
+ input := {"review": input_configmap("system:admin", "system:admin", "DELETE")}
+ inv := inv_data(create_data_ocm([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 0
+}
+
+test_allowed_regular_user_create_clusterversion {
+ input := {"review": input_configmap("regular-user", "regular-user", "CREATE")}
+ inv := inv_data(create_data_local([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 0
+}
+
+test_disallowed_regular_user_create_clusterversion {
+ input := {"review": input_configmap("regular-user", "regular-user", "CREATE")}
+ inv := inv_data(create_data_ocm([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 1
+}
+
+test_create_allowed_system_user_create_clusterversion {
+ input := {"review": input_configmap("system:admin", "system:admin", "CREATE")}
+ inv := inv_data(create_data_ocm([]))
+ results := violation with input as input with data.inventory as inv
+ count(results) == 0
+}
+
+input_configmap(group, username, operation) = output {
+ output = {
+ "operation": operation,
+ "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9",
+ "userInfo": {
+ "uid": "109561ea-68ee-45ca-82be-96733b504593",
+ "username": username
+ }
+ }
+}
+
+inv_data(obj) = output {
+ output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}}
+}
+
+create_data_ocm([]) = output {
+ output = {
+ "apiVersion": "v1",
+ "managed-upgrade-operator-config" : {
+ "data": {
+ "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n"
+ }
+ },
+ "kind": "ConfigMap"
+ }
+}
+
+create_data_local([]) = output {
+ output = {
+ "apiVersion": "v1",
+ "managed-upgrade-operator-config" : {
+ "data": {
+ "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n"
+ }
+ },
+ "kind": "ConfigMap"
+ }
+}
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml
new file mode 100644
index 00000000000..ade80b7b6ed
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml
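Review bot: No test covers the case where the ConfigMap is absent from `data.inventory`, which is exactly the path on which the policy admits a regular user's change without a violation; every fixture supplies either `create_data_ocm` or `create_data_local`. A case with an empty inventory pins whichever behaviour is intended (today that is `count(results) == 0`, because the `config_data :=` lookup is undefined). The `group` parameter of `input_configmap(group, username, operation)` is never used and no `groups` field is placed in `userInfo`, so the `system:admin` cases exercise only username-based exemption; should group-based exemption be introduced later, these fixtures will not cover it. `create_data_ocm([])` and `create_data_local([])` take a literal `[]` argument that the bodies never read; a zero-argument rule reads cleaner.

```rego
test_regular_user_update_clusterversion_missing_config {
 input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")}
 inv := {"namespace": {}}
 results := violation with input as input with data.inventory as inv
 # documents the current allow-on-missing-config behaviour; flip to 1 if the policy is made fail-closed
 count(results) == 0
}
```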
@@ -0,0 +1,81 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: clusterversion
+tests:
+ - name: clusterversion-tests
+ template: ../../gktemplates/aro-deny-clusterversion.yaml
+ constraint: ../../gkconstraints-test/aro-clusterversion-deny.yaml
+ cases:
+ - name: create-clusterversion-allowed-regular-user
+ object: gator-test/regular_user_create_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_local.yaml
+ assertions:
+ - violations: no
+ - name: create-clusterversion-allowed-system-user-local
+ object: gator-test/system_user_create_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_local.yaml
+ assertions:
+ - violations: no
+ - name: create-clusterversion-allowed-system-user-ocm
+ object: gator-test/system_user_create_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_ocm.yaml
+ assertions:
+ - violations: no
+ - name: create-clusterversion-not-allowed-regular-user
+ object: /gator-test/regular_user_create_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_ocm.yaml
+ assertions:
+ - violations: yes
+ - name: update-clusterversion-allowed-regular-user
+ object: gator-test/regular_user_update_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_local.yaml
+ assertions:
+ - violations: no
+ - name: update-clusterversion-allowed-system-user-local
+ object: gator-test/system_user_update_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_local.yaml
+ assertions:
+ - violations: no
+ - name: update-clusterversion-allowed-system-user-local
+ object: gator-test/system_user_update_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_ocm.yaml
+ assertions:
+ - violations: no
+ - name: update-clusterversion-not-allowed-regular-user
+ object: /gator-test/regular_user_update_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_ocm.yaml
+ assertions:
+ - violations: yes
+ - name: delete-clusterversion-allowed-regular-user
+ object: gator-test/regular_user_delete_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_local.yaml
+ assertions:
+ - violations: no
+ - name: delete-clusterversion-allowed-system-user-local
+ object: gator-test/system_user_delete_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_local.yaml
+ assertions:
+ - violations: no
+ - name: delete-clusterversion-allowed-system-user-ocm
+ object: gator-test/system_user_delete_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_ocm.yaml
+ assertions:
+ - violations: no
+ - name: delete-clusterversion-not-allowed-regular-user
+ object: gator-test/regular_user_delete_clusterversion.yaml
+ inventory:
+ - gator-test/inventory_config_ocm.yaml
+ assertions:
+ - violations: yes
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/sync.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/sync.yaml
new file mode 100644
index 00000000000..9d2afe99279
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/sync.yaml
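Review bot: Two cases carry the same name `update-clusterversion-allowed-system-user-local`; the second one runs against `inventory_config_ocm.yaml` and, following the create and delete groups, should be `- name: update-clusterversion-allowed-system-user-ocm`. The `object:` paths of `create-clusterversion-not-allowed-regular-user` and `update-clusterversion-not-allowed-regular-user` start with a slash (`/gator-test/...`) unlike every other case; make them `object: gator-test/regular_user_create_clusterversion.yaml` and `object: gator-test/regular_user_update_clusterversion.yaml` so gator resolves them relative to the suite like the rest. As in the rego unit tests, there is no case with an empty `inventory:` list, which is the path on which the policy admits the request without a violation; a case pinning that outcome would document it.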
@@ -0,0 +1,40 @@
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+ name: config
+ namespace: "openshift-azure-guardrails"
+spec:
+ match:
+ - excludedNamespaces:
+ [
+ "kube-*",
+ "openshift-kube-*",
+ "openshift",
+ "openshift-etcd*",
+ "openshift-monitoring",
+ "default",
+ "gatekeeper-system",
+ "openshift-apiserver*",
+ "openshift-authentication*",
+ "openshift-logging",
+ "openshift-redhat-marketplace",
+ "openshift-operators",
+ "openshift-user-workload-monitoring",
+ "openshift-pipelines",
+ "openshift-marketplace",
+ "openshift-multus",
+ "openshift-network*",
+ "openshift-vsphere-*",
+ "openshift-config-*",
+ "openshift-console",
+ "openshift-service-ca*",
+ "openshift-azure*",
+ "openshift-cloud*",
+ "openshift-sdn",
+ ]
+ processes: ["*"]
+ sync:
+ syncOnly:
+ - group: ""
+ version: "v1"
+ kind: "ConfigMap"
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml
new file mode 100644
index 00000000000..bc1b2b68d9c
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml
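Review bot: The ConfigMap sync enabled under `syncOnly` is a hard dependency of the `aro-deny-clusterversion` policy, but nothing in this file records that. As I read Gatekeeper's Config semantics, `excludedNamespaces` with `processes: ["*"]` also applies to the sync process, so a future glob that happens to match `openshift-managed-upgrade-operator` would silently stop the ConfigMap from being cached and the ClusterVersion check would stop firing. A comment next to the entry, e.g. `# aro-deny-clusterversion reads ConfigMap openshift-managed-upgrade-operator/managed-upgrade-operator-config from the cache; keep that namespace out of excludedNamespaces`, records the coupling. Syncing every ConfigMap in every non-excluded namespace also holds their contents in Gatekeeper's memory and exposes them to every constraint template via `data.inventory`; presumably accepted, but worth stating alongside the comment.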
@@ -0,0 +1,265 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: arodenyclusterversion + annotations: + metadata.gatekeeper.sh/title: "ClusterVersion" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + +spec: + crd: + spec: + names: + kind: ARODenyClusterVersion + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package arodenyclusterversion + + import data.lib.common.is_exempted_account + import future.keywords.in + + # Use object + # To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] + violation[{"msg": msg}] { + input.review.operation in ["CREATE", "UPDATE", "DELETE"] + + # ## Check user type + not is_exempted_account(input.review) + + # ## If regular user and + # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret + # ## ALLOW EDITING + + # ## If regular user and + # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret + # ## NOT ALLOWED + config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] + regex.match("source: OCM", config_data) + msg := "Modifying the ClusterVersion is not allowed for regular users. This includes attempting to create, edit, or delete the ClusterVersion." + } + libs: + - | + package lib.common + import future.keywords.in + + # shared structures, functions, etc. 
+ + is_priv_namespace(ns) { + privileged_ns[ns] + } + + privileged_ns = { + # ARO specific namespaces + "openshift-azure-logging", + "openshift-azure-operator", + "openshift-managed-upgrade-operator", + + # OCP namespaces + "openshift", + "openshift-apiserver", + "openshift-apiserver-operator", + "openshift-authentication-operator", + "openshift-cloud-controller-manager", + "openshift-cloud-controller-manager-operator", + "openshift-cloud-credential-operator", + "openshift-cluster-csi-drivers", + "openshift-cluster-machine-approver", + "openshift-cluster-node-tuning-operator", + "openshift-cluster-samples-operator", + "openshift-cluster-storage-operator", + "openshift-cluster-version", + "openshift-config", + "openshift-config-managed", + "openshift-config-operator", + "openshift-console", + "openshift-console-operator", + "openshift-console-user-settings", + "openshift-controller-manager", + "openshift-controller-manager-operator", + "openshift-dns", + "openshift-dns-operator", + "openshift-etcd", + "openshift-etcd-operator", + "openshift-host-network", + "openshift-image-registry", + "openshift-ingress", + "openshift-ingress-canary", + "openshift-ingress-operator", + "openshift-insights", + "openshift-kni-infra", + "openshift-kube-apiserver", + "openshift-kube-apiserver-operator", + "openshift-kube-controller-manager", + "openshift-kube-controller-manager-operator", + "openshift-kube-scheduler", + "openshift-kube-scheduler-operator", + "openshift-kube-storage-version-migrator", + "openshift-kube-storage-version-migrator-operator", + "openshift-machine-api", + "openshift-machine-config-operator", + "openshift-marketplace", + "openshift-monitoring", + "openshift-multus", + "openshift-network-diagnostics", + "openshift-network-operator", + "openshift-oauth-apiserver", + "openshift-openstack-infra", + "openshift-operators", + "openshift-operator-lifecycle-manager", + "openshift-ovirt-infra", + "openshift-sdn", + "openshift-service-ca", + 
"openshift-service-ca-operator" + } + + exempted_service_account = { + "default", + "aro-sre", + "openshift-apiserver-operator", + "openshift-apiserver-sa", + "authentication-operator", + "geneva", + "aro-operator-worker", + "cluster-cloud-controller-manager", + "cloud-credential-operator", + "azure-disk-csi-driver-controller-sa", + "azure-disk-csi-driver-node-sa", + "azure-disk-csi-driver-operator", + "machine-approver-sa", + "cluster-node-tuning-operator", + "tuned", + "cluster-samples-operator", + "cluster-storage-operator", + "csi-snapshot-controller", + "csi-snapshot-controller-operator", + "openshift-config-operator", + "console-operator", + "console", + "openshift-controller-manager-operator", + "openshift-controller-manager-sa", + "dns-operator", + "dns", + "node-resolver", + "etcd-operator", + "cluster-image-registry-operator", + "registry", + "node-ca", + "ingress-operator", + "router", + "operator", + "kube-apiserver-operator", + "kube-controller-manager-operator", + "openshift-kube-scheduler-operator", + "kube-storage-version-migrator-operator", + "kube-storage-version-migrator-sa", + "cluster-autoscaler-operator", + "cluster-baremetal-operator", + "cluster-baremetal-operator", + "machine-api-controllers", + "machine-api-operator", + "machine-config-controller", + "machine-config-daemon", + "machine-config-server", + "managed-upgrade-operator", + "marketplace-operator", + "alertmanager-main", + "cluster-monitoring-operator", + "grafana", + "kube-state-metrics", + "node-exporter", + "openshift-state-metrics", + "prometheus-adapter", + "prometheus-k8s", + "prometheus-operator", + "thanos-querier", + "multus", + "metrics-daemon-sa", + "network-diagnostics", + "oauth-apiserver-sa", + "collect-profiles", + "olm-operator-serviceaccount", + "sdn", + "sdn-controller", + "service-ca-operator", + "service-ca", + "pruner", + "installer-sa" + } + + get_service_account(obj) = spec { + obj.kind == "Pod" + spec := obj.spec.serviceAccountName + } { + obj.kind == 
"CronJob" + spec := obj.spec.jobTemplate.spec.template.spec.serviceAccountName + } { + obj.kind in ["ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] + spec := obj.spec.template.spec.serviceAccountName + } + + has_service_account(obj) { + obj.kind in ["Pod","CronJob","ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] + } + + get_user_info(review) = info { + has_field(review.userInfo, "username") + username := get_user(review) + info := sprintf("user name %v", [username]) + } { + not has_field(review.userInfo, "username") + has_service_account(review.object) + sa := get_service_account(review.object) + info := sprintf("service account %v", [sa]) + } + + # this setup is to handle below case: + # user default::notfound not allowed to operate in namespace openshift-kube-scheduler + # + # assume for cmdline operations, userInfo is always present, which is the only key for user identity + # while for serviceAccount operations, no userInfo is present, and we have to rely on the serviceAccountName field in the object + + is_exempted_account(review) { + has_field(review.userInfo, "username") + username := get_user(review) + is_exempted_user(username) + print("exempted user:", username) + } { + not has_field(review.userInfo, "username") + sa := get_service_account(review.object) + is_exempted_service_account(sa) + print("exempted account:", sa) + } + + is_exempted_service_account(user) { + exempted_service_account[user] + } + + get_user(review) = name { + not has_field(review.userInfo, "username") + name = "notfound" + } { + has_field(review.userInfo, "username") + name = review.userInfo.username + print(name) + } + + has_field(object, field) = true { + object[field] + } + + is_exempted_user(user) { + exempted_user[user] + } + + exempted_user = { + "system:admin" # comment out temporarily for testing in console + } \ No newline at end of file 
From cc031323070923afa2b48d2885e486cf7ff910ed Mon Sep 17 00:00:00 2001 From: Edison Cardenas Date: Wed, 7 Jun 2023 17:53:43 +1200 Subject: [PATCH 09/18] ARO-1422: Rename gatekeeper-config.yaml to sync.yaml, to indicate that this is a config resource for all policies to use. --- .../{aro-deny-upgradeconfig/gatekeeper-config.yaml => sync.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig/gatekeeper-config.yaml => sync.yaml} (100%) diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/sync.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gatekeeper-config.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/sync.yaml From ec1d943dae01771ec0326267839f9f396c127114 Mon Sep 17 00:00:00 2001 From: Edison Date: Thu, 22 Jun 2023 10:44:12 +1200 Subject: [PATCH 10/18] ARO-1423: Refactor name --- .../aro-clusterversion-deny.yaml | 4 +- .../gktemplates/aro-deny-clusterversion.yaml | 299 +++++++----------- 2 files changed, 114 insertions(+), 189 deletions(-) diff --git a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml index 92558144e99..41f94ce87d7 100644 --- a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml +++ b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml 
@@ -1,10 +1,10 @@ apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ARODenyClusterVersion metadata: - name: aro-deny-clusterversion-modification + name: aro-clusterversion-deny spec: enforcementAction: {{.Enforcement}} match: kinds: - apiGroups: ["config.openshift.io"] - kinds: ["ClusterVersion"] \ No newline at end of file + kinds: ["ClusterVersion"] diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml index bc1b2b68d9c..99e4bb28bcd 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml 
@@ -53,197 +53,20 @@ spec: # shared structures, functions, etc. - is_priv_namespace(ns) { - privileged_ns[ns] - } - - privileged_ns = { - # ARO specific namespaces - "openshift-azure-logging", - "openshift-azure-operator", - "openshift-managed-upgrade-operator", - - # OCP namespaces - "openshift", - "openshift-apiserver", - "openshift-apiserver-operator", - "openshift-authentication-operator", - "openshift-cloud-controller-manager", - "openshift-cloud-controller-manager-operator", - "openshift-cloud-credential-operator", - "openshift-cluster-csi-drivers", - "openshift-cluster-machine-approver", - "openshift-cluster-node-tuning-operator", - "openshift-cluster-samples-operator", - "openshift-cluster-storage-operator", - "openshift-cluster-version", - "openshift-config", - "openshift-config-managed", - "openshift-config-operator", - "openshift-console", - "openshift-console-operator", - "openshift-console-user-settings", - "openshift-controller-manager", - "openshift-controller-manager-operator", - "openshift-dns", - "openshift-dns-operator", - "openshift-etcd", - "openshift-etcd-operator", - "openshift-host-network", - "openshift-image-registry", - "openshift-ingress", - "openshift-ingress-canary", - "openshift-ingress-operator", - "openshift-insights", - "openshift-kni-infra", - "openshift-kube-apiserver", - "openshift-kube-apiserver-operator", - "openshift-kube-controller-manager", - "openshift-kube-controller-manager-operator", - "openshift-kube-scheduler", - "openshift-kube-scheduler-operator", - "openshift-kube-storage-version-migrator", - "openshift-kube-storage-version-migrator-operator", - "openshift-machine-api", - "openshift-machine-config-operator", - "openshift-marketplace", - "openshift-monitoring", - "openshift-multus", - "openshift-network-diagnostics", - "openshift-network-operator", - "openshift-oauth-apiserver", - "openshift-openstack-infra", - "openshift-operators", - "openshift-operator-lifecycle-manager", - "openshift-ovirt-infra", - 
"openshift-sdn", - "openshift-service-ca", - "openshift-service-ca-operator" - } - - exempted_service_account = { - "default", - "aro-sre", - "openshift-apiserver-operator", - "openshift-apiserver-sa", - "authentication-operator", - "geneva", - "aro-operator-worker", - "cluster-cloud-controller-manager", - "cloud-credential-operator", - "azure-disk-csi-driver-controller-sa", - "azure-disk-csi-driver-node-sa", - "azure-disk-csi-driver-operator", - "machine-approver-sa", - "cluster-node-tuning-operator", - "tuned", - "cluster-samples-operator", - "cluster-storage-operator", - "csi-snapshot-controller", - "csi-snapshot-controller-operator", - "openshift-config-operator", - "console-operator", - "console", - "openshift-controller-manager-operator", - "openshift-controller-manager-sa", - "dns-operator", - "dns", - "node-resolver", - "etcd-operator", - "cluster-image-registry-operator", - "registry", - "node-ca", - "ingress-operator", - "router", - "operator", - "kube-apiserver-operator", - "kube-controller-manager-operator", - "openshift-kube-scheduler-operator", - "kube-storage-version-migrator-operator", - "kube-storage-version-migrator-sa", - "cluster-autoscaler-operator", - "cluster-baremetal-operator", - "cluster-baremetal-operator", - "machine-api-controllers", - "machine-api-operator", - "machine-config-controller", - "machine-config-daemon", - "machine-config-server", - "managed-upgrade-operator", - "marketplace-operator", - "alertmanager-main", - "cluster-monitoring-operator", - "grafana", - "kube-state-metrics", - "node-exporter", - "openshift-state-metrics", - "prometheus-adapter", - "prometheus-k8s", - "prometheus-operator", - "thanos-querier", - "multus", - "metrics-daemon-sa", - "network-diagnostics", - "oauth-apiserver-sa", - "collect-profiles", - "olm-operator-serviceaccount", - "sdn", - "sdn-controller", - "service-ca-operator", - "service-ca", - "pruner", - "installer-sa" - } - - get_service_account(obj) = spec { - obj.kind == "Pod" - spec := 
obj.spec.serviceAccountName - } { - obj.kind == "CronJob" - spec := obj.spec.jobTemplate.spec.template.spec.serviceAccountName - } { - obj.kind in ["ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] - spec := obj.spec.template.spec.serviceAccountName - } - - has_service_account(obj) { - obj.kind in ["Pod","CronJob","ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] - } - - get_user_info(review) = info { + is_exempted_account(review) = true { + has_field(review, "userInfo") has_field(review.userInfo, "username") - username := get_user(review) - info := sprintf("user name %v", [username]) + username := get_username(review) + groups := get_user_group(review) + is_exempted_user_or_groups(username, groups) } { - not has_field(review.userInfo, "username") - has_service_account(review.object) - sa := get_service_account(review.object) - info := sprintf("service account %v", [sa]) - } - - # this setup is to handle below case: - # user default::notfound not allowed to operate in namespace openshift-kube-scheduler - # - # assume for cmdline operations, userInfo is always present, which is the only key for user identity - # while for serviceAccount operations, no userInfo is present, and we have to rely on the serviceAccountName field in the object - - is_exempted_account(review) { - has_field(review.userInfo, "username") - username := get_user(review) - is_exempted_user(username) - print("exempted user:", username) + not has_field(review, "userInfo") } { + has_field(review, "userInfo") not has_field(review.userInfo, "username") - sa := get_service_account(review.object) - is_exempted_service_account(sa) - print("exempted account:", sa) - } - - is_exempted_service_account(user) { - exempted_service_account[user] } - get_user(review) = name { + get_username(review) = name { not has_field(review.userInfo, "username") name = "notfound" } { 
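Review bot: The rewritten `is_exempted_account` returns true for any review that has no `userInfo` at all, and for one whose `userInfo` lacks `username` (the two added fall-through bodies), so a request without an identity is now exempted rather than checked; the removed code only exempted by username or by a service account found on the object. API-server admission reviews always populate `userInfo`, so this branch may be unreachable in practice, but the direction of the fallback is security-relevant and should be stated, e.g. `# no userInfo/username: treated as system-originated and exempted — confirm this cannot be reached from a user request`. `get_username` begins at the end of this hunk and its body continues in the next one.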
@@ -252,14 +75,116 @@ spec: print(name) } + get_user_group(review) = group { + not review.userInfo + group = [] + } { + not review.userInfo.groups + group = [] + } { + group = review.userInfo.groups + } + + is_exempted_user_or_groups(user, groups) = true { + exempted_user[user] + print("exempted user:", user) + } { + group := [ g | g := groups[_]; (g in cast_set(exempted_groups)) ] + count(group) > 0 + print("exempted group:", group) + } + has_field(object, field) = true { object[field] } - is_exempted_user(user) { + is_exempted_user(user) = true { exempted_user[user] } + is_priv_namespace(ns) = true { + privileged_ns[ns] + } + exempted_user = { - "system:admin" # comment out temporarily for testing in console + # "system:admin" # comment out temporarily for testing in console + } + + exempted_groups = { + # "system:cluster-admins", # dont allow kube:admin + "system:serviceaccounts", # to allow all system service account? + # "system:serviceaccounts:openshift-monitoring", # monitoring operator + # "system:serviceaccounts:openshift-network-operator", # network operator + # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name + "system:masters" # system:admin + } + + privileged_ns = { + # Kubernetes specific namespaces + "kube-node-lease", + "kube-public", + "kube-system", + + # ARO specific namespaces + "openshift-azure-logging", + "openshift-azure-operator", + "openshift-managed-upgrade-operator", + "openshift-azure-guardrails", + + # OCP namespaces + "openshift", + "openshift-apiserver", + "openshift-apiserver-operator", + "openshift-authentication-operator", + "openshift-cloud-controller-manager", + "openshift-cloud-controller-manager-operator", + "openshift-cloud-credential-operator", + "openshift-cluster-csi-drivers", + "openshift-cluster-machine-approver", + "openshift-cluster-node-tuning-operator", + "openshift-cluster-samples-operator", + "openshift-cluster-storage-operator", + 
"openshift-cluster-version", + "openshift-config", + "openshift-config-managed", + "openshift-config-operator", + "openshift-console", + "openshift-console-operator", + "openshift-console-user-settings", + "openshift-controller-manager", + "openshift-controller-manager-operator", + "openshift-dns", + "openshift-dns-operator", + "openshift-etcd", + "openshift-etcd-operator", + "openshift-host-network", + "openshift-image-registry", + "openshift-ingress", + "openshift-ingress-canary", + "openshift-ingress-operator", + "openshift-insights", + "openshift-kni-infra", + "openshift-kube-apiserver", + "openshift-kube-apiserver-operator", + "openshift-kube-controller-manager", + "openshift-kube-controller-manager-operator", + "openshift-kube-scheduler", + "openshift-kube-scheduler-operator", + "openshift-kube-storage-version-migrator", + "openshift-kube-storage-version-migrator-operator", + "openshift-machine-api", + "openshift-machine-config-operator", + "openshift-marketplace", + "openshift-monitoring", + "openshift-multus", + "openshift-network-diagnostics", + "openshift-network-operator", + "openshift-oauth-apiserver", + "openshift-openstack-infra", + "openshift-operators", + "openshift-operator-lifecycle-manager", + "openshift-ovirt-infra", + "openshift-sdn", + "openshift-service-ca", + "openshift-service-ca-operator" } \ No newline at end of file From 6e5ff58a2e55e2b89e8bc7d66e8e197fc542b4a0 Mon Sep 17 00:00:00 2001 From: Edison Date: Fri, 23 Jun 2023 17:17:25 +1200 Subject: [PATCH 11/18] ARO-1423: Fix yaml lint issue with missing new line at end of file. --- .../gator-test/inventory_config_local.yaml | 3 ++- .../gator-test/inventory_config_ocm.yaml | 3 ++- .../gator-test/system_user_create_clusterversion.yaml | 2 +- .../policies/gktemplates/aro-deny-clusterversion.yaml | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) 
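Review bot: `exempted_groups` in this hunk lists `"system:serviceaccounts"`, a group that every service account in the cluster carries, so `is_exempted_user_or_groups` exempts workloads from any namespace rather than only the operators this policy means to let through — the trailing `?` in the comment suggests that was never settled. The exemption should be narrowed to service accounts in the namespaces already enumerated in `privileged_ns`, which is what the `is_priv_namespace` helper added here is good for, although nothing visible in this hunk calls it; the gator suite should then gain a case with a service account from a non-privileged namespace that expects a denial. Separately, `exempted_user` is committed as an empty set with `"system:admin"` commented out "temporarily for testing", which either belongs back in or should lose the temporary comment. The rego block is embedded in the ConstraintTemplate YAML whose header lies outside this hunk.
```rego
is_exempted_user_or_groups(user, groups) = true {
	exempted_user[user]
	print("exempted user:", user)
} {
	# exempt only service accounts that live in a privileged namespace
	some g in groups
	ns := trim_prefix(g, "system:serviceaccounts:")
	ns != g
	is_priv_namespace(ns)
	print("exempted group:", g)
} {
	some g in groups
	exempted_groups[g]
	print("exempted group:", g)
}
# … unchanged: has_field, is_exempted_user, is_priv_namespace, exempted_user …
exempted_groups = {
	"system:masters" # system:admin
}
# … unchanged: privileged_ns …
```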
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml index 69a8ae11317..0e6a2350a96 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml @@ -13,4 +13,5 @@ data: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" \ No newline at end of file + \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" + \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml index 114a6efc4fa..60466ff0e13 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml 
@@ -13,4 +13,5 @@ data: 45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n - \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" \ No newline at end of file + \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" + \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml index 8267e61ea60..cccb346489c 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml @@ -186,4 +186,4 @@ request: uid: ddc9ff1c-913f-4421-8b78-f512a839da45 userInfo: uid: bc164435-e066-42f9-ae3e-e21164ebb1c0 - username: system:admin \ No newline at end of file + username: system:admin diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml index 99e4bb28bcd..f32b279d412 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml @@ -187,4 +187,4 @@ spec: "openshift-sdn", "openshift-service-ca", "openshift-service-ca-operator" - } \ No newline at end of file + } From fc16f030069324d8da102d64ac130a2c46fc5171 Mon Sep 17 00:00:00 2001 
From: Edison Date: Wed, 28 Jun 2023 19:59:35 +1200 Subject: [PATCH 12/18] ARO-1422 & ARO-1423: Merge logic of two policies. They have similar logic. --- .../aro-clusterversion-deny.yaml | 10 - ...ro-clusterversion-upgradeconfig-deny.yaml} | 8 +- .../README.md | 3 + ...aro-deny-clusterversion-upgradeconfig.tmpl | 28 ++ ...nventory_config_local_clusterversion.yaml} | 0 ...inventory_config_local_upgradeconfig.yaml} | 0 .../inventory_config_ocm_clusterversion.yaml} | 0 .../inventory_config_ocm_upgradeconfig.yaml} | 0 .../regular_user_create_clusterversion.yaml | 0 ..._user_create_managed_upgrade_operator.yaml | 0 .../regular_user_delete_clusterversion.yaml | 0 ..._user_delete_managed_upgrade_operator.yaml | 0 .../regular_user_update_clusterversion.yaml | 0 ..._user_update_managed_upgrade_operator.yaml | 0 .../system_user_create_clusterversion.yaml | 0 ..._user_create_managed_upgrade_operator.yaml | 0 .../system_user_delete_clusterversion.yaml | 0 ..._user_delete_managed_upgrade_operator.yaml | 0 .../system_user_update_clusterversion.yaml | 0 ..._user_update_managed_upgrade_operator.yaml | 0 .../src.rego | 4 +- .../src_test.rego | 206 +++++++++++++ .../suite.yaml | 157 ++++++++++ .../sync.yaml | 0 .../aro-deny-clusterversion.tmpl | 28 -- .../aro-deny-clusterversion/src.rego | 24 -- .../aro-deny-clusterversion/src_test.rego | 103 ------- .../aro-deny-clusterversion/suite.yaml | 81 ------ .../aro-deny-upgradeconfig/README.md | 3 - .../aro-deny-upgradeconfig.tmpl | 28 -- .../aro-deny-upgradeconfig/src_test.rego | 103 ------- .../aro-deny-upgradeconfig/suite.yaml | 81 ------ .../policies/gktemplates-src/sync.yaml | 43 --- ...ro-deny-clusterversion-upgradeconfig.yaml} | 16 +- .../gktemplates/aro-deny-upgradeconfig.yaml | 272 ------------------ 35 files changed, 409 insertions(+), 789 deletions(-) delete mode 100644 pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml rename 
pkg/operator/controllers/guardrails/policies/gkconstraints/{aro-upgradeconfig-deny.yaml => aro-clusterversion-upgradeconfig-deny.yaml} (51%) create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/README.md create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/aro-deny-clusterversion-upgradeconfig.tmpl rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig/gator-test/inventory_config_local.yaml => aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_clusterversion.yaml} (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion/gator-test/inventory_config_local.yaml => aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_upgradeconfig.yaml} (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig/gator-test/inventory_config_ocm.yaml => aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_clusterversion.yaml} (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml => aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_upgradeconfig.yaml} (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion => aro-deny-clusterversion-upgradeconfig}/gator-test/regular_user_create_clusterversion.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig => aro-deny-clusterversion-upgradeconfig}/gator-test/regular_user_create_managed_upgrade_operator.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion => aro-deny-clusterversion-upgradeconfig}/gator-test/regular_user_delete_clusterversion.yaml (100%) rename 
pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig => aro-deny-clusterversion-upgradeconfig}/gator-test/regular_user_delete_managed_upgrade_operator.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion => aro-deny-clusterversion-upgradeconfig}/gator-test/regular_user_update_clusterversion.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig => aro-deny-clusterversion-upgradeconfig}/gator-test/regular_user_update_managed_upgrade_operator.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion => aro-deny-clusterversion-upgradeconfig}/gator-test/system_user_create_clusterversion.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig => aro-deny-clusterversion-upgradeconfig}/gator-test/system_user_create_managed_upgrade_operator.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion => aro-deny-clusterversion-upgradeconfig}/gator-test/system_user_delete_clusterversion.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig => aro-deny-clusterversion-upgradeconfig}/gator-test/system_user_delete_managed_upgrade_operator.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion => aro-deny-clusterversion-upgradeconfig}/gator-test/system_user_update_clusterversion.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig => aro-deny-clusterversion-upgradeconfig}/gator-test/system_user_update_managed_upgrade_operator.yaml (100%) rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-upgradeconfig => aro-deny-clusterversion-upgradeconfig}/src.rego (83%) create mode 100644 
pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego create mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml rename pkg/operator/controllers/guardrails/policies/gktemplates-src/{aro-deny-clusterversion => aro-deny-clusterversion-upgradeconfig}/sync.yaml (100%) delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates-src/sync.yaml rename pkg/operator/controllers/guardrails/policies/gktemplates/{aro-deny-clusterversion.yaml => aro-deny-clusterversion-upgradeconfig.yaml} (89%) delete mode 100644 pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml deleted file mode 100644 index 41f94ce87d7..00000000000 
--- a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-deny.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: constraints.gatekeeper.sh/v1beta1 -kind: ARODenyClusterVersion -metadata: - name: aro-clusterversion-deny -spec: - enforcementAction: {{.Enforcement}} - match: - kinds: - - apiGroups: ["config.openshift.io"] - kinds: ["ClusterVersion"] diff --git a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-upgradeconfig-deny.yaml b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml similarity index 51% rename from pkg/operator/controllers/guardrails/policies/gkconstraints/aro-upgradeconfig-deny.yaml rename to pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml index 7c805d4422b..50a29f6f60d 100644 --- a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-upgradeconfig-deny.yaml +++ b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml @@ -1,13 +1,15 @@ apiVersion: constraints.gatekeeper.sh/v1beta1 -kind: ARODenyUpgradeConfig +kind: ARODenyClusterVersionUpgradeConfig metadata: - name: aro-deny-upgradeconfig-modification + name: aro-deny-clusterversion-upgradeconfig-modification spec: enforcementAction: {{.Enforcement}} match: - namespaces: ["openshift-managed-upgrade-operator"] kinds: - apiGroups: [""] kinds: ["ConfigMap"] - apiGroups: ["upgrade.managed.openshift.io"] kinds: ["UpgradeConfig"] + namespaces: ["openshift-managed-upgrade-operator",""] + - apiGroups: ["config.openshift.io"] + kinds: ["ClusterVersion"] diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/README.md b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/README.md new file mode 100644 index 00000000000..dec87f35514 --- /dev/null 
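Review bot: The new `namespaces: ["openshift-managed-upgrade-operator",""]` line is placed between the `UpgradeConfig` entry and the added `ClusterVersion` entry of `match.kinds`; with indentation lost in this view I cannot tell whether it ends up as a field of the last kinds entry (not something Gatekeeper's kinds matcher defines, so likely pruned or rejected) or as a `match`-level key that interrupts the list (invalid YAML), but either way it belongs as a sibling of `kinds:` directly under `match:`, before or after the whole list. The `""` entry reads as an attempt to let the cluster-scoped `ClusterVersion` through a namespace filter; whether Gatekeeper applies `namespaces` to cluster-scoped objects should be confirmed against the deployed version, and the merged gator suite should include a `ClusterVersion` request to prove the constraint still matches it. If it does not, keeping `ClusterVersion` in a separate constraint without the namespace filter is the safer shape.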
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/README.md
@@ -0,0 +1,3 @@
+# UpgradeConfig Policy
+
+This policy needs the 'sync.yaml' applied to the cluster in order to retrieve data from data.inventory document.
\ No newline at end of file
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/aro-deny-clusterversion-upgradeconfig.tmpl b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/aro-deny-clusterversion-upgradeconfig.tmpl
new file mode 100644
index 00000000000..be8c2397778
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/aro-deny-clusterversion-upgradeconfig.tmpl
@@ -0,0 +1,28 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: arodenyclusterversionupgradeconfig
+ annotations:
+ metadata.gatekeeper.sh/title: "ClusterVersion-UpgradeConfig"
+ metadata.gatekeeper.sh/version: 1.0.0
+ description: >-
+ Disallows editing of ClusterVersioin and UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret".
+
+spec:
+ crd:
+ spec:
+ names:
+ kind: ARODenyClusterVersionUpgradeConfig
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ description: >-
+ Disallows editing of ClusterVersioin and UpgradeConfi by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret".
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+{{ file.Read "gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "gktemplates-src/library/common.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
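Review bot: Both `description` fields of the new ConstraintTemplate say the policy fires when a "cloud.openshift.com" entry exists in "openshift-config/pull-secret", but the `src.rego` hunk in this same patch keys on `regex.match("source: OCM", ...)` over the `managed-upgrade-operator-config` ConfigMap, so operators reading the template will look at the wrong object when the constraint denies them. The text should describe the real condition, e.g. `Disallows regular users from creating, editing or deleting ClusterVersion and UpgradeConfig when the managed-upgrade-operator config source is OCM.`, and while there fix the typos `ClusterVersioin` (twice) and `UpgradeConfi`. The `openAPIV3Schema` block declares `type: object` with no properties, so the `# Schema for the parameters field` comment is worth a note that the constraint takes no parameters.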
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_local.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_local.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_clusterversion.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_upgradeconfig.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_local.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_upgradeconfig.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_ocm.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/inventory_config_ocm.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_clusterversion.yaml 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_upgradeconfig.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/inventory_config_ocm.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_upgradeconfig.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_create_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_create_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_create_clusterversion.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_create_clusterversion.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_create_managed_upgrade_operator.yaml 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_delete_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_delete_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_delete_clusterversion.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_delete_clusterversion.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_delete_managed_upgrade_operator.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_update_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_update_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/regular_user_update_clusterversion.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_update_clusterversion.yaml 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/regular_user_update_managed_upgrade_operator.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_create_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_create_clusterversion.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_create_clusterversion.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_create_managed_upgrade_operator.yaml 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_delete_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_delete_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_delete_clusterversion.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_delete_clusterversion.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_delete_managed_upgrade_operator.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_update_clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_update_clusterversion.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/gator-test/system_user_update_clusterversion.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_update_clusterversion.yaml 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/system_user_update_managed_upgrade_operator.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego similarity index 83% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego index 5b9b80fa270..333f01617fa 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego @@ -1,4 +1,4 @@ -package arodenyupgradeconfig +package arodenyclusterversionupgradeconfig import data.lib.common.is_exempted_account import future.keywords.in 
@@ -20,5 +20,5 @@ violation[{"msg": msg}] {
 # ## NOT ALLOWED
 config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]
 regex.match("source: OCM", config_data)
- msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig."
+ msg := "Modifying this resource is not allowed for regular users. This includes attempting to create, edit, or delete."
 }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego
new file mode 100644
index 00000000000..76a6f43a036
--- /dev/null
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego
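Review bot: `regex.match("source: OCM", config_data)` on the context line above the changed `msg` is a substring match over raw YAML text, so it also fires on a commented-out `# source: OCM` and silently misses equivalent spellings such as `source: "OCM"` or different whitespace, which turns the guardrail off without anyone noticing. Parsing the document is more robust and matches the `configManager.source` layout the new test fixtures use: `cfg := yaml.unmarshal(config_data)` followed by `cfg.configManager.source == "OCM"`. The new message no longer names the resource; Gatekeeper's review object carries `input.review.kind.kind`, which could be interpolated with `sprintf`, though the `input_configmap` fixtures in the new `src_test.rego` build reviews without a `kind` field and would need one added. The `violation` rule this hunk sits in starts above the hunk.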
@@ -0,0 +1,206 @@ +package arodenyclusterversionupgradeconfig + +test_input_allowed_regular_user_update_upgradeconfig { + input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_input_disallowed_regular_user_update_upgradeconfig { + input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 +} + +test_input_allowed_system_user_update_upgradeconfig { + input := {"review": input_configmap("system:admin", "system:admin", "UPDATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_allowed_regular_user_delete_upgradeconfig { + input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_disallowed_regular_user_delete_upgradeconfig { + input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 +} + +test_allowed_system_user_delete_upgradeconfig { + input := {"review": input_configmap("system:admin", "system:admin", "DELETE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_allowed_regular_user_create_upgradeconfig { + input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + 
+test_disallowed_regular_user_create_upgradeconfig { + input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 +} + +test_create_allowed_system_user_create_upgradeconfig { + input := {"review": input_configmap("system:admin", "system:admin", "CREATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +input_configmap(group, username, operation) = output { + output = { + "operation": operation, + "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", + "userInfo": { + "uid": "109561ea-68ee-45ca-82be-96733b504593", + "username": username + } + } +} + +inv_data(obj) = output { + output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} +} + +create_data_ocm([]) = output { + output = { + "apiVersion": "v1", + "managed-upgrade-operator-config" : { + "data": { + "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + } + }, + "kind": "ConfigMap" + } +} + +create_data_local([]) = output { + output = { + "apiVersion": "v1", + "managed-upgrade-operator-config" : { + "data": { + "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n 
watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + } + }, + "kind": "ConfigMap" + } +} + + +test_input_allowed_regular_user_update_clusterversion { + input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_input_disallowed_regular_user_update_clusterversion { + input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 +} + +test_input_allowed_system_user_update_clusterversion { + input := {"review": input_configmap("system:admin", "system:admin", "UPDATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_allowed_regular_user_delete_clusterversion { + input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_disallowed_regular_user_delete_clusterversion { + input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + 
count(results) == 1 +} + +test_allowed_system_user_delete_clusterversion { + input := {"review": input_configmap("system:admin", "system:admin", "DELETE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_allowed_regular_user_create_clusterversion { + input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} + inv := inv_data(create_data_local([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +test_disallowed_regular_user_create_clusterversion { + input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 1 +} + +test_create_allowed_system_user_create_clusterversion { + input := {"review": input_configmap("system:admin", "system:admin", "CREATE")} + inv := inv_data(create_data_ocm([])) + results := violation with input as input with data.inventory as inv + count(results) == 0 +} + +input_configmap(group, username, operation) = output { + output = { + "operation": operation, + "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", + "userInfo": { + "uid": "109561ea-68ee-45ca-82be-96733b504593", + "username": username + } + } +} + +inv_data(obj) = output { + output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} +} + +create_data_ocm([]) = output { + output = { + "apiVersion": "v1", + "managed-upgrade-operator-config" : { + "data": { + "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 
30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + } + }, + "kind": "ConfigMap" + } +} + +create_data_local([]) = output { + output = { + "apiVersion": "v1", + "managed-upgrade-operator-config" : { + "data": { + "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" + } + }, + "kind": "ConfigMap" + } +} \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml new file mode 100644 index 00000000000..a237aa5978b --- /dev/null +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml 
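Review bot: The second half of this file (from `test_input_allowed_regular_user_update_clusterversion` on) re-declares `input_configmap`, `inv_data`, `create_data_ocm` and `create_data_local` with bodies identical to the first declarations, so every fixture exists twice in one package; the `_clusterversion` tests also build exactly the same review as the `_upgradeconfig` ones, so they do not exercise anything kind-specific, which is expected since the policy never reads `input.review.kind`. Drop the second set of helper definitions and keep a single set of tests, and note that the `group` parameter of `input_configmap` is never placed into `userInfo`, so no test covers exemption by group membership. One case worth adding is the inventory-absent path, where the ConfigMap lookup in the policy is undefined and a regular user's change is allowed; pinning it makes the fail-open behaviour explicit so a future sync misconfiguration cannot silently weaken the guardrail unnoticed.

```rego
# Documents the fail-open path: with no ConfigMap in data.inventory the policy
# cannot read config.yaml and produces no violation for a regular user.
test_regular_user_update_allowed_when_config_missing_from_inventory {
    input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")}
    inv := {"namespace": {}}
    results := violation with input as input with data.inventory as inv
    count(results) == 0
}
```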
@@ -0,0 +1,157 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: clusterversion-upgradeconfig +tests: + - name: upgradeconfig-tests + template: ../../gktemplates/aro-deny-clusterversion-upgradeconfig.yaml + constraint: ../../gkconstraints-test/aro-clusterversion-upgradeconfig-deny.yaml + cases: + - name: create-upgradeconfig-allowed-regular-user + object: gator-test/regular_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local_upgradeconfig.yaml + assertions: + - violations: no + - name: create-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local_upgradeconfig.yaml + assertions: + - violations: no + - name: create-upgradeconfig-allowed-system-user-ocm + object: gator-test/system_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm_upgradeconfig.yaml + assertions: + - violations: no + - name: create-upgradeconfig-not-allowed-regular-user + object: /gator-test/regular_user_create_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm_upgradeconfig.yaml + assertions: + - violations: yes + - name: update-upgradeconfig-allowed-regular-user + object: gator-test/regular_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local_upgradeconfig.yaml + assertions: + - violations: no + - name: update-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local_upgradeconfig.yaml + assertions: + - violations: no + - name: update-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm_upgradeconfig.yaml + assertions: + - violations: no + - name: update-upgradeconfig-not-allowed-regular-user + object: 
/gator-test/regular_user_update_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm_upgradeconfig.yaml + assertions: + - violations: yes + - name: delete-upgradeconfig-allowed-regular-user + object: gator-test/regular_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local_upgradeconfig.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-allowed-system-user-local + object: gator-test/system_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_local_upgradeconfig.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-allowed-system-user-ocm + object: gator-test/system_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm_upgradeconfig.yaml + assertions: + - violations: no + - name: delete-upgradeconfig-not-allowed-regular-user + object: gator-test/regular_user_delete_managed_upgrade_operator.yaml + inventory: + - gator-test/inventory_config_ocm_upgradeconfig.yaml + assertions: + - violations: yes + - name: clusterversion-tests + template: ../../gktemplates/aro-deny-clusterversion-upgradeconfig.yaml + constraint: ../../gkconstraints-test/aro-clusterversion-upgradeconfig-deny.yaml + cases: + - name: create-clusterversion-allowed-regular-user + object: gator-test/regular_user_create_clusterversion.yaml + inventory: + - gator-test/inventory_config_local_clusterversion.yaml + assertions: + - violations: no + - name: create-clusterversion-allowed-system-user-local + object: gator-test/system_user_create_clusterversion.yaml + inventory: + - gator-test/inventory_config_local_clusterversion.yaml + assertions: + - violations: no + - name: create-clusterversion-allowed-system-user-ocm + object: gator-test/system_user_create_clusterversion.yaml + inventory: + - gator-test/inventory_config_ocm_clusterversion.yaml + assertions: + - violations: no + - name: create-clusterversion-not-allowed-regular-user + object: 
/gator-test/regular_user_create_clusterversion.yaml + inventory: + - gator-test/inventory_config_ocm_clusterversion.yaml + assertions: + - violations: yes + - name: update-clusterversion-allowed-regular-user + object: gator-test/regular_user_update_clusterversion.yaml + inventory: + - gator-test/inventory_config_local_clusterversion.yaml + assertions: + - violations: no + - name: update-clusterversion-allowed-system-user-local + object: gator-test/system_user_update_clusterversion.yaml + inventory: + - gator-test/inventory_config_local_clusterversion.yaml + assertions: + - violations: no + - name: update-clusterversion-allowed-system-user-local + object: gator-test/system_user_update_clusterversion.yaml + inventory: + - gator-test/inventory_config_ocm_clusterversion.yaml + assertions: + - violations: no + - name: update-clusterversion-not-allowed-regular-user + object: /gator-test/regular_user_update_clusterversion.yaml + inventory: + - gator-test/inventory_config_ocm_clusterversion.yaml + assertions: + - violations: yes + - name: delete-clusterversion-allowed-regular-user + object: gator-test/regular_user_delete_clusterversion.yaml + inventory: + - gator-test/inventory_config_local_clusterversion.yaml + assertions: + - violations: no + - name: delete-clusterversion-allowed-system-user-local + object: gator-test/system_user_delete_clusterversion.yaml + inventory: + - gator-test/inventory_config_local_clusterversion.yaml + assertions: + - violations: no + - name: delete-clusterversion-allowed-system-user-ocm + object: gator-test/system_user_delete_clusterversion.yaml + inventory: + - gator-test/inventory_config_ocm_clusterversion.yaml + assertions: + - violations: no + - name: delete-clusterversion-not-allowed-regular-user + object: gator-test/regular_user_delete_clusterversion.yaml + inventory: + - gator-test/inventory_config_ocm_clusterversion.yaml + assertions: + - violations: yes \ No newline at end of file 
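Review bot: Two cases in each test group carry the same name, `update-upgradeconfig-allowed-system-user-local` and `update-clusterversion-allowed-system-user-local`, although the second of each pair uses the `_ocm_` inventory; rename the second to `update-upgradeconfig-allowed-system-user-ocm` and `update-clusterversion-allowed-system-user-ocm` so a failure report points at the right case. The four `not-allowed-regular-user` create/update cases reference `object: /gator-test/...` with a leading slash while every other case uses the relative `gator-test/...`; if gator resolves that as an absolute path, the only create/update cases that assert `violations: yes` would fail to load instead of proving the deny, so drop the slash. The inventory and object fixtures referenced here (`inventory_config_*_upgradeconfig.yaml`, `*_clusterversion.yaml`) are not added in this diff, so I could not confirm they exist under the new directory.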
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/sync.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml similarity index 100% rename from pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/sync.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl deleted file mode 100644 index fa3b6d1834a..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/aro-deny-clusterversion.tmpl +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: arodenyclusterversion - annotations: - metadata.gatekeeper.sh/title: "ClusterVersion" - metadata.gatekeeper.sh/version: 1.0.0 - description: >- - Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". - -spec: - crd: - spec: - names: - kind: ARODenyClusterVersion - validation: - # Schema for the `parameters` field - openAPIV3Schema: - type: object - description: >- - Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{ file.Read "gktemplates-src/aro-deny-clusterversion/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} - libs: - - | -{{ file.Read "gktemplates-src/library/common.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} \ No newline at end of file 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego deleted file mode 100644 index 9acb2781bb4..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src.rego +++ /dev/null @@ -1,24 +0,0 @@ -package arodenyclusterversion - -import data.lib.common.is_exempted_account -import future.keywords.in - -# Use object -# To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] -violation[{"msg": msg}] { - input.review.operation in ["CREATE", "UPDATE", "DELETE"] - - # ## Check user type - not is_exempted_account(input.review) - - # ## If regular user and - # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret - # ## ALLOW EDITING - - # ## If regular user and - # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret - # ## NOT ALLOWED - config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] - regex.match("source: OCM", config_data) - msg := "Modifying the ClusterVersion is not allowed for regular users. This includes attempting to create, edit, or delete the ClusterVersion." -} \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego deleted file mode 100644 index 5442724ab39..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/src_test.rego +++ /dev/null 
@@ -1,103 +0,0 @@ -package arodenyclusterversion - -test_input_allowed_regular_user_update_clusterversion { - input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_input_disallowed_regular_user_update_clusterversion { - input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 -} - -test_input_allowed_system_user_update_clusterversion { - input := {"review": input_configmap("system:admin", "system:admin", "UPDATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_allowed_regular_user_delete_clusterversion { - input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_disallowed_regular_user_delete_clusterversion { - input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 -} - -test_allowed_system_user_delete_clusterversion { - input := {"review": input_configmap("system:admin", "system:admin", "DELETE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_allowed_regular_user_create_clusterversion { - input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - 
-test_disallowed_regular_user_create_clusterversion { - input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 -} - -test_create_allowed_system_user_create_clusterversion { - input := {"review": input_configmap("system:admin", "system:admin", "CREATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -input_configmap(group, username, operation) = output { - output = { - "operation": operation, - "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", - "userInfo": { - "uid": "109561ea-68ee-45ca-82be-96733b504593", - "username": username - } - } -} - -inv_data(obj) = output { - output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} -} - -create_data_ocm([]) = output { - output = { - "apiVersion": "v1", - "managed-upgrade-operator-config" : { - "data": { - "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - } - }, - "kind": "ConfigMap" - } -} - -create_data_local([]) = output { - output = { - "apiVersion": "v1", - "managed-upgrade-operator-config" : { - "data": { - "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: 
managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - } - }, - "kind": "ConfigMap" - } -} \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml deleted file mode 100644 index ade80b7b6ed..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion/suite.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -kind: Suite -apiVersion: test.gatekeeper.sh/v1alpha1 -metadata: - name: clusterversion -tests: - - name: clusterversion-tests - template: ../../gktemplates/aro-deny-clusterversion.yaml - constraint: ../../gkconstraints-test/aro-clusterversion-deny.yaml - cases: - - name: create-clusterversion-allowed-regular-user - object: gator-test/regular_user_create_clusterversion.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: create-clusterversion-allowed-system-user-local - object: gator-test/system_user_create_clusterversion.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: create-clusterversion-allowed-system-user-ocm - object: gator-test/system_user_create_clusterversion.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: create-clusterversion-not-allowed-regular-user - object: /gator-test/regular_user_create_clusterversion.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes - - name: update-clusterversion-allowed-regular-user - object: gator-test/regular_user_update_clusterversion.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: update-clusterversion-allowed-system-user-local - object: gator-test/system_user_update_clusterversion.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: update-clusterversion-allowed-system-user-local - object: gator-test/system_user_update_clusterversion.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: update-clusterversion-not-allowed-regular-user - object: /gator-test/regular_user_update_clusterversion.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes - - name: delete-clusterversion-allowed-regular-user - object: 
gator-test/regular_user_delete_clusterversion.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: delete-clusterversion-allowed-system-user-local - object: gator-test/system_user_delete_clusterversion.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: delete-clusterversion-allowed-system-user-ocm - object: gator-test/system_user_delete_clusterversion.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: delete-clusterversion-not-allowed-regular-user - object: gator-test/regular_user_delete_clusterversion.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md deleted file mode 100644 index 9db82fbbdd1..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# UpgradeConfig Policy - -This policy needs the 'gatekeeper-config.yaml' installed to the cluster in order to retrieve data from data.inventory document. \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl deleted file mode 100644 index 6d1a1af4c1c..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/aro-deny-upgradeconfig.tmpl +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: arodenyupgradeconfig - annotations: - metadata.gatekeeper.sh/title: "UpgradeConfig" - metadata.gatekeeper.sh/version: 1.0.0 - description: >- - Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". - -spec: - crd: - spec: - names: - kind: ARODenyUpgradeConfig - validation: - # Schema for the `parameters` field - openAPIV3Schema: - type: object - description: >- - Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". - targets: - - target: admission.k8s.gatekeeper.sh - rego: | -{{ file.Read "gktemplates-src/aro-deny-upgradeconfig/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} - libs: - - | -{{ file.Read "gktemplates-src/library/common.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego deleted file mode 100644 index 2fc1008de5a..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/src_test.rego +++ /dev/null 
@@ -1,103 +0,0 @@ -package arodenyupgradeconfig - -test_input_allowed_regular_user_update_upgradeconfig { - input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_input_disallowed_regular_user_update_upgradeconfig { - input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 -} - -test_input_allowed_system_user_update_upgradeconfig { - input := {"review": input_configmap("system:admin", "system:admin", "UPDATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_allowed_regular_user_delete_upgradeconfig { - input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_disallowed_regular_user_delete_upgradeconfig { - input := {"review": input_configmap("regular-user", "regular-user", "DELETE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 -} - -test_allowed_system_user_delete_upgradeconfig { - input := {"review": input_configmap("system:admin", "system:admin", "DELETE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_allowed_regular_user_create_upgradeconfig { - input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} - inv := inv_data(create_data_local([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -test_disallowed_regular_user_create_upgradeconfig { 
- input := {"review": input_configmap("regular-user", "regular-user", "CREATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 1 -} - -test_create_allowed_system_user_create_upgradeconfig { - input := {"review": input_configmap("system:admin", "system:admin", "CREATE")} - inv := inv_data(create_data_ocm([])) - results := violation with input as input with data.inventory as inv - count(results) == 0 -} - -input_configmap(group, username, operation) = output { - output = { - "operation": operation, - "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", - "userInfo": { - "uid": "109561ea-68ee-45ca-82be-96733b504593", - "username": username - } - } -} - -inv_data(obj) = output { - output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} -} - -create_data_ocm([]) = output { - output = { - "apiVersion": "v1", - "managed-upgrade-operator-config" : { - "data": { - "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - } - }, - "kind": "ConfigMap" - } -} - -create_data_local([]) = output { - output = { - "apiVersion": "v1", - "managed-upgrade-operator-config" : { - "data": { - "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 
90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - } - }, - "kind": "ConfigMap" - } -} diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml deleted file mode 100644 index 11650860826..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-upgradeconfig/suite.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -kind: Suite -apiVersion: test.gatekeeper.sh/v1alpha1 -metadata: - name: upgradeconfig -tests: - - name: upgradeconfig-tests - template: ../../gktemplates/aro-deny-upgradeconfig.yaml - constraint: ../../gkconstraints-test/aro-upgradeconfig-deny.yaml - cases: - - name: create-upgradeconfig-allowed-regular-user - object: gator-test/regular_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: create-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: create-upgradeconfig-allowed-system-user-ocm - object: gator-test/system_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: create-upgradeconfig-not-allowed-regular-user - object: /gator-test/regular_user_create_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes - - name: update-upgradeconfig-allowed-regular-user - object: gator-test/regular_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: update-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: update-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: update-upgradeconfig-not-allowed-regular-user - object: /gator-test/regular_user_update_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes - - name: 
delete-upgradeconfig-allowed-regular-user - object: gator-test/regular_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: delete-upgradeconfig-allowed-system-user-local - object: gator-test/system_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_local.yaml - assertions: - - violations: no - - name: delete-upgradeconfig-allowed-system-user-ocm - object: gator-test/system_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: no - - name: delete-upgradeconfig-not-allowed-regular-user - object: gator-test/regular_user_delete_managed_upgrade_operator.yaml - inventory: - - gator-test/inventory_config_ocm.yaml - assertions: - - violations: yes diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/sync.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/sync.yaml deleted file mode 100644 index ca9ac638a0d..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/sync.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -apiVersion: config.gatekeeper.sh/v1alpha1 -kind: Config -metadata: - name: config - namespace: "openshift-azure-guardrails" -spec: - match: - - excludedNamespaces: - [ - "kube-*", - "openshift-kube-*", - "openshift", - "openshift-etcd*", - "openshift-monitoring", - "default", - "gatekeeper-system", - "openshift-apiserver*", - "openshift-authentication*", - "openshift-logging", - "openshift-redhat-marketplace", - "openshift-operators", - "openshift-user-workload-monitoring", - "openshift-pipelines", - "openshift-marketplace", - "openshift-multus", - "openshift-network*", - "openshift-vsphere-*", - "openshift-config-*", - "openshift-console", - "openshift-service-ca*", - "openshift-azure*", - "openshift-cloud*", - "openshift-sdn", - ] - processes: ["*"] - sync: - syncOnly: - - group: "" - version: "v1" - kind: "ConfigMap" - - group: "" - version: "v1" - kind: "Namespace" diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml similarity index 89% rename from pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml rename to pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml index f32b279d412..24443aaf369 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml 
@@ -1,28 +1,28 @@ apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: - name: arodenyclusterversion + name: arodenyclusterversionupgradeconfig annotations: - metadata.gatekeeper.sh/title: "ClusterVersion" + metadata.gatekeeper.sh/title: "ClusterVersion-UpgradeConfig" metadata.gatekeeper.sh/version: 1.0.0 description: >- - Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + Disallows editing of ClusterVersioin and UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". spec: crd: spec: names: - kind: ARODenyClusterVersion + kind: ARODenyClusterVersionUpgradeConfig validation: # Schema for the `parameters` field openAPIV3Schema: type: object description: >- - Disallows editing ClusterVersion by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". + Disallows editing of ClusterVersioin and UpgradeConfi by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". targets: - target: admission.k8s.gatekeeper.sh rego: | - package arodenyclusterversion + package arodenyclusterversionupgradeconfig import data.lib.common.is_exempted_account import future.keywords.in @@ -44,7 +44,7 @@ spec: # ## NOT ALLOWED config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] regex.match("source: OCM", config_data) - msg := "Modifying the ClusterVersion is not allowed for regular users. This includes attempting to create, edit, or delete the ClusterVersion." + msg := "Modifying this resource is not allowed for regular users. This includes attempting to create, edit, or delete." } libs: - | 
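Review bot: Both description fields rewritten in this hunk carry typos (`ClusterVersioin`, `UpgradeConfi`) and still describe the check as being against the `cloud.openshift.com` entry in `openshift-config/pull-secret`, while the rego in this same template only reads the managed-upgrade-operator ConfigMap and matches `source: OCM`. This text is what the Gatekeeper UI and `kubectl explain` surface to cluster admins, so it should name the actual signal; suggest for both the annotation and the openAPIV3Schema description: `Disallows create/update/delete of ClusterVersion and UpgradeConfig by non-exempt users while openshift-managed-upgrade-operator/managed-upgrade-operator-config has configManager.source set to OCM (the operator sets that when the pull secret carries a cloud.openshift.com entry).` The `source: OCM` → pull-secret relationship is taken from the rule's own comment and should be hedged if that is not guaranteed.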
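Review bot: The deny around the changed `msg` fails open whenever the ConfigMap is absent from the cache: `config_data := data.inventory.namespace[...]` is undefined if the sync Config does not cover `openshift-managed-upgrade-operator`, `--audit-from-cache` is off, or the cache is still warming after a Gatekeeper restart, and an undefined rule body produces no violation, so a regular user can edit ClusterVersion/UpgradeConfig during that window. `regex.match("source: OCM", config_data)` is also an unanchored substring search over the whole config.yaml text, so a commented-out or differently nested `source: OCM` anywhere in the file triggers the deny. Parse the document instead, e.g. `cfg := yaml.unmarshal(config_data)` / `cfg.configManager.source == "OCM"`, and add a gator case with an empty inventory that pins whichever fail-open or fail-closed behaviour is intended, since nothing visible asserts it. The enclosing `violation` rule starts before this hunk.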
@@ -107,7 +107,7 @@ spec: } exempted_user = { - # "system:admin" # comment out temporarily for testing in console + "system:admin" # comment out temporarily for testing in console } exempted_groups = { diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml deleted file mode 100644 index 8b1f4d778de..00000000000 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-upgradeconfig.yaml +++ /dev/null 
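Review bot: The comment kept on the now-active `"system:admin"` entry, `# comment out temporarily for testing in console`, described the previous commented-out state and is now the opposite of what the line does; since enabling the exemption is the shipped behaviour, replace it with the reason, e.g. `"system:admin" # cluster-admin identity; intentionally exempt from this deny`. It is worth stating in that comment that the exemption is keyed solely on `review.userInfo.username` (see `is_exempted_user` in the shared lib), so any identity the API server authenticates under that exact username bypasses the policy, which should discourage adding loosely scoped names here later. The `exempted_user` set is only partly visible in this hunk.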
@@ -1,272 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: arodenyupgradeconfig - annotations: - metadata.gatekeeper.sh/title: "UpgradeConfig" - metadata.gatekeeper.sh/version: 1.0.0 - description: >- - Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". - -spec: - crd: - spec: - names: - kind: ARODenyUpgradeConfig - validation: - # Schema for the `parameters` field - openAPIV3Schema: - type: object - description: >- - Disallows editing UpgradeConfig by regular users if there is a "cloud.openshift.com" entry in "openshift-config/pull-secret". - targets: - - target: admission.k8s.gatekeeper.sh - rego: | - package arodenyupgradeconfig - - import data.lib.common.is_exempted_account - import future.keywords.in - - # Use object - # To retrieve from a different resource, data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] - violation[{"msg": msg}] { - input.review.operation in ["CREATE", "UPDATE", "DELETE"] - - # ## Check user type - not is_exempted_account(input.review) - - # ## If regular user and - # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret - # ## ALLOW EDITING - - # ## If regular user and - # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret - # ## NOT ALLOWED - config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] - regex.match("source: OCM", config_data) - msg := "Modifying the UpgradeConfig is not allowed for regular users. This includes attempting to create, edit, or delete the UpgradeConfig." - } - libs: - - | - package lib.common - import future.keywords.in - - # shared structures, functions, etc. 
- - is_priv_namespace(ns) { - privileged_ns[ns] - } - - privileged_ns = { - # Kubernetes specific namespaces - "kube-node-lease", - "kube-public", - "kube-system", - - # ARO specific namespaces - "openshift-azure-logging", - "openshift-azure-operator", - "openshift-managed-upgrade-operator", - - # OCP namespaces - "openshift", - "openshift-apiserver", - "openshift-apiserver-operator", - "openshift-authentication-operator", - "openshift-cloud-controller-manager", - "openshift-cloud-controller-manager-operator", - "openshift-cloud-credential-operator", - "openshift-cluster-csi-drivers", - "openshift-cluster-machine-approver", - "openshift-cluster-node-tuning-operator", - "openshift-cluster-samples-operator", - "openshift-cluster-storage-operator", - "openshift-cluster-version", - "openshift-config", - "openshift-config-managed", - "openshift-config-operator", - "openshift-console", - "openshift-console-operator", - "openshift-console-user-settings", - "openshift-controller-manager", - "openshift-controller-manager-operator", - "openshift-dns", - "openshift-dns-operator", - "openshift-etcd", - "openshift-etcd-operator", - "openshift-host-network", - "openshift-image-registry", - "openshift-ingress", - "openshift-ingress-canary", - "openshift-ingress-operator", - "openshift-insights", - "openshift-kni-infra", - "openshift-kube-apiserver", - "openshift-kube-apiserver-operator", - "openshift-kube-controller-manager", - "openshift-kube-controller-manager-operator", - "openshift-kube-scheduler", - "openshift-kube-scheduler-operator", - "openshift-kube-storage-version-migrator", - "openshift-kube-storage-version-migrator-operator", - "openshift-machine-api", - "openshift-machine-config-operator", - "openshift-marketplace", - "openshift-monitoring", - "openshift-multus", - "openshift-network-diagnostics", - "openshift-network-operator", - "openshift-oauth-apiserver", - "openshift-openstack-infra", - "openshift-operators", - "openshift-operator-lifecycle-manager", - 
"openshift-ovirt-infra", - "openshift-sdn", - "openshift-service-ca", - "openshift-service-ca-operator" - } - - exempted_service_account = { - "default", - "aro-sre", - "openshift-apiserver-operator", - "openshift-apiserver-sa", - "authentication-operator", - "geneva", - "aro-operator-worker", - "cluster-cloud-controller-manager", - "cloud-credential-operator", - "azure-disk-csi-driver-controller-sa", - "azure-disk-csi-driver-node-sa", - "azure-disk-csi-driver-operator", - "machine-approver-sa", - "cluster-node-tuning-operator", - "tuned", - "cluster-samples-operator", - "cluster-storage-operator", - "csi-snapshot-controller", - "csi-snapshot-controller-operator", - "openshift-config-operator", - "console-operator", - "console", - "openshift-controller-manager-operator", - "openshift-controller-manager-sa", - "dns-operator", - "dns", - "node-resolver", - "etcd-operator", - "cluster-image-registry-operator", - "registry", - "node-ca", - "ingress-operator", - "router", - "operator", - "kube-apiserver-operator", - "kube-controller-manager-operator", - "openshift-kube-scheduler-operator", - "kube-storage-version-migrator-operator", - "kube-storage-version-migrator-sa", - "cluster-autoscaler-operator", - "cluster-baremetal-operator", - "cluster-baremetal-operator", - "machine-api-controllers", - "machine-api-operator", - "machine-config-controller", - "machine-config-daemon", - "machine-config-server", - "managed-upgrade-operator", - "marketplace-operator", - "alertmanager-main", - "cluster-monitoring-operator", - "grafana", - "kube-state-metrics", - "node-exporter", - "openshift-state-metrics", - "prometheus-adapter", - "prometheus-k8s", - "prometheus-operator", - "thanos-querier", - "multus", - "metrics-daemon-sa", - "network-diagnostics", - "oauth-apiserver-sa", - "collect-profiles", - "olm-operator-serviceaccount", - "sdn", - "sdn-controller", - "service-ca-operator", - "service-ca", - "pruner", - "machine-api-termination-handler", - "aro-operator-master", - 
"installer-sa" - } - - get_service_account(obj) = spec { - obj.kind == "Pod" - spec := obj.spec.serviceAccountName - } { - obj.kind == "CronJob" - spec := obj.spec.jobTemplate.spec.template.spec.serviceAccountName - } { - obj.kind in ["ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] - spec := obj.spec.template.spec.serviceAccountName - } - - has_service_account(obj) { - obj.kind in ["Pod","CronJob","ReplicationController","ReplicaSet","Deployment","StatefulSet","DaemonSet","Job"] - } - - get_user_info(review) = info { - has_field(review.userInfo, "username") - username := get_user(review) - info := sprintf("user name %v", [username]) - } { - not has_field(review.userInfo, "username") - has_service_account(review.object) - sa := get_service_account(review.object) - info := sprintf("service account %v", [sa]) - } - - # this setup is to handle below case: - # user default::notfound not allowed to operate in namespace openshift-kube-scheduler - # - # assume for cmdline operations, userInfo is always present, which is the only key for user identity - # while for serviceAccount operations, no userInfo is present, and we have to rely on the serviceAccountName field in the object - - is_exempted_account(review) { - has_field(review.userInfo, "username") - username := get_user(review) - is_exempted_user(username) - print("exempted user:", username) - } { - not has_field(review.userInfo, "username") - sa := get_service_account(review.object) - is_exempted_service_account(sa) - print("exempted account:", sa) - } - - is_exempted_service_account(user) { - exempted_service_account[user] - } - - get_user(review) = name { - not has_field(review.userInfo, "username") - name = "notfound" - } { - has_field(review.userInfo, "username") - name = review.userInfo.username - print(name) - } - - has_field(object, field) = true { - object[field] - } - - is_exempted_user(user) { - exempted_user[user] - } - - exempted_user = { - "system:admin" # comment out 
temporarily for testing in console - } From 1d3fc2e4212bbcde956c4c6a337ee75f72bc4443 Mon Sep 17 00:00:00 2001 From: Edison Date: Thu, 29 Jun 2023 13:37:21 +1200 Subject: [PATCH 13/18] ARO-1422 & ARO-1423: Refactor redundant test data and update deny message. --- .../src.rego | 2 +- .../src_test.rego | 40 ------------------- 2 files changed, 1 insertion(+), 41 deletions(-) diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego index 333f01617fa..cdf303b9041 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego @@ -20,5 +20,5 @@ violation[{"msg": msg}] { # ## NOT ALLOWED config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] regex.match("source: OCM", config_data) - msg := "Modifying this resource is not allowed for regular users. This includes attempting to create, edit, or delete." + msg := "Modifying this resource is not allowed for regular users if have updated your Azure Red Hat OpenShift pull secret for your cluster, and including the cloud.openshift.com entry from your pull secret." } diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego index 76a6f43a036..2b117bc7076 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src_test.rego 
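Review bot: The new user-facing `msg` is ungrammatical (`if have updated your ... pull secret ..., and including the cloud.openshift.com entry`) and it points the blocked user at the pull secret, while the two lines above it actually key on `source: OCM` in the managed-upgrade-operator ConfigMap, so an operator reading the denial cannot map it back to the condition. Suggest `msg := "Modifying this resource is not allowed for regular users while the cluster is managed through OCM (managed-upgrade-operator config has source: OCM, which is set when the pull secret contains a cloud.openshift.com entry)."`. The same string is duplicated verbatim in gktemplates/aro-deny-clusterversion-upgradeconfig.yaml, so both copies need the same edit or the template should be generated from this source.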
@@ -63,46 +63,6 @@ test_create_allowed_system_user_create_upgradeconfig { count(results) == 0 } -input_configmap(group, username, operation) = output { - output = { - "operation": operation, - "uid": "d4cb640e-dc2f-42b0-95e2-c2f91dbc74d9", - "userInfo": { - "uid": "109561ea-68ee-45ca-82be-96733b504593", - "username": username - } - } -} - -inv_data(obj) = output { - output := {"namespace": {"openshift-managed-upgrade-operator": {obj.apiVersion: {obj.kind: obj}}}} -} - -create_data_ocm([]) = output { - output = { - "apiVersion": "v1", - "managed-upgrade-operator-config" : { - "data": { - "config.yaml": "configManager:\n source: OCM\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - } - }, - "kind": "ConfigMap" - } -} - -create_data_local([]) = output { - output = { - "apiVersion": "v1", - "managed-upgrade-operator-config" : { - "data": { - "config.yaml": "configManager:\n source: LOCAL\n \n localConfigName: managed-upgrade-config\n\n watchInterval: 15\nmaintenance:\n controlPlaneTime: 90\n ignoredAlerts:\n\n controlPlaneCriticals:\n - ClusterOperatorDown\n - ClusterOperatorDegraded\nupgradeType:\nARO\nupgradeWindow:\n delayTrigger: 30\n timeOut: 120\nnodeDrain:\n timeOut:\n45\n expectedNodeDrainTime: 8\nscale:\n timeOut: 30\nhealthCheck:\n ignoredCriticals:\n\n - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n\n ignoredNamespaces:\n - 
openshift-logging\n - openshift-redhat-marketplace\n\n - openshift-operators\n - openshift-user-workload-monitoring\n - openshift-pipelines\n\n - openshift-azure-logging\n" - } - }, - "kind": "ConfigMap" - } -} - - test_input_allowed_regular_user_update_clusterversion { input := {"review": input_configmap("regular-user", "regular-user", "UPDATE")} inv := inv_data(create_data_local([])) From 747d3fb21e32d377f579a7c645478342561b152b Mon Sep 17 00:00:00 2001 From: Edison Date: Thu, 29 Jun 2023 15:21:19 +1200 Subject: [PATCH 14/18] ARO-1422 & ARO-1422: Modify metadata name, update deny message, and move statement in README. --- pkg/operator/controllers/guardrails/policies/README.md | 3 +-- .../gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml | 2 +- .../gktemplates/aro-deny-clusterversion-upgradeconfig.yaml | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/pkg/operator/controllers/guardrails/policies/README.md b/pkg/operator/controllers/guardrails/policies/README.md index e3e9ab7e224..364f78c9d17 100644 --- a/pkg/operator/controllers/guardrails/policies/README.md +++ b/pkg/operator/controllers/guardrails/policies/README.md @@ -135,11 +135,10 @@ spec: - apiGroups: ["policy"] kinds: ["PodDisruptionBudget"] ``` +Make sure the filename of constraint is the same as the .metadata.name of the Constraint object, as it is the feature flag name that will be used to turn on / off the policy. ## Test Rego source code -Make sure the filename of constraint is the same as the .metadata.name of the Constraint object, as it is the feature flag name that will be used to turn on / off the policy. - * install opa cli, refer https://github.com/open-policy-agent/opa/releases/ * after _test.go is done, test it out, and fix the problem 
diff --git a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml
index 50a29f6f60d..7ba6e83a8b4 100644
--- a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml
@@ -1,7 +1,7 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ARODenyClusterVersionUpgradeConfig
metadata:
- name: aro-deny-clusterversion-upgradeconfig-modification
+ name: aro-clusterversion-upgradeconfig-deny
spec:
enforcementAction: {{.Enforcement}}
match:
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml
index 24443aaf369..ccc43ea32d7 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml
@@ -44,7 +44,7 @@ spec:
# ## NOT ALLOWED
config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]
regex.match("source: OCM", config_data)
- msg := "Modifying this resource is not allowed for regular users. This includes attempting to create, edit, or delete."
+ msg := "Modifying this resource is not allowed for regular users if have updated your Azure Red Hat OpenShift pull secret for your cluster, and including the cloud.openshift.com entry from your pull secret."
}
libs:
- |
From cb88f6bb54f9c51fa90439f4644cbf46cd4956b1 Mon Sep 17 00:00:00 2001
From: Edison Date: Mon, 3 Jul 2023 12:42:07 +1200 Subject: [PATCH 15/18] ARO-1422 & ARO-1423: Remove 'excludedNamespaces' in sync.yaml. It prevents other policies from working. --- .../sync.yaml | 29 ------------------- 1 file changed, 29 deletions(-) diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml index 9d2afe99279..c273562b131 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml @@ -4,35 +4,6 @@ metadata: name: config namespace: "openshift-azure-guardrails" spec: - match: - - excludedNamespaces: - [ - "kube-*", - "openshift-kube-*", - "openshift", - "openshift-etcd*", - "openshift-monitoring", - "default", - "gatekeeper-system", - "openshift-apiserver*", - "openshift-authentication*", - "openshift-logging", - "openshift-redhat-marketplace", - "openshift-operators", - "openshift-user-workload-monitoring", - "openshift-pipelines", - "openshift-marketplace", - "openshift-multus", - "openshift-network*", - "openshift-vsphere-*", - "openshift-config-*", - "openshift-console", - "openshift-service-ca*", - "openshift-azure*", - "openshift-cloud*", - "openshift-sdn", - ] - processes: ["*"] sync: syncOnly: - group: "" From d8aea5e9330d6b2d166aedadf8cc5845ffa72acd Mon Sep 17 00:00:00 2001 From: Edison Date: Mon, 3 Jul 2023 12:50:23 +1200 Subject: [PATCH 16/18] ARO-1422 & ARO-1423: Add missing documentation for 'data.inventory'. --- .../controllers/guardrails/policies/README.md | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) diff --git a/pkg/operator/controllers/guardrails/policies/README.md b/pkg/operator/controllers/guardrails/policies/README.md index 364f78c9d17..89ca897ecdc 100644 
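Review bot: Deleting the whole `match` block over-corrects the problem named in the commit message: with `processes: ["*"]` the old `excludedNamespaces` list also applied to the admission webhook, which is what broke other policies, but the list was still useful for limiting what gets replicated into `data.inventory`. After this hunk every `v1/ConfigMap` and `v1/Namespace` in the cluster, including the kube-* and openshift-* system namespaces, is cached by gatekeeper-audit and exposed to every template through `data.inventory`, which costs memory and widens what any future policy can read. Re-add the exclusion list scoped to the replication only, `match: - excludedNamespaces: [...] processes: ["sync"]`, so the webhook and audit processes stay unmatched; the policy itself only needs `openshift-managed-upgrade-operator`, which the old list did not exclude. Whether the existing exclusion globs are the right set for sync should be confirmed separately.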
--- a/pkg/operator/controllers/guardrails/policies/README.md +++ b/pkg/operator/controllers/guardrails/policies/README.md 
@@ -137,6 +137,92 @@ spec: ``` Make sure the filename of constraint is the same as the .metadata.name of the Constraint object, as it is the feature flag name that will be used to turn on / off the policy. + +# Syncing of data into OPA using `data.inventory` + +* Not all data you need are found on the `'input.review'` object. For example, if your policy is for blocking modification of the UpgradeConfig, and you need to check if the cluster is connected to OCM via the ConfigMap of `'openshift-managed-upgrade-operator'`, the info you need will not available on the `'input.review'` object because it only contains data from the UpgradeConfig the user is trying to modify. In this case, you need to sync data of the ConfigMap into OPA via `'data.inventory'` document so your rule can access it. In order to create such policies, you need to follow the steps below: + + * Set the `'audit-from-cache'` flag to true in ".../gktemplates/aro-deny-upgradeconfig.yaml". + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + name: gatekeeper-audit + namespace: {{.Namespace}} + spec: + replicas: 1 + selector: + matchLabels: + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + template: + metadata: + labels: + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + spec: + automountServiceAccountToken: true + containers: + - args: + - --audit-from-cache=true ----->>>>>SET THIS FLAG TO TRUE + ``` + * Create and apply the sync config resource to the cluster. Only resources in syncOnly will be synced into OPA. See template below. 
For more info, please check https://open-policy-agent.github.io/gatekeeper/website/docs/v3.10.x/exempt-namespaces + + ```yaml + apiVersion: config.gatekeeper.sh/v1alpha1 + kind: Config + metadata: + name: config + namespace: "openshift-azure-guardrails" + spec: + match: + - excludedNamespaces: [""] # Namespaces to exclude from the sync data. It is always best to remove any data that is not needed for your policy + processes: [""] # Includes all processes + sync: + syncOnly: + - group: "" # Populate as needed + version: "" # Populate as needed + kind: "" # Populate as needed + # Add resources as needed + ``` + * Below is a sample implementation of a sync config resource which allows syncing data of all ConfigMap and Namespace resources with the version `v1`. Avoid using `excludedNamespaces` because it prevents other policies from woring. + ```yaml + apiVersion: config.gatekeeper.sh/v1alpha1 + kind: Config + metadata: + name: config + namespace: "openshift-azure-guardrails" + spec: + sync: + syncOnly: + - group: "" + version: "v1" + kind: "ConfigMap" + - group: "" + version: "v1" + kind: "Namespace" + + ``` + * Write your rego rule. To access data from `'data.inventory'`, follow the format below: + + * For cluster-scoped objects: `'data.inventory.cluster[][][]'`. Example below. + + ```Rego + data.inventory.cluster["v1"].Namespace["gatekeeper"] + ``` + * For namespace-scoped objects: `'data.inventory.namespace[][groupVersion][][]'`. Example below. + ```Rego + data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"] + ``` + * For more info on syncing your data into OPA, please check the official Gatekeeper documentation https://open-policy-agent.github.io/gatekeeper/website/docs/v3.10.x/sync + + ## Test Rego source code * install opa cli, refer https://github.com/open-policy-agent/opa/releases/ From 4318d7cb94df0d459872723cc20f43286e7e1576 Mon Sep 17 00:00:00 2001 
From: Edison
Date: Wed, 5 Jul 2023 15:32:22 +1200
Subject: [PATCH 17/18] Fix lint issues
---
.../gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml | 1 -
.../gator-test/inventory_config_ocm_upgradeconfig.yaml | 1 -
.../aro-deny-clusterversion-upgradeconfig/src.rego | 1 -
.../aro-deny-clusterversion-upgradeconfig/suite.yaml | 2 +-
.../aro-deny-clusterversion-upgradeconfig/sync.yaml | 2 +-
.../gktemplates/aro-deny-clusterversion-upgradeconfig.yaml | 1 -
6 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml
index 7ba6e83a8b4..47bd90f78d4 100644
--- a/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gkconstraints/aro-clusterversion-upgradeconfig-deny.yaml
@@ -10,6 +10,5 @@ spec:
kinds: ["ConfigMap"]
- apiGroups: ["upgrade.managed.openshift.io"]
kinds: ["UpgradeConfig"]
- namespaces: ["openshift-managed-upgrade-operator",""]
- apiGroups: ["config.openshift.io"]
kinds: ["ClusterVersion"]
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_upgradeconfig.yaml
index 60466ff0e13..f225b6e09a2 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_upgradeconfig.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_ocm_upgradeconfig.yaml
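Review bot: Dropping the per-kind `namespaces: ["openshift-managed-upgrade-operator",""]` line fixes the schema (Gatekeeper accepts `namespaces` only at `match` level, not inside a `kinds` entry), but nothing in the hunk replaces that scoping. The constraint still lists `ConfigMap` and `UpgradeConfig` without a namespace filter, and the template's violation rule denies any matched kind once the MUO config says `source: OCM`, so unless a match-level `namespaces:` exists outside this hunk, regular users on OCM-connected clusters would be denied edits to every ConfigMap in the cluster. Move the scope to `match.namespaces: ["openshift-managed-upgrade-operator"]` (and check how Gatekeeper treats the cluster-scoped ClusterVersion under a namespace filter, or give it its own constraint), then add a gator case where a regular user edits a ConfigMap in an unrelated namespace and assert `violations: no`. The rest of `spec.match` is outside this hunk.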
@@ -14,4 +14,3 @@ data: \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" - \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego index cdf303b9041..2123bea7afe 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/src.rego @@ -14,7 +14,6 @@ violation[{"msg": msg}] { # ## If regular user and # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret # ## ALLOW EDITING - # ## If regular user and # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret # ## NOT ALLOWED diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml index a237aa5978b..f0a9bda9531 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/suite.yaml @@ -154,4 +154,4 @@ tests: inventory: - gator-test/inventory_config_ocm_clusterversion.yaml assertions: - - violations: yes \ No newline at end of file + - violations: yes 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml index c273562b131..38258b514c6 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/sync.yaml @@ -8,4 +8,4 @@ spec: syncOnly: - group: "" version: "v1" - kind: "ConfigMap" \ No newline at end of file + kind: "ConfigMap" diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml index ccc43ea32d7..38dba3df568 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml @@ -38,7 +38,6 @@ spec: # ## If regular user and # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret # ## ALLOW EDITING - # ## If regular user and # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret # ## NOT ALLOWED From 3dec55922ad1d4891e892cc77aaf459f2b2abb4b Mon Sep 17 00:00:00 2001 From: Edison Date: Tue, 11 Jul 2023 16:44:34 +1200 Subject: [PATCH 18/18] ARO-1422 & ARO-1423: Fixed lint issues on whitespaces --- .../gator-test/inventory_config_local_upgradeconfig.yaml | 1 - .../gktemplates/aro-deny-clusterversion-upgradeconfig.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_upgradeconfig.yaml index 0e6a2350a96..ed1b2035886 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_upgradeconfig.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-clusterversion-upgradeconfig/gator-test/inventory_config_local_upgradeconfig.yaml @@ -14,4 +14,3 @@ data: \ - PrometheusRuleFailures\n - CannotRetrieveUpdates\n - FluentdNodeDown\n ignoredNamespaces:\n \ - openshift-logging\n - openshift-redhat-marketplace\n - openshift-operators\n \ - openshift-user-workload-monitoring\n - openshift-pipelines\n - openshift-azure-logging\n" - \ No newline at end of file diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml index 38dba3df568..cda381f5e94 100644 --- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml +++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-clusterversion-upgradeconfig.yaml @@ -38,7 +38,7 @@ spec: # ## If regular user and # ## has NO cloud.openshift.com entry in openshift-config/pull-secret Secret # ## ALLOW EDITING - # ## If regular user and + # ## If regular user and # ## HAS cloud.openshift.com entry (`source: OCM` indicates pull-secret exists) in openshift-config/pull-secret Secret # ## NOT ALLOWED config_data := data.inventory.namespace["openshift-managed-upgrade-operator"]["v1"]["ConfigMap"]["managed-upgrade-operator-config"]["data"]["config.yaml"]