
Commit 06506ed

Fix remote host collection RBAC checks (#1672)
* fix remote host collection rbac checks * move saveNodeList into collectRemoteHost function * fix resource attribute list and retrieve namespace from kubeconfig * revert change to set a default namespace from kubeconfig * remove duplicate code
1 parent e272683 commit 06506ed


3 files changed

+95
-45
lines changed


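--- a/pkg/supportbundle/collect.go
+++ b/pkg/supportbundle/collect.go
@@ -213,6 +213,10 @@ func collectRemoteHost(ctx context.Context, collectSpecs []*troubleshootv1beta2.
 opts.KubernetesRestConfig.Burst = constants.DEFAULT_CLIENT_BURST
 opts.KubernetesRestConfig.UserAgent = fmt.Sprintf("%s/%s", constants.DEFAULT_CLIENT_USER_AGENT, version.Version())
 
+if err := saveNodeList(opts, bundlePath); err != nil {
+return err
+}
+
 // Run remote collectors sequentially
 for _, spec := range collectSpecs {
 collector, ok := collect.GetHostCollector(spec, bundlePath)
@@ -340,3 +344,29 @@ func getGlobalRedactors(additionalRedactors *troubleshootv1beta2.Redactor) []*tr
 }
 return []*troubleshootv1beta2.Redact{}
 }
+
+func saveNodeList(opts SupportBundleCreateOpts, bundlePath string) error {
+result := make(collect.CollectorResult)
+
+clientset, err := kubernetes.NewForConfig(opts.KubernetesRestConfig)
+if err != nil {
+return errors.Wrap(err, "failed to create kubernetes clientset to run host collectors in pod")
+}
+
+nodeList, err := getNodeList(clientset, opts)
+if err != nil {
+return errors.Wrap(err, "failed to get remote node list")
+}
+
+nodeListBytes, err := json.MarshalIndent(nodeList, "", " ")
+if err != nil {
+return errors.Wrap(err, "failed to marshal remote node list")
+}
+
+err = result.SaveResult(bundlePath, constants.NODE_LIST_FILE, bytes.NewBuffer(nodeListBytes))
+if err != nil {
+return errors.Wrap(err, "failed to write remote node list")
+}
+
+return nil
+}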
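Review bot: saveNodeList (new side, lines 348–372) builds a throwaway `result := make(collect.CollectorResult)` only to call SaveResult, whereas the block removed from supportbundle.go wrote through the caller's result; the node list still lands in bundlePath, but it is no longer recorded in the in-memory CollectorResult, which matters if later archiving or analysis walks that map rather than the directory — worth confirming. The call at new line 216 also drops the `opts.RunHostCollectorsInPod` guard the old code had; that is fine only if collectRemoteHost is itself reached solely under that condition (its callers are outside the hunk). `ctx` is in scope in collectRemoteHost but not threaded into saveNodeList; if getNodeList accepts a context, passing it through would let the node list request honour cancellation. The new function has no doc comment; I would add `// saveNodeList fetches the cluster node list and writes it to constants.NODE_LIST_FILE under bundlePath.`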

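--- a/pkg/supportbundle/rbac.go
+++ b/pkg/supportbundle/rbac.go
@@ -34,34 +34,75 @@ func checkRemoteCollectorRBAC(ctx context.Context, clientConfig *rest.Config, ti
 
 var forbidden []error
 
-spec := authorizationv1.SelfSubjectAccessReviewSpec{
-ResourceAttributes: &authorizationv1.ResourceAttributes{
-Namespace: namespace,
-Verb: "create,delete",
-Group: "",
-Version: "",
-Resource: "pods,configmap",
-Subresource: "",
-Name: "",
+resourceAttributesList := []authorizationv1.ResourceAttributes{
+{
+Namespace: namespace,
+Verb: "get",
+Resource: "pods",
+},
+{
+Namespace: namespace,
+Verb: "create",
+Resource: "pods",
+},
+{
+Namespace: namespace,
+Verb: "delete",
+Resource: "pods",
+},
+{
+Namespace: namespace,
+Verb: "get",
+Resource: "pods/log",
+},
+{
+Verb: "list",
+Resource: "nodes",
+},
+{
+Namespace: namespace,
+Verb: "get",
+Resource: "configmaps",
+},
+{
+Namespace: namespace,
+Verb: "create",
+Resource: "configmaps",
+},
+{
+Namespace: namespace,
+Verb: "delete",
+Resource: "configmaps",
+},
+{
+Namespace: namespace,
+Verb: "get",
+Resource: "serviceaccounts",
 },
-NonResourceAttributes: nil,
 }
 
-sar := &authorizationv1.SelfSubjectAccessReview{
-Spec: spec,
-}
-resp, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
-if err != nil {
-return errors.Wrap(err, "failed to run subject review")
-}
+for _, resourceAttributes := range resourceAttributesList {
+spec := authorizationv1.SelfSubjectAccessReviewSpec{
+ResourceAttributes: &resourceAttributes,
+}
+
+sar := &authorizationv1.SelfSubjectAccessReview{
+Spec: spec,
+}
+
+resp, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
+if err != nil {
+return errors.Wrap(err, "failed to run subject review")
+}
 
-if !resp.Status.Allowed {
-forbidden = append(forbidden, collect.RBACError{
-DisplayName: title,
-Namespace: spec.ResourceAttributes.Namespace,
-Resource: spec.ResourceAttributes.Resource,
-Verb: spec.ResourceAttributes.Verb,
-})
+if !resp.Status.Allowed {
+forbidden = append(forbidden, collect.RBACError{
+DisplayName: title,
+Namespace: spec.ResourceAttributes.Namespace,
+Resource: spec.ResourceAttributes.Resource,
+Verb: spec.ResourceAttributes.Verb,
+})
+}
 }
 
 if len(forbidden) > 0 {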
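Review bot: `ResourceAttributes: &resourceAttributes` (new line 86) stores the address of the range variable; with a go.mod below 1.22 that variable is shared across iterations, so the pointer is only safe because the SelfSubjectAccessReview is created and its spec read synchronously within the same iteration. Copying first, `attrs := resourceAttributes` and `ResourceAttributes: &attrs`, or ranging by index, removes the dependency on that ordering. The list is a preflight of the API calls the remote-host-collector path will make, so a comment above it such as `// Keep in sync with the API calls made when running host collectors in pods` would make that coupling explicit for the next person who adds a call. When a check fails, `resp.Status.Reason` and `resp.Status.EvaluationError` from the API server are discarded; if collect.RBACError can carry them, surfacing them would tell the user which policy denied the request rather than only which verb/resource pair failed. The enclosing checkRemoteCollectorRBAC begins before and ends after this hunk.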

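--- a/pkg/supportbundle/supportbundle.go
+++ b/pkg/supportbundle/supportbundle.go
@@ -3,7 +3,6 @@ package supportbundle
 import (
 "bytes"
 "context"
-"encoding/json"
 "fmt"
 "net/http"
 "os"
@@ -118,26 +117,6 @@ func CollectSupportBundleFromSpec(
 root.End()
 }()
 
-// only create a node list if we are running host collectors in a pod
-if opts.RunHostCollectorsInPod {
-clientset, err := kubernetes.NewForConfig(opts.KubernetesRestConfig)
-if err != nil {
-return nil, errors.Wrap(err, "failed to create kubernetes clientset to run host collectors in pod")
-}
-nodeList, err := getNodeList(clientset, opts)
-if err != nil {
-return nil, errors.Wrap(err, "failed to get remote node list")
-}
-nodeListBytes, err := json.MarshalIndent(nodeList, "", " ")
-if err != nil {
-return nil, errors.Wrap(err, "failed to marshal remote node list")
-}
-err = result.SaveResult(bundlePath, constants.NODE_LIST_FILE, bytes.NewBuffer(nodeListBytes))
-if err != nil {
-return nil, errors.Wrap(err, "failed to write remote node list")
-}
-}
-
 // Cache error returned by collectors and return it at the end of the function
 // so as to have a chance to run analyzers and archive the support bundle after.
 // If both host and in cluster collectors fail, the errors will be wrapped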
