From 30231ffb545a99b7378a0d51a49834c34d20750a Mon Sep 17 00:00:00 2001
From: Abhinav Dahiya
Date: Mon, 13 May 2019 13:24:35 -0700
Subject: [PATCH] operator: remove the cluster role binding that auto approves all node client CSRs

Because of the existense of this ClusterRoleBinding, kube-controller-manager approves all node client CSRs requests and therefore allowing wrongful actors to get node level client priviledges.

cluster-machine-approver [1] takes on the role of approving only certain node client CSR requests.

[1]: https://github.com/openshift/cluster-machine-approver/pull/26
---
 .../csr-approver-role-binding.yaml | 17 ---------
 pkg/operator/assets/bindata.go | 36 -------------------
 pkg/operator/bootstrap.go | 3 --
 pkg/operator/sync.go | 1 -
 4 files changed, 57 deletions(-)
 delete mode 100644 manifests/machineconfigserver/csr-approver-role-binding.yaml
diff --git a/manifests/machineconfigserver/csr-approver-role-binding.yaml b/manifests/machineconfigserver/csr-approver-role-binding.yaml
deleted file mode 100644
index 1c43a24284..0000000000
--- a/manifests/machineconfigserver/csr-approver-role-binding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# CSRApproverRoleBindingTemplate instructs the csrapprover controller to
-# automatically approve CSRs made by serviceaccount node-bootstrapper in openshift-machine-config-operator
-# for client credentials.
-#
-# This binding should be removed to disable CSR auto-approval.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system-bootstrap-approve-node-client-csr
-subjects:
-- kind: ServiceAccount
-  name: node-bootstrapper
-  namespace: openshift-machine-config-operator
-roleRef:
-  kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
-  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go
index 7fd611fe43..2f7dfd63a0 100644
--- a/pkg/operator/assets/bindata.go
+++ b/pkg/operator/assets/bindata.go
@@ -20,7 +20,6 @@
 // manifests/machineconfigpool.crd.yaml
 // manifests/machineconfigserver/clusterrole.yaml
 // manifests/machineconfigserver/clusterrolebinding.yaml
-// manifests/machineconfigserver/csr-approver-role-binding.yaml
 // manifests/machineconfigserver/csr-bootstrap-role-binding.yaml
 // manifests/machineconfigserver/csr-renewal-role-binding.yaml
 // manifests/machineconfigserver/daemonset.yaml
@@ -842,39 +841,6 @@ func manifestsMachineconfigserverClusterrolebindingYaml() (*asset, error) {
 	return a, nil
 }
 
-var _manifestsMachineconfigserverCsrApproverRoleBindingYaml = []byte(`# CSRApproverRoleBindingTemplate instructs the csrapprover controller to
-# automatically approve CSRs made by serviceaccount node-bootstrapper in openshift-machine-config-operator
-# for client credentials.
-#
-# This binding should be removed to disable CSR auto-approval.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system-bootstrap-approve-node-client-csr
-subjects:
-- kind: ServiceAccount
-  name: node-bootstrapper
-  namespace: openshift-machine-config-operator
-roleRef:
-  kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
-  apiGroup: rbac.authorization.k8s.io`)
-
-func manifestsMachineconfigserverCsrApproverRoleBindingYamlBytes() ([]byte, error) {
-	return _manifestsMachineconfigserverCsrApproverRoleBindingYaml, nil
-}
-
-func manifestsMachineconfigserverCsrApproverRoleBindingYaml() (*asset, error) {
-	bytes, err := manifestsMachineconfigserverCsrApproverRoleBindingYamlBytes()
-	if err != nil {
-		return nil, err
-	}
-
-	info := bindataFileInfo{name: "manifests/machineconfigserver/csr-approver-role-binding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
-	a := &asset{bytes: bytes, info: info}
-	return a, nil
-}
-
 var _manifestsMachineconfigserverCsrBootstrapRoleBindingYaml = []byte(`# system-bootstrap-node-bootstrapper lets serviceaccount `+"`"+`openshift-machine-config-operator/node-bootstrapper`+"`"+` tokens and nodes request CSRs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -1227,7 +1193,6 @@ var _bindata = map[string]func() (*asset, error){
 	"manifests/machineconfigpool.crd.yaml": manifestsMachineconfigpoolCrdYaml,
 	"manifests/machineconfigserver/clusterrole.yaml": manifestsMachineconfigserverClusterroleYaml,
 	"manifests/machineconfigserver/clusterrolebinding.yaml": manifestsMachineconfigserverClusterrolebindingYaml,
-	"manifests/machineconfigserver/csr-approver-role-binding.yaml": manifestsMachineconfigserverCsrApproverRoleBindingYaml,
 	"manifests/machineconfigserver/csr-bootstrap-role-binding.yaml": manifestsMachineconfigserverCsrBootstrapRoleBindingYaml,
 	"manifests/machineconfigserver/csr-renewal-role-binding.yaml": manifestsMachineconfigserverCsrRenewalRoleBindingYaml,
 	"manifests/machineconfigserver/daemonset.yaml": manifestsMachineconfigserverDaemonsetYaml,
@@ -1305,7 +1270,6 @@ var _bintree = &bintree{nil, map[string]*bintree{
 	"machineconfigserver": &bintree{nil, map[string]*bintree{
 		"clusterrole.yaml": &bintree{manifestsMachineconfigserverClusterroleYaml, map[string]*bintree{}},
 		"clusterrolebinding.yaml": &bintree{manifestsMachineconfigserverClusterrolebindingYaml, map[string]*bintree{}},
-		"csr-approver-role-binding.yaml": &bintree{manifestsMachineconfigserverCsrApproverRoleBindingYaml, map[string]*bintree{}},
 		"csr-bootstrap-role-binding.yaml": &bintree{manifestsMachineconfigserverCsrBootstrapRoleBindingYaml, map[string]*bintree{}},
 		"csr-renewal-role-binding.yaml": &bintree{manifestsMachineconfigserverCsrRenewalRoleBindingYaml, map[string]*bintree{}},
 		"daemonset.yaml": &bintree{manifestsMachineconfigserverDaemonsetYaml, map[string]*bintree{}},
diff --git a/pkg/operator/bootstrap.go b/pkg/operator/bootstrap.go
index 16a238aafc..22636b8506 100644
--- a/pkg/operator/bootstrap.go
+++ b/pkg/operator/bootstrap.go
@@ -127,9 +127,6 @@ func RenderBootstrap(
 	}, {
 		data:     filesData[pullSecretFile],
 		filename: "bootstrap/manifests/machineconfigcontroller-pull-secret",
-	}, {
-		name:     "manifests/machineconfigserver/csr-approver-role-binding.yaml",
-		filename: "manifests/csr-approver-role-binding.yaml",
 	}, {
 		name:     "manifests/machineconfigserver/csr-bootstrap-role-binding.yaml",
 		filename: "manifests/csr-bootstrap-role-binding.yaml",
diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 8cf149e051..9b0e287efe 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
@@ -253,7 +253,6 @@ func (optr *Operator) syncMachineConfigServer(config renderConfig) error {
 	crbs := []string{
 		"manifests/machineconfigserver/clusterrolebinding.yaml",
-		"manifests/machineconfigserver/csr-approver-role-binding.yaml",
 		"manifests/machineconfigserver/csr-bootstrap-role-binding.yaml",
 		"manifests/machineconfigserver/csr-renewal-role-binding.yaml",
 	}
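Review bot: Dropping the render entry here only stops newly bootstrapped clusters from creating `system-bootstrap-approve-node-client-csr`; a cluster installed from an earlier release already holds that ClusterRoleBinding, and nothing in this patch deletes it, so after an upgrade the `node-bootstrapper` service account keeps getting its node client CSRs auto-approved until something removes the object. The sync.go hunk below likewise only takes the manifest out of the list the operator applies, which, as far as this diff shows, creates or updates objects and does not garbage-collect ones that left the list. I would have syncMachineConfigServer issue a best-effort Delete of the ClusterRoleBinding by that exact name, treating NotFound as success and returning any other error, and keep that cleanup in place for at least one release after the binding was last shipped. The RenderBootstrap slice literal this hunk edits starts and ends outside the hunk.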