oracle
diff --git a/‎kubernetes/internal/generate-security-policy.sh‎
Lines changed: 16 additions & 4 deletions b/‎kubernetes/internal/generate-security-policy.sh‎
Lines changed: 16 additions & 4 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/Main.java‎
Lines changed: 1 addition & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/Main.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthenticationProxy.java‎
Lines changed: 1 addition & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthenticationProxy.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthorizationProxy.java‎
Lines changed: 82 additions & 39 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthorizationProxy.java‎
Lines changed: 82 additions & 39 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/CallBuilder.java‎
Lines changed: 36 additions & 0 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/CallBuilder.java‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/ClientFactory.java‎
Lines changed: 12 additions & 0 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/ClientFactory.java‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/ClientPool.java‎
Lines changed: 32 additions & 5 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/ClientPool.java‎
Lines changed: 32 additions & 5 deletions
@@ -94,8 +94,11 @@ metadata:
     weblogic.operatorName: ${NAMESPACE}
 rules:
 - apiGroups: [""]
-  resources: ["namespaces", "persistentvolumes"]
+  resources: ["namespaces"]
   verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
@@ -108,6 +111,12 @@ rules:
 - apiGroups: ["extensions"]
   resources: ["ingresses"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["selfsubjectaccessreviews", "localsubjectaccessreviews", "subjectaccessreviews", "selfsubjectrulesreviews"]
+  verbs: ["create"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -197,20 +206,23 @@ metadata:
     weblogic.operatorName: ${NAMESPACE}
 rules:
 - apiGroups: [""]
-  resources: ["secrets", "persistentvolumeclaims"]
+  resources: ["secrets"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["storage.k8s.io"]
   resources: ["storageclasses"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
-  resources: ["services", "configmaps", "pods", "jobs", "events"]
+  resources: ["services", "configmaps", "pods", "podtemplates", "events", "persistentvolumeclaims"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
 - apiGroups: [""]
   resources: ["pods/logs"]
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods/exec"]
   verbs: ["create"]
+- apiGroups: ["batch"]
+  resources: ["jobs", "cronjobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
 - apiGroups: ["settings.k8s.io"]
   resources: ["podpresets"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
@@ -253,4 +265,4 @@ EOF
 #
 echo "Create the WebLogic Operator Security configuration using kubectl as follows: kubectl create -f ${SCRIPT}"
 #
-echo "Ensure you start the API server with the --authorization-mode=RBAC option."
+echo "Ensure you start the API server with the --authorization-mode=RBAC option."
@@ -220,7 +220,7 @@ private static void begin() {
         HealthCheckHelper healthCheck = new HealthCheckHelper(namespace, targetNamespaces);
         version = healthCheck.performK8sVersionCheck();
         healthCheck.performNonSecurityChecks();
-        healthCheck.performSecurityChecks(serviceAccountName);
+        healthCheck.performSecurityChecks();
       } catch (ApiException e) {
         LOGGER.warning(MessageKeys.EXCEPTION, e);
       }
 
@@ -36,7 +36,7 @@ public V1TokenReviewStatus check(String principal, String token) {
     try {
       boolean allowed = authorizationProxy.check(principal,
           AuthorizationProxy.Operation.create,
-          AuthorizationProxy.Resource.tokenreviews,
+          AuthorizationProxy.Resource.TOKENREVIEWS,
           null,
           AuthorizationProxy.Scope.cluster,
           null);
 
@@ -8,6 +8,8 @@
 import io.kubernetes.client.ApiException;
 import io.kubernetes.client.models.V1ObjectMeta;
 import io.kubernetes.client.models.V1ResourceAttributes;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectAccessReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReview;
 import io.kubernetes.client.models.V1SubjectAccessReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReviewStatus;
@@ -37,18 +39,50 @@ public enum Operation {
   }
 
   public enum Resource {
-    pods,
-    services,
-    namespaces,
-    customresources,
-    customresourcedefinitions,
-    domains,
-    tokenreviews,
-    networkpolicies,
-    secrets,
-    persistentvolumes,
-    persistentvolumeclaims,
-    ingresses
+    CONFIGMAPS ("configmaps", ""),
+    PODS ("pods", ""),
+    LOGS ("pods", "logs", ""),
+    EXEC ("pods", "exec", ""),
+    PODTEMPLATES ("podtemplates", ""),
+    EVENTS ("events", ""),
+    SERVICES ("services", ""),
+    NAMESPACES ("namespaces", ""),
+    JOBS ("jobs", "batch"),
+    CRONJOBS ("cronjobs", "batch"),
+    CRDS ("customresourcedefinitions", "apiextensions.k8s.io"),
+    DOMAINS ("domains", "weblogic.oracle"),
+    DOMAINSTATUSS ("domains", "status", "weblogic.oracle"),
+    SUBJECTACCESSREVIEWS ("subjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTACCESSREVIEWS ("selfsubjectaccessreviews", "authorization.k8s.io"),
+    LOCALSUBJECTACCESSREVIEWS ("localsubjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTRULESREVIEWS ("selfsubjectrulesreviews", "authorization.k8s.io"),
+    TOKENREVIEWS ("tokenreviews", "authentication.k8s.io"),
+    SECRETS ("secrets", ""),
+    PERSISTENTVOLUMES ("persistentvolumes", ""),
+    PERSISTENTVOLUMECLAIMS ("persistentvolumeclaims", ""),
+    STORAGECLASSES ("storageclasses", "storage.k8s.io"),
+    PODPRESETS ("podpresets" , "settings.k8s.io"),
+    INGRESSES ("ingresses", "extensions"),
+    NETWORKPOLICIES ("networkpolicies", "extensions"),
+    PODSECURITYPOLICIES ("podsecuritypolicies", "extensions");
+    
+    private final String resource;
+    private final String subResource;
+    private final String apiGroup;
+    
+    Resource(String resource, String apiGroup) {
+      this(resource, "", apiGroup);
+    }
+    
+    Resource(String resource, String subResource, String apiGroup) {
+      this.resource = resource;
+      this.subResource = subResource;
+      this.apiGroup = apiGroup;
+    }
+    
+    public String getResource() { return resource; }
+    public String getSubResource() { return subResource; }
+    public String getAPIGroup() { return apiGroup; }
   }
 
   public enum Scope {
@@ -104,6 +138,24 @@ public boolean check(String principal, final List<String> groups, Operation oper
     return result;
   }
 
+  public boolean check(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReview subjectAccessReview = prepareSelfSubjectAccessReview(operation, resource, resourceName, scope, namespaceName);
+    try {
+      CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+      subjectAccessReview = factory.create().createSelfSubjectAccessReview(subjectAccessReview);
+    } catch (ApiException e) {
+      LOGGER.severe(MessageKeys.APIEXCEPTION_FROM_SUBJECT_ACCESS_REVIEW, e);
+      LOGGER.exiting(Boolean.FALSE);
+      return Boolean.FALSE;
+
+    }
+    V1SubjectAccessReviewStatus subjectAccessReviewStatus = subjectAccessReview.getStatus();
+    Boolean result = subjectAccessReviewStatus.isAllowed();
+    LOGGER.exiting(result);
+    return result;
+  }
+
   /**
    * Prepares an instance of SubjectAccessReview and returns same.
    *
@@ -133,6 +185,21 @@ private V1SubjectAccessReview prepareSubjectAccessReview(String principal, final
     return subjectAccessReview;
   }
 
+  private V1SelfSubjectAccessReview prepareSelfSubjectAccessReview(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReviewSpec subjectAccessReviewSpec = new V1SelfSubjectAccessReviewSpec();
+
+    subjectAccessReviewSpec.setResourceAttributes(prepareResourceAttributes(operation, resource, resourceName, scope, namespaceName));
+
+    V1SelfSubjectAccessReview subjectAccessReview = new V1SelfSubjectAccessReview();
+    subjectAccessReview.setApiVersion("authorization.k8s.io/v1");
+    subjectAccessReview.setKind("SelfSubjectAccessReview");
+    subjectAccessReview.setMetadata(new V1ObjectMeta());
+    subjectAccessReview.setSpec(subjectAccessReviewSpec);
+    LOGGER.exiting(subjectAccessReview);
+    return subjectAccessReview;
+  }
+
   /**
    * Prepares an instance of ResourceAttributes and returns same.
    *
@@ -150,12 +217,9 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
       resourceAttributes.setVerb(operation.toString());
     }
     if (null != resource) {
-      resourceAttributes.setResource(resource.toString());
-    }
-
-    String apiGroup = getApiGroup(resource);
-    if (apiGroup != null) {
-      resourceAttributes.setGroup(apiGroup);
+      resourceAttributes.setResource(resource.resource);
+      resourceAttributes.setSubresource(resource.subResource);
+      resourceAttributes.setGroup(resource.apiGroup);
     }
 
     if (null != resourceName) {
@@ -168,25 +232,4 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
     LOGGER.exiting(resourceAttributes);
     return resourceAttributes;
   }
-
-  private String getApiGroup(Resource resource) {
-    if (resource == Resource.domains) {
-      return "weblogic.oracle";
-    }
-
-    if (resource == Resource.customresourcedefinitions) {
-      return "apiextensions.k8s.io";
-    }
-
-    if (resource == Resource.tokenreviews) {
-      return "authentication.k8s.io";
-    }
-    
-    if (resource == Resource.ingresses) {
-      return "extensions";
-    }
-
-    // TODO - do we need to specify the api group for any of the other Resource values?
-    return null;
-  }
 }
@@ -36,6 +36,7 @@
 import io.kubernetes.client.models.V1Pod;
 import io.kubernetes.client.models.V1PodList;
 import io.kubernetes.client.models.V1Secret;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
 import io.kubernetes.client.models.V1Service;
 import io.kubernetes.client.models.V1ServiceList;
 import io.kubernetes.client.models.V1Status;
@@ -1384,6 +1385,41 @@ public Step createSubjectAccessReviewAsync(V1SubjectAccessReview body, ResponseS
     return createRequestAsync(responseStep, new RequestParams("createSubjectAccessReview", null, null, body), CREATE_SUBJECTACCESSREVIEW);
   }
 
+  /* Self Subject Access Review */
+  
+  /**
+   * Create self subject access review
+   * @param body Body
+   * @return Created self subject access review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectAccessReview createSelfSubjectAccessReview(V1SelfSubjectAccessReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectAccessReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectAccessReviewAsync(ApiClient client, V1SelfSubjectAccessReview body, ApiCallback<V1SelfSubjectAccessReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectAccessReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectAccessReview> CREATE_SELFSUBJECTACCESSREVIEW = (requestParams, usage, cont, callback) -> {
+    return createSelfSubjectAccessReviewAsync(usage, (V1SelfSubjectAccessReview) requestParams.body, callback);
+  };
+  
+  /**
+   * Asynchronous step for creating self subject access review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectAccessReviewAsync(V1SelfSubjectAccessReview body, ResponseStep<V1SelfSubjectAccessReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectAccessReview", null, null, body), CREATE_SELFSUBJECTACCESSREVIEW);
+  }
+  
   /* Token Review */
 
   /**
 
@@ -0,0 +1,12 @@
+// Copyright 2018, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+
+package oracle.kubernetes.operator.helpers;
+
+import java.util.function.Supplier;
+
+import io.kubernetes.client.ApiClient;
+
+public interface ClientFactory extends Supplier<ApiClient> {
+
+}
@@ -9,15 +9,18 @@
 import oracle.kubernetes.operator.logging.LoggingFacade;
 import oracle.kubernetes.operator.logging.LoggingFactory;
 import oracle.kubernetes.operator.logging.MessageKeys;
+import oracle.kubernetes.operator.work.Container;
+import oracle.kubernetes.operator.work.ContainerResolver;
 
+import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 public class ClientPool extends Pool<ApiClient> {
   private static final LoggingFacade LOGGER = LoggingFactory.getLogger("Operator", "Operator");
   private static final ClientPool SINGLETON = new ClientPool();
-
-  private final AtomicBoolean first = new AtomicBoolean(true);
+  
+  private static final DefaultClientFactory FACTORY = new DefaultClientFactory();
 
   public static ClientPool getInstance() {
     return SINGLETON;
@@ -37,10 +40,16 @@ private ApiClient getApiClient() {
     ApiClient client = null;
     LOGGER.fine(MessageKeys.CREATING_API_CLIENT);
     try {
-      client = Config.defaultClient();
-      if (first.getAndSet(false)) {
-        Configuration.setDefaultApiClient(client);
+      ClientFactory factory = null;
+      Container c = ContainerResolver.getInstance().getContainer();
+      if (c != null) {
+        factory = c.getSPI(ClientFactory.class);
+      }
+      if (factory == null) {
+        factory = FACTORY;
       }
+      
+      client = factory.get();
     } catch (Throwable e) {
       LOGGER.warning(MessageKeys.EXCEPTION, e);
     }
@@ -53,4 +62,22 @@ private ApiClient getApiClient() {
     return client;
   }
 
+  private static class DefaultClientFactory implements ClientFactory {
+    private final AtomicBoolean first = new AtomicBoolean(true);
+
+    @Override
+    public ApiClient get() {
+      ApiClient client;
+      try {
+        client = Config.defaultClient();
+        if (first.getAndSet(false)) {
+          Configuration.setDefaultApiClient(client);
+        }
+        return client;
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    }
+    
+  }
 }
Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ private static void begin() {`
`220`	`220`	`HealthCheckHelper healthCheck = new HealthCheckHelper(namespace, targetNamespaces);`
`221`	`221`	`version = healthCheck.performK8sVersionCheck();`
`222`	`222`	`healthCheck.performNonSecurityChecks();`
`223`		`- healthCheck.performSecurityChecks(serviceAccountName);`
	`223`	`+ healthCheck.performSecurityChecks();`
`224`	`224`	`} catch (ApiException e) {`
`225`	`225`	`LOGGER.warning(MessageKeys.EXCEPTION, e);`
`226`	`226`	`}`