Merge pull request #58 from secureCodeBox/custom-hook-service-account

zzzFelix · web-flow · commit 917e6e819114 · 2020-07-20T14:01:36.000+02:00
Allow Hooks to use custom ServiceAccounts
diff --git a/hooks/declarative-subsequent-scans/templates/declerative-subsequent-scans-hook.yaml b/hooks/declarative-subsequent-scans/templates/declerative-subsequent-scans-hook.yaml
@@ -16,4 +16,5 @@ spec:
   {{- else }}
   image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
   {{- end }}
-  {{- end }}
+  {{- end }}
+  serviceAccountName: declarative-combined-scans
diff --git a/hooks/declarative-subsequent-scans/templates/role-binding.yaml b/hooks/declarative-subsequent-scans/templates/role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: declarative-combined-scans
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: declarative-combined-scans
+subjects:
+  - kind: ServiceAccount
+    name: declarative-combined-scans
diff --git a/hooks/declarative-subsequent-scans/templates/role.yaml b/hooks/declarative-subsequent-scans/templates/role.yaml
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: declarative-combined-scans
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans/status
+    verbs:
+      - get
+      - patch
+  - apiGroups:
+      - cascading.experimental.securecodebox.io
+    resources:
+      - cascadingrules
+    verbs:
+      - get
+      - list
diff --git a/hooks/declarative-subsequent-scans/templates/service-account.yaml b/hooks/declarative-subsequent-scans/templates/service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: declarative-combined-scans
+  namespace: {{ .Release.Namespace }}
diff --git a/hooks/imperative-subsequent-scans/templates/imperative-subsequent-scans-hook.yaml b/hooks/imperative-subsequent-scans/templates/imperative-subsequent-scans-hook.yaml
@@ -17,6 +17,7 @@ spec:
   image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
   {{- end }}
   {{- end }}
+  serviceAccountName: imperative-combined-scans
   env:
     - name: CASCADE_AMASS_NMAP
       value: {{ .Values.cascade.amassNmap | quote }}
diff --git a/hooks/imperative-subsequent-scans/templates/role-binding.yaml b/hooks/imperative-subsequent-scans/templates/role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    description: ImperativeCombinedScansHook needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: imperative-combined-scans
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: imperative-combined-scans
+subjects:
+  - kind: ServiceAccount
+    name: imperative-combined-scans
diff --git a/hooks/imperative-subsequent-scans/templates/role.yaml b/hooks/imperative-subsequent-scans/templates/role.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    description: ImperativeCombinedScansHook needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: imperative-combined-scans
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans
+    verbs:
+      - get
+      - list
+      - create
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans/status
+    verbs:
+      - get
+      - patch
diff --git a/hooks/imperative-subsequent-scans/templates/service-account.yaml b/hooks/imperative-subsequent-scans/templates/service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    description: ImperativeCombinedScansHook needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: imperative-combined-scans
+  namespace: {{ .Release.Namespace }}
diff --git a/operator/apis/execution/v1/scancompletionhook.go b/operator/apis/execution/v1/scancompletionhook.go
@@ -44,6 +44,8 @@ type ScanCompletionHookSpec struct {
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 	Env              []corev1.EnvVar               `json:"env,omitempty"`
 	Type             HookType                      `json:"type"`
+	// ServiceAccountName Name of the serviceAccount Name used. Should only be used if your hook needs specifc RBAC Access. Otherwise the hook is run using a "scan-completion-hook" service account. The service account should have at least "get" rights on scans.execution.experimental.securecodebox.io, and "get" & "patch" scans.execution.experimental.securecodebox.io/status
+	ServiceAccountName *string `json:"serviceAccountName,omitempty"`
 }
 
 // ScanCompletionHookStatus defines the observed state of ScanCompletionHook
diff --git a/operator/apis/execution/v1/zz_generated.deepcopy.go b/operator/apis/execution/v1/zz_generated.deepcopy.go
diff --git a/operator/config/crd/bases/execution.experimental.securecodebox.io_scancompletionhooks.yaml b/operator/config/crd/bases/execution.experimental.securecodebox.io_scancompletionhooks.yaml
@@ -156,6 +156,13 @@ spec:
                     type: string
                 type: object
               type: array
+            serviceAccountName:
+              description: ServiceAccountName Name of the serviceAccount Name used.
+                Should only be used if your hook needs specifc RBAC Access. Otherwise
+                the hook is run using a "scan-completion-hook" service account. The
+                service account should have at least "get" rights on scans.execution.experimental.securecodebox.io,
+                and "get" & "patch" scans.execution.experimental.securecodebox.io/status
+              type: string
             type:
               description: HookType Defines weather the hook should be able to change
                 the findings or is run in a read only mode.
diff --git a/operator/controllers/execution/scan_controller.go b/operator/controllers/execution/scan_controller.go
@@ -985,25 +985,33 @@ func (r *ScanReconciler) setHookStatus(scan *executionv1.Scan) error {
 
 func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook, scan *executionv1.Scan, cliArgs []string) (string, error) {
 	ctx := context.Background()
-	rules := []rbacv1.PolicyRule{
-		{
-			APIGroups: []string{"execution.experimental.securecodebox.io"},
-			Resources: []string{"scans"},
-			Verbs:     []string{"get", "list", "create"},
-		},
-		{
-			APIGroups: []string{"execution.experimental.securecodebox.io"},
-			Resources: []string{"scans/status"},
-			Verbs:     []string{"get", "patch"},
-		},
-	}
+
 	serviceAccountName := "scan-completion-hook"
-	r.ensureServiceAccountExists(
-		hook.Namespace,
-		serviceAccountName,
-		"ScanCompletionHooks need to access the current scan to view where its results are stored",
-		rules,
-	)
+	if hook.Spec.ServiceAccountName != nil {
+		// Hook uses a custom ServiceAccount
+		serviceAccountName = *hook.Spec.ServiceAccountName
+	} else {
+		// Check and create a serviceAccount for the hook in its namespace, if it doesn't already exist.
+		rules := []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"execution.experimental.securecodebox.io"},
+				Resources: []string{"scans"},
+				Verbs:     []string{"get"},
+			},
+			{
+				APIGroups: []string{"execution.experimental.securecodebox.io"},
+				Resources: []string{"scans/status"},
+				Verbs:     []string{"get", "patch"},
+			},
+		}
+
+		r.ensureServiceAccountExists(
+			hook.Namespace,
+			serviceAccountName,
+			"ScanCompletionHooks need to access the current scan to view where its results are stored",
+			rules,
+		)
+	}
 
 	standardEnvVars := []corev1.EnvVar{
 		{
diff --git a/operator/crds/execution.experimental.securecodebox.io_scancompletionhooks.yaml b/operator/crds/execution.experimental.securecodebox.io_scancompletionhooks.yaml
@@ -156,6 +156,13 @@ spec:
                     type: string
                 type: object
               type: array
+            serviceAccountName:
+              description: ServiceAccountName Name of the serviceAccount Name used.
+                Should only be used if your hook needs specifc RBAC Access. Otherwise
+                the hook is run using a "scan-completion-hook" service account. The
+                service account should have at least "get" rights on scans.execution.experimental.securecodebox.io,
+                and "get" & "patch" scans.execution.experimental.securecodebox.io/status
+              type: string
             type:
               description: HookType Defines weather the hook should be able to change
                 the findings or is run in a read only mode.

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ type ScanCompletionHookSpec struct {`
`44`	`44`	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
`45`	`45`	Env []corev1.EnvVar `json:"env,omitempty"`
`46`	`46`	Type HookType `json:"type"`
	`47`	`+ // ServiceAccountName Name of the serviceAccount Name used. Should only be used if your hook needs specifc RBAC Access. Otherwise the hook is run using a "scan-completion-hook" service account. The service account should have at least "get" rights on scans.execution.experimental.securecodebox.io, and "get" & "patch" scans.execution.experimental.securecodebox.io/status`
	`48`	+ ServiceAccountName *string `json:"serviceAccountName,omitempty"`
`47`	`49`	`}`
`48`	`50`
`49`	`51`	`// ScanCompletionHookStatus defines the observed state of ScanCompletionHook`