From 37928adb92703a9fe73101b903082801b0eb42c6 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 17 Feb 2024 23:35:12 +0100
Subject: [PATCH] feat: Reduce permissions for system-upgrade-controller
 serviceaccount

This patch drastically cuts down the permissions of the
system-upgrade-controller from the previous cluster-admin permissions
to a tailored set of permissions for the controller.
---
 kustomization.yaml                       |   2 +
 manifests/clusterrole.yaml               | 108 +++++++++++++++++++++++
 manifests/clusterrolebinding.yaml        |  36 ++++++++
 manifests/system-upgrade-controller.yaml |  13 ---
 4 files changed, 146 insertions(+), 13 deletions(-)
 create mode 100644 manifests/clusterrole.yaml
 create mode 100644 manifests/clusterrolebinding.yaml

diff --git a/kustomization.yaml b/kustomization.yaml
index 182cf2b8..1fa48a18 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -1,6 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- manifests/clusterrole.yaml
+- manifests/clusterrolebinding.yaml
 - manifests/system-upgrade-controller.yaml
 images:
 - name: rancher/system-upgrade-controller
diff --git a/manifests/clusterrole.yaml b/manifests/clusterrole.yaml
new file mode 100644
index 00000000..f1881383
--- /dev/null
+++ b/manifests/clusterrole.yaml
@@ -0,0 +1,108 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system-upgrade-controller
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - update
+- apiGroups:
+  - upgrade.cattle.io
+  resources:
+  - plans
+  - plans/status
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - patch
+  - update
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system-upgrade-controller
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+# Borrowed from https://stackoverflow.com/a/63553032
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system-upgrade-controller-drainer
+rules:
+  # Needed to evict pods
+  - apiGroups:
+      - ""
+    resources:
+      - "pods/eviction"
+    verbs:
+      - "create"
+  # Needed to list pods by Node
+  - apiGroups:
+      - ""
+    resources:
+      - "pods"
+    verbs:
+      - "get"
+      - "list"
+  # Needed to cordon Nodes
+  - apiGroups:
+      - ""
+    resources:
+      - "nodes"
+    verbs:
+      - "get"
+      - "patch"
+  # Needed to determine Pod owners
+  - apiGroups:
+      - "apps"
+    resources:
+      - "statefulsets"
+      - "daemonsets"
+      - "replicasets"
+    verbs:
+      - "get"
+      - "list"
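Review bot: The Role document (kind: Role, name system-upgrade-controller) carries no `metadata.namespace`, so it is created in whatever namespace the apply context defaults to rather than in `system-upgrade`, where the ServiceAccount lives; the binding this patch removes set that namespace explicitly. Unless the kustomization sets `namespace:` (not visible in this patch), add `  namespace: system-upgrade` under that Role's `metadata`. The two rules on `nodes` in the first ClusterRole (get/list/watch and update) can be merged into one rule, which makes the cluster-wide `update` on nodes easier to spot in review. The third document uses quoted scalars and a different sequence indent from the first two; pick one style for the file.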
diff --git a/manifests/clusterrolebinding.yaml b/manifests/clusterrolebinding.yaml
new file mode 100644
index 00000000..8a74335e
--- /dev/null
+++ b/manifests/clusterrolebinding.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-upgrade-drainer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system-upgrade-controller-drainer
+subjects:
+- kind: ServiceAccount
+  name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system-upgrade-controller
+subjects:
+- kind: ServiceAccount
+  name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system-upgrade-controller
+subjects:
+- kind: ServiceAccount
+  name: system-upgrade
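Review bot: All three ServiceAccount subjects omit `namespace`, which RBAC validation treats as a required field for subjects of kind ServiceAccount, so these bindings are expected to be rejected at apply time unless kustomize's namespace transformer fills it in (no `namespace:` is visible in the kustomization hunk); the ClusterRoleBinding this patch removes had `namespace: system-upgrade` on its subject. For each subject use `- kind: ServiceAccount`, `  name: system-upgrade`, `  namespace: system-upgrade`. The RoleBinding (last document) also lacks `metadata.namespace`, so it would bind the namespaced Role in the context's default namespace rather than `system-upgrade`; add `  namespace: system-upgrade` under its `metadata`.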
diff --git a/manifests/system-upgrade-controller.yaml b/manifests/system-upgrade-controller.yaml
index b5ce4dbc..e3efd9de 100644
--- a/manifests/system-upgrade-controller.yaml
+++ b/manifests/system-upgrade-controller.yaml
@@ -11,19 +11,6 @@ metadata:
   name: system-upgrade
   namespace: system-upgrade
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name:  system-upgrade
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: system-upgrade
-  namespace: system-upgrade
----
 apiVersion: v1
 kind: ConfigMap
 metadata:
-- 
GitLab