Merge pull request #339 from openshift-bot/synchronize-upstream

NO-ISSUE: Synchronize From Upstream Repositories

Author: openshift-merge-bot[bot]

.bingo/Variables.mk

@@ -59,11 +59,11 @@ $(KIND): $(BINGO_DIR)/kind.mod
 	@echo "(re)installing $(GOBIN)/kind-v0.27.0"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=kind.mod -o=$(GOBIN)/kind-v0.27.0 "sigs.k8s.io/kind"
 
-KUSTOMIZE := $(GOBIN)/kustomize-v4.5.7
+KUSTOMIZE := $(GOBIN)/kustomize-v5.6.0
 $(KUSTOMIZE): $(BINGO_DIR)/kustomize.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/kustomize-v4.5.7"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=kustomize.mod -o=$(GOBIN)/kustomize-v4.5.7 "sigs.k8s.io/kustomize/kustomize/v4"
+	@echo "(re)installing $(GOBIN)/kustomize-v5.6.0"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=kustomize.mod -o=$(GOBIN)/kustomize-v5.6.0 "sigs.k8s.io/kustomize/kustomize/v5"
 
 OPERATOR_SDK := $(GOBIN)/operator-sdk-v1.39.1
 $(OPERATOR_SDK): $(BINGO_DIR)/operator-sdk.mod

.bingo/kustomize.mod

@@ -1,5 +1,5 @@
 module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
 
-go 1.20
+go 1.23.4
 
-require sigs.k8s.io/kustomize/kustomize/v4 v4.5.7
+require sigs.k8s.io/kustomize/kustomize/v5 v5.6.0

.bingo/kustomize.sum

@@ -22,7 +22,7 @@ GORELEASER="${GOBIN}/goreleaser-v1.26.2"
 
 KIND="${GOBIN}/kind-v0.27.0"
 
-KUSTOMIZE="${GOBIN}/kustomize-v4.5.7"
+KUSTOMIZE="${GOBIN}/kustomize-v5.6.0"
 
 OPERATOR_SDK="${GOBIN}/operator-sdk-v1.39.1"
 

.bingo/variables.env

@@ -305,6 +305,9 @@ func run() error {
 	}
 	tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour))
 	clientRestConfigMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
+	if features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
+		clientRestConfigMapper = action.SyntheticUserRestConfigMapper(clientRestConfigMapper)
+	}
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(),
 		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, mgr.GetAPIReader(), cfg.systemNamespace)),

cmd/operator-controller/main.go

@@ -1,4 +1,4 @@
-expectedMergeBase: d873ec10844b1e18efe43a62dddca76bc24b1504
+expectedMergeBase: 6f3a121e4d5035e9f53f6d5aaeb8cad1841f649a
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller

commitchecker.yaml

@@ -0,0 +1,19 @@
+# kustomization file for secure OLMv1
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../base/operator-controller
+  - ../../../base/common
+components:
+  - ../../../components/tls/operator-controller
+
+patches:
+ - target:
+      kind: Deployment
+      name: operator-controller-controller-manager
+   path: patches/enable-featuregate.yaml
+ - target:
+     kind: ClusterRole
+     name: operator-controller-manager-role
+   path: patches/impersonate-perms.yaml

config/overlays/featuregate/synthetic-user-permissions/kustomization.yaml

@@ -0,0 +1,4 @@
+# enable synthetic-user feature gate
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--feature-gates=SyntheticPermissions=true"

config/overlays/featuregate/synthetic-user-permissions/patches/enable-featuregate.yaml

@@ -0,0 +1,11 @@
+# enable synthetic-user feature gate
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - ""
+    resources:
+    - groups
+    - users
+    verbs:
+    - impersonate

config/overlays/featuregate/synthetic-user-permissions/patches/impersonate-perms.yaml

@@ -0,0 +1,133 @@
+## Synthetic User Permissions
+
+!!! note
+This feature is still in *alpha* the `SyntheticPermissions` feature-gate must be enabled to make use of it.
+See the instructions below on how to enable it.
+
+Synthetic user permissions enables fine-grained configuration of ClusterExtension management client RBAC permissions.
+User can not only configure RBAC permissions governing the management across all ClusterExtensions, but also on a 
+case-by-case basis.
+
+### Update OLM to enable Feature
+
+```terminal title=Enable SyntheticPermissions feature
+kubectl kustomize config/overlays/featuregate/synthetic-user-permissions | kubectl apply -f -
+```
+
+```terminal title=Wait for rollout to complete
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager 
+```
+
+### How does it work?
+
+When managing a ClusterExtension, OLM will assume the identity of user "olm:clusterextensions:<clusterextension-name>"
+and group "olm:clusterextensions" limiting Kubernetes API access scope to those defined for this user and group. These
+users and group do not exist beyond being defined in Cluster/RoleBinding(s) and can only be impersonated by clients with
+ `impersonate` verb permissions on the `users` and `groups` resources.
+
+### Demo
+
+[![asciicast](https://asciinema.org/a/Jbtt8nkV8Dm7vriHxq7sxiVvi.svg)](https://asciinema.org/a/Jbtt8nkV8Dm7vriHxq7sxiVvi)
+
+#### Examples:
+
+##### ClusterExtension management as cluster-admin
+
+To enable ClusterExtensions management as cluster-admin, bind the `cluster-admin` cluster role to the `olm:clusterextensions`
+group:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: clusterextensions-group-admin-binding
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: cluster-admin
+subjects:
+- kind: Group
+  name: "olm:clusterextensions"
+```
+
+##### Scoped olm:clusterextension group + Added perms on specific extensions
+
+Give ClusterExtension management group broad permissions to manage ClusterExtensions denying potentially dangerous
+permissions such as being able to read cluster wide secrets:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: clusterextension-installer
+rules:
+  - apiGroups: [ olm.operatorframework.io ]
+    resources: [ clusterextensions/finalizers ]
+    verbs: [ update ]
+  - apiGroups: [ apiextensions.k8s.io ]
+    resources: [ customresourcedefinitions ]
+    verbs: [ create, list, watch, get, update, patch, delete ]
+  - apiGroups: [ rbac.authorization.k8s.io ]
+    resources: [ clusterroles, roles, clusterrolebindings, rolebindings ]
+    verbs: [ create, list, watch, get, update, patch, delete ]
+  - apiGroups: [""]
+    resources: [configmaps, endpoints, events, pods, pod/logs, serviceaccounts, services, services/finalizers, namespaces, persistentvolumeclaims]
+    verbs: ['*']
+  - apiGroups: [apps]
+    resources: [ '*' ]
+    verbs: ['*']
+  - apiGroups: [ batch ]
+    resources: [ '*' ]
+    verbs: [ '*' ]
+  - apiGroups: [ networking.k8s.io ]
+    resources: [ '*' ]
+    verbs: [ '*' ]
+  - apiGroups: [authentication.k8s.io]
+    resources: [tokenreviews, subjectaccessreviews]
+    verbs: [create]
+```
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: clusterextension-installer-binding
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: clusterextension-installer
+subjects:
+- kind: Group
+  name: "olm:clusterextensions"
+```
+
+Give a specific ClusterExtension secrets access, maybe even on specific namespaces:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+    name: clusterextension-privileged
+rules:
+- apiGroups: [""]
+  resources: [secrets]
+  verbs: ['*']
+```
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: clusterextension-privileged-binding
+    namespace: <some namespace>
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: clusterextension-privileged
+subjects:
+- kind: User
+  name: "olm:clusterextensions:argocd-operator"
+```
+
+Note: In this example the ClusterExtension user (or group) will still need to be updated to be able to manage
+the CRs coming from the argocd operator. Some look ahead and RBAC permission wrangling will still be required.