[FlowAggregator] Clean up RBAC (#7125)

* most permissions can be limited to a single Namespace (flow-aggregator
  Namespace) and the rules can be moved to a Role instead of a
  ClusterRole.
* the rule allowing create / get / list / watch for all ConfigMaps in all
  Namespaces was not necessary.
* binding to the system:auth-delegator ClusterRole is necessary for the
  FlowAggregator apiserver to delegate auth to the K8s apiserver. Note
  that today we typically only access the API locally (using the
  loopback token, which is privileged) so the missing permissions have
  not been an issue so far. Still, the RBAC permissions didn't match the
  apiserver configuration.
* we can bind to the extension-apiserver-authentication-reader Role
  instead of replicating its RBAC rules, now that we require K8s 1.19 or
  above.
* add antreaNamespace value to the flow-aggregator Helm chart, to
  avoid hardcoding kube-system in flow-exporter-role-binding (which
  binds a Role to the antrea-agent ServiceAccount).

Signed-off-by: Antonin Bas <[email protected]>

Author: antoninbas

build/charts/flow-aggregator/README.md

@@ -20,6 +20,7 @@ Kubernetes: `>= 1.19.0-0`
 |-----|------|---------|-------------|
 | activeFlowRecordTimeout | string | `"60s"` | Provide the active flow record timeout as a duration string. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
 | aggregatorTransportProtocol | string | `"tls"` | Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp. |
+| antreaNamespace | string | `"kube-system"` | Namespace in which Antrea was installed. |
 | apiServer.apiPort | int | `10348` | The port for the Flow Aggregator APIServer to serve on. |
 | apiServer.tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Flow Aggregator APIservers. If empty, the default Go Cipher Suites will be used. |
 | apiServer.tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. |

build/charts/flow-aggregator/templates/clusterrole.yaml

@@ -5,34 +5,6 @@ metadata:
     app: flow-aggregator
   name: flow-aggregator-role
 rules:
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["flow-aggregator-ca"]
-    verbs: ["get", "update"]
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create", "get", "list", "watch"]
-  # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
-  # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
-  # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
-  # See https://github.com/kubernetes/kubernetes/pull/85375
-  # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
-  # the extension-apiserver-authentication role.
-  - apiGroups: [""]
-    resourceNames: ["extension-apiserver-authentication"]
-    resources: ["configmaps"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["flow-aggregator-client-tls"]
-    verbs: ["get", "update"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["create"]
-  - apiGroups: [ "" ]
-    resources: [ "configmaps" ]
-    resourceNames: [ "flow-aggregator-configmap" ]
-    verbs: [ "update" ]

build/charts/flow-aggregator/templates/clusterrolebinding.yaml

@@ -0,0 +1,30 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-cluster-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: flow-aggregator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: flow-aggregator-role
+  apiGroup: rbac.authorization.k8s.io
+---
+# For auth delegation to apiserver
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-auth-delegator-cluster-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: flow-aggregator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: system:auth-delegator
+  apiGroup: rbac.authorization.k8s.io

build/charts/flow-aggregator/templates/clusterrolebindings.yaml

@@ -0,0 +1,48 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-exporter-role-binding
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: antrea-agent
+  namespace: {{ .Values.antreaNamespace }}
+roleRef:
+  kind: Role
+  name: flow-exporter-role
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-role-binding
+  namespace: {{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: flow-aggregator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: flow-aggregator-role
+  apiGroup: rbac.authorization.k8s.io
+---
+# For auth delegation to apiserver
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-extension-apiserver-authentication-reader-role-binding
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: flow-aggregator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: extension-apiserver-authentication-reader
+  apiGroup: rbac.authorization.k8s.io

build/charts/flow-aggregator/templates/role.yaml

@@ -0,0 +1,46 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-exporter-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["flow-aggregator-ca"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["flow-aggregator-client-tls"]
+    verbs: ["get"]
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  # RBAC to create / update / get flow-aggregator-ca ConfigMap
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["flow-aggregator-ca"]
+    verbs: ["get", "update"]
+  # RBAC to create / update / get flow-aggregator-client-tls Secret
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["flow-aggregator-client-tls"]
+    verbs: ["get", "update"]
+  # RBAC to get / update flow-aggregator-configmap ConfigMap (required by antctl)
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["flow-aggregator-configmap"]
+    verbs: ["get", "update"]

build/charts/flow-aggregator/templates/rolebinding.yaml

@@ -142,3 +142,5 @@ testing:
   coverage: false
 # -- Log verbosity switch for Flow Aggregator.
 logVerbosity: 0
+# -- Namespace in which Antrea was installed.
+antreaNamespace: "kube-system"