From eab3f1e1c738e836ef81a4ee5bc2b73bf9380f29 Mon Sep 17 00:00:00 2001 From: Erika Shiroma Date: Fri, 14 Oct 2022 15:20:26 -0700 Subject: [PATCH] Allow specifically-listed cluster-scoped verbs (#576) --- marketplace/deployer_util/config_helper.py | 7 ++--- .../deployer_util/config_helper_test.py | 31 +++++++++++++++++++ 2 files changed, 34 insertions(+), 4 deletions(-) diff --git a/marketplace/deployer_util/config_helper.py b/marketplace/deployer_util/config_helper.py index f3b6057f..6be2531d 100644 --- a/marketplace/deployer_util/config_helper.py +++ b/marketplace/deployer_util/config_helper.py @@ -1049,13 +1049,12 @@ def has_discouraged_cluster_scoped_permissions(self): return True # Consider apiGroups=['*'] + resources=['*'] + verbs=[], # which is essentially `cluster-admin`. + # Allow if verbs are explicitly declared for applications which + # truly need those permissions. for rules in self.custom_cluster_role_rules(): for rule in rules: - write_verbs = set( - ['*', 'create', 'update', 'patch', 'delete', - 'deletecollection']).intersection(set(rule.get('verbs'))) if '*' in rule.get('apiGroups') and '*' in rule.get( - 'resources') and write_verbs: + 'resources') and '*' in rule.get('verbs'): return True return False diff --git a/marketplace/deployer_util/config_helper_test.py b/marketplace/deployer_util/config_helper_test.py index 2ce831c6..ddae2909 100644 --- a/marketplace/deployer_util/config_helper_test.py +++ b/marketplace/deployer_util/config_helper_test.py @@ -752,6 +752,37 @@ def test_deployer_service_account_cluster_scoped_mock_cluster_admin_role_enforce 'Disallowed service account role'): schema.validate() + def test_deployer_service_account_cluster_scoped_mock_cluster_admin_role_verbs_allowed_validate( + self): + schema = config_helper.Schema.load_yaml(""" + x-google-marketplace: + schemaVersion: v2 + + applicationApiVersion: v1beta1 + + publishedVersion: 6.5.130-metadata + publishedVersionMetadata: + releaseNote: Bug fixes + recommended: true + + images: {} + + deployerServiceAccount: + description: > + Asks for write cluster-scoped permissions when actually needed + roles: + - type: ClusterRole + rulesType: CUSTOM + rules: + - apiGroups: ['*'] + resources: ['*'] + verbs: ['create','delete','deletecollection','get','list','patch','update','watch'] + properties: + simple: + type: string + """) + schema.validate() + def test_deployer_service_account_no_escalated_permissions_allowed_validate( self): schema = config_helper.Schema.load_yaml("""