

Add RBAC for Owner Refs Permission Enforcement
Add necessary permissions so that the shipwright build controller can
add owner references if a cluster has the
OwnerReferencesPermissionEnforcement admission controller enabled.
With this admission controller enabled, service accounts need to have
explicit permission to delete objects that they set owner references on.
When `blockOwnerDeletion` is set on an owner ref, the controller must
also have explicit permission to update the finalizer subresource of the
parent object.

- Added delete permissions for objects we set owner refs on
- Added update permissions for the finalizer subresource on owner ref
  parents
- Fix ordering of permissions to use View (read) -> Edit (create,
  update) -> Admin (delete) ordering.
adambkaplan committed Jun 21, 2021
1 parent 2ff33de commit 9579ced
Showing 3 changed files with 73 additions and 4 deletions.
24 changes: 20 additions & 4 deletions deploy/200-role.yaml
Expand Up @@ -6,7 +6,7 @@ metadata:
rules:
- apiGroups: ['']
resources: ['configmaps']
verbs: ['create', 'get', 'update']
verbs: ['get', 'create', 'update']

- apiGroups: ['']
resources: ['events']
Expand All @@ -21,7 +21,15 @@ metadata:
rules:
- apiGroups: ['shipwright.io']
resources: ['buildruns']
verbs: ['get', 'list', 'update', 'watch']
# The build-run-deletion annotation sets an owner ref on BuildRun objects.
# With the OwnerReferencesPermissionEnforcement admission controller enabled, controllers need the "delete" permission on objects that they set owner references on.
verbs: ['get', 'list', 'watch', 'update', 'delete']

- apiGroups: ['shipwright.io']
# BuildRuns are set as the owners of Tekton TaskRuns.
# With the OwnerReferencesPermissionEnforcement admission controller enabled, controllers need the "update" permission on the finalizer of the parent object in the owner reference.
resources: ['buildruns/finalizers']
verbs: ['update']

- apiGroups: ['shipwright.io']
resources: ['buildruns/status']
Expand All @@ -31,6 +39,12 @@ rules:
resources: ['builds']
verbs: ['get', 'list', 'watch']

- apiGroups: ['shipwright.io']
# The build-run-deletion annotation makes Builds an owner of BuildRun objects.
# With the OwnerReferencesPermissionEnforcement admission controller enabled, controllers need the "update" permission on the finalizer of the parent object in the owner reference.
resources: ['builds/finalizers']
verbs: ['update']

- apiGroups: ['shipwright.io']
resources: ['builds/status']
verbs: ['update']
Expand All @@ -45,7 +59,9 @@ rules:

- apiGroups: ['tekton.dev']
resources: ['taskruns']
verbs: ['get', 'create', 'list', 'watch']
# BuildRuns are set as the owners of Tekton TaskRuns.
# With the OwnerReferencesPermissionEnforcement admission controller enabled, controllers need the "delete" permission on objects that they set owner references on.
verbs: ['get', 'list', 'watch', 'create', 'delete']

- apiGroups: ['']
resources: ['pods']
Expand All @@ -57,4 +73,4 @@ rules:

- apiGroups: ['']
resources: ['serviceaccounts']
verbs: ['create', 'delete', 'get', 'list', 'update', 'watch']
verbs: ['get', 'list', 'watch', 'create', 'update', 'delete']
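Review bot: The comments on the new buildruns/finalizers and builds/finalizers rules (second and third hunks) explain the admission controller but not that the finalizer update permission is only exercised when the owner reference sets blockOwnerDeletion, which the commit message states; someone auditing this role later cannot tell from the file whether the rule is still needed. Suggest adding `# Only required because the owner references set blockOwnerDeletion (see commit 9579ced).` to both finalizer rules, or hoisting the two-line explanation, which now appears four times nearly verbatim, into a single comment above `rules:`. In the buildruns/finalizers rule the comment sits between `apiGroups` and `resources`; placing it above the `- apiGroups` line keeps the list item contiguous, as the taskruns rule already does. The metadata block that says whether this is a Role or ClusterRole is outside the hunk, so the scope at which the new delete grants apply cannot be confirmed here.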
16 changes: 16 additions & 0 deletions test/data/build_buildpacks-v3_golang_delete_cr.yaml
@@ -0,0 +1,16 @@
---
apiVersion: shipwright.io/v1alpha1
kind: Build
metadata:
name: buildpack-golang-build
annotations:
build.shipwright.io/build-run-deletion: "true"
spec:
source:
url: https://github.com/shipwright-io/sample-go
contextDir: source-build
strategy:
name: buildpacks-v3
kind: ClusterBuildStrategy
output:
image: image-registry.openshift-image-registry.svc:5000/build-examples/taxi-app
37 changes: 37 additions & 0 deletions test/e2e/e2e_test.go
Expand Up @@ -9,6 +9,7 @@ import (

. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"k8s.io/apimachinery/pkg/api/errors"

buildv1alpha1 "github.com/shipwright-io/build/pkg/apis/build/v1alpha1"
)
Expand Down Expand Up @@ -254,6 +255,42 @@ var _ = Describe("For a Kubernetes cluster with Tekton and build installed", fun
})
})

Context("when a build uses the build-run-deletion annotation", func() {

BeforeEach(func() {
testID = generateTestID("buildpacks-v3-golang")

// create the build definition
build = createBuild(
testBuild,
testID,
"test/data/build_buildpacks-v3_golang_delete_cr.yaml",
)
})

It("successfully deletes the BuildRun after the Build is deleted", func() {
By("running a build and expecting it to succeed")
buildRun, err = buildRunTestData(testBuild.Namespace, testID, "test/data/buildrun_buildpacks-v3_golang_cr.yaml")
Expect(err).ToNot(HaveOccurred(), "Error retrieving buildrun test data")

validateBuildRunToSucceed(testBuild, buildRun)

By("deleting the parent Build object")
err = testBuild.DeleteBuild(build.Name)
Expect(err).NotTo(HaveOccurred(), "error deleting the parent Build")
Eventually(func() bool {
_, err = testBuild.GetBR(buildRun.Name)
if err == nil {
return false
}
if !errors.IsNotFound(err) {
return false
}
return true
}).Should(BeTrue())
})
})

Context("when a Buildpacks v3 build is defined for a java runtime", func() {

BeforeEach(func() {
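Review bot: The Eventually at the end of the new It block relies on the suite's default timeout, and garbage collection of a dependent after its owner is deleted is asynchronous, so unless a longer default is configured elsewhere (not visible in this hunk) Gomega's built-in one-second default will make this assertion flaky; pass explicit timeout and polling arguments to Eventually for this case. The polled closure can also shrink to `_, err := testBuild.GetBR(buildRun.Name)` followed by `return errors.IsNotFound(err)`, which drops the two early returns and stops writing to the shared outer `err` from inside the polled function. The test never checks that the BuildRun actually carried an ownerReference to the Build before the deletion, so a BuildRun that disappeared for an unrelated reason would still pass; asserting on `buildRun.OwnerReferences` after validateBuildRunToSucceed would make the cascade the thing under test. The enclosing Describe block starts and ends outside the hunk.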
