Merge pull request from GHSA-93xx-cvmc-9w3v

* Fix rbacs and limit CSI Plugin's node related access Signed-off-by: trafalgarzzz <trafalgarz@outlook.com> * Update change log Signed-off-by: trafalgarzzz <trafalgarz@outlook.com> --------- Signed-off-by: trafalgarzzz <trafalgarz@outlook.com>
fluid-cloudnative · May 8, 2023 · 77c8110 · 77c8110
1 parent 1cc14b3
commit 77c8110
Show file tree

Hide file tree

Showing 12 changed files with 203 additions and 60 deletions.
diff --git a/charts/fluid/fluid/CHANGELOG.md b/charts/fluid/fluid/CHANGELOG.md
@@ -53,4 +53,5 @@
 * Scale runtime controllers on demand
 
 ### 0.9.0
-* Support pass image pull secrets from fluid charts to alluxioruntime controller
+* Support pass image pull secrets from fluid charts to alluxioruntime controller
+* Fix components rbacs and set Fluid CSI Plugin with node-authorized kube-client
diff --git a/charts/fluid/fluid/templates/csi/daemonset.yaml b/charts/fluid/fluid/templates/csi/daemonset.yaml
@@ -104,8 +104,16 @@ spec:
           - name: fluid-src-dir
             mountPath: {{ .Values.runtime.mountRoot | quote }}
             mountPropagation: "Bidirectional"
-          - name: host-etc-dir
-            mountPath: /host-etc
+          - name: kubelet-kube-config
+            mountPath: /etc/kubernetes/kubelet.conf
+            readOnly: true
+          - name: kubelet-cert-dir
+            mountPath: {{ .Values.csi.kubelet.certDir | quote }}
+            readOnly: true
+          - name: updatedb-conf
+            mountPath: /host-etc/updatedb.conf
+          - name: updatedb-conf-bak
+            mountPath: /host-etc/updatedb.conf.bak
       volumes:
         - name: kubelet-dir
           hostPath:
@@ -124,6 +132,18 @@ spec:
             type: DirectoryOrCreate
           name: fluid-src-dir
         - hostPath:
-            path: /etc
+            path: {{ .Values.csi.kubelet.kubeConfigFile | quote }}
+            type: File
+          name: kubelet-kube-config
+        - hostPath:
+            path: {{ .Values.csi.kubelet.certDir | quote }}
             type: Directory
-          name: host-etc-dir
+          name: kubelet-cert-dir
+        - hostPath:
+            path: /etc/updatedb.conf
+            type: FileOrCreate
+          name: updatedb-conf
+        - hostPath:
+            path: /etc/updatedb.conf.backup
+            type: FileOrCreate
+          name: updatedb-conf-bak
diff --git a/charts/fluid/fluid/templates/role/csi/rbac.yaml b/charts/fluid/fluid/templates/role/csi/rbac.yaml
@@ -41,13 +41,7 @@ rules:
     verbs: ["get"]
   - apiGroups: [""]
     resources: ["events"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "patch"]
-  - apiGroups: [""]
-    resources: ["nodes/proxy"]
-    verbs: ["*"]
+    verbs: ["create", "patch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/charts/fluid/fluid/templates/role/webhook/rabc.yaml b/charts/fluid/fluid/templates/role/webhook/rabc.yaml
@@ -1,16 +1,59 @@
 {{ if .Values.webhook.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: fluid-webhook
+  namespace: {{ include "fluid.namespace" . }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - update
+    resourceNames:
+      - fluid-webhook-certs
+  # resourceNames won't protect create verb, so individually specify it for readability
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: fluid-webhook-rolebinding
+  namespace: {{ include "fluid.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: fluid-webhook
+subjects:
+  - kind: ServiceAccount
+    name: fluid-webhook
+    namespace: {{ include "fluid.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: fluid-webhook
 rules:
+  # Can only list and watch secret `mutatingwebhookconfiguration` with a metadata.name field selector
+  # See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
   - apiGroups:
       - admissionregistration.k8s.io
     resources:
-      - validatingwebhookconfigurations
       - mutatingwebhookconfigurations
+    resourceNames:
+      - fluid-pod-admission-webhook
     verbs:
-      - '*'
+      - get
+      - patch
+      - list
+      - watch
   - apiGroups:
       - data.fluid.io
     resources:
@@ -38,9 +81,7 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - secrets
       - configmaps
-      - events
     verbs:
       - get
       - create
@@ -56,12 +97,6 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/charts/fluid/fluid/templates/webhook/webhook.yaml b/charts/fluid/fluid/templates/webhook/webhook.yaml
@@ -16,6 +16,8 @@ spec:
       labels:
         control-plane: fluid-webhook
     spec:
+      tolerations:
+        - operator: Exists
       {{- with .Values.image.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/fluid/fluid/values.yaml b/charts/fluid/fluid/values.yaml
@@ -26,6 +26,8 @@ csi:
   plugins:
     image: fluidcloudnative/fluid-csi:v0.9.0-085b23e
   kubelet:
+    kubeConfigFile: /etc/kubernetes/kubelet.conf
+    certDir: /var/lib/kubelet/pki
     rootDir: /var/lib/kubelet
   pruneFs: fuse.alluxio-fuse,fuse.jindofs-fuse,fuse.juicefs,fuse.goosefs-fuse,ossfs,alifuse.aliyun-alinas-efc
 

diff --git a/cmd/csi/app/csi.go b/cmd/csi/app/csi.go
@@ -39,12 +39,13 @@ import (
 )
 
 var (
-	endpoint    string
-	nodeID      string
-	metricsAddr string
-	pprofAddr   string
-	pruneFs     []string
-	prunePath   string
+	endpoint              string
+	nodeID                string
+	metricsAddr           string
+	pprofAddr             string
+	pruneFs               []string
+	prunePath             string
+	kubeletKubeConfigPath string
 )
 
 var scheme = runtime.NewScheme()
@@ -81,6 +82,7 @@ func init() {
 	startCmd.Flags().StringVarP(&prunePath, "prune-path", "", "/runtime-mnt", "Prune path to add in /etc/updatedb.conf")
 	startCmd.Flags().StringVarP(&metricsAddr, "metrics-addr", "", ":8080", "The address the metrics endpoint binds to.")
 	startCmd.Flags().StringVarP(&pprofAddr, "pprof-addr", "", "", "The address for pprof to use while exporting profiling results")
+	startCmd.Flags().StringVarP(&kubeletKubeConfigPath, "kubelet-kube-config", "", "/etc/kubernetes/kubelet.conf", "The file path to kubelet kube config")
 	utilfeature.DefaultMutableFeatureGate.AddFlag(startCmd.Flags())
 	startCmd.Flags().AddGoFlagSet(flag.CommandLine)
 }
@@ -109,10 +111,11 @@ func handle() {
 	}
 
 	config := config.Config{
-		NodeId:    nodeID,
-		Endpoint:  endpoint,
-		PruneFs:   pruneFs,
-		PrunePath: prunePath,
+		NodeId:            nodeID,
+		Endpoint:          endpoint,
+		PruneFs:           pruneFs,
+		PrunePath:         prunePath,
+		KubeletConfigPath: kubeletKubeConfigPath,
 	}
 
 	if err = csi.SetupWithManager(mgr, config); err != nil {

diff --git a/pkg/csi/config/config.go b/pkg/csi/config/config.go
@@ -17,8 +17,9 @@ limitations under the License.
 package config
 
 type Config struct {
-	NodeId    string
-	Endpoint  string
-	PruneFs   []string
-	PrunePath string
+	NodeId            string
+	Endpoint          string
+	PruneFs           []string
+	PrunePath         string
+	KubeletConfigPath string
 }
diff --git a/pkg/csi/plugins/driver.go b/pkg/csi/plugins/driver.go
@@ -23,6 +23,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
@@ -38,15 +39,16 @@ const (
 )
 
 type driver struct {
-	client           client.Client
-	apiReader        client.Reader
-	csiDriver        *csicommon.CSIDriver
-	nodeId, endpoint string
+	client               client.Client
+	apiReader            client.Reader
+	nodeAuthorizedClient *kubernetes.Clientset
+	csiDriver            *csicommon.CSIDriver
+	nodeId, endpoint     string
 }
 
 var _ manager.Runnable = &driver{}
 
-func NewDriver(nodeID, endpoint string, client client.Client, apiReader client.Reader) *driver {
+func NewDriver(nodeID, endpoint string, client client.Client, apiReader client.Reader, nodeAuthorizedClient *kubernetes.Clientset) *driver {
 	glog.Infof("Driver: %v version: %v", driverName, version)
 
 	proto, addr := utils.SplitSchemaAddr(endpoint)
@@ -68,11 +70,12 @@ func NewDriver(nodeID, endpoint string, client client.Client, apiReader client.R
 	csiDriver.AddVolumeCapabilityAccessModes([]csi.VolumeCapability_AccessMode_Mode{csi.VolumeCapability_AccessMode_MULTI_NODE_MULTI_WRITER})
 
 	return &driver{
-		nodeId:    nodeID,
-		endpoint:  endpoint,
-		csiDriver: csiDriver,
-		client:    client,
-		apiReader: apiReader,
+		nodeId:               nodeID,
+		endpoint:             endpoint,
+		csiDriver:            csiDriver,
+		client:               client,
+		nodeAuthorizedClient: nodeAuthorizedClient,
+		apiReader:            apiReader,
 	}
 }
 
@@ -84,10 +87,11 @@ func (d *driver) newControllerServer() *controllerServer {
 
 func (d *driver) newNodeServer() *nodeServer {
 	return &nodeServer{
-		nodeId:            d.nodeId,
-		DefaultNodeServer: csicommon.NewDefaultNodeServer(d.csiDriver),
-		client:            d.client,
-		apiReader:         d.apiReader,
+		nodeId:               d.nodeId,
+		DefaultNodeServer:    csicommon.NewDefaultNodeServer(d.csiDriver),
+		client:               d.client,
+		apiReader:            d.apiReader,
+		nodeAuthorizedClient: d.nodeAuthorizedClient,
 	}
 }