add: IRA Superadmin (#2212)

iwilltry42 · web-flow · commit dd80be1e757c · 2023-10-04T00:01:19.000+02:00
- Add SuperAdmin role as required e.g. by the cluster-agent
- Remove scope validation for non cluster-scoped IRAs
- Clear permissions denied if IRA feature is disabled
diff --git a/pkg/controller/permissions/permissions_check.go b/pkg/controller/permissions/permissions_check.go
@@ -123,6 +123,8 @@ func CheckPermissions(transport http.RoundTripper) router.HandlerFunc {
 			denied, _ := v1.GrantsAll(app.Namespace, copyWithName(details.Permissions, imageName), authzPerms)
 
 			app.Status.Staged.ImagePermissionsDenied = denied
+		} else {
+			app.Status.Staged.ImagePermissionsDenied = nil
 		}
 
 		// This is checking if the user granted all permissions that the app requires
diff --git a/pkg/install/install.go b/pkg/install/install.go
@@ -744,7 +744,10 @@ func Roles() ([]kclient.Object, error) {
 	if err != nil {
 		return nil, err
 	}
-	for _, role := range append(roles.ClusterRoles(), roles.AWSRoles()...) {
+	r := roles.ClusterRoles()
+	r = append(r, roles.SuperAdminRole())
+	r = append(r, roles.AWSRoles()...)
+	for _, role := range r {
 		role := role
 		objs = append(objs, &role)
 	}
diff --git a/pkg/roles/roles.go b/pkg/roles/roles.go
@@ -22,6 +22,9 @@ const (
 	GroupRoleAWSAcornIO = "role.aws.acorn.io"
 
 	AWSAdmin = "acorn:aws:admin"
+
+	// Cluster Agent Special
+	SuperAdmin = "acorn:super-admin"
 )
 
 var (
@@ -279,3 +282,20 @@ func AWSRoles() []rbacv1.ClusterRole {
 		},
 	}
 }
+
+func SuperAdminRole() rbacv1.ClusterRole {
+	return rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: SuperAdmin,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"*"},
+				Verbs:     []string{"get", "list", "watch", "update", "patch", "delete", "deletecollection", "create"},
+				Resources: []string{
+					"*",
+				},
+			},
+		},
+	}
+}
diff --git a/pkg/server/registry/apigroups/admin/imageroleauthorizations/validator.go b/pkg/server/registry/apigroups/admin/imageroleauthorizations/validator.go
@@ -17,12 +17,6 @@ func (s *Validator) Validate(ctx context.Context, obj runtime.Object) (result fi
 		return append(result, field.Required(field.NewPath("imageSelector", "namePatterns"), "the image selector patterns must be defined to specify which images this rule applies to"))
 	}
 	result = append(result, validateSignatureRules(aiar.ImageSelector.Signatures)...)
-	for _, scope := range aiar.Roles.Scopes {
-		if scope == "cluster" {
-			result = append(result, field.Invalid(field.NewPath("roles", "scopes"), scope, "cannot authorize cluster-scoped in ImageRoleAuthorizations - use ClusterImageRoleAuthorizations instead"))
-		}
-		// TODO(@iwilltry42): do we want to validate possible values here?
-	}
 	return
 }
 

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,8 @@ func CheckPermissions(transport http.RoundTripper) router.HandlerFunc {`
`123`	`123`	`denied, _ := v1.GrantsAll(app.Namespace, copyWithName(details.Permissions, imageName), authzPerms)`
`124`	`124`
`125`	`125`	`app.Status.Staged.ImagePermissionsDenied = denied`
	`126`	`+ } else {`
	`127`	`+ app.Status.Staged.ImagePermissionsDenied = nil`
`126`	`128`	`}`
`127`	`129`
`128`	`130`	`// This is checking if the user granted all permissions that the app requires`
Original file line number	Diff line number	Diff line change
`@@ -744,7 +744,10 @@ func Roles() ([]kclient.Object, error) {`
`744`	`744`	`if err != nil {`
`745`	`745`	`return nil, err`
`746`	`746`	`}`
`747`		`- for _, role := range append(roles.ClusterRoles(), roles.AWSRoles()...) {`
	`747`	`+ r := roles.ClusterRoles()`
	`748`	`+ r = append(r, roles.SuperAdminRole())`
	`749`	`+ r = append(r, roles.AWSRoles()...)`
	`750`	`+ for _, role := range r {`
`748`	`751`	`role := role`
`749`	`752`	`objs = append(objs, &role)`
`750`	`753`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,12 +17,6 @@ func (s *Validator) Validate(ctx context.Context, obj runtime.Object) (result fi`
`17`	`17`	`return append(result, field.Required(field.NewPath("imageSelector", "namePatterns"), "the image selector patterns must be defined to specify which images this rule applies to"))`
`18`	`18`	`}`
`19`	`19`	`result = append(result, validateSignatureRules(aiar.ImageSelector.Signatures)...)`
`20`		`- for _, scope := range aiar.Roles.Scopes {`
`21`		`- if scope == "cluster" {`
`22`		`- result = append(result, field.Invalid(field.NewPath("roles", "scopes"), scope, "cannot authorize cluster-scoped in ImageRoleAuthorizations - use ClusterImageRoleAuthorizations instead"))`
`23`		`- }`
`24`		`- // TODO(@iwilltry42): do we want to validate possible values here?`
`25`		`- }`
`26`	`20`	`return`
`27`	`21`	`}`
`28`	`22`