Circumvent insecure secrets listing (#138)

Signed-off-by: Moritz Woermann <[email protected]> Signed-off-by: Moritz Wörmann <[email protected]> Signed-off-by: Moritz Wörmann <[email protected]> Co-authored-by: Stephan Krull <[email protected]> Co-authored-by: Maksim Nabokikh <[email protected]>
deckhouse · Feb 29, 2024 · c91c704 · c91c704
1 parent 49d488b
commit c91c704
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 3 deletions.
diff --git a/charts/k8s-image-availability-exporter/Chart.yaml b/charts/k8s-image-availability-exporter/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "0.7.0"
 description: Application for monitoring the cluster workloads image presence in a container registry.
 name: k8s-image-availability-exporter
-version: "0.11.0"
+version: "0.12.0"
 kubeVersion: ">=1.14.0-0"
 maintainers:
 - name: nabokihms

diff --git a/charts/k8s-image-availability-exporter/README.md b/charts/k8s-image-availability-exporter/README.md
@@ -1,6 +1,6 @@
 # k8s-image-availability-exporter
 
-![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
+![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
 
 Application for monitoring the cluster workloads image presence in a container registry.
 
@@ -26,6 +26,7 @@ This chart bootstraps a [k8s-image-availability-exporter](https://github.com/fla
 | k8sImageAvailabilityExporter.image.tag | string | `""` | Image tag override for the default value (chart appVersion) |
 | k8sImageAvailabilityExporter.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy to use for the k8s-image-availability-exporter deployment |
 | k8sImageAvailabilityExporter.args | list | `["--bind-address=:8080"]` | Command line arguments for the exporter |
+| k8sImageAvailabilityExporter.useSecretsForPrivateRepositories | bool | `true` | Setting this to false will prevent k8s-iae having unconstrained cluster-wide secret access |
 | replicaCount | int | `1` | Number of replicas (pods) to launch. |
 | imagePullSecrets | list | `[]` | Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). |
 | podSecurityContext | object | `{}` | Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. |

diff --git a/charts/k8s-image-availability-exporter/templates/rbac.yaml b/charts/k8s-image-availability-exporter/templates/rbac.yaml
@@ -3,6 +3,7 @@ kind: ClusterRole
 metadata:
   name: {{ template "k8s-image-availability-exporter.fullname" . }}
 rules:
+{{- if .Values.k8sImageAvailabilityExporter.useSecretsForPrivateRepositories }}
   - apiGroups:
       - ""
     resources:
@@ -11,6 +12,7 @@ rules:
       - list
       - watch
       - get
+{{- end }}
   - apiGroups:
       - ""
     resources:

diff --git a/charts/k8s-image-availability-exporter/values.yaml b/charts/k8s-image-availability-exporter/values.yaml
@@ -10,6 +10,9 @@ k8sImageAvailabilityExporter:
   args:
     - --bind-address=:8080
 
+  # -- Setting this to false will prevent k8s-iae having unconstrained cluster-wide secret access
+  useSecretsForPrivateRepositories: true
+
 # -- Number of replicas (pods) to launch.
 replicaCount: 1
 

diff --git a/pkg/registry/checker.go b/pkg/registry/checker.go
@@ -20,6 +20,8 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/sirupsen/logrus"
 
+	k8sapierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	appsv1informers "k8s.io/client-go/informers/apps/v1"
 	batchv1informers "k8s.io/client-go/informers/batch/v1"
 	corev1informers "k8s.io/client-go/informers/core/v1"
@@ -214,7 +216,24 @@ func NewChecker(
 	}
 	rc.controllerIndexers.cronJobIndexer = rc.cronJobsInformer.Informer().GetIndexer()
 
-	rc.controllerIndexers.secretIndexer = rc.secretsInformer.Informer().GetIndexer()
+	namespace := "default"
+	// Create a context
+	ctx := context.Background()
+	// Attempt to list secrets in the default namespace
+	_, enumerr := kubeClient.CoreV1().Secrets(namespace).List(ctx, metav1.ListOptions{ResourceVersion: "0"})
+	if statusError, isStatus := enumerr.(*k8sapierrors.StatusError); isStatus {
+		if statusError.ErrStatus.Code == 401 {
+			logrus.Warn("The provided ServiceAccount is not able to list secrets. The check for images in private registries requires 'spec.imagePullSecrets' to be configured correctly.")
+		} else {
+			logrus.WithFields(logrus.Fields{
+				"error_message": statusError.ErrStatus.Message,
+			}).Error("Error trying to list secrets")
+		}
+	} else if err != nil {
+		logrus.Fatal(err.Error())
+	} else {
+		rc.controllerIndexers.secretIndexer = rc.secretsInformer.Informer().GetIndexer()
+	}
 
 	rc.controllerIndexers.forceCheckDisabledControllerKinds = forceCheckDisabledControllerKinds