feat(auth-properties): allow users to specific cryostat permission mappings

api/v1beta1/cryostat_types.go

@@ -90,6 +90,10 @@ type CryostatSpec struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Resources ResourceConfigList `json:"resources,omitempty"`
+	// Override default authorization properties for Cryostat on OpenShift.
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Properties",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
+	AuthProperties *AuthorizationProperties `json:"authProperties,omitempty"`
 }
 
 type ResourceConfigList struct {
@@ -151,7 +155,6 @@ type StorageConfiguration struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	PVC *PersistentVolumeClaimConfig `json:"pvc,omitempty"`
-
 	// Configuration for an EmptyDir to be created
 	// by the operator instead of a PVC.
 	// +optional
@@ -402,3 +405,19 @@ type TemplateConfigMap struct {
 	// Filename within config map containing the template file
 	Filename string `json:"filename"`
 }
+
+// Authorization properties provide custom permission mapping between Cryostat resources to Kubernetes resources.
+// If the mapping is updated, Cryostat must be manually restarted.
+type AuthorizationProperties struct {
+	// Name of the ClusterRole to use when Cryostat requests a role-scoped OAuth token.
+	// This ClusterRole should contain permissions for all Kubernetes objects listed in custom permission mapping.
+	// More details: https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="ClusterRole Name",xDescriptors={"urn:alm:descriptor:io.kubernetes:ClusterRole"}
+	ClusterRoleName string `json:"clusterRoleName"`
+	// Name of config map in the local namespace.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="ConfigMap Name",xDescriptors={"urn:alm:descriptor:io.kubernetes:ConfigMap"}
+	ConfigMapName string `json:"configMapName"`
+	// Filename within config map containing the resource mapping.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	Filename string `json:"filename"`
+}

bundle/manifests/cryostat-operator-oauth-client_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -5,37 +5,32 @@ metadata:
   name: cryostat-operator-oauth-client
 rules:
 - apiGroups:
-  - ""
+  - operator.cryostat.io
   resources:
-  - pods
+  - cryostats
   verbs:
   - create
+  - patch
+  - delete
   - get
 - apiGroups:
   - ""
   resources:
-  - replicationcontrollers
-  - endpoints
-  verbs:
-  - get
-- apiGroups:
-  - operator.cryostat.io
-  resources:
-  - cryostats
+  - pods
+  - pods/exec
+  - services
   verbs:
   - create
+  - patch
   - delete
   - get
 - apiGroups:
-  - operator.cryostat.io
+  - ""
   resources:
-  - flightrecorders
-  - recordings
+  - replicationcontrollers
+  - endpoints
   verbs:
-  - create
-  - delete
   - get
-  - patch
 - apiGroups:
   - apps
   resources:

bundle/manifests/cryostat-operator.clusterserviceversion.yaml

@@ -120,6 +120,28 @@ spec:
         name: ""
         version: v1
       specDescriptors:
+      - description: Override default authorization properties for Cryostat on OpenShift.
+        displayName: Authorization Properties
+        path: authProperties
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: 'Name of the ClusterRole to use when Cryostat requests a role-scoped
+          OAuth token. This ClusterRole should contain permissions for all Kubernetes
+          objects listed in custom permission mapping. More details: https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth'
+        displayName: ClusterRole Name
+        path: authProperties.clusterRoleName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ClusterRole
+      - description: Name of config map in the local namespace.
+        displayName: ConfigMap Name
+        path: authProperties.configMapName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ConfigMap
+      - description: Filename within config map containing the resource mapping.
+        displayName: Filename
+        path: authProperties.filename
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Use cert-manager to secure in-cluster communication between Cryostat
           components. Requires cert-manager to be installed.
         displayName: Enable cert-manager Integration

bundle/manifests/operator.cryostat.io_cryostats.yaml

@@ -43,6 +43,28 @@ spec:
           spec:
             description: CryostatSpec defines the desired state of Cryostat
             properties:
+              authProperties:
+                description: Override default authorization properties for Cryostat
+                  on OpenShift.
+                properties:
+                  clusterRoleName:
+                    description: 'Name of the ClusterRole to use when Cryostat requests
+                      a role-scoped OAuth token. This ClusterRole should contain permissions
+                      for all Kubernetes objects listed in custom permission mapping.
+                      More details: https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth'
+                    type: string
+                  configMapName:
+                    description: Name of config map in the local namespace.
+                    type: string
+                  filename:
+                    description: Filename within config map containing the resource
+                      mapping.
+                    type: string
+                required:
+                - clusterRoleName
+                - configMapName
+                - filename
+                type: object
               enableCertManager:
                 description: Use cert-manager to secure in-cluster communication between
                   Cryostat components. Requires cert-manager to be installed.

config/crd/bases/operator.cryostat.io_cryostats.yaml

@@ -44,6 +44,28 @@ spec:
           spec:
             description: CryostatSpec defines the desired state of Cryostat
             properties:
+              authProperties:
+                description: Override default authorization properties for Cryostat
+                  on OpenShift.
+                properties:
+                  clusterRoleName:
+                    description: 'Name of the ClusterRole to use when Cryostat requests
+                      a role-scoped OAuth token. This ClusterRole should contain permissions
+                      for all Kubernetes objects listed in custom permission mapping.
+                      More details: https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth'
+                    type: string
+                  configMapName:
+                    description: Name of config map in the local namespace.
+                    type: string
+                  filename:
+                    description: Filename within config map containing the resource
+                      mapping.
+                    type: string
+                required:
+                - clusterRoleName
+                - configMapName
+                - filename
+                type: object
               enableCertManager:
                 description: Use cert-manager to secure in-cluster communication between
                   Cryostat components. Requires cert-manager to be installed.

config/manifests/bases/cryostat-operator.clusterserviceversion.yaml

@@ -108,6 +108,28 @@ spec:
         name: ""
         version: v1
       specDescriptors:
+      - description: Override default authorization properties for Cryostat on OpenShift.
+        displayName: Authorization Properties
+        path: authProperties
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: 'Name of the ClusterRole to use when Cryostat requests a role-scoped
+          OAuth token. This ClusterRole should contain permissions for all Kubernetes
+          objects listed in custom permission mapping. More details: https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth'
+        displayName: ClusterRole Name
+        path: authProperties.clusterRoleName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ClusterRole
+      - description: Name of config map in the local namespace.
+        displayName: ConfigMap Name
+        path: authProperties.configMapName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ConfigMap
+      - description: Filename within config map containing the resource mapping.
+        displayName: Filename
+        path: authProperties.filename
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Use cert-manager to secure in-cluster communication between Cryostat
           components. Requires cert-manager to be installed.
         displayName: Enable cert-manager Integration

config/rbac/oauth_client.yaml

@@ -7,37 +7,32 @@ metadata:
   name: oauth-client
 rules:
 - apiGroups:
-  - ""
+  - operator.cryostat.io
   resources:
-  - pods
+  - cryostats
   verbs:
   - create
+  - patch
+  - delete
   - get
 - apiGroups:
   - ""
   resources:
-  - replicationcontrollers
-  - endpoints
-  verbs:
-  - get
-- apiGroups:
-  - operator.cryostat.io
-  resources:
-  - cryostats
+  - pods
+  - pods/exec
+  - services
   verbs:
   - create
+  - patch
   - delete
   - get
 - apiGroups:
-  - operator.cryostat.io
+  - ""
   resources:
-  - flightrecorders
-  - recordings
+  - replicationcontrollers
+  - endpoints
   verbs:
-  - create
-  - delete
   - get
-  - patch
 - apiGroups:
   - apps
   resources:

docs/config.md

@@ -133,9 +133,10 @@ metadata:
 spec:
   reportOptions:
     replicas: 1
-    requests:
-      cpu: 1000m
-      memory: 512Mi
+    resources:
+      requests:
+        cpu: 1000m
+        memory: 512Mi
 ```
 If zero sidecar replicas are configured, SubProcessMaxHeapSize configures
 the maximum heap size of the main Cryostat container's subprocess report generator in MiB.
@@ -267,3 +268,44 @@ spec:
     targetCacheSize: -1
     targetCacheTTL: 10
 ```
+
+
+### Authorization Properties
+
+When running on OpenShift, the user is required to have sufficient permissions for certain Kubernetes resources that are mapped into Cryostat-managed resources for authorization.
+
+The mappings can be specified using a ConfigMap that is compatible with [`OpenShiftAuthManager.properties`](https://github.com/cryostatio/cryostat/blob/bd95e1a11e9e29cc39559f4a5fdeaae77e81b4c6/src/main/resources/io/cryostat/net/openshift/OpenShiftAuthManager.properties). For example:
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: auth-properties
+data:  
+  auth.properties: |
+    TARGET=pods,deployments.apps
+    RECORDING=pods,pods/exec
+    CERTIFICATE=deployments.apps,pods,cryostats.operator.cryostat.io
+    CREDENTIALS=cryostats.operator.cryostat.io
+```
+
+If custom mapping is specified, a ClusterRole must be defined and should contain permissions for all Kubernetes objects listed in custom permission mapping. This ClusterRole will give additional rules on top of [default rules](placeholder). <!-- FIXME add link after merging -->
+
+
+**Note**: Using [`Secret`](https://kubernetes.io/docs/concepts/configuration/secret/) in mapping can fail with access denied under [security protection](https://kubernetes.io/docs/concepts/configuration/secret/#information-security-for-secrets) against escalations. Find more details about this issue [here](https://docs.openshift.com/container-platform/4.11/authentication/tokens-scoping.html#scoping-tokens-role-scope_configuring-internal-oauth).
+
+The property `.spec.authProperties` can then be set to configure Cryostat to use this mapping instead of the default ones.
+```yaml
+apiVersion: operator.cryostat.io/v1beta1
+kind: Cryostat
+metadata:
+  name: cryostat-sample
+spec:
+  authProperties:
+    configMapName: auth-properties
+    filename: auth.properties
+    clusterRoleName: oauth-cluster-role
+```
+
+Each `configMapName` must refer to the name of a Config Map in the same namespace as Cryostat. The corresponding `filename` must be a key within that Config Map containing resource mappings. The `clusterRoleName` must be a valid name of an existing Cluster Role.
+
+**Note:** If the mapping is updated, Cryostat must be manually restarted.