Remove cluster-wide Secret reading permissions. (#1968)

* Remove cluster-wide Secret reading permissions.

Only have Secret read permissions in the system namespace.

* Create a namespace Secret informer and use it in the BrokerCell and Deployment controllers.

* Use the namespace secret informer from knative/pkg.

* hack/update-deps.sh

config/core/roles/clusterrole.yaml

@@ -119,7 +119,6 @@ rules:
     - ""
   resources:
     - configmaps
-    - secrets
     - endpoints
   verbs: &readOnly
     - get

pkg/reconciler/brokercell/controller_test.go

@@ -35,9 +35,9 @@ import (
 	_ "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/fake"
 	_ "knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints/fake"
 	_ "knative.dev/pkg/client/injection/kube/informers/core/v1/pod/fake"
-	_ "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/fake"
 	_ "knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake"
 	_ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake"
+	_ "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake"
 
 	// Fake injection informers
 	_ "github.com/google/knative-gcp/pkg/client/injection/informers/broker/v1beta1/broker/fake"

pkg/reconciler/deployment/controller.go

@@ -23,10 +23,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/client-go/tools/cache"
 	"knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment"
-	"knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
+	systemnamespacesecretinformer "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret"
 
 	"github.com/google/knative-gcp/pkg/apis/duck"
 	"github.com/google/knative-gcp/pkg/reconciler"
@@ -64,7 +64,7 @@ func NewController(
 ) *controller.Impl {
 
 	deploymentInformer := deployment.Get(ctx)
-	secretInformer := secret.Get(ctx)
+	secretInformer := systemnamespacesecretinformer.Get(ctx)
 
 	r := &Reconciler{
 		Base:             reconciler.NewBase(ctx, controllerAgentName, cmw),

pkg/reconciler/deployment/controller_test.go

@@ -25,7 +25,7 @@ import (
 	// Fake injection informers
 	_ "github.com/google/knative-gcp/pkg/reconciler/testing"
 	_ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake"
-	_ "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/fake"
+	_ "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake"
 )
 
 func TestNew(t *testing.T) {

vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/fake/fake.go → vendor/knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake/fake.go

@@ -14,17 +14,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Code generated by injection-gen. DO NOT EDIT.
-
 package fake
 
 import (
 	context "context"
 
-	secret "knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
-	fake "knative.dev/pkg/client/injection/kube/informers/factory/fake"
 	controller "knative.dev/pkg/controller"
 	injection "knative.dev/pkg/injection"
+	secret "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret"
+	fake "knative.dev/pkg/injection/clients/namespacedkube/informers/factory/fake"
 )
 
 var Get = secret.Get

vendor/knative.dev/pkg/injection/clients/namespacedkube/informers/factory/fake/fake.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+	context "context"
+
+	informers "k8s.io/client-go/informers"
+	fake "knative.dev/pkg/client/injection/kube/client/fake"
+	controller "knative.dev/pkg/controller"
+	injection "knative.dev/pkg/injection"
+	factory "knative.dev/pkg/injection/clients/namespacedkube/informers/factory"
+	"knative.dev/pkg/system"
+)
+
+var Get = factory.Get
+
+func init() {
+	injection.Fake.RegisterInformerFactory(withInformerFactory)
+}
+
+func withInformerFactory(ctx context.Context) context.Context {
+	c := fake.Get(ctx)
+	return context.WithValue(ctx, factory.Key{},
+		informers.NewSharedInformerFactoryWithOptions(c, controller.GetResyncPeriod(ctx),
+			// This factory scopes things to the system namespace.
+			informers.WithNamespace(system.Namespace())))
+}

vendor/modules.txt

@@ -1182,8 +1182,6 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints
 knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/pod
 knative.dev/pkg/client/injection/kube/informers/core/v1/pod/fake
-knative.dev/pkg/client/injection/kube/informers/core/v1/secret
-knative.dev/pkg/client/injection/kube/informers/core/v1/secret/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/service
 knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount
@@ -1203,7 +1201,9 @@ knative.dev/pkg/injection
 knative.dev/pkg/injection/clients/dynamicclient
 knative.dev/pkg/injection/clients/dynamicclient/fake
 knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret
+knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake
 knative.dev/pkg/injection/clients/namespacedkube/informers/factory
+knative.dev/pkg/injection/clients/namespacedkube/informers/factory/fake
 knative.dev/pkg/injection/sharedmain
 knative.dev/pkg/kmeta
 knative.dev/pkg/kmp