From 8b7da178a79128cc213cf91ad5e4b8a953d0cd78 Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Mon, 25 Sep 2017 23:27:45 -0400
Subject: [PATCH] Auto-create openshift-node and given nodes read on node-config

Other config variants will be stored in this location. The new namespace ensures clean security isolation.

---
 pkg/cmd/server/bootstrappolicy/constants.go | 13 ++++++--
 .../bootstrappolicy/namespace_policy.go | 4 +++
 pkg/cmd/server/bootstrappolicy/policy.go | 9 +++++
 .../bootstrappolicy/web_console_role_test.go | 1 +
 pkg/cmd/server/start/bootstrap_node.go | 2 +-
 test/integration/front_proxy_test.go | 1 +
 test/integration/master_routes_test.go | 1 +
 .../bootstrap_cluster_roles.yaml | 15 +++++++++
 .../bootstrap_namespace_role_bindings.yaml | 15 +++++++++
 .../bootstrap_policy_file.yaml | 33 +++++++++++++++++++
 10 files changed, 90 insertions(+), 4 deletions(-)

diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go
index 4401ee901fe3..2d408bef2a41 100644
--- a/pkg/cmd/server/bootstrappolicy/constants.go
+++ b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -4,6 +4,7 @@ package bootstrappolicy
 const (
 DefaultOpenShiftSharedResourcesNamespace = "openshift"
 DefaultOpenShiftInfraNamespace = "openshift-infra"
+ DefaultOpenShiftNodeNamespace = "openshift-node"
 )
 
 // users
@@ -98,11 +99,13 @@ const (
 
 OpenshiftSharedResourceViewRoleName = "shared-resource-viewer"
 
- NodeBootstrapRoleName = "system:node-bootstrapper"
+ NodeBootstrapRoleName = "system:node-bootstrapper"
+ NodeConfigReaderRoleName = "system:node-config-reader"
 )
 
 // RoleBindings
 const (
+ // Legacy roles that must continue to have a plural form
 SelfAccessReviewerRoleBindingName = SelfAccessReviewerRoleName + "s"
 SelfProvisionerRoleBindingName = SelfProvisionerRoleName + "s"
 DeployerRoleBindingName = DeployerRoleName + "s"
@@ -128,10 +131,14 @@ const (
 RegistryViewerRoleBindingName = RegistryViewerRoleName + "s"
 RegistryEditorRoleBindingName = RegistryEditorRoleName + "s"
 
+ OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"
+
+ // Roles beyond this point should not be pluralized
+ NodeConfigReaderRoleBindingName = NodeConfigReaderRoleName
+
+ // Bindings
 BuildStrategyDockerRoleBindingName = BuildStrategyDockerRoleName + "-binding"
 BuildStrategyCustomRoleBindingName = BuildStrategyCustomRoleName + "-binding"
 BuildStrategySourceRoleBindingName = BuildStrategySourceRoleName + "-binding"
 BuildStrategyJenkinsPipelineRoleBindingName = BuildStrategyJenkinsPipelineRoleName + "-binding"
-
- OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"
 )
diff --git a/pkg/cmd/server/bootstrappolicy/namespace_policy.go b/pkg/cmd/server/bootstrappolicy/namespace_policy.go
index b9e41a6848dd..9ca8d9b0a70d 100644
--- a/pkg/cmd/server/bootstrappolicy/namespace_policy.go
+++ b/pkg/cmd/server/bootstrappolicy/namespace_policy.go
@@ -67,6 +67,10 @@ func buildNamespaceRolesAndBindings() (map[string][]rbac.Role, map[string][]rbac
 DefaultOpenShiftSharedResourcesNamespace,
 newOriginRoleBinding(OpenshiftSharedResourceViewRoleBindingName, OpenshiftSharedResourceViewRoleName, DefaultOpenShiftSharedResourcesNamespace).Groups(AuthenticatedGroup).BindingOrDie())
 
+ addNamespaceRoleBinding(namespaceRoleBindings,
+ DefaultOpenShiftNodeNamespace,
+ newOriginRoleBinding(NodeConfigReaderRoleBindingName, NodeConfigReaderRoleName, DefaultOpenShiftNodeNamespace).Groups(NodesGroup).BindingOrDie())
+
 return namespaceRoles, namespaceRoleBindings
 }
 
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
index b02bf86bf3bc..4a6cb9758091 100644
--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
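Review bot: The new binding in namespace_policy.go appears to point at a namespaced Role rather than the ClusterRole this patch defines: the generated fixtures in this same commit render it as `roleRef: kind: Role name: system:node-config-reader` (and, in the legacy policy file, `roleRef: ... namespace: openshift-node`), while the only `system:node-config-reader` added anywhere is a ClusterRole, and this hunk adds no `addNamespaceRole` for `DefaultOpenShiftNodeNamespace`. Unless something outside this patch creates a Role of that name in openshift-node, the binding dangles and `system:nodes` gets no configmap access at all — which the commit message says is the point of the change. Either register a namespaced Role alongside the binding, or build the binding with whichever helper yields `kind: ClusterRole` in the roleRef (I cannot see `newOriginRoleBinding` from here, so confirm which it produces). Note that `buildNamespaceRolesAndBindings` begins before this hunk.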
@@ -664,6 +664,15 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
 // TODO: expose other things like /healthz on the node once we figure out non-resource URL policy across systems
 },
 },
+ {
+ ObjectMeta: metav1.ObjectMeta{
+ Name: NodeConfigReaderRoleName,
+ },
+ Rules: []rbac.PolicyRule{
+ // Allow the reader to read config maps in a given namespace with a given name.
+ rbac.NewRule("get").Groups(kapiGroup).Resources("configmaps").RuleOrDie(),
+ },
+ },
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: NodeRoleName,
diff --git a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
index 1c95fb4f4f83..7e66b84019e5 100644
--- a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
+++ b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
@@ -42,6 +42,7 @@ var rolesToHide = sets.NewString(
 "system:node",
 "system:node-admin",
 "system:node-bootstrapper",
+ "system:node-config-reader",
 "system:node-problem-detector",
 "system:node-proxier",
 "system:node-reader",
diff --git a/pkg/cmd/server/start/bootstrap_node.go b/pkg/cmd/server/start/bootstrap_node.go
index dacacc68288f..ea54a66f4ea2 100644
--- a/pkg/cmd/server/start/bootstrap_node.go
+++ b/pkg/cmd/server/start/bootstrap_node.go
@@ -278,7 +278,7 @@ func (o NodeOptions) loadBootstrap(hostnames []string, nodeConfigDir string) err
 }
 
 // if there is no node-config.yaml and no server config map, generate one
- glog.V(2).Infof("Generating a local configuration since no server config available")
+ glog.V(2).Infof("Generating a local configuration since no server config or cached config available")
 nodeConfig, err := o.NodeArgs.BuildSerializeableNodeConfig()
 if err != nil {
 return err
diff --git a/test/integration/front_proxy_test.go b/test/integration/front_proxy_test.go
index 3f50cf1133f7..57a5ab4c114c 100644
--- a/test/integration/front_proxy_test.go
+++ b/test/integration/front_proxy_test.go
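Review bot: The comment on the new `system:node-config-reader` rule says it allows reading config maps "with a given name", but the rule carries no resourceNames restriction, so wherever the ClusterRole is bound every member of `system:nodes` can `get` every configmap in that namespace. Combined with the commit message's plan to store "other config variants" in openshift-node, one compromised node can read the configuration of every node group, which undercuts the "clean security isolation" the description claims. If per-name scoping is the intent, add a names restriction to the rule (if the rule builder offers one) or document the actual contract: `// Allow getting any configmap in the namespace this role is bound in; callers needing per-name isolation must add a resourceNames restriction.` `GetOpenshiftBootstrapClusterRoles` begins before this hunk and continues after it.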
@@ -158,6 +158,7 @@ func TestFrontProxy(t *testing.T) {
 "kube-system",
 "openshift",
 "openshift-infra",
+ "openshift-node",
 ),
 },
 } {
diff --git a/test/integration/master_routes_test.go b/test/integration/master_routes_test.go
index 5675027c138c..5e2212f2a7c5 100644
--- a/test/integration/master_routes_test.go
+++ b/test/integration/master_routes_test.go
@@ -100,6 +100,7 @@ var expectedIndex = []string{
 // "/healthz/poststarthook/extensions/third-party-resources", // Do not enable this controller, we do not support it
 "/healthz/poststarthook/generic-apiserver-start-informers",
 "/healthz/poststarthook/kube-apiserver-autoregistration",
+ "/healthz/poststarthook/node.openshift.io-sharednamespace",
 "/healthz/poststarthook/oauth.openshift.io-EnsureBootstrapOAuthClients",
 "/healthz/poststarthook/project.openshift.io-projectauthorizationcache",
 "/healthz/poststarthook/project.openshift.io-projectcache",
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
index 549908684d6e..59c356f96567 100644
--- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -2177,6 +2177,21 @@ items:
 verbs:
 - create
 - get
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ authorization.openshift.io/system-only: "true"
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ name: system:node-config-reader
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
diff --git a/test/testdata/bootstrappolicy/bootstrap_namespace_role_bindings.yaml b/test/testdata/bootstrappolicy/bootstrap_namespace_role_bindings.yaml
index c0c96663339c..d6ceb29f6fc8 100644
--- a/test/testdata/bootstrappolicy/bootstrap_namespace_role_bindings.yaml
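Review bot: master_routes_test.go now expects a `/healthz/poststarthook/node.openshift.io-sharednamespace` hook, but none of the ten files in this patch's diffstat registers a post-start hook or otherwise creates the openshift-node namespace — the only master-side changes are the bootstrap policy constants, role and binding. If the namespace-creating hook lands in a separate commit, the description should say so, because as committed the integration expectation and the RoleBinding into `openshift-node` both depend on a namespace nothing here ensures exists. It would also be worth a one-line comment next to the new entry, e.g. `// created by the openshift-node shared-namespace hook`, so the next reader can find the producer of this hook.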
+++ b/test/testdata/bootstrappolicy/bootstrap_namespace_role_bindings.yaml
@@ -123,5 +123,20 @@ items:
 subjects:
 - kind: Group
 name: system:authenticated
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ name: system:node-config-reader
+ namespace: openshift-node
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system:node-config-reader
+ subjects:
+ - kind: Group
+ name: system:nodes
 kind: List
 metadata: {}
diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
index eb040fc21cf7..1bef5968134c 100644
--- a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
@@ -2379,6 +2379,22 @@ items:
 verbs:
 - create
 - get
+- apiVersion: v1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ authorization.openshift.io/system-only: "true"
+ openshift.io/reconcile-protect: "false"
+ creationTimestamp: null
+ name: system:node-config-reader
+ rules:
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - configmaps
+ verbs:
+ - get
 - apiVersion: v1
 kind: ClusterRole
 metadata:
@@ -7271,5 +7287,22 @@ items:
 - kind: SystemGroup
 name: system:authenticated
 userNames: null
+- apiVersion: v1
+ groupNames:
+ - system:nodes
+ kind: RoleBinding
+ metadata:
+ annotations:
+ openshift.io/reconcile-protect: "false"
+ creationTimestamp: null
+ name: system:node-config-reader
+ namespace: openshift-node
+ roleRef:
+ name: system:node-config-reader
+ namespace: openshift-node
+ subjects:
+ - kind: SystemGroup
+ name: system:nodes
+ userNames: null
 kind: List
 metadata: {}