Merge pull request #219 from guptaNswati/limit-cluster-access

guptaNswati · web-flow · commit 572730b9689e · 2025-01-07T14:10:40.000-08:00
Limit cluster access
diff --git a/deployments/helm/k8s-dra-driver/templates/clusterrole.yaml b/deployments/helm/k8s-dra-driver/templates/clusterrole.yaml
@@ -5,10 +5,15 @@ metadata:
   name: {{ include "k8s-dra-driver.fullname" . }}-role
   namespace: {{ include "k8s-dra-driver.namespace" . }}
 rules:
-- apiGroups:
-  - ""
-  - apps
-  - resource.k8s.io
-  - gpu.nvidia.com
-  resources: ["*"]
-  verbs: ["*"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims"]
+  verbs: ["get"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceclaims/status"]
+  verbs: ["update"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get"]
+- apiGroups: ["resource.k8s.io"]
+  resources: ["resourceslices"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicy.yaml b/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,33 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: resourceslices-policy-{{ include "k8s-dra-driver.fullname" . }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["resource.k8s.io"]
+      apiVersions: ["v1beta1"]
+      operations:  ["CREATE", "UPDATE", "DELETE"]
+      resources:   ["resourceslices"]
+  matchConditions:
+  - name: isRestrictedUser
+    expression: >-
+      request.userInfo.username == "system:serviceaccount:{{ include "k8s-dra-driver.namespace" . }}:{{ include "k8s-dra-driver.serviceAccountName" . }}"
+  variables:
+  - name: userNodeName
+    expression: >-
+      request.userInfo.extra[?'authentication.kubernetes.io/node-name'][0].orValue('')
+  - name: objectNodeName
+    expression: >-
+      (request.operation == "DELETE" ? oldObject : object).spec.?nodeName.orValue("")
+  - name: nodeSelectorValue
+    expression: >-
+      (request.operation == "DELETE" ? oldObject : object).spec.nodeSelector.nodeSelectorTerms[0].matchExpressions[0].values[0].orValue("")
+  validations:
+  - expression: variables.userNodeName != ""
+    message: >-
+      no node association found for user, this user must run in a pod on a node and ServiceAccountTokenPodNodeInfo must be enabled
+  - expression: variables.userNodeName == variables.objectNodeName || variables.nodeSelectorValue != ""
+    messageExpression: >-
+      "this user running on node '"+variables.userNodeName+"' may not modify cluster or node resourceslices"
diff --git a/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicybinding.yaml b/deployments/helm/k8s-dra-driver/templates/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,8 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: resourceslices-policy-{{ include "k8s-dra-driver.fullname" . }}
+spec:
+  policyName: resourceslices-policy-{{ include "k8s-dra-driver.fullname" . }}
+  validationActions: [Deny]
+  # All ResourceSlices are matched.
