feat: added the option to enforce namespace annotations (#448)

omerlh · Flydiverny · web-flow · commit 151733331435 · 2020-07-26T16:57:15.000+02:00
* added the option to enforce namespace annotations

* Update lib/poller.js

Co-authored-by: Markus Maga &lt;markus@maga.se&gt;

* Update config/environment.js

Co-authored-by: Markus Maga &lt;markus@maga.se&gt;

Co-authored-by: Markus Maga &lt;markus@maga.se&gt;
diff --git a/bin/daemon.js b/bin/daemon.js
@@ -24,7 +24,8 @@ const {
   pollerIntervalMilliseconds,
   pollingDisabled,
   rolePermittedAnnotation,
-  namingPermittedAnnotation
+  namingPermittedAnnotation,
+  enforceNamespaceAnnotation
 } = require('../config')
 
 async function main () {
@@ -49,6 +50,7 @@ async function main () {
     pollerIntervalMilliseconds,
     rolePermittedAnnotation,
     namingPermittedAnnotation,
+    enforceNamespaceAnnotation,
     customResourceManifest,
     pollingDisabled,
     logger
diff --git a/config/environment.js b/config/environment.js
@@ -31,6 +31,7 @@ const pollingDisabled = 'DISABLE_POLLING' in process.env
 
 const rolePermittedAnnotation = process.env.ROLE_PERMITTED_ANNOTATION || 'iam.amazonaws.com/permitted'
 const namingPermittedAnnotation = process.env.NAMING_PERMITTED_ANNOTATION || 'externalsecrets.kubernetes-client.io/permitted-key-name'
+const enforceNamespaceAnnotation = 'ENFORCE_NAMESPACE_ANNOTATIONS' in process.env || false
 
 const metricsPort = process.env.METRICS_PORT || 3001
 
@@ -44,6 +45,7 @@ module.exports = {
   metricsPort,
   rolePermittedAnnotation,
   namingPermittedAnnotation,
+  enforceNamespaceAnnotation,
   pollingDisabled,
   logLevel,
   customResourceManagerDisabled,
diff --git a/lib/poller-factory.js b/lib/poller-factory.js
@@ -21,6 +21,7 @@ class PollerFactory {
     rolePermittedAnnotation,
     namingPermittedAnnotation,
     customResourceManifest,
+    enforceNamespaceAnnotation,
     pollingDisabled,
     logger
   }) {
@@ -32,6 +33,7 @@ class PollerFactory {
     this._customResourceManifest = customResourceManifest
     this._rolePermittedAnnotation = rolePermittedAnnotation
     this._namingPermittedAnnotation = namingPermittedAnnotation
+    this._enforceNamespaceAnnotation = enforceNamespaceAnnotation
     this._pollingDisabled = pollingDisabled
   }
 
@@ -49,6 +51,7 @@ class PollerFactory {
       customResourceManifest: this._customResourceManifest,
       rolePermittedAnnotation: this._rolePermittedAnnotation,
       namingPermittedAnnotation: this._namingPermittedAnnotation,
+      enforceNamespaceAnnotation: this._enforceNamespaceAnnotation,
       pollingDisabled: this._pollingDisabled,
       externalSecret
     })
diff --git a/lib/poller.js b/lib/poller.js
@@ -29,6 +29,8 @@ class Poller {
    * @param {Object} customResourceManifest - CRD manifest
    * @param {Object} externalSecret - ExternalSecret manifest.
    * @param {string} rolePermittedAnnotation - namespace annotation that defines which roles can be assumed within this namespace
+   * @param {string} namingPermittedAnnotation - namespace annotation that defines which keys can be assumed within this namespace
+   * @param {string} enforceNamespaceAnnotation - should enforce namespace annotations
    * @param {Object} metrics - Metrics client.
    */
   constructor ({
@@ -40,6 +42,7 @@ class Poller {
     customResourceManifest,
     rolePermittedAnnotation,
     namingPermittedAnnotation,
+    enforceNamespaceAnnotation,
     pollingDisabled,
     externalSecret
   }) {
@@ -53,6 +56,7 @@ class Poller {
     this._rolePermittedAnnotation = rolePermittedAnnotation
     this._namingPermittedAnnotation = namingPermittedAnnotation
     this._customResourceManifest = customResourceManifest
+    this._enforceNamespaceAnnotation = enforceNamespaceAnnotation
 
     this._externalSecret = externalSecret
     this._spec = externalSecret.spec || externalSecret.secretDescriptor
@@ -197,6 +201,8 @@ class Poller {
     let reason = ''
 
     if (!namespace.metadata.annotations) {
+      allowed = !this._enforceNamespaceAnnotation
+      reason = this._enforceNamespaceAnnotation ? 'Namespace annotation is required' : ''
       return {
         allowed, reason
       }
@@ -213,6 +219,14 @@ class Poller {
       reNaming = new RegExp(namingConvention)
     }
 
+    if (!namingConvention && this._enforceNamespaceAnnotation) {
+      allowed = false
+      reason = `Missing required annotation ${this._namingPermittedAnnotation} on namespace ${namespace.metadata.name}`
+      return {
+        allowed, reason
+      }
+    }
+
     // Testing data property
     if (namingConvention && externalData) {
       externalData.forEach((secretProperty, index) => {
@@ -242,14 +256,21 @@ class Poller {
 
     // 2. testing assume role if configured
 
-    const role = descriptor.roleArn
+    const role = descriptor.roleArn || descriptor.vaultRole
 
     if (!role) {
       return {
         allowed, reason
       }
     }
 
+    if (!namespace.metadata.annotations[this._rolePermittedAnnotation] && this._enforceNamespaceAnnotation) {
+      allowed = false
+      reason = `Missing required annotation ${this._rolePermittedAnnotation} on namespace ${namespace.metadata.name}`
+      return {
+        allowed, reason
+      }
+    }
     // an empty annotation value allows access to all roles
     const re = new RegExp(namespace.metadata.annotations[this._rolePermittedAnnotation])
 
diff --git a/lib/poller.test.js b/lib/poller.test.js
@@ -911,6 +911,128 @@ describe('Poller', () => {
             ]
           },
           permitted: true
+        },
+        {
+          // test regex
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+          descriptor: {
+            data: [
+              { key: 'whatever', name: 'somethingelse' }
+            ],
+            roleArn: 'b'
+          },
+          permitted: false
+        },
+        {
+          // test regex
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+          descriptor: {
+            data: [
+              { key: 'whatever', name: 'somethingelse' }
+            ],
+            vaultRole: 'b'
+          },
+          permitted: false
+        },
+        {
+          // test regex
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+          descriptor: {
+            data: [
+              { key: 'whatever', name: 'somethingelse' }
+            ],
+            roleArn: 'a'
+          },
+          permitted: true
+        },
+        {
+          // test regex
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+          descriptor: {
+            data: [
+              { key: 'whatever', name: 'somethingelse' }
+            ],
+            vaultRole: 'a'
+          },
+          permitted: true
+        }
+      ]
+
+      for (let i = 0; i < testcases.length; i++) {
+        const testcase = testcases[i]
+        const verdict = poller._isPermitted(testcase.ns, testcase.descriptor)
+        expect(verdict.allowed, `test case ${i + 1}`).to.equal(testcase.permitted)
+      }
+    })
+  })
+  describe('namespace annotation enforcement', () => {
+    let poller
+    beforeEach(() => {
+      poller = new Poller({
+        backends: {
+          fakeBackendType: backendMock
+        },
+        metrics: metricsMock,
+        intervalMilliseconds: 5000,
+        kubeClient: kubeClientMock,
+        logger: loggerMock,
+        externalSecret: fakeExternalSecret,
+        rolePermittedAnnotation,
+        namingPermittedAnnotation,
+        enforceNamespaceAnnotation: true,
+        customResourceManifest: fakeCustomResourceManifest
+      })
+    })
+
+    it('should enforce namespace annotations`', () => {
+      const testcases = [
+        {
+          // no annotations at all
+          ns: { metadata: {} },
+          descriptor: {},
+          permitted: false
+        },
+        {
+          // empty name annotation
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: '' } } },
+          descriptor: {
+            dataFrom: ['test']
+          },
+          permitted: false
+        },
+        {
+          // empty role annotation
+          ns: { metadata: { annotations: { [rolePermittedAnnotation]: '' } } },
+          descriptor: {
+            dataFrom: ['test']
+          },
+          permitted: false
+        },
+        {
+          // missing role annotation
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'a' } } },
+          descriptor: {
+            dataFrom: ['a'],
+            roleArn: 'a'
+          },
+          permitted: false
+        },
+        {
+          // empty role annotation
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'a', [rolePermittedAnnotation]: '' } } },
+          descriptor: {
+            dataFrom: ['a'],
+            roleArn: 'a'
+          },
+          permitted: false
+        },
+        {
+          // all required annotations
+          ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'a', [rolePermittedAnnotation]: 'b' } } },
+          descriptor: {
+            dataFrom: ['a']
+          },
+          permitted: true
         }
       ]
 
