Set the operator up with enforced secrets

To prevent arbitrary secret access using compromised SAs, the SAs created by Submariner are now configured to enforce mountable secrets. This requires that accessible secrets be listed explicitly in the SA. To make this simple, use a static name for the broker secret. To allow secrets to be configured, leave them alone when creating or updating the SAs. Signed-off-by: Stephen Kitt <[email protected]>
submariner-io · Jul 9, 2024 · 2f1faf5 · 2f1faf5
1 parent 27df1e4
commit 2f1faf5
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 10 deletions.
diff --git a/go.mod b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/submariner-io/lighthouse v0.16.7
 	github.com/submariner-io/shipyard v0.16.7
 	github.com/submariner-io/submariner v0.16.7
-	github.com/submariner-io/submariner-operator v0.16.7
+	github.com/submariner-io/submariner-operator v0.16.8-0.20240709144215-1b44b4f78f1f
 	github.com/uw-labs/lichen v0.1.7
 	golang.org/x/net v0.23.0
 	golang.org/x/oauth2 v0.12.0

diff --git a/go.sum b/go.sum
@@ -556,8 +556,8 @@ github.com/submariner-io/shipyard v0.16.7 h1:lqUHMS8TW9rNMC1I982imguPpiZnaA/89OY
 github.com/submariner-io/shipyard v0.16.7/go.mod h1:ZsUnkTPsq7SbgU4gCSefTgh0znuxKm8VGMo4SP8VVT0=
 github.com/submariner-io/submariner v0.16.7 h1:Yr1z6hUL3I3RPLoCYa9D8MAitVZbTsgY/UJza+Xl1hU=
 github.com/submariner-io/submariner v0.16.7/go.mod h1:SFFP6TkoeicKPGQAzqE+bPWdHzpbT7fmobIQTsH5IlA=
-github.com/submariner-io/submariner-operator v0.16.7 h1:reNbq+lDJwapMgQh8kHHVm7h9wgRiZcIN40v7CBH64Q=
-github.com/submariner-io/submariner-operator v0.16.7/go.mod h1:ejDiB05XW7R93sww9IGYQ3FQDg/bU3dcsz7ek05sQkg=
+github.com/submariner-io/submariner-operator v0.16.8-0.20240709144215-1b44b4f78f1f h1:BuoMWV356zbXNXdslC3tskhoUH2+Awwh9SsKKY5IdOM=
+github.com/submariner-io/submariner-operator v0.16.8-0.20240709144215-1b44b4f78f1f/go.mod h1:ejDiB05XW7R93sww9IGYQ3FQDg/bU3dcsz7ek05sQkg=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=

diff --git a/pkg/join/join.go b/pkg/join/join.go
@@ -198,7 +198,7 @@ func populateBrokerSecret(brokerInfo *broker.Info) *v1.Secret {
 	// We need to copy the broker token secret as an opaque secret to store it in the connecting cluster
 	return &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "broker-secret-",
+			Name: "submariner-broker-secret",
 		},
 		Type: v1.SecretTypeOpaque,
 		Data: brokerInfo.ClientToken.Data,

diff --git a/pkg/serviceaccount/ensure.go b/pkg/serviceaccount/ensure.go
@@ -32,7 +32,6 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
@@ -44,11 +43,7 @@ const (
 )
 
 func ensure(ctx context.Context, kubeClient kubernetes.Interface, namespace string, sa *corev1.ServiceAccount) (bool, error) {
-	result, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa,
-		func(existing runtime.Object) (runtime.Object, error) {
-			existing.(*corev1.ServiceAccount).Secrets = nil
-			return existing, nil
-		})
+	result, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa, util.Replace(sa))
 
 	return result == util.OperationResultCreated, errors.Wrapf(err, "error creating or updating ServiceAccount %q", sa.Name)
 }