Add rule allowing api-gateway deployments to use SecurityContextConst…

…raints
hashicorp · Aug 7, 2023 · a529f27 · a529f27
1 parent 4f5437d
commit a529f27
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/control-plane/api-gateway/common/helm_config.go b/control-plane/api-gateway/common/helm_config.go
@@ -11,6 +11,7 @@ import (
 const componentAuthMethod = "k8s-component-auth-method"
 
 // HelmConfig is the configuration of gateways that comes in from the user's Helm values.
+// This is a combination of the apiGateway stanza and other settings that impact api-gateways.
 type HelmConfig struct {
 	// ImageDataplane is the Consul Dataplane image to use in gateway deployments.
 	ImageDataplane             string
@@ -30,6 +31,14 @@ type HelmConfig struct {
 	ConsulTLSServerName string
 	ConsulCACert        string
 	ConsulConfig        ConsulConfig
+
+	// OpenShiftEnabled indicates whether we're deploying into an OpenShift environment
+	// and should create SecurityContextConstraints.
+	OpenShiftEnabled bool
+
+	// ReleaseName indicates the name of the release for the Helm installation. This value is used
+	// as a prefix for some resources - SecurityContextConstraints, for example - so it must be known.
+	ReleaseName string
 }
 
 type ConsulConfig struct {

diff --git a/control-plane/api-gateway/gatekeeper/role.go b/control-plane/api-gateway/gatekeeper/role.go
@@ -40,7 +40,7 @@ func (g *Gatekeeper) upsertRole(ctx context.Context, gateway gwv1beta1.Gateway,
 		return errors.New("role not owned by controller")
 	}
 
-	role = g.role(gateway, gcc)
+	role = g.role(gateway, gcc, config)
 	if err := ctrl.SetControllerReference(&gateway, role, g.Client.Scheme()); err != nil {
 		return err
 	}
@@ -62,7 +62,7 @@ func (g *Gatekeeper) deleteRole(ctx context.Context, gwName types.NamespacedName
 	return nil
 }
 
-func (g *Gatekeeper) role(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassConfig) *rbac.Role {
+func (g *Gatekeeper) role(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassConfig, config common.HelmConfig) *rbac.Role {
 	role := &rbac.Role{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      gateway.Name,
@@ -81,5 +81,16 @@ func (g *Gatekeeper) role(gateway gwv1beta1.Gateway, gcc v1alpha1.GatewayClassCo
 		})
 	}
 
+	if config.OpenShiftEnabled {
+		role.Rules = append(role.Rules, rbac.PolicyRule{
+			APIGroups: []string{"security.openshift.io"},
+			Resources: []string{"securitycontextconstraints"},
+			// TODO(nathancoleman) Consider accepting an explicit SCC name. This will make the code
+			//   here less brittle and allow for the user to provide their own SCC if they wish.
+			ResourceNames: []string{config.ReleaseName + "-api-gateway"},
+			Verbs:         []string{"use"},
+		})
+	}
+
 	return role
 }
diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go
@@ -531,6 +531,8 @@ func (c *Command) Run(args []string) int {
 			ConsulTLSServerName:        c.consul.TLSServerName,
 			ConsulPartition:            c.consul.Partition,
 			ConsulCACert:               string(caCertPem),
+			OpenShiftEnabled:           c.flagEnableOpenShift,
+			ReleaseName:                c.flagReleaseName,
 		},
 		AllowK8sNamespacesSet:   allowK8sNamespaces,
 		DenyK8sNamespacesSet:    denyK8sNamespaces,