Simplify DataImportCron ServiceAccount authorization

Add ServiceAccountName to DataImportCron spec, replacing CreatedBy
which was added in #3946.

In case of DataImportCron with PVC source, the controller checks the
ServiceAccount is authorized to clone the source PVC.

Signed-off-by: Arnon Gilboa <[email protected]>

Author: arnongilboa

api/openapi-spec/swagger.json

@@ -4400,6 +4400,10 @@
       "type": "string",
       "default": ""
      },
+     "serviceAccountName": {
+      "description": "ServiceAccountName is the name of the ServiceAccount for creating DataVolumes.",
+      "type": "string"
+     },
      "template": {
       "description": "Template specifies template for the DVs to be created",
       "default": {},

pkg/apis/core/v1beta1/openapi_generated.go

@@ -40,6 +40,7 @@ go_library(
         "//vendor/github.com/pkg/errors:go_default_library",
         "//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
         "//vendor/github.com/robfig/cron/v3:go_default_library",
+        "//vendor/k8s.io/api/authorization/v1:go_default_library",
         "//vendor/k8s.io/api/batch/v1:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/api/networking/v1:go_default_library",
@@ -109,6 +110,7 @@ go_test(
         "//vendor/github.com/openshift/api/security/v1:go_default_library",
         "//vendor/github.com/pkg/errors:go_default_library",
         "//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
+        "//vendor/k8s.io/api/authorization/v1:go_default_library",
         "//vendor/k8s.io/api/batch/v1:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/api/networking/v1:go_default_library",

pkg/controller/BUILD.bazel

@@ -30,12 +30,13 @@ import (
 )
 
 const (
-	noDigest   = "NoDigest"
-	noImport   = "NoImport"
-	outdated   = "Outdated"
-	scheduled  = "ImportScheduled"
-	inProgress = "ImportProgressing"
-	upToDate   = "UpToDate"
+	noDigest      = "NoDigest"
+	noImport      = "NoImport"
+	notAuthorized = "NotAuthorized"
+	outdated      = "Outdated"
+	scheduled     = "ImportScheduled"
+	inProgress    = "ImportProgressing"
+	upToDate      = "UpToDate"
 )
 
 func updateDataImportCronCondition(cron *cdiv1.DataImportCron, conditionType cdiv1.DataImportCronConditionType, status corev1.ConditionStatus, message, reason string) {

pkg/controller/dataimportcron-conditions.go

@@ -33,6 +33,7 @@ import (
 	"github.com/pkg/errors"
 	cronexpr "github.com/robfig/cron/v3"
 
+	authorizationv1 "k8s.io/api/authorization/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -873,7 +874,6 @@ func (r *DataImportCronReconciler) createImportDataVolume(ctx context.Context, d
 	if err != nil {
 		return err
 	}
-	dataImportCron.Status.CurrentImports = []cdiv1.ImportStatus{{DataVolumeName: dvName, Digest: digest}}
 
 	sources := []client.Object{&snapshotv1.VolumeSnapshot{}, &corev1.PersistentVolumeClaim{}}
 	for _, src := range sources {
@@ -886,18 +886,72 @@ func (r *DataImportCronReconciler) createImportDataVolume(ctx context.Context, d
 				return err
 			}
 			// If source exists don't create DV
+			dataImportCron.Status.CurrentImports = []cdiv1.ImportStatus{{DataVolumeName: dvName, Digest: digest}}
 			return nil
 		}
 	}
 
 	dv := r.newSourceDataVolume(dataImportCron, dvName)
+	if allowed, err := r.authorizeCloneDataVolume(dataImportCron, dv); err != nil {
+		return err
+	} else if !allowed {
+		updateDataImportCronCondition(dataImportCron, cdiv1.DataImportCronProgressing, corev1.ConditionFalse,
+			"Not authorized to create DataVolume", notAuthorized)
+		return nil
+	}
 	if err := r.client.Create(ctx, dv); err != nil && !k8serrors.IsAlreadyExists(err) {
 		return err
 	}
+	dataImportCron.Status.CurrentImports = []cdiv1.ImportStatus{{DataVolumeName: dvName, Digest: digest}}
 
 	return nil
 }
 
+func (r *DataImportCronReconciler) authorizeCloneDataVolume(dataImportCron *cdiv1.DataImportCron, dv *cdiv1.DataVolume) (bool, error) {
+	if !isPvcSource(dataImportCron) {
+		return true, nil
+	}
+	saName := "default"
+	if dataImportCron.Spec.ServiceAccountName != nil {
+		saName = *dataImportCron.Spec.ServiceAccountName
+	}
+	if resp, err := dv.AuthorizeSA(dv.Namespace, dv.Name, &authProxy{r.client}, dataImportCron.Namespace, saName); err != nil {
+		return false, err
+	} else if !resp.Allowed {
+		r.log.Info("Not authorized to create DataVolume", "cron", dataImportCron.Name, "reason", resp.Reason)
+		return false, nil
+	}
+
+	return true, nil
+}
+
+type authProxy struct {
+	client client.Client
+}
+
+func (p *authProxy) CreateSar(sar *authorizationv1.SubjectAccessReview) (*authorizationv1.SubjectAccessReview, error) {
+	if err := p.client.Create(context.TODO(), sar); err != nil {
+		return nil, err
+	}
+	return sar, nil
+}
+
+func (p *authProxy) GetNamespace(name string) (*corev1.Namespace, error) {
+	ns := &corev1.Namespace{}
+	if err := p.client.Get(context.TODO(), types.NamespacedName{Name: name}, ns); err != nil {
+		return nil, err
+	}
+	return ns, nil
+}
+
+func (p *authProxy) GetDataSource(namespace, name string) (*cdiv1.DataSource, error) {
+	das := &cdiv1.DataSource{}
+	if err := p.client.Get(context.TODO(), types.NamespacedName{Namespace: namespace, Name: name}, das); err != nil {
+		return nil, err
+	}
+	return das, nil
+}
+
 func (r *DataImportCronReconciler) handleStorageClassChange(ctx context.Context, dataImportCron *cdiv1.DataImportCron, desiredStorageClass string) error {
 	digest, ok := dataImportCron.Annotations[AnnSourceDesiredDigest]
 	if !ok {

pkg/controller/dataimportcron-controller.go

@@ -33,6 +33,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 
+	authorizationv1 "k8s.io/api/authorization/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -911,18 +912,86 @@ var _ = Describe("All DataImportCron Tests", func() {
 			Expect(err.Error()).To(ContainSubstring("not found"))
 		})
 
-		It("Should succeed with existing source PVC", func() {
-			pvc := newPVC("test-pvc")
+		It("Should create DataVolume when source PVC is in the same namespace", func() {
+			sourcePvc := newPVC("source-pvc", metav1.NamespaceDefault)
 			cron := newDataImportCron(cronName)
 			cron.Spec.Template.Spec.Source = &cdiv1.DataVolumeSource{
 				PVC: &cdiv1.DataVolumeSourcePVC{
-					Name:      pvc.Name,
-					Namespace: pvc.Namespace,
+					Name:      sourcePvc.Name,
+					Namespace: sourcePvc.Namespace,
 				},
 			}
-			reconciler = createDataImportCronReconciler(cron, pvc)
+
+			reconciler = createDataImportCronReconciler(cron, sourcePvc,
+				&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: sourcePvc.Namespace}})
+			setFakeSarClient(reconciler, false)
 			_, err := reconciler.Reconcile(context.TODO(), cronReq)
 			Expect(err).ToNot(HaveOccurred())
+
+			err = reconciler.client.Get(context.TODO(), cronKey, cron)
+			Expect(err).ToNot(HaveOccurred())
+
+			imports := cron.Status.CurrentImports
+			Expect(imports).ToNot(BeEmpty())
+			dvName := imports[0].DataVolumeName
+			Expect(dvName).ToNot(BeEmpty())
+			dv := &cdiv1.DataVolume{}
+			err = reconciler.client.Get(context.TODO(), dvKey(dvName), dv)
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("Should create DataVolume with cross-namespace source PVC when ServiceAccount is authorized", func() {
+			sourcePvc := newPVC("source-pvc", "source-ns")
+			cron := newDataImportCron(cronName)
+			cron.Spec.Template.Spec.Source = &cdiv1.DataVolumeSource{
+				PVC: &cdiv1.DataVolumeSourcePVC{
+					Name:      sourcePvc.Name,
+					Namespace: sourcePvc.Namespace,
+				},
+			}
+
+			reconciler = createDataImportCronReconciler(cron, sourcePvc,
+				&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: sourcePvc.Namespace}})
+			setFakeSarClient(reconciler, true)
+			_, err := reconciler.Reconcile(context.TODO(), cronReq)
+			Expect(err).ToNot(HaveOccurred())
+
+			err = reconciler.client.Get(context.TODO(), cronKey, cron)
+			Expect(err).ToNot(HaveOccurred())
+
+			imports := cron.Status.CurrentImports
+			Expect(imports).ToNot(BeEmpty())
+			dvName := imports[0].DataVolumeName
+			Expect(dvName).ToNot(BeEmpty())
+			dv := &cdiv1.DataVolume{}
+			err = reconciler.client.Get(context.TODO(), dvKey(dvName), dv)
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("Should not create DataVolume with cross-namespace source PVC when ServiceAccount is not authorized", func() {
+			sourcePvc := newPVC("source-pvc", "source-ns")
+			cron := newDataImportCron(cronName)
+			cron.Spec.Template.Spec.Source = &cdiv1.DataVolumeSource{
+				PVC: &cdiv1.DataVolumeSourcePVC{
+					Name:      sourcePvc.Name,
+					Namespace: sourcePvc.Namespace,
+				},
+			}
+
+			reconciler = createDataImportCronReconciler(cron, sourcePvc,
+				&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: sourcePvc.Namespace}})
+			setFakeSarClient(reconciler, false)
+			_, err := reconciler.Reconcile(context.TODO(), cronReq)
+			Expect(err).ToNot(HaveOccurred())
+
+			err = reconciler.client.Get(context.TODO(), cronKey, cron)
+			Expect(err).ToNot(HaveOccurred())
+
+			cronCond := FindDataImportCronConditionByType(cron, cdiv1.DataImportCronProgressing)
+			Expect(cronCond).ToNot(BeNil())
+			Expect(cronCond.ConditionState.Message).To(Equal("Not authorized to create DataVolume"))
+			Expect(cronCond.ConditionState.Reason).To(Equal("NotAuthorized"))
+			Expect(cron.Status.CurrentImports).To(BeEmpty())
 		})
 
 		It("Should succeed garbage collecting old version DVs", func() {
@@ -1601,22 +1670,43 @@ func createDataImportCronReconcilerWithoutConfig(objects ...runtime.Object) *Dat
 	return r
 }
 
+func setFakeSarClient(reconciler *DataImportCronReconciler, allowed bool) {
+	client := &fakeSarClient{Client: reconciler.client, allowed: allowed}
+	reconciler.client = client
+	reconciler.uncachedClient = client
+}
+
+type fakeSarClient struct {
+	client.Client
+	allowed bool
+}
+
+func (s *fakeSarClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
+	if sar, ok := obj.(*authorizationv1.SubjectAccessReview); ok {
+		sar.GenerateName = "test-sar"
+		sar.Status.Allowed = s.allowed
+		return s.Client.Create(ctx, sar, opts...)
+	}
+	return s.Client.Create(ctx, obj, opts...)
+}
+
 func newDataImportCronWithImageStream(dataImportCronName, taggedImageStreamName string) *cdiv1.DataImportCron {
 	cron := newDataImportCron(dataImportCronName)
 	cron.Spec.Template.Spec.Source.Registry.ImageStream = &taggedImageStreamName
 	cron.Spec.Template.Spec.Source.Registry.URL = nil
 	return cron
 }
 
-func newPVC(name string) *corev1.PersistentVolumeClaim {
+func newPVC(name, namespace string) *corev1.PersistentVolumeClaim {
 	return &corev1.PersistentVolumeClaim{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: metav1.NamespaceDefault,
+			Namespace: namespace,
 			UID:       types.UID(metav1.NamespaceDefault + "-" + name),
 		},
 	}
 }
+
 func newImageStream(name string) *imagev1.ImageStream {
 	return &imagev1.ImageStream{
 		TypeMeta: metav1.TypeMeta{APIVersion: imagev1.SchemeGroupVersion.String()},

pkg/controller/dataimportcron-controller_test.go

@@ -117,6 +117,19 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule {
 				"delete",
 			},
 		},
+		{
+			APIGroups: []string{
+				"",
+			},
+			Resources: []string{
+				"namespaces",
+			},
+			Verbs: []string{
+				"get",
+				"list",
+				"watch",
+			},
+		},
 		{
 			APIGroups: []string{
 				"",
@@ -271,6 +284,17 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule {
 				"update",
 			},
 		},
+		{
+			APIGroups: []string{
+				"authorization.k8s.io",
+			},
+			Resources: []string{
+				"subjectaccessreviews",
+			},
+			Verbs: []string{
+				"create",
+			},
+		},
 	}
 }
 

pkg/operator/resources/cluster/controller.go

@@ -596,6 +596,10 @@ type DataImportCronSpec struct {
 	// RetentionPolicy specifies whether the created DataVolumes and DataSources are retained when their DataImportCron is deleted. Default is RatainAll.
 	// +optional
 	RetentionPolicy *DataImportCronRetentionPolicy `json:"retentionPolicy,omitempty"`
+	// ServiceAccountName is the name of the ServiceAccount for creating DataVolumes.
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	ServiceAccountName *string `json:"serviceAccountName,omitempty"`
 }
 
 // DataImportCronGarbageCollect represents the DataImportCron garbage collection mode