Simplify DataImportCron ServiceAccount authorization

Add ServiceAccountName to DataImportCron spec, replacing CreatedBy
which was added in #3946.

In case of DataImportCron with PVC source, the controller checks the
ServiceAccount is authorized to clone the source PVC.

Signed-off-by: Arnon Gilboa <[email protected]>

Author: arnongilboa

api/openapi-spec/swagger.json

@@ -4400,6 +4400,10 @@
       "type": "string",
       "default": ""
      },
+     "serviceAccountName": {
+      "description": "ServiceAccountName is the name of the ServiceAccount for creating DataVolumes.",
+      "type": "string"
+     },
      "template": {
       "description": "Template specifies template for the DVs to be created",
       "default": {},

pkg/apis/core/v1beta1/openapi_generated.go

@@ -40,6 +40,7 @@ go_library(
         "//vendor/github.com/pkg/errors:go_default_library",
         "//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
         "//vendor/github.com/robfig/cron/v3:go_default_library",
+        "//vendor/k8s.io/api/authorization/v1:go_default_library",
         "//vendor/k8s.io/api/batch/v1:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/api/networking/v1:go_default_library",

pkg/controller/BUILD.bazel

@@ -30,12 +30,13 @@ import (
 )
 
 const (
-	noDigest   = "NoDigest"
-	noImport   = "NoImport"
-	outdated   = "Outdated"
-	scheduled  = "ImportScheduled"
-	inProgress = "ImportProgressing"
-	upToDate   = "UpToDate"
+	noDigest      = "NoDigest"
+	noImport      = "NoImport"
+	notAuthorized = "NotAuthorized"
+	outdated      = "Outdated"
+	scheduled     = "ImportScheduled"
+	inProgress    = "ImportProgressing"
+	upToDate      = "UpToDate"
 )
 
 func updateDataImportCronCondition(cron *cdiv1.DataImportCron, conditionType cdiv1.DataImportCronConditionType, status corev1.ConditionStatus, message, reason string) {

pkg/controller/dataimportcron-conditions.go

@@ -33,6 +33,7 @@ import (
 	"github.com/pkg/errors"
 	cronexpr "github.com/robfig/cron/v3"
 
+	authorizationv1 "k8s.io/api/authorization/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -889,15 +890,62 @@ func (r *DataImportCronReconciler) createImportDataVolume(ctx context.Context, d
 			return nil
 		}
 	}
-
 	dv := r.newSourceDataVolume(dataImportCron, dvName)
+	if allowed, err := r.authorizeCloneDataVolume(dataImportCron, dv); err != nil {
+		return err
+	} else if !allowed {
+		updateDataImportCronCondition(dataImportCron, cdiv1.DataImportCronProgressing, corev1.ConditionFalse,
+			"Not authorized to create DataVolume", notAuthorized)
+		return nil
+	}
 	if err := r.client.Create(ctx, dv); err != nil && !k8serrors.IsAlreadyExists(err) {
 		return err
 	}
 
 	return nil
 }
 
+func (r *DataImportCronReconciler) authorizeCloneDataVolume(dataImportCron *cdiv1.DataImportCron, dv *cdiv1.DataVolume) (bool, error) {
+	if !isPvcSource(dataImportCron) {
+		return true, nil
+	}
+	saName := dataImportCron.Spec.ServiceAccountName
+	if saName == "" {
+		saName = "default"
+	}
+	if resp, err := dv.AuthorizeSA(dv.Namespace, dv.Name, r, dataImportCron.Namespace, saName); err != nil {
+		return false, err
+	} else if !resp.Allowed {
+		r.log.Info("Not authorized to create DataVolume", "cron", dataImportCron.Name, "reason", resp.Reason)
+		return false, nil
+	}
+
+	return true, nil
+}
+
+func (r *DataImportCronReconciler) CreateSar(sar *authorizationv1.SubjectAccessReview) (*authorizationv1.SubjectAccessReview, error) {
+	if err := r.client.Create(context.TODO(), sar); err != nil {
+		return nil, err
+	}
+	return sar, nil
+}
+
+func (r *DataImportCronReconciler) GetNamespace(name string) (*corev1.Namespace, error) {
+	ns := &corev1.Namespace{}
+	if err := r.client.Get(context.TODO(), types.NamespacedName{Name: name}, ns); err != nil {
+		return nil, err
+	}
+	return ns, nil
+}
+
+func (r *DataImportCronReconciler) GetDataSource(namespace, name string) (*cdiv1.DataSource, error) {
+	das := &cdiv1.DataSource{}
+	if err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: namespace, Name: name}, das); err != nil {
+		return nil, err
+	}
+	return das, nil
+}
+
 func (r *DataImportCronReconciler) handleStorageClassChange(ctx context.Context, dataImportCron *cdiv1.DataImportCron, desiredStorageClass string) error {
 	digest, ok := dataImportCron.Annotations[AnnSourceDesiredDigest]
 	if !ok {

pkg/controller/dataimportcron-controller.go

@@ -920,7 +920,8 @@ var _ = Describe("All DataImportCron Tests", func() {
 					Namespace: pvc.Namespace,
 				},
 			}
-			reconciler = createDataImportCronReconciler(cron, pvc)
+			reconciler = createDataImportCronReconciler(cron, pvc,
+				&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "default"}})
 			_, err := reconciler.Reconcile(context.TODO(), cronReq)
 			Expect(err).ToNot(HaveOccurred())
 		})

pkg/controller/dataimportcron-controller_test.go

@@ -117,6 +117,19 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule {
 				"delete",
 			},
 		},
+		{
+			APIGroups: []string{
+				"",
+			},
+			Resources: []string{
+				"namespaces",
+			},
+			Verbs: []string{
+				"get",
+				"list",
+				"watch",
+			},
+		},
 		{
 			APIGroups: []string{
 				"",
@@ -271,6 +284,17 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule {
 				"update",
 			},
 		},
+		{
+			APIGroups: []string{
+				"authorization.k8s.io",
+			},
+			Resources: []string{
+				"subjectaccessreviews",
+			},
+			Verbs: []string{
+				"create",
+			},
+		},
 	}
 }
 

pkg/operator/resources/cluster/controller.go

@@ -596,6 +596,9 @@ type DataImportCronSpec struct {
 	// RetentionPolicy specifies whether the created DataVolumes and DataSources are retained when their DataImportCron is deleted. Default is RatainAll.
 	// +optional
 	RetentionPolicy *DataImportCronRetentionPolicy `json:"retentionPolicy,omitempty"`
+	// ServiceAccountName is the name of the ServiceAccount for creating DataVolumes.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // DataImportCronGarbageCollect represents the DataImportCron garbage collection mode