feat: added the option to enforce namespace annotations (external-sec…

…rets#448) * added the option to enforce namespace annotations * Update lib/poller.js Co-authored-by: Markus Maga <[email protected]> * Update config/environment.js Co-authored-by: Markus Maga <[email protected]> Co-authored-by: Markus Maga <[email protected]>
umlublin · Jul 26, 2020 · 1517333 · 1517333
1 parent 605a815
commit 1517333
Show file tree

Hide file tree

Showing 5 changed files with 152 additions and 2 deletions.
diff --git a/bin/daemon.js b/bin/daemon.js
@@ -24,7 +24,8 @@ const {
  pollerIntervalMilliseconds,
  pollingDisabled,
  rolePermittedAnnotation,
- namingPermittedAnnotation
+ namingPermittedAnnotation,
+ enforceNamespaceAnnotation
 } = require('../config')
 
 async function main () {
@@ -49,6 +50,7 @@ async function main () {
  pollerIntervalMilliseconds,
  rolePermittedAnnotation,
  namingPermittedAnnotation,
+ enforceNamespaceAnnotation,
  customResourceManifest,
  pollingDisabled,
  logger

diff --git a/config/environment.js b/config/environment.js
@@ -31,6 +31,7 @@ const pollingDisabled = 'DISABLE_POLLING' in process.env
 
 const rolePermittedAnnotation = process.env.ROLE_PERMITTED_ANNOTATION || 'iam.amazonaws.com/permitted'
 const namingPermittedAnnotation = process.env.NAMING_PERMITTED_ANNOTATION || 'externalsecrets.kubernetes-client.io/permitted-key-name'
+const enforceNamespaceAnnotation = 'ENFORCE_NAMESPACE_ANNOTATIONS' in process.env || false
 
 const metricsPort = process.env.METRICS_PORT || 3001
 
@@ -44,6 +45,7 @@ module.exports = {
  metricsPort,
  rolePermittedAnnotation,
  namingPermittedAnnotation,
+ enforceNamespaceAnnotation,
  pollingDisabled,
  logLevel,
  customResourceManagerDisabled,

diff --git a/lib/poller-factory.js b/lib/poller-factory.js
@@ -21,6 +21,7 @@ class PollerFactory {
  rolePermittedAnnotation,
  namingPermittedAnnotation,
  customResourceManifest,
+ enforceNamespaceAnnotation,
  pollingDisabled,
  logger
  }) {
@@ -32,6 +33,7 @@ class PollerFactory {
  this._customResourceManifest = customResourceManifest
  this._rolePermittedAnnotation = rolePermittedAnnotation
  this._namingPermittedAnnotation = namingPermittedAnnotation
+ this._enforceNamespaceAnnotation = enforceNamespaceAnnotation
  this._pollingDisabled = pollingDisabled
  }
 
@@ -49,6 +51,7 @@ class PollerFactory {
  customResourceManifest: this._customResourceManifest,
  rolePermittedAnnotation: this._rolePermittedAnnotation,
  namingPermittedAnnotation: this._namingPermittedAnnotation,
+ enforceNamespaceAnnotation: this._enforceNamespaceAnnotation,
  pollingDisabled: this._pollingDisabled,
  externalSecret
  })

diff --git a/lib/poller.js b/lib/poller.js
@@ -29,6 +29,8 @@ class Poller {
  * @param {Object} customResourceManifest - CRD manifest
  * @param {Object} externalSecret - ExternalSecret manifest.
  * @param {string} rolePermittedAnnotation - namespace annotation that defines which roles can be assumed within this namespace
+ * @param {string} namingPermittedAnnotation - namespace annotation that defines which keys can be assumed within this namespace
+ * @param {string} enforceNamespaceAnnotation - should enforce namespace annotations
  * @param {Object} metrics - Metrics client.
  */
  constructor ({
@@ -40,6 +42,7 @@ class Poller {
  customResourceManifest,
  rolePermittedAnnotation,
  namingPermittedAnnotation,
+ enforceNamespaceAnnotation,
  pollingDisabled,
  externalSecret
  }) {
@@ -53,6 +56,7 @@ class Poller {
  this._rolePermittedAnnotation = rolePermittedAnnotation
  this._namingPermittedAnnotation = namingPermittedAnnotation
  this._customResourceManifest = customResourceManifest
+ this._enforceNamespaceAnnotation = enforceNamespaceAnnotation
 
  this._externalSecret = externalSecret
  this._spec = externalSecret.spec || externalSecret.secretDescriptor
@@ -197,6 +201,8 @@ class Poller {
  let reason = ''
 
  if (!namespace.metadata.annotations) {
+ allowed = !this._enforceNamespaceAnnotation
+ reason = this._enforceNamespaceAnnotation ? 'Namespace annotation is required' : ''
  return {
  allowed, reason
  }
@@ -213,6 +219,14 @@ class Poller {
  reNaming = new RegExp(namingConvention)
  }
 
+ if (!namingConvention && this._enforceNamespaceAnnotation) {
+ allowed = false
+ reason = `Missing required annotation ${this._namingPermittedAnnotation} on namespace ${namespace.metadata.name}`
+ return {
+ allowed, reason
+ }
+ }
+
  // Testing data property
  if (namingConvention && externalData) {
  externalData.forEach((secretProperty, index) => {
@@ -242,14 +256,21 @@ class Poller {
 
  // 2. testing assume role if configured
 
- const role = descriptor.roleArn
+ const role = descriptor.roleArn || descriptor.vaultRole
 
  if (!role) {
  return {
  allowed, reason
  }
  }
 
+ if (!namespace.metadata.annotations[this._rolePermittedAnnotation] && this._enforceNamespaceAnnotation) {
+ allowed = false
+ reason = `Missing required annotation ${this._rolePermittedAnnotation} on namespace ${namespace.metadata.name}`
+ return {
+ allowed, reason
+ }
+ }
  // an empty annotation value allows access to all roles
  const re = new RegExp(namespace.metadata.annotations[this._rolePermittedAnnotation])
 

diff --git a/lib/poller.test.js b/lib/poller.test.js
@@ -911,6 +911,128 @@ describe('Poller', () => {
  ]
  },
  permitted: true
+ },
+ {
+ // test regex
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+ descriptor: {
+ data: [
+ { key: 'whatever', name: 'somethingelse' }
+ ],
+ roleArn: 'b'
+ },
+ permitted: false
+ },
+ {
+ // test regex
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+ descriptor: {
+ data: [
+ { key: 'whatever', name: 'somethingelse' }
+ ],
+ vaultRole: 'b'
+ },
+ permitted: false
+ },
+ {
+ // test regex
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+ descriptor: {
+ data: [
+ { key: 'whatever', name: 'somethingelse' }
+ ],
+ roleArn: 'a'
+ },
+ permitted: true
+ },
+ {
+ // test regex
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: '.*', [rolePermittedAnnotation]: 'a' } } },
+ descriptor: {
+ data: [
+ { key: 'whatever', name: 'somethingelse' }
+ ],
+ vaultRole: 'a'
+ },
+ permitted: true
+ }
+ ]
+
+ for (let i = 0; i < testcases.length; i++) {
+ const testcase = testcases[i]
+ const verdict = poller._isPermitted(testcase.ns, testcase.descriptor)
+ expect(verdict.allowed, `test case ${i + 1}`).to.equal(testcase.permitted)
+ }
+ })
+ })
+ describe('namespace annotation enforcement', () => {
+ let poller
+ beforeEach(() => {
+ poller = new Poller({
+ backends: {
+ fakeBackendType: backendMock
+ },
+ metrics: metricsMock,
+ intervalMilliseconds: 5000,
+ kubeClient: kubeClientMock,
+ logger: loggerMock,
+ externalSecret: fakeExternalSecret,
+ rolePermittedAnnotation,
+ namingPermittedAnnotation,
+ enforceNamespaceAnnotation: true,
+ customResourceManifest: fakeCustomResourceManifest
+ })
+ })
+
+ it('should enforce namespace annotations`', () => {
+ const testcases = [
+ {
+ // no annotations at all
+ ns: { metadata: {} },
+ descriptor: {},
+ permitted: false
+ },
+ {
+ // empty name annotation
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: '' } } },
+ descriptor: {
+ dataFrom: ['test']
+ },
+ permitted: false
+ },
+ {
+ // empty role annotation
+ ns: { metadata: { annotations: { [rolePermittedAnnotation]: '' } } },
+ descriptor: {
+ dataFrom: ['test']
+ },
+ permitted: false
+ },
+ {
+ // missing role annotation
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'a' } } },
+ descriptor: {
+ dataFrom: ['a'],
+ roleArn: 'a'
+ },
+ permitted: false
+ },
+ {
+ // empty role annotation
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'a', [rolePermittedAnnotation]: '' } } },
+ descriptor: {
+ dataFrom: ['a'],
+ roleArn: 'a'
+ },
+ permitted: false
+ },
+ {
+ // all required annotations
+ ns: { metadata: { annotations: { [namingPermittedAnnotation]: 'a', [rolePermittedAnnotation]: 'b' } } },
+ descriptor: {
+ dataFrom: ['a']
+ },
+ permitted: true
  }
  ]