feat: stops operator if leader elector has no permission to lease object

csviri · csviri · commit 18f396aa6779 · 2023-05-23T14:41:38.000+02:00
diff --git a/operator-framework-core/src/main/java/io/javaoperatorsdk/operator/LeaderElectionManager.java b/operator-framework-core/src/main/java/io/javaoperatorsdk/operator/LeaderElectionManager.java
@@ -7,6 +7,7 @@
 import org.slf4j.LoggerFactory;
 
 import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientException;
 import io.fabric8.kubernetes.client.extended.leaderelection.LeaderCallbacks;
 import io.fabric8.kubernetes.client.extended.leaderelection.LeaderElectionConfig;
 import io.fabric8.kubernetes.client.extended.leaderelection.LeaderElector;
@@ -20,16 +21,22 @@ public class LeaderElectionManager {
 
   private static final Logger log = LoggerFactory.getLogger(LeaderElectionManager.class);
 
+  public static final String NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE =
+      "No permission to lease resource.";
+
   private LeaderElector leaderElector = null;
   private final ControllerManager controllerManager;
   private String identity;
   private CompletableFuture<?> leaderElectionFuture;
+  private LeaderElectionConfig leaderElectionConfig;
+  private KubernetesClient client;
 
   public LeaderElectionManager(ControllerManager controllerManager) {
     this.controllerManager = controllerManager;
   }
 
   public void init(LeaderElectionConfiguration config, KubernetesClient client) {
+    this.client = client;
     this.identity = identity(config);
     final var leaseNamespace =
         config.getLeaseNamespace().orElseGet(
@@ -42,18 +49,19 @@ public void init(LeaderElectionConfiguration config, KubernetesClient client) {
     }
     final var lock = new LeaseLock(leaseNamespace, config.getLeaseName(), identity);
     // releaseOnCancel is not used in the underlying implementation
+    leaderElectionConfig = new LeaderElectionConfig(
+        lock,
+        config.getLeaseDuration(),
+        config.getRenewDeadline(),
+        config.getRetryPeriod(),
+        leaderCallbacks(),
+        true,
+        config.getLeaseName());
+
     leaderElector =
         new LeaderElectorBuilder(
             client, ExecutorServiceManager.instance().executorService())
-            .withConfig(
-                new LeaderElectionConfig(
-                    lock,
-                    config.getLeaseDuration(),
-                    config.getRenewDeadline(),
-                    config.getRetryPeriod(),
-                    leaderCallbacks(),
-                    true,
-                    config.getLeaseName()))
+            .withConfig(leaderElectionConfig)
             .build();
   }
 
@@ -90,6 +98,7 @@ private String identity(LeaderElectionConfiguration config) {
 
   public void start() {
     if (isLeaderElectionEnabled()) {
+      checkLeaseAccess();
       leaderElectionFuture = leaderElector.start();
     }
   }
@@ -99,4 +108,16 @@ public void stop() {
       leaderElectionFuture.cancel(false);
     }
   }
+
+  private void checkLeaseAccess() {
+    try {
+      leaderElectionConfig.getLock().get(client);
+    } catch (KubernetesClientException e) {
+      if (e.getCode() == 403) {
+        throw new OperatorException(NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE, e);
+      } else {
+        throw e;
+      }
+    }
+  }
 }
diff --git a/operator-framework/src/test/java/io/javaoperatorsdk/operator/LeaderElectionPermissionIT.java b/operator-framework/src/test/java/io/javaoperatorsdk/operator/LeaderElectionPermissionIT.java
@@ -0,0 +1,72 @@
+package io.javaoperatorsdk.operator;
+
+import org.junit.jupiter.api.Test;
+
+import io.fabric8.kubernetes.api.model.ConfigMap;
+import io.fabric8.kubernetes.api.model.rbac.Role;
+import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
+import io.fabric8.kubernetes.client.ConfigBuilder;
+import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
+import io.javaoperatorsdk.operator.api.config.LeaderElectionConfiguration;
+import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.ControllerConfiguration;
+import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
+import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
+
+import static io.javaoperatorsdk.operator.LeaderElectionManager.NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class LeaderElectionPermissionIT {
+
+  KubernetesClient adminClient = new KubernetesClientBuilder().build();
+
+  @Test
+  void operatorStopsIfNoLeaderElectionPermission() {
+    applyRole();
+    applyRoleBinding();
+
+    var client = new KubernetesClientBuilder().withConfig(new ConfigBuilder()
+        .withImpersonateUsername("leader-elector-stop-noaccess")
+        .build()).build();
+
+    var operator = new Operator(client, o -> {
+      o.withLeaderElectionConfiguration(
+          new LeaderElectionConfiguration("lease1", "default"));
+      o.withStopOnInformerErrorDuringStartup(false);
+    });
+    operator.register(new TestReconciler(), o -> o.settingNamespace("default"));
+
+    OperatorException exception = assertThrows(
+        OperatorException.class,
+        operator::start);
+
+    assertThat(exception.getCause().getMessage())
+        .isEqualTo(NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE);
+  }
+
+
+  @ControllerConfiguration
+  public static class TestReconciler implements Reconciler<ConfigMap> {
+    @Override
+    public UpdateControl<ConfigMap> reconcile(ConfigMap resource, Context<ConfigMap> context)
+        throws Exception {
+      throw new IllegalStateException("Should not get here");
+    }
+  }
+
+  private void applyRoleBinding() {
+    var clusterRoleBinding = ReconcilerUtils
+        .loadYaml(RoleBinding.class, this.getClass(),
+            "leader-elector-stop-noaccess-role-binding.yaml");
+    adminClient.resource(clusterRoleBinding).createOrReplace();
+  }
+
+  private void applyRole() {
+    var role = ReconcilerUtils
+        .loadYaml(Role.class, this.getClass(), "leader-elector-stop-role-noaccess.yaml");
+    adminClient.resource(role).createOrReplace();
+  }
+
+}
diff --git a/operator-framework/src/test/resources/io/javaoperatorsdk/operator/leader-elector-stop-noaccess-role-binding.yaml b/operator-framework/src/test/resources/io/javaoperatorsdk/operator/leader-elector-stop-noaccess-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: RoleBinding
+metadata:
+  name: informer-rbac-startup-global
+  namespace: default
+subjects:
+  - kind: User
+    name: leader-elector-stop-noaccess
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: leader-elector-stop-noaccess
+  apiGroup: rbac.authorization.k8s.io
diff --git a/operator-framework/src/test/resources/io/javaoperatorsdk/operator/leader-elector-stop-role-noaccess.yaml b/operator-framework/src/test/resources/io/javaoperatorsdk/operator/leader-elector-stop-role-noaccess.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: leader-elector-stop-noaccess
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    verbs: [ "get", "watch", "list","post", "delete", "create" ]
