feat: do not start operator if leader elector has no permission to lease object (#1912)

Author: csviri

operator-framework-core/src/main/java/io/javaoperatorsdk/operator/LeaderElectionManager.java

@@ -1,11 +1,13 @@
 package io.javaoperatorsdk.operator;
 
+import java.util.Arrays;
 import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import io.fabric8.kubernetes.api.model.authorization.v1.*;
 import io.fabric8.kubernetes.client.KubernetesClient;
 import io.fabric8.kubernetes.client.extended.leaderelection.LeaderCallbacks;
 import io.fabric8.kubernetes.client.extended.leaderelection.LeaderElectionConfig;
@@ -20,18 +22,26 @@ public class LeaderElectionManager {
 
   private static final Logger log = LoggerFactory.getLogger(LeaderElectionManager.class);
 
+  public static final String NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE =
+      "No permission to lease resource.";
+
   private LeaderElector leaderElector = null;
   private final ControllerManager controllerManager;
   private String identity;
   private CompletableFuture<?> leaderElectionFuture;
+  private KubernetesClient client;
+  private String leaseName;
+  private String leaseNamespace;
 
   public LeaderElectionManager(ControllerManager controllerManager) {
     this.controllerManager = controllerManager;
   }
 
   public void init(LeaderElectionConfiguration config, KubernetesClient client) {
+    this.client = client;
     this.identity = identity(config);
-    final var leaseNamespace =
+    this.leaseName = config.getLeaseName();
+    leaseNamespace =
         config.getLeaseNamespace().orElseGet(
             () -> ConfigurationServiceProvider.instance().getClientConfiguration().getNamespace());
     if (leaseNamespace == null) {
@@ -40,20 +50,19 @@ public void init(LeaderElectionConfiguration config, KubernetesClient client) {
       log.error(message);
       throw new IllegalArgumentException(message);
     }
-    final var lock = new LeaseLock(leaseNamespace, config.getLeaseName(), identity);
+    final var lock = new LeaseLock(leaseNamespace, leaseName, identity);
     // releaseOnCancel is not used in the underlying implementation
     leaderElector =
         new LeaderElectorBuilder(
             client, ExecutorServiceManager.instance().executorService())
-            .withConfig(
-                new LeaderElectionConfig(
-                    lock,
-                    config.getLeaseDuration(),
-                    config.getRenewDeadline(),
-                    config.getRetryPeriod(),
-                    leaderCallbacks(),
-                    true,
-                    config.getLeaseName()))
+            .withConfig(new LeaderElectionConfig(
+                lock,
+                config.getLeaseDuration(),
+                config.getRenewDeadline(),
+                config.getRetryPeriod(),
+                leaderCallbacks(),
+                true,
+                config.getLeaseName()))
             .build();
   }
 
@@ -90,6 +99,7 @@ private String identity(LeaderElectionConfiguration config) {
 
   public void start() {
     if (isLeaderElectionEnabled()) {
+      checkLeaseAccess();
       leaderElectionFuture = leaderElector.start();
     }
   }
@@ -99,4 +109,21 @@ public void stop() {
       leaderElectionFuture.cancel(false);
     }
   }
+
+  private void checkLeaseAccess() {
+    var verbs = Arrays.asList("create", "update", "get");
+    SelfSubjectRulesReview review = new SelfSubjectRulesReview();
+    review.setSpec(new SelfSubjectRulesReviewSpecBuilder().withNamespace(leaseNamespace).build());
+    var reviewResult = client.resource(review).create();
+    log.debug("SelfSubjectRulesReview result: {}", reviewResult);
+    var foundRule = reviewResult.getStatus().getResourceRules().stream()
+        .filter(rule -> rule.getApiGroups().contains("coordination.k8s.io")
+            && rule.getResources().contains("leases")
+            && (rule.getVerbs().containsAll(verbs)) || rule.getVerbs().contains("*"))
+        .findAny();
+    if (foundRule.isEmpty()) {
+      throw new OperatorException(NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE +
+          " in namespace: " + leaseNamespace);
+    }
+  }
 }

operator-framework/src/test/java/io/javaoperatorsdk/operator/LeaderElectionPermissionIT.java

@@ -0,0 +1,74 @@
+package io.javaoperatorsdk.operator;
+
+import org.junit.jupiter.api.Test;
+
+import io.fabric8.kubernetes.api.model.ConfigMap;
+import io.fabric8.kubernetes.api.model.authorization.v1.*;
+import io.fabric8.kubernetes.api.model.rbac.Role;
+import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
+import io.fabric8.kubernetes.client.ConfigBuilder;
+import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
+import io.javaoperatorsdk.operator.api.config.ConfigurationServiceProvider;
+import io.javaoperatorsdk.operator.api.config.LeaderElectionConfiguration;
+import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.ControllerConfiguration;
+import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
+import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
+
+import static io.javaoperatorsdk.operator.LeaderElectionManager.NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class LeaderElectionPermissionIT {
+
+  KubernetesClient adminClient = new KubernetesClientBuilder().build();
+
+  @Test
+  void operatorStopsIfNoLeaderElectionPermission() {
+    applyRole();
+    applyRoleBinding();
+
+    var client = new KubernetesClientBuilder().withConfig(new ConfigBuilder()
+        .withImpersonateUsername("leader-elector-stop-noaccess")
+        .build()).build();
+
+    var operator = new Operator(client, o -> {
+      o.withLeaderElectionConfiguration(
+          new LeaderElectionConfiguration("lease1", "default"));
+      o.withStopOnInformerErrorDuringStartup(false);
+    });
+    operator.register(new TestReconciler(), o -> o.settingNamespace("default"));
+
+    OperatorException exception = assertThrows(
+        OperatorException.class,
+        operator::start);
+
+    assertThat(exception.getCause().getMessage())
+        .contains(NO_PERMISSION_TO_LEASE_RESOURCE_MESSAGE);
+    ConfigurationServiceProvider.reset();
+  }
+
+
+  @ControllerConfiguration
+  public static class TestReconciler implements Reconciler<ConfigMap> {
+    @Override
+    public UpdateControl<ConfigMap> reconcile(ConfigMap resource, Context<ConfigMap> context)
+        throws Exception {
+      throw new IllegalStateException("Should not get here");
+    }
+  }
+
+  private void applyRoleBinding() {
+    var clusterRoleBinding = ReconcilerUtils
+        .loadYaml(RoleBinding.class, this.getClass(),
+            "leader-elector-stop-noaccess-role-binding.yaml");
+    adminClient.resource(clusterRoleBinding).createOrReplace();
+  }
+
+  private void applyRole() {
+    var role = ReconcilerUtils
+        .loadYaml(Role.class, this.getClass(), "leader-elector-stop-role-noaccess.yaml");
+    adminClient.resource(role).createOrReplace();
+  }
+}

operator-framework/src/test/resources/io/javaoperatorsdk/operator/leader-elector-stop-noaccess-role-binding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: RoleBinding
+metadata:
+  name: informer-rbac-startup-global
+  namespace: default
+subjects:
+  - kind: User
+    name: leader-elector-stop-noaccess
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: leader-elector-stop-noaccess
+  apiGroup: rbac.authorization.k8s.io

operator-framework/src/test/resources/io/javaoperatorsdk/operator/leader-elector-stop-role-noaccess.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: leader-elector-stop-noaccess
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    verbs: [ "get", "watch", "list","post", "delete", "create" ]