feat(security): allow configurable overide of app rules via helm chart…

charts/gitops-server/templates/appRulesConfigMap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: wego-app-rules
+data:
+  rules.yaml: |-
+    {{ toYaml .Values.weaveGitOpsApprules | indent 4 }}

charts/gitops-server/values.yaml

@@ -29,6 +29,30 @@ envVars:
   - name: WEAVE_GITOPS_FEATURE_GITOPS_RUNTIME
     value: "false"
 
+# This section is used to configure the app rules for the GitOps server.
+# The app rules are used to define the permissions that the GitOps server has
+# to access resources in the cluster. The rules are defined in a ConfigMap
+# that is mounted into the GitOps server pod.
+weaveGitOpsApprules:
+  - apiGroups: [""]
+    resources: ["pods", "secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "replicasets"]
+    verbs: ["get", "list"]
+  - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+    resources: ["kustomizations"]
+    verbs: ["get", "list"]
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources: ["helmreleases"]
+    verbs: ["get", "list"]
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["buckets", "helmcharts", "helmrepositories", "gitrepositories", "ocirepositories"]
+    verbs: ["get", "list"]
+
 # -- Annotations to add to the deployment
 annotations: {}
 # Should the 'oidc-auth' secret be created. For a detailed

cmd/gitops-server/cmd/cmd.go

@@ -35,7 +35,7 @@
 	"github.com/weaveworks/weave-gitops/core/clustersmngr/fetcher"
 	"github.com/weaveworks/weave-gitops/core/logger"
 	"github.com/weaveworks/weave-gitops/core/nsaccess"
 	core "github.com/weaveworks/weave-gitops/core/server"
 	"github.com/weaveworks/weave-gitops/pkg/featureflags"
 	"github.com/weaveworks/weave-gitops/pkg/health"
 	"github.com/weaveworks/weave-gitops/pkg/kube"
@@ -244,7 +244,7 @@
 
 	fetcher := fetcher.NewSingleClusterFetcher(cl)
 
-	clustersManager := clustersmngr.NewClustersManager([]clustersmngr.ClusterFetcher{fetcher}, nsaccess.NewChecker(nsaccess.DefautltWegoAppRules), log)
+	clustersManager := clustersmngr.NewClustersManager([]clustersmngr.ClusterFetcher{fetcher}, nsaccess.NewChecker(nsaccess.MergeAppRules), log)
 	clustersManager.Start(ctx)
 
 	healthChecker := health.NewHealthChecker()

core/nsaccess/nsaccess.go

@@ -2,7 +2,10 @@ package nsaccess
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 
 	authorizationv1 "k8s.io/api/authorization/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -14,8 +17,9 @@ import (
 
 //go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
 
-// DefautltWegoAppRules is the minimun set of permissions a user will need to use the wego-app in a given namespace
-var DefautltWegoAppRules = []rbacv1.PolicyRule{
+// BaseWegoAppRules is the minimun set of permissions a user will need to use the wego-app in a given namespace.
+// was DefautltWegoAppRules
+var BaseWegoAppRules = []rbacv1.PolicyRule{
 	{
 		APIGroups: []string{""},
 		Resources: []string{"pods", "secrets"},
@@ -48,6 +52,55 @@ var DefautltWegoAppRules = []rbacv1.PolicyRule{
 	},
 }
 
+func getWegoAppRulesFromConfigMap() interface{} {
+
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		panic(err.Error())
+	}
+
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		panic(err.Error())
+	}
+
+	configMap, err := clientset.CoreV1().ConfigMaps("flux-system").Get(context.TODO(), "wego-app-rules", metav1.GetOptions{})
+	if err != nil {
+		panic(err.Error())
+	}
+
+	var rules []rbacv1.PolicyRule
+	err = json.Unmarshal([]byte(configMap.Data["rules"]), &rules)
+	if err != nil {
+		panic(err.Error())
+	}
+
+	return rules
+
+}
+
+// MergeAppRules merges the default rules with the rules from the configMap, overriding defaults with configMap rules
+func MergeAppRules(defaultRules, configMapRules []rbacv1.PolicyRule) []rbacv1.PolicyRule {
+	ruleMap := make(map[string]rbacv1.PolicyRule)
+
+	for _, rule := range defaultRules {
+		key := fmt.Sprintf("%s-%s", rule.APIGroups, rule.Resources)
+		ruleMap[key] = rule
+	}
+
+	for _, rule := range configMapRules {
+		key := fmt.Sprintf("%s-%s", rule.APIGroups, rule.Resources)
+		ruleMap[key] = rule
+	}
+
+	mergedRules := make([]rbacv1.PolicyRule, 0, len(ruleMap))
+	for _, rule := range ruleMap {
+		mergedRules = append(mergedRules, rule)
+	}
+
+	return mergedRules
+}
+
 // Checker contains methods for validing user access to Kubernetes namespaces, based on a set of PolicyRules
 //
 //counterfeiter:generate . Checker

core/server/server.go

@@ -62,7 +62,7 @@
 		log:             log.WithName("core-server"),
 		RestCfg:         cfg,
 		clusterName:     clusterName,
-		NSAccess:        nsaccess.NewChecker(nsaccess.DefautltWegoAppRules),
+		NSAccess:        nsaccess.NewChecker(nsaccess.MergeAppRules),
 		ClustersManager: clustersManager,
 		PrimaryKinds:    kinds,
 		HealthChecker:   healthChecker,

pkg/services/crd/suite_test.go

@@ -68,7 +68,7 @@ func createClient(k8sEnv *testutils.K8sTestEnv) (clustersmngr.Client, clustersmn
 
 	clustersManager := clustersmngr.NewClustersManager(
 		[]clustersmngr.ClusterFetcher{fetcher},
-		nsaccess.NewChecker(nsaccess.DefautltWegoAppRules),
+		nsaccess.NewChecker(nsaccess.MergeAppRules),
 		log,
 	)