Merge pull request #1768 from Prateeknandle/job-rbac-1

fix(core):patch apparmor annotations for cronjobs and updating rbac rules
kubearmor · Jun 12, 2024 · 322dd5a · 322dd5a
2 parents b9ea20c + 0a8837f
commit 322dd5a
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 3 deletions.
diff --git a/KubeArmor/core/k8sHandler.go b/KubeArmor/core/k8sHandler.go
@@ -230,6 +230,10 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 	}
 
 	spec := `{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+	if kind == "CronJob" {
+		spec = `{"spec":{"jobTemplate":{"spec":{"template":{"metadata":{"annotations":{"kubearmor-policy":"enabled",`
+	}
+
 	count := len(appArmorAnnotations)
 
 	for k, v := range appArmorAnnotations {
@@ -246,7 +250,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 		count--
 	}
 
-	spec = spec + `}}}}}`
+	if kind == "CronJob" {
+		spec = spec + `}}}}}}}`
+	} else {
+		spec = spec + `}}}}}`
+	}
 
 	if kind == "StatefulSet" {
 		_, err := kh.K8sClient.AppsV1().StatefulSets(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
@@ -292,6 +300,11 @@ func (kh *K8sHandler) PatchResourceWithAppArmorAnnotations(namespaceName, deploy
 		if err != nil {
 			return err
 		}
+	} else if kind == "CronJob" {
+		_, err := kh.K8sClient.BatchV1().CronJobs(namespaceName).Patch(context.Background(), deploymentName, types.StrategicMergePatchType, []byte(spec), metav1.PatchOptions{})
+		if err != nil {
+			return err
+		}
 	} else if kind == "Pod" {
 		// this condition wont be triggered, handled by controller
 		return nil

diff --git a/deployments/get/objects.go b/deployments/get/objects.go
@@ -54,7 +54,7 @@ func GetClusterRole() *rbacv1.ClusterRole {
 			{
 				APIGroups: []string{"batch"},
 				Resources: []string{"jobs", "cronjobs"},
-				Verbs:     []string{"get"},
+				Verbs:     []string{"get", "patch", "list", "watch", "update"},
 			},
 			{
 				APIGroups: []string{"security.kubearmor.com"},
@@ -546,7 +546,6 @@ func GetKubeArmorControllerDeployment(namespace string) *appsv1.Deployment {
 					Labels: KubeArmorControllerLabels,
 				},
 				Spec: corev1.PodSpec{
-					PriorityClassName:  "system-node-critical",
 					ServiceAccountName: KubeArmorControllerServiceAccountName,
 					Volumes: []corev1.Volume{
 						KubeArmorControllerCertVolume,

diff --git a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
@@ -36,6 +36,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:

diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -136,6 +136,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:

diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml
@@ -377,6 +377,17 @@ rules:
   - list
   - watch
   - update
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources:

diff --git a/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml b/pkg/KubeArmorOperator/config/rbac/clusterrole.yaml
@@ -130,6 +130,10 @@ rules:
   - cronjobs
   verbs:
   - get
+  - patch
+  - list
+  - watch
+  - update
 - apiGroups:
   - security.kubearmor.com
   resources: