Add ServiceAccount name field to Hooks CRD

J12934 · J12934 · commit 82241c816707 · 2020-07-20T13:33:00.000+02:00
This is used to optionally override the default serviceAccount of a Hook.
diff --git a/operator/apis/execution/v1/scancompletionhook.go b/operator/apis/execution/v1/scancompletionhook.go
@@ -44,6 +44,8 @@ type ScanCompletionHookSpec struct {
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 	Env              []corev1.EnvVar               `json:"env,omitempty"`
 	Type             HookType                      `json:"type"`
+	// ServiceAccountName Name of the serviceAccount Name used. Should only be used if your hook needs specifc RBAC Access. Otherwise the hook is run using a "scan-completion-hook" service account. The service account should have at least "get" rights on scans.execution.experimental.securecodebox.io, and "get" & "patch" scans.execution.experimental.securecodebox.io/status
+	ServiceAccountName *string `json:"serviceAccountName,omitempty"`
 }
 
 // ScanCompletionHookStatus defines the observed state of ScanCompletionHook
diff --git a/operator/apis/execution/v1/zz_generated.deepcopy.go b/operator/apis/execution/v1/zz_generated.deepcopy.go
diff --git a/operator/config/crd/bases/execution.experimental.securecodebox.io_scancompletionhooks.yaml b/operator/config/crd/bases/execution.experimental.securecodebox.io_scancompletionhooks.yaml
@@ -156,6 +156,13 @@ spec:
                     type: string
                 type: object
               type: array
+            serviceAccountName:
+              description: ServiceAccountName Name of the serviceAccount Name used.
+                Should only be used if your hook needs specifc RBAC Access. Otherwise
+                the hook is run using a "scan-completion-hook" service account. The
+                service account should have at least "get" rights on scans.execution.experimental.securecodebox.io,
+                and "get" & "patch" scans.execution.experimental.securecodebox.io/status
+              type: string
             type:
               description: HookType Defines weather the hook should be able to change
                 the findings or is run in a read only mode.
diff --git a/operator/controllers/execution/scan_controller.go b/operator/controllers/execution/scan_controller.go
@@ -985,25 +985,33 @@ func (r *ScanReconciler) setHookStatus(scan *executionv1.Scan) error {
 
 func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook, scan *executionv1.Scan, cliArgs []string) (string, error) {
 	ctx := context.Background()
-	rules := []rbacv1.PolicyRule{
-		{
-			APIGroups: []string{"execution.experimental.securecodebox.io"},
-			Resources: []string{"scans"},
-			Verbs:     []string{"get", "list", "create"},
-		},
-		{
-			APIGroups: []string{"execution.experimental.securecodebox.io"},
-			Resources: []string{"scans/status"},
-			Verbs:     []string{"get", "patch"},
-		},
-	}
+
 	serviceAccountName := "scan-completion-hook"
-	r.ensureServiceAccountExists(
-		hook.Namespace,
-		serviceAccountName,
-		"ScanCompletionHooks need to access the current scan to view where its results are stored",
-		rules,
-	)
+	if hook.Spec.ServiceAccountName != nil {
+		// Hook uses a custom ServiceAccount
+		serviceAccountName = *hook.Spec.ServiceAccountName
+	} else {
+		// Check and create a serviceAccount for the hook in its namespace, if it doesn't already exist.
+		rules := []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"execution.experimental.securecodebox.io"},
+				Resources: []string{"scans"},
+				Verbs:     []string{"get"},
+			},
+			{
+				APIGroups: []string{"execution.experimental.securecodebox.io"},
+				Resources: []string{"scans/status"},
+				Verbs:     []string{"get", "patch"},
+			},
+		}
+
+		r.ensureServiceAccountExists(
+			hook.Namespace,
+			serviceAccountName,
+			"ScanCompletionHooks need to access the current scan to view where its results are stored",
+			rules,
+		)
+	}
 
 	standardEnvVars := []corev1.EnvVar{
 		{
diff --git a/operator/crds/execution.experimental.securecodebox.io_scancompletionhooks.yaml b/operator/crds/execution.experimental.securecodebox.io_scancompletionhooks.yaml
@@ -156,6 +156,13 @@ spec:
                     type: string
                 type: object
               type: array
+            serviceAccountName:
+              description: ServiceAccountName Name of the serviceAccount Name used.
+                Should only be used if your hook needs specifc RBAC Access. Otherwise
+                the hook is run using a "scan-completion-hook" service account. The
+                service account should have at least "get" rights on scans.execution.experimental.securecodebox.io,
+                and "get" & "patch" scans.execution.experimental.securecodebox.io/status
+              type: string
             type:
               description: HookType Defines weather the hook should be able to change
                 the findings or is run in a read only mode.

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ type ScanCompletionHookSpec struct {`
`44`	`44`	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
`45`	`45`	Env []corev1.EnvVar `json:"env,omitempty"`
`46`	`46`	Type HookType `json:"type"`
	`47`	`+ // ServiceAccountName Name of the serviceAccount Name used. Should only be used if your hook needs specifc RBAC Access. Otherwise the hook is run using a "scan-completion-hook" service account. The service account should have at least "get" rights on scans.execution.experimental.securecodebox.io, and "get" & "patch" scans.execution.experimental.securecodebox.io/status`
	`48`	+ ServiceAccountName *string `json:"serviceAccountName,omitempty"`
`47`	`49`	`}`
`48`	`50`
`49`	`51`	`// ScanCompletionHookStatus defines the observed state of ScanCompletionHook`