Skip to content

Improvements#74

Merged
openshift-merge-bot[bot] merged 2 commits into
openshift:mainfrom
zeeke:fix/security-audit-high-findings
Jun 12, 2026
Merged

Improvements#74
openshift-merge-bot[bot] merged 2 commits into
openshift:mainfrom
zeeke:fix/security-audit-high-findings

Conversation

@zeeke

@zeeke zeeke commented Jun 10, 2026

Copy link
Copy Markdown
Contributor
  • drop hostPID from rendered DaemonSet
  • rbac: scope reconciler permissions to the install namespace

Summary by CodeRabbit

  • Refactor

    • Moved and consolidated operator RBAC into namespace-scoped roles/permissions to tighten permission boundaries.
    • Adjusted authorization for custom resource status and finalizers, adding needed verbs for proper status updates and lifecycle handling.
  • Chores

    • Removed host PID namespace access from operator pods to improve isolation and security.

@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown

Walkthrough

This PR migrates the pf-status-relay-operator from cluster-wide RBAC to namespace-scoped RBAC, removes HostPID access from managed DaemonSet pods, and updates both bundle and stable ClusterServiceVersion manifests to consolidate RBAC rules in the deployment permissions section.

Changes

RBAC Namespace Scoping and Pod Security Hardening

Layer / File(s) Summary
RBAC Namespace Scoping
internal/controller/pflacpmonitor_controller.go, config/rbac/role.yaml, config/rbac/role_binding.yaml
Controller kubebuilder RBAC annotations, config Role, and RoleBinding updated to enforce system namespace scoping and include expanded verbs (patch) for pflacpmonitors/status and pflacpmonitors/finalizers subresources.
Pod Security Hardening
internal/controller/pflacpmonitor_controller.go
DaemonSet pod spec security setting HostPID: true removed, eliminating privileged host PID namespace access.
Bundle CSV Manifest Sync
bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml
RBAC rules for apps/daemonsets and pfstatusrelay.openshift.io/pflacpmonitors removed from clusterPermissions section and re-added in the deployment permissions rules section.
Stable CSV Manifest Sync
manifests/stable/pf-status-relay-operator.clusterserviceversion.yaml
Same RBAC rule reorganization applied: daemonsets and pflacpmonitors permissions moved from clusterPermissions to deployment permissions section.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Test Structure And Quality ⚠️ Warning Tests lack resource cleanup for cluster-scoped resources (newPFLACPMonitor, e2e-empty-iface), assertions lack failure messages, and "Degraded status" test violates single responsibility principle. Add AfterEach cleanup blocks for resources created in It blocks; add descriptive messages to Expect() calls; split multi-behavior tests into single-responsibility test blocks.
Title check ❓ Inconclusive The title 'Improvements' is vague and generic, using a non-descriptive term that does not convey meaningful information about the specific changes in the changeset. Revise the title to be more specific and descriptive of the main changes, such as 'Remove hostPID and scope RBAC permissions to install namespace' or similar.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Operator Image Source ✅ Passed Controller properly reads PF_STATUS_RELAY_IMAGE env var via getDaemonSetImage() function; no hardcoded image references found in code.
Stable And Deterministic Test Names ✅ Passed All 24 It(), 8 Describe(), and 5 Context() Ginkgo tests use stable, static string literals with no dynamic content (no UUIDs, timestamps, generated suffixes, or runtime values).
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in this PR; it only modifies RBAC manifests, role.yaml, role_binding.yaml, and removes HostPID from DaemonSet PodSpec. The check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests (It, Describe, Context, When declarations) were added in this PR; all changes are RBAC, configuration, and controller code modifications.
Topology-Aware Scheduling Compatibility ✅ Passed PR changes are RBAC scoping and HostPID removal. No topology-incompatible scheduling constraints introduced: no anti-affinity, topology spread, control-plane selectors, or PodDisruptionBudgets found.
Ote Binary Stdout Contract ✅ Passed PR uses controller-runtime's zap logger for stderr, not stdout. E2e tests use GinkgoWriter. No direct stdout writes in process-level code detected.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed New Ginkgo e2e tests use cluster-internal DNS names and do not require external connectivity or IPv4-specific assumptions. Tests are compatible with IPv6-only and disconnected environments.
No-Weak-Crypto ✅ Passed No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in PR changes.
Container-Privileges ✅ Passed PR successfully removes hostPID from DaemonSet and scopes RBAC to namespace=system. Remaining privilege settings are necessary for network operations.
No-Sensitive-Data-In-Logs ✅ Passed No logging statements exposing sensitive data found. PR contains RBAC and YAML manifest changes with no new logging that could leak passwords, tokens, API keys, PII, or other sensitive information.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from SchSeba and karampok June 10, 2026 11:15
@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: zeeke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 10, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that commit cannot enter if we want to have #73 wdyt?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose you're referring to the ClusterRole -> Role change for the manager-role resource.
Whatever the installation method is, the operator will read pflacpmonitors objects from its own namespace, right?
And it will create/update/delete daemonsets in the namespace the operator is running.

So, this should be compatible with

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

he operator will read pflacpmonitors objects from its own namespace, right?

Probably that is the right approach, but I was under the impression that moving to "AllNamespaces" would actually mean the opposite.

zeeke and others added 2 commits June 10, 2026 14:51
The pf-status-relay DaemonSet runs with privileged: true + hostPID:
true + hostNetwork: true. hostPID is not needed by the agent: netlink
and sysfs VF manipulation work without sharing the host PID namespace.

Dropping it removes the agent's visibility into every host process
(/proc/<pid>/environ and cmdline can leak secrets of other workloads,
and any process can be ptraced or signalled) and removes the cheapest
container-to-host breakout (nsenter -t 1 -a into a host root shell).

Co-Authored-By: Claude Code <noreply@anthropic.com>
Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
The controller SA held a cluster-wide ClusterRole with full CRUD on
apps/daemonsets: a compromised operator pod (or stolen SA token) could
create arbitrary DaemonSets in any namespace.

Add namespace=system to the kubebuilder RBAC markers so controller-gen
emits a namespaced Role instead of a ClusterRole, replace the
ClusterRoleBinding with a RoleBinding, and regenerate the bundle so the
CSV ships these rules under permissions instead of clusterPermissions.

Co-Authored-By: Claude Code <noreply@anthropic.com>
Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@zeeke zeeke force-pushed the fix/security-audit-high-findings branch from 328a0cc to 7dea6e9 Compare June 10, 2026 12:52

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml (1)

1-1: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Bundle directory contains generated files that should not be committed.

As per coding guidelines, the bundle/ directory is regenerated by make generate && make manifests and should not be committed. The changes here will be overwritten during bundle regeneration and may cause merge conflicts.

Consider reverting this file and documenting the expected bundle output in the PR description instead.

As per coding guidelines: "The bundle regeneration modifies bundle/ directory—do not commit generated bundle files."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml` at line
1, The commit includes generated bundle files (e.g.,
bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml) that
should not be committed; revert the changes to any files under bundle/, remove
them from the commit (or reset them to the state in main), and ensure bundle
artifacts are excluded from future commits (follow repo convention: do not add
bundle/ to commits or add a note to the PR instead). Update the PR description
with the expected bundle output if needed and run make generate && make
manifests locally to regenerate the bundle rather than committing generated
files.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/rbac/role_binding.yaml`:
- Around line 2-7: The RoleBinding metadata is missing an explicit namespace;
add "namespace: system" under the metadata of the RoleBinding (the resource with
name "manager-rolebinding") so it matches the Role's namespace and avoids
deployment inconsistencies when applied directly.

---

Outside diff comments:
In `@bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml`:
- Line 1: The commit includes generated bundle files (e.g.,
bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml) that
should not be committed; revert the changes to any files under bundle/, remove
them from the commit (or reset them to the state in main), and ensure bundle
artifacts are excluded from future commits (follow repo convention: do not add
bundle/ to commits or add a note to the PR instead). Update the PR description
with the expected bundle output if needed and run make generate && make
manifests locally to regenerate the bundle rather than committing generated
files.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: c11b7d21-4236-4433-947d-3233fd925b59

📥 Commits

Reviewing files that changed from the base of the PR and between 328a0cc and 7dea6e9.

📒 Files selected for processing (5)
  • bundle/manifests/pf-status-relay-operator.clusterserviceversion.yaml
  • config/rbac/role.yaml
  • config/rbac/role_binding.yaml
  • internal/controller/pflacpmonitor_controller.go
  • manifests/stable/pf-status-relay-operator.clusterserviceversion.yaml

Comment on lines +2 to 7
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: pf-status-relay-operator
app.kubernetes.io/managed-by: kustomize
name: manager-rolebinding

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add namespace: system to RoleBinding metadata for consistency.

The Role in role.yaml explicitly declares namespace: system in its metadata, but this RoleBinding does not. While kustomize's namespace transformer may add it during build, explicitly declaring the namespace ensures both resources are consistent and avoids potential deployment issues if applied directly.

Suggested fix
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: pf-status-relay-operator
     app.kubernetes.io/managed-by: kustomize
   name: manager-rolebinding
+  namespace: system
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/rbac/role_binding.yaml` around lines 2 - 7, The RoleBinding metadata
is missing an explicit namespace; add "namespace: system" under the metadata of
the RoleBinding (the resource with name "manager-rolebinding") so it matches the
Role's namespace and avoids deployment inconsistencies when applied directly.

@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Copy link
Copy Markdown

@zeeke: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@karampok

karampok commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

This branch is 2 commits ahead of and 5 commits behind openshift/pf-status-relay-operator:main.

Can you rebase? I see some config files like certmanager that were removed added back

(probably the merge will be okay but I prefer to be sure and that the end status will not generate file difference)

@karampok

Copy link
Copy Markdown
Contributor

Two notes

  1. There is no happy path test, those changes are not tested in any way. E2E do not process valid CR and create operand. If we can test manual would be nice but given no GA that can be verified later by @gkopels
  2. Commits should be signed :)

@zeeke zeeke changed the title Fix/security audit high findings Improvements Jun 11, 2026
@karampok

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 11, 2026
@zeeke

zeeke commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

/verified later by @gkopels

@openshift-ci-robot

Copy link
Copy Markdown

@zeeke: Only users can be targets for the /verified later command.

Details

In response to this:

/verified later by @gkopels

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@zeeke

zeeke commented Jun 12, 2026

Copy link
Copy Markdown
Contributor Author

/verified later @gkopels

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Jun 12, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@zeeke: This PR has been marked to be verified later by @gkopels.

Details

In response to this:

/verified later @gkopels

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit 953873b into openshift:main Jun 12, 2026
8 checks passed
karampok added a commit to karampok/pf-status-relay-operator that referenced this pull request Jun 15, 2026
PR openshift#74 converted all RBAC to namespace-scoped Role/RoleBinding.
TLS compliance requires cluster-scoped access to tokenreviews,
subjectaccessreviews, and apiservers.config.openshift.io.
Add a dedicated ClusterRoleBinding so operator-sdk populates
clusterPermissions in the CSV.

Assisted-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria verified-later

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants