Closed sheveg closed 5 months ago
According to the source code in the controller I should also see this log entry: Starting informer namespace mynamespace, which I do not see. These are the log entries at startup:
time=2024-06-05T10:29:15.172Z level=INFO msg="Starting sealed-secrets controller" version=v0.26.2
time=2024-06-05T10:29:15.173Z level=INFO msg="Searching for existing private keys"
time=2024-06-05T10:29:15.194Z level=INFO msg="registered private key" secretname=<secretname>
time=2024-06-05T10:29:15.195Z level=INFO msg="registered private key" secretname=<secretname>
time=2024-06-05T10:29:15.196Z level=INFO msg="registered private key" secretname=<secretname>
time=2024-06-05T10:29:15.197Z level=INFO msg="HTTP server serving" addr=:8080
time=2024-06-05T10:29:15.197Z level=INFO msg="HTTP metrics server serving" addr=:8081
Found the issue: when specifying args, the other parameters like additionalNamespaces are overridden due to the implementation in templates\deployment.yaml (source). Solution is to either specify all in args or use the other parameters for specifying values.yaml.
Due to the definition of the role secrets-unsealer in templates:
{{ if and (and .Values.rbac.create .Values.rbac.namespacedRoles) (not $.Values.rbac.clusterRole) }}
{{- range $additionalNamespace := $.Values.additionalNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $.Values.rbac.namespacedRolesName }}
  namespace: {{ $additionalNamespace }}
I had to define the additional namespaces twice in values.yaml, once as a parameter in args and once at root level:
sealed-secrets:
  args:
    - --key-size
    - "8192"
    - --my-cn
    - "testorg.com"
    - --additional-namespaces
    - mynamespace
  additionalNamespaces:
    - mynamespace
  rbac:
    create: true
    clusterRole: false
    namespacedRoles: true
  namespace: mynamespace
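The following is an added example, not code from the sealed-secrets chart or from the reporter: a pre-install check that encodes the two facts the thread establishes, namely that a non-empty args list makes templates/deployment.yaml ignore additionalNamespaces, and that the namespaced Role is only rendered for names under additionalNamespaces. It assumes --additional-namespaces takes a comma-separated list given either as a separate argument or as --additional-namespaces=ns1,ns2; the values dictionaries are constructed samples modelled on the values.yaml above.

```python
"""Consistency check for the values.yaml pitfall discussed in this thread.
Added example, not part of the sealed-secrets chart.
Assumption: --additional-namespaces is a comma-separated list, passed either as
'--additional-namespaces ns1,ns2' or as '--additional-namespaces=ns1,ns2'."""
from typing import Any, Dict, List, Set


def namespaces_from_args(args: List[str]) -> Set[str]:
    """Collect every namespace passed through --additional-namespaces."""
    found: Set[str] = set()
    i = 0
    while i < len(args):
        arg, value = args[i], None
        if arg == "--additional-namespaces" and i + 1 < len(args):
            value, i = args[i + 1], i + 1
        elif arg.startswith("--additional-namespaces="):
            value = arg.split("=", 1)[1]
        if value is not None:
            found.update(ns.strip() for ns in value.split(",") if ns.strip())
        i += 1
    return found


def namespaced_rbac_enabled(rbac: Dict[str, Any]) -> bool:
    """Same guard as the Role template quoted in the thread; unset keys count as
    false, which is how Helm treats nil (chart defaults are not modelled here)."""
    return bool(rbac.get("create") and rbac.get("namespacedRoles")
                and not rbac.get("clusterRole"))


def check_values(values: Dict[str, Any]) -> Dict[str, Any]:
    """Compare what the controller will watch with where a Role will exist."""
    chart = values.get("sealed-secrets", values)  # subchart or top-level layout
    args = chart.get("args") or []
    declared = set(chart.get("additionalNamespaces") or [])
    if args:
        # args present: deployment.yaml drops additionalNamespaces, so the
        # namespaces must appear in args themselves.
        watched = namespaces_from_args(args)
    else:
        watched = set(declared)
    # Without the flag the controller lists SealedSecrets at the cluster scope,
    # which a namespaced Role cannot authorise ("forbidden ... at the cluster scope").
    cluster_wide = not watched
    rbac_ns = namespaced_rbac_enabled(chart.get("rbac") or {})
    return {
        "cluster_wide_watch_with_namespaced_rbac": cluster_wide and rbac_ns,
        "watched_without_role": (watched - declared) if rbac_ns else set(),
        "role_without_watch": (declared - watched) if rbac_ns else set(),
    }


# Constructed sample: args set, but the namespace only under additionalNamespaces,
# which deployment.yaml then ignores (the situation the thread describes).
REPORTED_VALUES = {
    "sealed-secrets": {
        "args": ["--key-size", "8192", "--my-cn", "testorg.com"],
        "additionalNamespaces": ["mynamespace"],
        "rbac": {"create": True, "clusterRole": False, "namespacedRoles": True},
        "namespace": "mynamespace",
    }
}

# Constructed sample: the working values.yaml from the thread, namespace in both places.
FIXED_VALUES = {
    "sealed-secrets": {
        "args": ["--key-size", "8192", "--my-cn", "testorg.com",
                 "--additional-namespaces", "mynamespace"],
        "additionalNamespaces": ["mynamespace"],
        "rbac": {"create": True, "clusterRole": False, "namespacedRoles": True},
        "namespace": "mynamespace",
    }
}

if __name__ == "__main__":
    for name, vals in (("reported", REPORTED_VALUES), ("fixed", FIXED_VALUES)):
        print(name, check_values(vals))
```

Run it against a parsed values.yaml before helm install; a non-empty set in either mismatch key, or a true cluster_wide_watch_with_namespaced_rbac, reproduces the forbidden errors in the issue before the controller is deployed.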
Which component: controller, version v0.26.2
Describe the bug: Controller tries to access secrets cluster-wide in namespaced restricted mode.
To Reproduce: Steps to reproduce the behavior:
1. Create the referenced service account my-sa with roles and rolebindings to access secrets and sealed secrets, taken from the templates in the helm chart.
2. See error in the controller logs:
W0605 10:19:11.752065 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: failed to list *v1alpha1.SealedSecret: sealedsecrets.bitnami.com is forbidden: User "system:serviceaccount:aeps:my-sa" cannot list resource "sealedsecrets" in API group "bitnami.com" at the cluster scope
E0605 10:19:11.752096 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: Failed to watch *v1alpha1.SealedSecret: failed to list *v1alpha1.SealedSecret: sealedsecrets.bitnami.com is forbidden: User "system:serviceaccount:mynamespace:my-sa" cannot list resource "sealedsecrets" in API group "bitnami.com" at the cluster scope
Expected behavior: The controller tries not to access secrets at cluster level and
Version of Kubernetes: kubectl version:
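As an added example (not from the sealed-secrets project or the reporter), here is a small parser for the client-go "forbidden" errors quoted in the issue. It separates cluster-scope denials, the signature of a controller started without --additional-namespaces while only namespaced Roles exist, from ordinary namespace-scope denials. The first two sample lines are the ones from the issue; the remaining two are constructed.

```python
"""Classify API-server RBAC denials in sealed-secrets controller logs.
Added example, not part of the sealed-secrets project."""
import re
from typing import Dict, List, Optional

# klog prefix: severity letter, MMDD, HH:MM:SS.micros, pid, file:line]
KLOG_RE = re.compile(
    r"^(?P<severity>[IWEF])(?P<mmdd>\d{4}) (?P<time>[\d:.]+) +\d+ (?P<source>\S+)\]"
)

# The denial text the API server returns after "is forbidden:".
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:(?P<cluster>at the cluster scope)|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the denial's fields, or None if the line is not an RBAC denial."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    d = {k: v for k, v in m.groupdict().items() if v is not None and k != "cluster"}
    d["scope"] = "cluster" if m.group("cluster") else "namespace"
    k = KLOG_RE.match(line)
    d["severity"] = k.group("severity") if k else "?"
    # system:serviceaccount:<namespace>:<name> identifies the controller's identity.
    parts = d["user"].split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        d["sa_namespace"], d["sa_name"] = parts[2], parts[3]
    return d


def cluster_scope_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only cluster-scope list/watch denials; a namespaced Role can never
    satisfy these, so they point at the controller's watch scope, not the Role."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d and d["scope"] == "cluster" and d["verb"] in ("list", "watch"):
            out.append(d)
    return out


SAMPLE_LOG = [
    # The two lines quoted in the issue.
    'W0605 10:19:11.752065 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: failed to list *v1alpha1.SealedSecret: sealedsecrets.bitnami.com is forbidden: User "system:serviceaccount:aeps:my-sa" cannot list resource "sealedsecrets" in API group "bitnami.com" at the cluster scope',
    'E0605 10:19:11.752096 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.3/tools/cache/reflector.go:229: Failed to watch *v1alpha1.SealedSecret: failed to list *v1alpha1.SealedSecret: sealedsecrets.bitnami.com is forbidden: User "system:serviceaccount:mynamespace:my-sa" cannot list resource "sealedsecrets" in API group "bitnami.com" at the cluster scope',
    # Constructed: a namespace-scope denial, which the check deliberately ignores.
    'E0605 10:20:00.000000 1 reflector.go:147] secrets is forbidden: User "system:serviceaccount:mynamespace:my-sa" cannot list resource "secrets" in API group "" in the namespace "otherns"',
    # Constructed: an unrelated info line.
    'I0605 10:20:01.000000 1 main.go:1] nothing to see here',
]

if __name__ == "__main__":
    for d in cluster_scope_denials(SAMPLE_LOG):
        print(d["severity"], d["sa_namespace"], d["sa_name"], d["verb"], d["resource"])
```

Pipe kubectl logs of the controller pod through cluster_scope_denials: any hit means the Deployment is missing --additional-namespaces (or was given an empty list), which is a different fix from adding a Role in the reported namespace.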