fix(operator): move authorization RBAC to dedicated cluster_scoped

reconciler

Author: JoaoBraveCoding

operator/internal/controller/loki/dashboards_controller.go renamed to operator/internal/controller/loki/lokistack_cluster_scoped_controller.go

@@ -47,15 +47,15 @@ func (r *DashboardsReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	if len(stacks.Items) == 0 {
 		// Removes all LokiStack dashboard resources on OpenShift clusters when
 		// the last LokiStack custom resource is deleted.
-		if err := handlers.DeleteDashboards(ctx, r.Client, r.OperatorNs); err != nil {
+		if err := handlers.DeleteClusterScopedResources(ctx, r.Client, r.OperatorNs); err != nil {
 			return ctrl.Result{}, kverrors.Wrap(err, "failed to delete dashboard resources")
 		}
 		return ctrl.Result{}, nil
 	}
 
 	// Creates all LokiStack dashboard resources on OpenShift clusters when
 	// the first LokiStack custom resource is created.
-	if err := handlers.CreateDashboards(ctx, r.Log, r.OperatorNs, r.Client, r.Scheme); err != nil {
+	if err := handlers.CreateClusterScopedResources(ctx, r.Log, r.OperatorNs, r.Client, r.Scheme, stacks); err != nil {
 		return ctrl.Result{}, kverrors.Wrap(err, "failed to create dashboard resources", "req", req)
 	}
 	return ctrl.Result{}, nil

operator/internal/handlers/dashboards_create.go renamed to operator/internal/handlers/lokistack_cluster_scope_resources_create.go

@@ -11,18 +11,34 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client" //nolint:typecheck
 	ctrlutil "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+	lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
 	"github.com/grafana/loki/operator/internal/external/k8s"
 	"github.com/grafana/loki/operator/internal/manifests"
 	"github.com/grafana/loki/operator/internal/manifests/openshift"
+	rbacv1 "k8s.io/api/rbac/v1"
 )
 
-// CreateDashboards handles the LokiStack dashboards create events.
-func CreateDashboards(ctx context.Context, log logr.Logger, operatorNs string, k k8s.Client, s *runtime.Scheme) error {
+// CreateClusterScopedResources handles the LokiStack cluster scoped create events.
+func CreateClusterScopedResources(ctx context.Context, log logr.Logger, operatorNs string, k k8s.Client, s *runtime.Scheme, stacks lokiv1.LokiStackList) error {
 	objs, err := openshift.BuildDashboards(operatorNs)
 	if err != nil {
 		return kverrors.Wrap(err, "failed to build dashboard manifests")
 	}
 
+	subjects := make([]rbacv1.Subject, 0, len(stacks.Items))
+	for _, stack := range stacks.Items {
+		subjects = append(subjects, rbacv1.Subject{
+			Kind:      "ServiceAccount",
+			Name:      manifests.GatewayName(stack.Name),
+			Namespace: stack.Namespace,
+		})
+	}
+	rbacOBjs, err := openshift.BuildRBAC(subjects)
+	if err != nil {
+		return kverrors.Wrap(err, "failed to build RBAC manifests")
+	}
+	objs = append(objs, rbacOBjs...)
+
 	var errCount int32
 	for _, obj := range objs {
 		desired := obj.DeepCopyObject().(client.Object)

operator/internal/handlers/dashboards_create_test.go renamed to operator/internal/handlers/lokistack_cluster_scope_resources_create_test.go

@@ -53,7 +53,7 @@ func TestCreateDashboards_ReturnsResourcesInManagedNamespaces(t *testing.T) {
 
 	k.StatusStub = func() client.StatusWriter { return sw }
 
-	err := CreateDashboards(context.TODO(), logger, "test", k, scheme)
+	err := CreateClusterScopedResources(context.TODO(), logger, "test", k, scheme)
 	require.NoError(t, err)
 
 	// make sure create was called

operator/internal/handlers/dashboards_delete.go renamed to operator/internal/handlers/lokistack_cluster_scope_resources_delete.go

@@ -11,8 +11,8 @@ import (
 	"github.com/grafana/loki/operator/internal/manifests/openshift"
 )
 
-// DeleteDashboards removes all cluster-scoped dashboard resources.
-func DeleteDashboards(ctx context.Context, k k8s.Client, operatorNs string) error {
+// DeleteClusterScopedResources removes all cluster-scoped resources.
+func DeleteClusterScopedResources(ctx context.Context, k k8s.Client, operatorNs string) error {
 	objs, err := openshift.BuildDashboards(operatorNs)
 	if err != nil {
 		return kverrors.Wrap(err, "failed to build dashboards manifests")

operator/internal/handlers/dashboards_delete_test.go renamed to operator/internal/handlers/lokistack_cluster_scope_resources_delete_test.go

@@ -19,7 +19,7 @@ func TestDeleteDashboards(t *testing.T) {
 
 	k := &k8sfakes.FakeClient{}
 
-	err = DeleteDashboards(context.TODO(), k, "operator-ns")
+	err = DeleteClusterScopedResources(context.TODO(), k, "operator-ns")
 	require.NoError(t, err)
 	require.Equal(t, k.DeleteCallCount(), len(objs))
 }
@@ -30,6 +30,6 @@ func TestDeleteDashboards_ReturnsNoError_WhenNotFound(t *testing.T) {
 		return apierrors.NewNotFound(schema.GroupResource{}, "something wasn't found")
 	}
 
-	err := DeleteDashboards(context.TODO(), k, "operator-ns")
+	err := DeleteClusterScopedResources(context.TODO(), k, "operator-ns")
 	require.NoError(t, err)
 }

operator/internal/manifests/openshift/build.go

@@ -15,24 +15,11 @@ func BuildGatewayObjects(opts Options) []client.Object {
 	}
 }
 
-// BuildGatewayTenantModeObjects returns a list of auxiliary openshift/k8s objects
-// for lokistack gateway deployments on OpenShift for tenant modes:
-// - openshift-logging
-// - openshift-network
-func BuildGatewayTenantModeObjects(opts Options) []client.Object {
-	return []client.Object{
-		BuildGatewayClusterRole(opts),
-		BuildGatewayClusterRoleBinding(opts),
-	}
-}
-
 // BuildRulerObjects returns a list of auxiliary openshift/k8s objects
 // for lokistack ruler deployments on OpenShift.
 func BuildRulerObjects(opts Options) []client.Object {
 	return []client.Object{
 		BuildAlertManagerCAConfigMap(opts),
 		BuildRulerServiceAccount(opts),
-		BuildRulerClusterRole(opts),
-		BuildRulerClusterRoleBinding(opts),
 	}
 }

operator/internal/manifests/openshift/rbac.go

@@ -3,22 +3,36 @@ package openshift
 import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+const (
+	gatewayName = "lokistack-gateway"
+	rulerName   = "lokistack-ruler"
+)
+
+func BuildRBAC(subjects []rbacv1.Subject) ([]client.Object, error) {
+	objs := make([]client.Object, 0, 4)
+	objs = append(objs, BuildGatewayClusterRole())
+	objs = append(objs, BuildGatewayClusterRoleBinding(subjects))
+	objs = append(objs, BuildRulerClusterRole())
+	objs = append(objs, BuildRulerClusterRoleBinding(subjects))
+	return objs, nil
+}
+
 // BuildGatewayClusterRole returns a k8s ClusterRole object for the
 // lokistack gateway serviceaccount to allow creating:
 //   - TokenReviews to authenticate the user by bearer token.
 //   - SubjectAccessReview to authorize the user by bearer token.
 //     if having access to read/create logs.
-func BuildGatewayClusterRole(opts Options) *rbacv1.ClusterRole {
+func BuildGatewayClusterRole() *rbacv1.ClusterRole {
 	return &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ClusterRole",
 			APIVersion: rbacv1.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:   authorizerRbacName(opts.BuildOpts.GatewayName),
-			Labels: opts.BuildOpts.Labels,
+			Name: authorizerRbacName(gatewayName),
 		},
 		Rules: []rbacv1.PolicyRule{
 			{
@@ -51,42 +65,34 @@ func BuildGatewayClusterRole(opts Options) *rbacv1.ClusterRole {
 // the lokistack gateway serviceaccount to grant access to:
 // - rbac.authentication.k8s.io/TokenReviews
 // - rbac.authorization.k8s.io/SubjectAccessReviews
-func BuildGatewayClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding {
+func BuildGatewayClusterRoleBinding(subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
 	return &rbacv1.ClusterRoleBinding{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ClusterRoleBinding",
 			APIVersion: rbacv1.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:   authorizerRbacName(opts.BuildOpts.GatewayName),
-			Labels: opts.BuildOpts.Labels,
+			Name: authorizerRbacName(gatewayName),
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     authorizerRbacName(opts.BuildOpts.GatewayName),
-		},
-		Subjects: []rbacv1.Subject{
-			{
-				Kind:      rbacv1.ServiceAccountKind,
-				Name:      gatewayServiceAccountName(opts),
-				Namespace: opts.BuildOpts.LokiStackNamespace,
-			},
+			Name:     authorizerRbacName(gatewayName),
 		},
+		Subjects: subjects,
 	}
 }
 
 // BuildRulerClusterRole returns a k8s ClusterRole object for the
 // lokistack ruler serviceaccount to allow patching sending alerts to alertmanagers.
-func BuildRulerClusterRole(opts Options) *rbacv1.ClusterRole {
+func BuildRulerClusterRole() *rbacv1.ClusterRole {
 	return &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ClusterRole",
 			APIVersion: rbacv1.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:   authorizerRbacName(opts.BuildOpts.RulerName),
-			Labels: opts.BuildOpts.Labels,
+			Name: authorizerRbacName(rulerName),
 		},
 		Rules: []rbacv1.PolicyRule{
 			{
@@ -125,27 +131,20 @@ func BuildRulerClusterRole(opts Options) *rbacv1.ClusterRole {
 
 // BuildRulerClusterRoleBinding returns a k8s ClusterRoleBinding object for
 // the lokistack ruler serviceaccount to grant access to alertmanagers.
-func BuildRulerClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding {
+func BuildRulerClusterRoleBinding(subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
 	return &rbacv1.ClusterRoleBinding{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "ClusterRoleBinding",
 			APIVersion: rbacv1.SchemeGroupVersion.String(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:   authorizerRbacName(opts.BuildOpts.RulerName),
-			Labels: opts.BuildOpts.Labels,
+			Name: authorizerRbacName(rulerName),
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     authorizerRbacName(opts.BuildOpts.RulerName),
-		},
-		Subjects: []rbacv1.Subject{
-			{
-				Kind:      rbacv1.ServiceAccountKind,
-				Name:      rulerServiceAccountName(opts),
-				Namespace: opts.BuildOpts.LokiStackNamespace,
-			},
+			Name:     authorizerRbacName(rulerName),
 		},
+		Subjects: subjects,
 	}
 }

operator/internal/validation/openshift/common.go

@@ -19,6 +19,7 @@ const (
 	descriptionAnnotationName = "description"
 
 	namespaceLabelName        = "kubernetes_namespace_name"
+	namespaceOTLPLabelName    = "k8s_namespace_name"
 	namespaceOpenshiftLogging = "openshift-logging"
 
 	tenantAudit          = "audit"
@@ -64,23 +65,44 @@ func validateRuleExpression(namespace, tenantID, rawExpr string) error {
 	}
 
 	matchers := selector.Matchers()
-	if tenantID != tenantAudit && !validateIncludesNamespace(namespace, matchers) {
-		return lokiv1.ErrRuleMustMatchNamespace
+	if tenantID != tenantAudit {
+		if !validateIncludesNamespace(namespace, matchers) {
+			return lokiv1.ErrRuleMustMatchNamespace
+		}
+		if !validateExclusiveNamespaceLabels(matchers) {
+			return lokiv1.ErrRuleExclusiveNamespaceLabel
+		}
 	}
 
 	return nil
 }
 
 func validateIncludesNamespace(namespace string, matchers []*labels.Matcher) bool {
 	for _, m := range matchers {
-		if m.Name == namespaceLabelName && m.Type == labels.MatchEqual && m.Value == namespace {
+		if (m.Name == namespaceLabelName || m.Name == namespaceOTLPLabelName) && m.Type == labels.MatchEqual && m.Value == namespace {
 			return true
 		}
 	}
 
 	return false
 }
 
+func validateExclusiveNamespaceLabels(matchers []*labels.Matcher) bool {
+	var namespaceLabelSet, otlpLabelSet bool
+
+	for _, m := range matchers {
+		if m.Name == namespaceLabelName && m.Type == labels.MatchEqual {
+			namespaceLabelSet = true
+		}
+		if m.Name == namespaceOTLPLabelName && m.Type == labels.MatchEqual {
+			otlpLabelSet = true
+		}
+	}
+
+	// Only one of the labels should be set, not both
+	return (namespaceLabelSet || otlpLabelSet) && !(namespaceLabelSet && otlpLabelSet)
+}
+
 func tenantForNamespace(namespace string) []string {
 	if strings.HasPrefix(namespace, "openshift") ||
 		strings.HasPrefix(namespace, "kube-") ||