restrict access to the hosts configmap

Signed-off-by: Evgeny Slutsky <[email protected]>

Author: eslutsky

assets/components/openshift-dns/dns/hosts-configmap-role.yaml

@@ -0,0 +1,16 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hosts-configmap-reader
+  namespace: openshift-dns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - hosts-file
+  verbs:
+  - get
+  - list
+  - watch

assets/components/openshift-dns/dns/hosts-configmap-rolebinding.yaml

@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hosts-configmap-reader
+  namespace: openshift-dns
+subjects:
+- kind: ServiceAccount
+  name: dns
+  namespace: openshift-dns
+roleRef:
+  kind: Role
+  name: hosts-configmap-reader
+  apiGroup: rbac.authorization.k8s.io

pkg/controllers/hostswatcher.go

@@ -200,6 +200,8 @@ func (s *HostsWatcherManager) createOrUpdateConfigMap(ctx context.Context, clien
 				"app.kubernetes.io/name":       "microshift-hosts-watcher",
 				"app.kubernetes.io/component":  "hosts-file-sync",
 				"app.kubernetes.io/managed-by": "microshift",
+				// Restrict access to only CoreDNS pods
+				"microshift.io/access-restricted": "coredns-only",
 			},
 			Annotations: map[string]string{
 				"microshift.io/hosts-file-path": s.file,