From 1d3f27dba7be3ef332366fc51f0ed1c52a51ced7 Mon Sep 17 00:00:00 2001
From: ashnamehrotra
Date: Wed, 31 Jan 2024 08:13:11 -0800
Subject: [PATCH] rbac changes

Signed-off-by: ashnamehrotra
---
 config/rbac/cluster_role_binding.yaml | 12 ++++
 config/rbac/eraserconfig_editor_role.yaml | 31 ----------
 config/rbac/eraserconfig_viewer_role.yaml | 27 ---------
 config/rbac/kustomization.yaml | 1 +
 config/rbac/role.yaml | 59 +++++++++++--------
 config/rbac/role_binding.yaml | 5 +-
 .../imagecollector_controller.go | 6 +-
 controllers/imagejob/imagejob_controller.go | 4 +-
 controllers/imagelist/imagelist_controller.go | 4 +-
 .../eraser-manager-role-clusterrole.yaml | 35 -----------
 .../templates/eraser-manager-role-role.yaml | 46 +++++++++++++++
 ...raser-manager-rolebinding-rolebinding.yaml | 18 ++++++
 manifest_staging/deploy/eraser.yaml | 49 ++++++++++-----
 13 files changed, 157 insertions(+), 140 deletions(-)
 create mode 100644 config/rbac/cluster_role_binding.yaml
 delete mode 100644 config/rbac/eraserconfig_editor_role.yaml
 delete mode 100644 config/rbac/eraserconfig_viewer_role.yaml
 create mode 100644 manifest_staging/charts/eraser/templates/eraser-manager-role-role.yaml
 create mode 100644 manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml

diff --git a/config/rbac/cluster_role_binding.yaml b/config/rbac/cluster_role_binding.yaml
new file mode 100644
index 0000000000..2070ede446
--- /dev/null
+++ b/config/rbac/cluster_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/eraserconfig_editor_role.yaml b/config/rbac/eraserconfig_editor_role.yaml
deleted file mode 100644
index f4e162009c..0000000000
--- a/config/rbac/eraserconfig_editor_role.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# permissions for end users to edit eraserconfigs.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: eraserconfig-editor-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: eraser
- app.kubernetes.io/part-of: eraser
- app.kubernetes.io/managed-by: kustomize
- name: eraserconfig-editor-role
-rules:
-- apiGroups:
- - eraser.sh
- resources:
- - eraserconfigs
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - eraser.sh
- resources:
- - eraserconfigs/status
- verbs:
- - get
diff --git a/config/rbac/eraserconfig_viewer_role.yaml b/config/rbac/eraserconfig_viewer_role.yaml
deleted file mode 100644
index b3798179ed..0000000000
--- a/config/rbac/eraserconfig_viewer_role.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# permissions for end users to view eraserconfigs.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: clusterrole
- app.kubernetes.io/instance: eraserconfig-viewer-role
- app.kubernetes.io/component: rbac
- app.kubernetes.io/created-by: eraser
- app.kubernetes.io/part-of: eraser
- app.kubernetes.io/managed-by: kustomize
- name: eraserconfig-viewer-role
-rules:
-- apiGroups:
- - eraser.sh
- resources:
- - eraserconfigs
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - eraser.sh
- resources:
- - eraserconfigs/status
- verbs:
- - get
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 408f075d94..d95d622b31 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - imagejob_pods_cluster_role.yaml
 - imagejob_pods_service.yaml
 - imagejob_pods_cluster_role_binding.yaml
+- cluster_role_binding.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 53ddc8b2f6..c5625d46d5 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,18 +4,6 @@ kind: ClusterRole
 metadata:
 name: manager-role
 rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - ""
 resources:
@@ -25,32 +13,29 @@ rules:
 - list
 - watch
 - apiGroups:
- - ""
+ - eraser.sh
 resources:
- - pods
+ - imagejobs
 verbs:
 - create
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
- - ""
+ - eraser.sh
 resources:
- - podtemplates
+ - imagejobs/status
 verbs:
- - create
- - delete
 - get
- - list
 - patch
 - update
- - watch
 - apiGroups:
 - eraser.sh
 resources:
- - imagejobs
+ - imagelists
 verbs:
 - create
 - delete
@@ -62,15 +47,22 @@ rules:
 - apiGroups:
 - eraser.sh
 resources:
- - imagejobs/status
+ - imagelists/status
 verbs:
 - get
 - patch
 - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ namespace: system
+rules:
 - apiGroups:
- - eraser.sh
+ - ""
 resources:
- - imagelists
+ - configmaps
 verbs:
 - create
 - delete
@@ -80,10 +72,25 @@ rules:
 - update
 - watch
 - apiGroups:
- - eraser.sh
+ - ""
 resources:
- - imagelists/status
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - podtemplates
 verbs:
+ - create
+ - delete
 - get
+ - list
 - patch
 - update
+ - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 2070ede446..0f67d06101 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -1,10 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
 name: manager-rolebinding
+ namespace: system
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: Role
 name: manager-role
 subjects:
 - kind: ServiceAccount
diff --git a/controllers/imagecollector/imagecollector_controller.go b/controllers/imagecollector/imagecollector_controller.go
index 9201add8ed..c92fba5114 100644
--- a/controllers/imagecollector/imagecollector_controller.go
+++ b/controllers/imagecollector/imagecollector_controller.go
@@ -198,7 +198,11 @@ func add(mgr manager.Manager, r *Reconciler) error {
 return nil
 }
 
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",namespace="system",resources=pods,verbs=get;list;watch;update;create;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/imagejob/imagejob_controller.go b/controllers/imagejob/imagejob_controller.go
index 2a83867fb8..bb3a7ba76f 100644
--- a/controllers/imagejob/imagejob_controller.go
+++ b/controllers/imagejob/imagejob_controller.go
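Review bot: The new `namespace="system"` markers on the podtemplates and pods rules here (and on configmaps in imagejob_controller.go, pods and podtemplates in imagelist_controller.go) move those permissions from a ClusterRole to a Role, but nothing in this diff changes how the manager's client or informer cache is configured; if the controller-runtime cache still lists and watches pods, configmaps or podtemplates cluster-wide, those informers will be denied at startup and the reconcilers will stop receiving events for them. I would confirm that the manager's cache options restrict these three types to the operator namespace and that every get, list or delete of a pod in these reconcilers supplies that namespace, and record the constraint above the markers: `// pods, podtemplates and configmaps are granted by a namespaced Role; the manager cache must be restricted to the operator namespace for these types`. The imagelists and nodes markers added in this hunk repeat the ones already present in imagelist_controller.go; controller-gen merges identical rules so the generated manifest is unaffected, but keeping each resource's marker in the controller that actually uses it makes the generated Role easier to audit. The enclosing function `add` begins before this hunk and the reconcilers these markers describe are outside it.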
@@ -189,9 +189,9 @@ func checkNodeFitness(pod *corev1.Pod, node *corev1.Node) bool {
 }
 
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/imagelist/imagelist_controller.go b/controllers/imagelist/imagelist_controller.go
index 96d1b5ed04..109b67ca20 100644
--- a/controllers/imagelist/imagelist_controller.go
+++ b/controllers/imagelist/imagelist_controller.go
@@ -122,10 +122,10 @@ type Reconciler struct {
 }
 
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagelists/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
-//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;update;create;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=pods,verbs=get;list;watch;update;create;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml b/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml
index 892b07ffce..370e54df3c 100644
--- a/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml
+++ b/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml
@@ -8,18 +8,6 @@ metadata:
 helm.sh/chart: '{{ template "eraser.name" . }}'
 name: eraser-manager-role
 rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - ""
 resources:
@@ -28,29 +16,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - create
- - delete
- - get
- - list
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - podtemplates
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - eraser.sh
 resources:
diff --git a/manifest_staging/charts/eraser/templates/eraser-manager-role-role.yaml b/manifest_staging/charts/eraser/templates/eraser-manager-role-role.yaml
new file mode 100644
index 0000000000..8e5624bd1e
--- /dev/null
+++ b/manifest_staging/charts/eraser/templates/eraser-manager-role-role.yaml
@@ -0,0 +1,46 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+ app.kubernetes.io/name: '{{ template "eraser.name" . }}'
+ helm.sh/chart: '{{ template "eraser.name" . }}'
+ name: eraser-manager-role
+ namespace: '{{ .Release.Namespace }}'
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - podtemplates
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml b/manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml
new file mode 100644
index 0000000000..94262d3948
--- /dev/null
+++ b/manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+ app.kubernetes.io/name: '{{ template "eraser.name" . }}'
+ helm.sh/chart: '{{ template "eraser.name" . }}'
+ name: eraser-manager-rolebinding
+ namespace: '{{ .Release.Namespace }}'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: eraser-manager-role
+subjects:
+- kind: ServiceAccount
+ name: eraser-controller-manager
+ namespace: '{{ .Release.Namespace }}'
diff --git a/manifest_staging/deploy/eraser.yaml b/manifest_staging/deploy/eraser.yaml
index a8cfff1f61..f0ccc17325 100644
--- a/manifest_staging/deploy/eraser.yaml
+++ b/manifest_staging/deploy/eraser.yaml
@@ -292,15 +292,10 @@ metadata:
 namespace: eraser-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: eraser-imagejob-pods-cluster-role
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: eraser-manager-role
+ namespace: eraser-system
 rules:
 - apiGroups:
 - ""
@@ -317,33 +312,45 @@ rules:
 - apiGroups:
 - ""
 resources:
- - nodes
+ - pods
 verbs:
+ - create
+ - delete
 - get
 - list
+ - update
 - watch
 - apiGroups:
 - ""
 resources:
- - pods
+ - podtemplates
 verbs:
 - create
 - delete
 - get
 - list
+ - patch
 - update
 - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: eraser-imagejob-pods-cluster-role
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: eraser-manager-role
+rules:
 - apiGroups:
 - ""
 resources:
- - podtemplates
+ - nodes
 verbs:
- - create
- - delete
 - get
 - list
- - patch
- - update
 - watch
 - apiGroups:
 - eraser.sh
@@ -387,6 +394,20 @@ rules:
 - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: eraser-manager-rolebinding
+ namespace: eraser-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: eraser-manager-role
+subjects:
+- kind: ServiceAccount
+ name: eraser-controller-manager
+ namespace: eraser-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: eraser-imagejob-pods-cluster-rolebinding