Merge pull request #289 from peng9808/main

make data safer by default.in case user delete pvc by accident , and limit RBAC hwameistor-role permissions
hwameistor · Jul 26, 2024 · 2ad3d82 · 2ad3d82
2 parents ac32921 + d7ecf9e
commit 2ad3d82
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,5 @@
 FROM centos:7
 
-FROM centos:7
-
 # Update the CentOS repository configuration
 RUN sed -i 's|mirrorlist=http://mirrorlist.centos.org/?|#mirrorlist=http://mirrorlist.centos.org/?|g' /etc/yum.repos.d/CentOS-*.repo && \
     sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*.repo

diff --git a/helm/operator/templates/hwameistorcluster.yaml b/helm/operator/templates/hwameistorcluster.yaml
@@ -254,8 +254,8 @@ spec:
             operator: DoesNotExist
     chartVersion: "v0.4.1"
   storageClass:
-    allowVolumeExpansion: true
-    reclaimPolicy: "Delete"
+    allowVolumeExpansion: {{ $.Values.storageClass.allowVolumeExpansion }}
+    reclaimPolicy: {{ $.Values.storageClass.reclaimPolicy }}
     fsType: "xfs"
 
   dataLoadManager:

diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml
@@ -183,6 +183,13 @@ dataLoadInit:
   imageRepository: hwameistor/dataload-init
   tag: v0.0.1
 
+# StorageClass Settings
+storageClass:
+  # If allowed, volume can be expanded by modify pvc related field
+  allowVolumeExpansion: true
+  reclaimPolicy: Retain
+
+#storageClassReclaimPolicy: Retain > Delete
 #datasetDefaultPoolClass: NVMe > SSD > HDD
 
 # diskReserve example

diff --git a/pkg/install/rbac/rbac.go b/pkg/install/rbac/rbac.go
@@ -33,13 +33,109 @@ var clusterRole = rbacv1.ClusterRole{
 	},
 	Rules: []rbacv1.PolicyRule{
 		{
-			APIGroups: []string{"*"},
-			Resources: []string{"*"},
+			APIGroups: []string{"apiextensions.k8s.io"},
+			Resources: []string{"customresourcedefinitions"},
 			Verbs:     []string{"*"},
 		},
 		{
-			NonResourceURLs: []string{"*"},
-			Verbs:           []string{"*"},
+			APIGroups: []string{""},
+			Resources: []string{"nodes"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"persistentvolumes", "pods/binding", "pods/status"},
+			Verbs:     []string{"get", "list", "watch", "create", "delete", "update", "patch"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"persistentvolumeclaims"},
+			Verbs:     []string{"get", "list", "watch", "update", "patch"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"persistentvolumeclaims/status"},
+			Verbs:     []string{"update", "patch"},
+		},
+		{
+			APIGroups: []string{"storage.k8s.io"},
+			Resources: []string{"storageclasses"},
+			Verbs:     []string{"get", "list", "watch", "create", "update"},
+		},
+		{
+			APIGroups: []string{"storage.k8s.io"},
+			Resources: []string{"volumeattachments", "volumeattachments/status"},
+			Verbs:     []string{"get", "list", "watch", "update", "patch", "delete"},
+		},
+		{
+			APIGroups: []string{"apps"},
+			Resources: []string{"deployments", "daemonsets"},
+			Verbs:     []string{"get"},
+		},
+		{
+			APIGroups: []string{"apps"},
+			Resources: []string{"replicasets", "statefulsets"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"pods", "services", "replicationcontrollers"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"namespaces"},
+			Verbs:     []string{"get", "list", "watch", "update", "patch"},
+		},
+		{
+			APIGroups: []string{"policy"},
+			Resources: []string{"poddisruptionbudgets"},
+			Verbs:     []string{"get", "list", "watch", "update", "patch"},
+		},
+		{
+			APIGroups: []string{"", "events.k8s.io"},
+			Resources: []string{"events"},
+			Verbs:     []string{"get", "list", "watch", "create", "update"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"secrets"},
+			Verbs:     []string{"get", "list", "create"},
+		},
+		{
+			APIGroups: []string{"snapshot.storage.k8s.io"},
+			Resources: []string{"volumesnapshots", "volumesnapshotcontents", "volumesnapshotclasses", "volumesnapshots/status", "volumesnapshotcontents/status"},
+			Verbs:     []string{"get", "list", "watch", "create", "delete", "update", "patch"},
+		},
+		{
+			APIGroups: []string{"storage.k8s.io"},
+			Resources: []string{"csinodes", "csidrivers", "csistoragecapacities"},
+			Verbs:     []string{"get", "list", "watch", "update"},
+		},
+		{
+			APIGroups: []string{"admissionregistration.k8s.io"},
+			Resources: []string{"mutatingwebhookconfigurations"},
+			Verbs:     []string{"get", "list", "watch", "update", "create"},
+		},
+		{
+			APIGroups: []string{"batch"},
+			Resources: []string{"jobs"},
+			Verbs:     []string{"get", "list", "watch", "update", "create", "delete"},
+		},
+		{
+			APIGroups: []string{"coordination.k8s.io"},
+			Resources: []string{"leases"},
+			Verbs:     []string{"get", "list", "watch", "update", "create"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"configmaps"},
+			Verbs:     []string{"get", "list", "watch", "update", "create"},
+		},
+		{
+			APIGroups: []string{"hwameistor.io"},
+			Resources: []string{"*"},
+			Verbs:     []string{"get", "list", "watch", "update", "create", "delete", "patch"},
 		},
 	},
 }

diff --git a/pkg/install/storageclass/storageclass.go b/pkg/install/storageclass/storageclass.go
@@ -34,7 +34,7 @@ func NewMaintainer(cli client.Client, clusterInstance *hwameistoroperatorv1alpha
 
 var volumeBindingWaitForFirstConsumer = storagev1.VolumeBindingWaitForFirstConsumer
 var defaultAllowVolumeExpansionBooleanValue = true
-var defaultReclaimPolicy = corev1.PersistentVolumeReclaimDelete
+var defaultReclaimPolicy = corev1.PersistentVolumeReclaimRetain
 var defaultDiskType = "HDD"
 var defaultFSType = "xfs"