chore: narrow down the rbac permissions for schedualer #2024

Merged
merged 1 commit into from
Dec 19, 2024
113 changes: 75 additions & 38 deletions cli/cmd/resources/scheduler.go
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/odigos-io/odigos/cli/pkg/containers"
"github.com/odigos-io/odigos/cli/pkg/kube"
"github.com/odigos-io/odigos/common"
"github.com/odigos-io/odigos/common/consts"

appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
Expand All @@ -17,11 +18,16 @@ import (
)

const (
SchedulerImage = "keyval/odigos-scheduler"
SchedulerServiceName = "scheduler"
SchedulerDeploymentName = "odigos-scheduler"
SchedulerAppLabelValue = "odigos-scheduler"
SchedulerContainerName = "manager"
SchedulerImage = "keyval/odigos-scheduler"
SchedulerServiceName = "scheduler"
SchedulerDeploymentName = "odigos-scheduler"
SchedulerAppLabelValue = SchedulerDeploymentName
SchedulerRoleName = SchedulerDeploymentName
SchedulerRoleBindingName = SchedulerDeploymentName
SchedulerClusterRoleName = SchedulerDeploymentName
SchedulerClusterRoleBindingName = SchedulerDeploymentName
SchedulerServiceAccountName = SchedulerDeploymentName
SchedulerContainerName = "manager"
)

func NewSchedulerServiceAccount(ns string) *corev1.ServiceAccount {
Expand All @@ -31,13 +37,13 @@ func NewSchedulerServiceAccount(ns string) *corev1.ServiceAccount {
APIVersion: "v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "odigos-scheduler",
Name: SchedulerServiceAccountName,
Namespace: ns,
},
}
}

func NewSchedulerRoleBinding(ns string) *rbacv1.RoleBinding {
func NewSchedulerLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding {
return &rbacv1.RoleBinding{
could we just embed the role and rolebinding yamls and marshal them to the API types? Then we can keep them in one spot that's a little more readable

Yes, they are currently duplicated between helm and the CLI. We sync them manually but need to find a better way to have them in just one place.

Opened #2047 to track (gh issue since it's not high priority)

TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
Expand All @@ -50,7 +56,7 @@ func NewSchedulerRoleBinding(ns string) *rbacv1.RoleBinding {
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: "odigos-scheduler",
Name: SchedulerServiceAccountName,
},
},
RoleRef: rbacv1.RoleRef{
Expand All @@ -61,42 +67,48 @@ func NewSchedulerRoleBinding(ns string) *rbacv1.RoleBinding {
}
}

func NewSchedulerClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
func NewSchedulerRole(ns string) *rbacv1.Role {
return &rbacv1.Role{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRole",
Kind: "Role",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "odigos-scheduler",
Name: SchedulerRoleName,
Namespace: ns,
},
Rules: []rbacv1.PolicyRule{
{
Verbs: []string{
"create",
"delete",
"get",
"list",
"patch",
"update",
"watch",
},
APIGroups: []string{
"odigos.io",
"",
},
Resources: []string{
"collectorsgroups",
"configmaps",
},
ResourceNames: []string{
consts.OdigosConfigurationName,
},
},
{
Verbs: []string{
"create",
"delete",
"get",
"list",
"patch",
"update",
"watch",
},
APIGroups: []string{
"odigos.io",
},
Resources: []string{
"collectorsgroups/finalizers",
"collectorsgroups",
},
},
{
Expand All @@ -114,12 +126,8 @@ func NewSchedulerClusterRole() *rbacv1.ClusterRole {
},
{
Verbs: []string{
"create",
"delete",
"get",
"list",
"patch",
"update",
"watch",
},
APIGroups: []string{
Expand All @@ -129,17 +137,6 @@ func NewSchedulerClusterRole() *rbacv1.ClusterRole {
"destinations",
},
},
{
Verbs: []string{
"update",
},
APIGroups: []string{
"odigos.io",
},
Resources: []string{
"destinations/finalizers",
},
},
{
Verbs: []string{
"get",
Expand All @@ -153,6 +150,44 @@ func NewSchedulerClusterRole() *rbacv1.ClusterRole {
"destinations/status",
},
},
},
}
}

func NewSchedulerRoleBinding(ns string) *rbacv1.RoleBinding {
return &rbacv1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: SchedulerRoleBindingName,
Namespace: ns,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: SchedulerServiceAccountName,
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "Role",
Name: SchedulerRoleName,
},
}
}

func NewSchedulerClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRole",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: SchedulerClusterRoleName,
},
Rules: []rbacv1.PolicyRule{
{
Verbs: []string{
"list",
Expand All @@ -173,19 +208,19 @@ func NewSchedulerClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "odigos-scheduler",
Name: SchedulerClusterRoleBindingName,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: "odigos-scheduler",
Name: SchedulerServiceAccountName,
Namespace: ns,
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "odigos-scheduler",
Name: SchedulerClusterRoleName,
},
}
}
Expand Down Expand Up @@ -285,7 +320,7 @@ func NewSchedulerDeployment(ns string, version string, imagePrefix string) *apps
},
},
TerminationGracePeriodSeconds: ptrint64(10),
ServiceAccountName: "odigos-scheduler",
ServiceAccountName: SchedulerServiceAccountName,
SecurityContext: &corev1.PodSecurityContext{
RunAsNonRoot: ptrbool(true),
},
Expand Down Expand Up @@ -313,6 +348,8 @@ func (a *schedulerResourceManager) Name() string { return "Scheduler" }
func (a *schedulerResourceManager) InstallFromScratch(ctx context.Context) error {
resources := []kube.Object{
NewSchedulerServiceAccount(a.ns),
NewSchedulerLeaderElectionRoleBinding(a.ns),
NewSchedulerRole(a.ns),
NewSchedulerRoleBinding(a.ns),
NewSchedulerClusterRole(),
NewSchedulerClusterRoleBinding(a.ns),
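Review bot: The const block in the `@@ -17,11 +18,16 @@` hunk derives every RBAC object name from SchedulerDeploymentName but does not record that these strings must stay equal to the literal `odigos-scheduler` used in helm/odigos/templates/scheduler/*.yaml, which the review thread says is synced by hand. A comment on the block would make that coupling visible: `// RBAC object names below must match the literal names in helm/odigos/templates/scheduler/*.yaml, which are maintained separately.` The new Role built in NewSchedulerRole also ends up with the same name as the ClusterRole (both constants resolve to SchedulerDeploymentName); that is legal because they are different kinds, but a one-line note such as `// same name as the ClusterRole; distinct kinds, so no collision` saves the next reader a check. NewSchedulerRole's rule list continues outside the hunk.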
33 changes: 2 additions & 31 deletions helm/odigos/templates/scheduler/clusterrole.yaml
Expand Up @@ -3,40 +3,11 @@ kind: ClusterRole
metadata:
name: odigos-scheduler
rules:
- apiGroups:
- odigos.io
resources:
- collectorsgroups
- destinations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- odigos.io
resources:
- collectorsgroups/finalizers
- destinations/finalizers
verbs:
- update
- apiGroups:
- odigos.io
resources:
- collectorsgroups/status
- destinations/status
verbs:
- get
- patch
- update
- apiGroups:
- odigos.io
resources:
- instrumentationconfigs
verbs:
- get
- list
- watch
- get
- watch
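Review bot: The ClusterRole that survives this hunk is reduced to a single read-only rule on instrumentationconfigs, but nothing records why that rule still needs cluster scope while every other scheduler permission moved to the namespaced Role in role.yaml. A comment above the rule would keep the next narrowing honest, e.g. `# Kept cluster-scoped: the scheduler reads instrumentationconfigs across namespaces; everything else is namespaced in role.yaml` — presumably that is the reason, so confirm it against the scheduler's watch setup before wording it as fact. The enclosing rules list starts above the hunk.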
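--- a/helm/odigos/templates/scheduler/role-binding.yaml
+++ b/helm/odigos/templates/scheduler/role-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: odigos-scheduler
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: odigos-scheduler
+subjects:
+- kind: ServiceAccount
+name: odigos-scheduler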
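--- a/helm/odigos/templates/scheduler/role.yaml
+++ b/helm/odigos/templates/scheduler/role.yaml
@@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: odigos-scheduler
+rules:
+- apiGroups:
+- ""
+resourceNames:
+- odigos-config
+resources:
+- configmaps
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- odigos.io
+resources:
+- collectorsgroups
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- odigos.io
+resources:
+- collectorsgroups/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- odigos.io
+resources:
+- destinations
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- odigos.io
+resources:
+- destinations/status
+verbs:
+- get
+- patch
+- update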
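Review bot: The first rule pairs `resourceNames: [odigos-config]` with the `list` and `watch` verbs; RBAC only authorizes a list or watch against a resourceName when the request carries a `metadata.name` field selector for that name, so an unfiltered list or watch of configmaps by the scheduler is denied outright rather than narrowed. The scheduler's manager cache does set `Field: odigosConfigSelector` for ConfigMap in scheduler/main.go, which presumably supplies that selector, but the dependency is invisible from this file. A short comment on the rule would keep it from being broken by a later cache change: `# list/watch are only granted for requests filtered by metadata.name=odigos-config; the scheduler's ConfigMap cache selector must stay in place`.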
6 changes: 6 additions & 0 deletions scheduler/main.go
Expand Up @@ -94,6 +94,12 @@ func main() {
&corev1.ConfigMap{}: {
Field: odigosConfigSelector,
},
&odigosv1.CollectorsGroup{}: {
Field: nsSelector,
},
&odigosv1.Destination{}: {
Field: nsSelector,
},
},
},
HealthProbeBindAddress: probeAddr,
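Review bot: The two new ByObject entries scope CollectorsGroup and Destination with `Field: nsSelector`, but nothing ties that to the reason they are needed: the CLI and helm changes in this PR move the scheduler's permissions for those kinds into a namespaced Role, so an unscoped list/watch at startup would now be forbidden. Stating that on the entries would stop a later cleanup from dropping them: `// Namespace-scoped to match the scheduler's Role; a cluster-wide list/watch is no longer permitted.` One caveat to confirm, since nsSelector is defined outside the hunk: RBAC derives the namespace from the request path, not from a metadata.namespace field selector, so if nsSelector is only a field selector the cache must also be confined through its namespace option (DefaultNamespaces or ByObject.Namespaces) for a namespaced Role to authorize the list. main continues on both sides of the hunk.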