diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/tekton-chains/chain-tenant-access-cluster-role.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/tekton-chains/chain-tenant-access-cluster-role.yaml
new file mode 100644
index 0000000..6236518
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/tekton-chains/chain-tenant-access-cluster-role.yaml
@@ -0,0 +1,22 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ # This is the access that the controller needs on a per-namespace basis.
+ name: tekton-chains-controller-tenant-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+rules:
+ # Read-write access to create Pods, K8s Events and PVCs (for Workspaces)
+ - apiGroups: [""]
+ resources: ["pods", "pods/log", "events", "persistentvolumeclaims"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ # Read-only access to these.
+ - apiGroups: [""]
+ resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
+ verbs: ["get", "list", "watch"]
+ # Read-write access to StatefulSets for Affinity Assistant.
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/tekton-chains/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/tekton-chains/kustomization.yaml
index 4ac0388..8c1355f 100644
--- a/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/tekton-chains/kustomization.yaml
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/tekton-chains/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - chains-cluster-role.yaml
+- chain-tenant-access-cluster-role.yaml
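Review bot: ClusterRole `tekton-chains-controller-tenant-access` is defined here and again, byte for byte, as the second document of tekton-chains/base/clusterrole.yaml in this same commit, and the bundle kustomization now pulls in both `clusterroles/tekton-chains` and `../../../tekton-chains/overlays/rosa`; if that overlay reaches base/clusterrole.yaml, `kustomize build` rejects the duplicate resource id instead of merging it. Keep one copy (the cluster-scope one matches where the existing chains-cluster-role.yaml lives, judging by the kustomization context lines) and drop the other. Separately, the rule comments ("for Workspaces", "Affinity Assistant") describe Tekton Pipelines controller features; once bound through a ClusterRoleBinding this grants the chains service account create/delete on Pods, PVCs and StatefulSets and read on Secrets and ServiceAccounts in every namespace, which looks wider than a controller that observes runs needs — worth trimming to the verbs the chains controller actually exercises, if it does not create those objects itself.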
diff --git a/cluster-scope/bundles/tekton-chains/kustomization.yaml b/cluster-scope/bundles/tekton-chains/kustomization.yaml
index 7c759a4..055d6ac 100644
--- a/cluster-scope/bundles/tekton-chains/kustomization.yaml
+++ b/cluster-scope/bundles/tekton-chains/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - ../../base/core/namespaces/tekton-chains
 - ../../base/rbac.authorization.k8s.io/clusterrolebindings/tekton-chains
 - ../../base/rbac.authorization.k8s.io/clusterroles/tekton-chains
+ - ../../../tekton-chains/overlays/rosa
diff --git a/tekton-chains/base/clusterrole.yaml b/tekton-chains/base/clusterrole.yaml
new file mode 100644
index 0000000..250d491
--- /dev/null
+++ b/tekton-chains/base/clusterrole.yaml
@@ -0,0 +1,47 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-chains-controller-cluster-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+rules:
+ - apiGroups: [""]
+ # Controller needs to watch Pods created by TaskRuns to see them progress.
+ resources: ["pods"]
+ verbs: ["list", "watch"]
+ # Controller needs cluster access to all of the CRDs that it is responsible for
+ # managing.
+ - apiGroups: ["tekton.dev"]
+ resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions", "runs"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["tekton.dev"]
+ resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["tekton.dev"]
+ resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ # This is the access that the controller needs on a per-namespace basis.
+ name: tekton-chains-controller-tenant-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+rules:
+ # Read-write access to create Pods, K8s Events and PVCs (for Workspaces)
+ - apiGroups: [""]
+ resources: ["pods", "pods/log", "events", "persistentvolumeclaims"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ # Read-only access to these.
+ - apiGroups: [""]
+ resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
+ verbs: ["get", "list", "watch"]
+ # Read-write access to StatefulSets for Affinity Assistant.
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/tekton-chains/base/deployment.yaml b/tekton-chains/base/deployment.yaml
new file mode 100644
index 0000000..438ec72
--- /dev/null
+++ b/tekton-chains/base/deployment.yaml
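Review bot: `tekton-chains-controller-cluster-access` grants create/update/delete cluster-wide on `tasks`, `clustertasks`, `pipelines`, `pipelineruns` and `runs` plus their status and finalizers; the comment "all of the CRDs that it is responsible for managing" reads as the Pipelines controller's role, whereas the chains controller watches TaskRuns/PipelineRuns and writes back to them, so `create`/`delete` on Task and Pipeline definitions is probably surplus and, should the controller's service account ever be compromised, would let it define and start workloads in every namespace. Trim to the verbs the controller actually uses — read on what it watches, update/patch only on the run objects it annotates — and verify that list against the controller's behaviour rather than this file. `pipelineresources` and `conditions` may no longer be served by the Pipelines version on this cluster; a rule naming an unserved resource is inert but misleading, so drop them if that is the case. The duplicate `tekton-chains-controller-tenant-access` document below is raised on the cluster-scope copy of the same file.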
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tekton-chains-controller
+ namespace: tekton-chains
+ labels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+ pipeline.tekton.dev/release: "devel"
+ version: "v0.14.0"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ labels:
+ app: tekton-chains-controller
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+ # # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "devel"
+ version: "v0.14.0"
+ spec:
+ serviceAccountName: tekton-chains-controller
+ containers:
+ - name: tekton-chains-controller
+ image: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.14.0@sha256:b10b5a6298fe78ffeb72b7ed69794b0e7315a952482b9bff80858bc6746cbe4f
+ volumeMounts:
+ - name: signing-secrets
+ mountPath: /etc/signing-secrets
+ - name: oidc-info
+ mountPath: /var/run/sigstore/cosign
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: METRICS_DOMAIN
+ value: tekton.dev/chains
+ securityContext:
+ allowPrivilegeEscalation: false
+ # User 65532 is the distroless nonroot user ID
+ runAsUser: 65532
+ runAsGroup: 65532
+ volumes:
+ - name: signing-secrets
+ secret:
+ secretName: signing-secrets
+ - name: oidc-info
+ projected:
+ sources:
+ # The "public good" instance supports tokens from EKS and GKE by default.
+ # The fulcio URL can also be redirected to an instance that has been
+ # configured to accept other issuers as well. Removing this volume
+ # completely will direct chains to use alternate ambient credentials
+ # (e.g. GKE workload identity, SPIFFE)
+ - serviceAccountToken:
+ path: oidc-token
+ expirationSeconds: 600 # Use as short-lived as possible.
+ audience: sigstore
diff --git a/tekton-chains/base/kustomization.yaml b/tekton-chains/base/kustomization.yaml
index 9de1632..fb8214b 100644
--- a/tekton-chains/base/kustomization.yaml
+++ b/tekton-chains/base/kustomization.yaml
@@ -7,3 +7,6 @@ resources:
 - chains-logging-cm.yaml
 - chains-scc.yaml
 - signing-secret-sealed.yaml
+ - deployment.yaml
+ - role.yaml
+ - rolebinding.yaml
diff --git a/tekton-chains/base/role.yaml b/tekton-chains/base/role.yaml
new file mode 100644
index 0000000..12a8ba7
--- /dev/null
+++ b/tekton-chains/base/role.yaml
@@ -0,0 +1,31 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-chains-leader-election
+ namespace: tekton-chains
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+rules:
+ # We uses leases for leaderelection
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tekton-chains-info
+ namespace: tekton-chains
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+rules:
+ # All system:authenticated users need to have access
+ # to the chains-info ConfigMap even if they don't
+ # have access to other resources present in the
+ # installed namespace
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["chains-info"]
+ verbs: ["get"]
diff --git a/tekton-chains/base/rolebinding.yaml b/tekton-chains/base/rolebinding.yaml
new file mode 100644
index 0000000..c4e4db2
--- /dev/null
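Review bot: The container `securityContext` sets `allowPrivilegeEscalation: false` and a fixed non-root UID but never asserts it; add `runAsNonRoot: true` so the kubelet refuses to start the pod if the image ever resolves to UID 0, plus `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` to satisfy the restricted Pod Security Standard. `readOnlyRootFilesystem: true` probably fits as well, since the only mounts are the signing-secrets Secret and the projected token, but confirm the controller writes nowhere else first. Pinning the image by digest and scoping the projected token to audience sigstore with a 600 s lifetime are both good. With no `resources` block the pod is BestEffort and the first to be evicted under memory pressure, so set at least a memory request. Whether the fixed UID 65532 is admitted on OpenShift depends on the SCC in chains-scc.yaml, which the base kustomization references but this diff does not show.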
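Review bot: The `tekton-chains-info` Role is correctly limited to `verbs: ["get"]` with `resourceNames: ["chains-info"]`, but that limit only applies to get/update/patch/delete; `resourceNames` has no effect on list or watch, so adding either verb later would expose every ConfigMap in the namespace to `system:authenticated` (the subject bound to it in rolebinding.yaml). A comment next to the verbs would preserve that intent: `# Keep to "get": resourceNames does not constrain list/watch, which would expose all ConfigMaps`. The leases comment has a typo, `# We uses leases for leaderelection` → `# We use Leases for leader election`, and the two documents order `kind`/`apiVersion` differently; pick one order for the file.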
+++ b/tekton-chains/base/rolebinding.yaml
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-chains-controller-leaderelection
+ namespace: tekton-chains
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+subjects:
+ - kind: ServiceAccount
+ name: tekton-chains-controller
+ namespace: tekton-chains
+roleRef:
+ kind: Role
+ name: tekton-chains-leader-election
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-chains-info
+ namespace: tekton-chains
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-chains
+subjects:
+ # Giving all system:authenticated users the access to the
+ # ConfigMap which contains version information
+ - kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tekton-chains-info
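Review bot: Binding `system:authenticated` to `tekton-chains-info` is acceptable only while the ConfigMap it points at holds nothing but version information; the `chains-info` ConfigMap is not in this diff and is not among the base kustomization resources visible here (chains-logging-cm.yaml, chains-scc.yaml, signing-secret-sealed.yaml), so confirm the same base creates it, otherwise this binding is dangling. `system:authenticated` covers every logged-in user and every service account in the cluster, so the Role it references must stay at `get` on that single name. The two `roleRef` blocks also order their keys differently (`kind`, `name`, `apiGroup` versus `apiGroup`, `kind`, `name`); harmless, but worth aligning for diffability.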