Merge pull request spidernet-io#3522 from kaaass/pr/fix-rbac-ep

fix(charts): Remove unnecessary sensitive permissions for DaemonSet agent and Pod init
ty-dc · Jun 17, 2024 · f4d26b6 · f4d26b6
2 parents 1d2e1c8 + 78450f9
commit f4d26b6
Show file tree

Hide file tree

Showing 2 changed files with 291 additions and 27 deletions.
diff --git a/charts/spiderpool/templates/role.yaml b/charts/spiderpool/templates/role.yaml
@@ -2,7 +2,166 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: spiderpool-admin
+  name: {{ .Values.spiderpoolAgent.name | trunc 63 | trimSuffix "-" }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - namespaces
+  - pods/status
+  verbs:
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - k8s.cni.cncf.io
+  resources:
+  - network-attachment-definitions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - virtualmachineinstances
+  - virtualmachines
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - resource.k8s.io
+  resources:
+  - podschedulingcontexts
+  - podschedulingcontexts/status
+  - resourceclaims
+  - resourceclaims/status
+  - resourceclaimtemplates
+  - resourceclasses
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - spiderpool.spidernet.io
+  resources:
+  - spiderclaimparameters
+  - spidercoordinators
+  - spiderendpoints
+  - spiderippools
+  - spidermultusconfigs
+  - spiderreservedips
+  - spidersubnets
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - spiderpool.spidernet.io
+  resources:
+  - spidercoordinators/status
+  - spiderippools/status
+  - spidersubnets/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.spiderpoolController.name | trunc 63 | trimSuffix "-" }}
 rules:
 - apiGroups:
   - ""
@@ -112,12 +271,6 @@ rules:
   - kubevirt.io
   resources:
   - virtualmachineinstances
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - kubevirt.io
-  resources:
   - virtualmachines
   verbs:
   - get
@@ -141,9 +294,16 @@ rules:
   - spiderpool.spidernet.io
   resources:
   - spiderclaimparameters
+  - spidercoordinators
+  - spiderendpoints
+  - spiderippools
+  - spidermultusconfigs
+  - spiderreservedips
+  - spidersubnets
   verbs:
   - create
   - delete
+  - deletecollection
   - get
   - list
   - patch
@@ -152,27 +312,70 @@ rules:
 - apiGroups:
   - spiderpool.spidernet.io
   resources:
-  - spidercoordinators
+  - spidercoordinators/status
+  - spiderippools/status
+  - spidersubnets/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+{{- if or .Values.ipam.enableIPv4 .Values.ipam.enableIPv6 }}
+{{- if or .Values.clusterDefaultPool.installIPv4IPPool .Values.clusterDefaultPool.installIPv6IPPool .Values.coordinator.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.spiderpoolInit.name | trunc 63 | trimSuffix "-" }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - namespaces
+  - pods
+  - pods/status
   verbs:
-  - create
   - delete
+  - deletecollection
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - spiderpool.spidernet.io
+  - ""
   resources:
-  - spidercoordinators/status
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
   verbs:
+  - create
+  - delete
   - get
+  - list
   - patch
   - update
+  - watch
 - apiGroups:
-  - spiderpool.spidernet.io
+  - '*'
   resources:
-  - spiderendpoints
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
   verbs:
   - create
   - delete
@@ -182,30 +385,49 @@ rules:
   - update
   - watch
 - apiGroups:
-  - spiderpool.spidernet.io
+  - apiextensions.k8s.io
   resources:
-  - spiderippools
+  - customresourcedefinitions
   verbs:
   - create
   - delete
-  - deletecollection
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - spiderpool.spidernet.io
+  - apps
   resources:
-  - spiderippools/status
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
   verbs:
   - get
-  - patch
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
   - update
 - apiGroups:
-  - spiderpool.spidernet.io
+  - k8s.cni.cncf.io
   resources:
-  - spidermultusconfigs
+  - network-attachment-definitions
   verbs:
   - create
   - delete
@@ -215,12 +437,23 @@ rules:
   - update
   - watch
 - apiGroups:
-  - spiderpool.spidernet.io
+  - kubevirt.io
   resources:
-  - spiderreservedips
+  - virtualmachineinstances
+  - virtualmachines
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - resource.k8s.io
+  resources:
+  - podschedulingcontexts
+  - podschedulingcontexts/status
+  - resourceclaims
+  - resourceclaims/status
+  - resourceclaimtemplates
+  - resourceclasses
   verbs:
-  - create
-  - delete
   - get
   - list
   - patch
@@ -229,10 +462,17 @@ rules:
 - apiGroups:
   - spiderpool.spidernet.io
   resources:
+  - spiderclaimparameters
+  - spidercoordinators
+  - spiderendpoints
+  - spiderippools
+  - spidermultusconfigs
+  - spiderreservedips
   - spidersubnets
   verbs:
   - create
   - delete
+  - deletecollection
   - get
   - list
   - patch
@@ -241,8 +481,12 @@ rules:
 - apiGroups:
   - spiderpool.spidernet.io
   resources:
+  - spidercoordinators/status
+  - spiderippools/status
   - spidersubnets/status
   verbs:
   - get
   - patch
   - update
+{{- end }}
+{{- end }}