From 78450f925fb0389f1a97fba45b59f30d12d80109 Mon Sep 17 00:00:00 2001
From: KAAAsS
Date: Sat, 25 May 2024 22:35:50 +0800
Subject: [PATCH] fix(charts): Remove unnecessary sensitive permissions for DaemonSet agent and Pod init

Signed-off-by: KAAAsS
---
charts/spiderpool/templates/role.yaml | 294 ++++++++++++++++--
charts/spiderpool/templates/role_binding.yaml | 24 +-
2 files changed, 291 insertions(+), 27 deletions(-)

diff --git a/charts/spiderpool/templates/role.yaml b/charts/spiderpool/templates/role.yaml
index bec7c2bef1..b4483502f5 100644
--- a/charts/spiderpool/templates/role.yaml
+++ b/charts/spiderpool/templates/role.yaml
@@ -2,7 +2,166 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: spiderpool-admin + name: {{ .Values.spiderpoolAgent.name | trunc 63 | trimSuffix "-" }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - namespaces + - pods/status + verbs: + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - nodes + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kubevirt.io + resources: + - virtualmachineinstances + - virtualmachines + verbs: + - get + - list +- apiGroups: + - resource.k8s.io + resources: + - podschedulingcontexts + - podschedulingcontexts/status + - resourceclaims + - resourceclaims/status + - resourceclaimtemplates + - resourceclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - spiderpool.spidernet.io + resources: + - spiderclaimparameters + - spidercoordinators + - spiderendpoints + - spiderippools + - spidermultusconfigs + - 
spiderreservedips + - spidersubnets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - spiderpool.spidernet.io + resources: + - spidercoordinators/status + - spiderippools/status + - spidersubnets/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.spiderpoolController.name | trunc 63 | trimSuffix "-" }} rules: - apiGroups: - "" @@ -112,12 +271,6 @@ rules: - kubevirt.io resources: - virtualmachineinstances - verbs: - - get - - list -- apiGroups: - - kubevirt.io - resources: - virtualmachines verbs: - get @@ -141,9 +294,16 @@ rules: - spiderpool.spidernet.io resources: - spiderclaimparameters + - spidercoordinators + - spiderendpoints + - spiderippools + - spidermultusconfigs + - spiderreservedips + - spidersubnets verbs: - create - delete + - deletecollection - get - list - patch 
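Review bot: The new agent ClusterRole in the `@@ -2,7 +2,166 @@` hunk still grants `create`/`patch`/`update`/`delete` on `mutatingwebhookconfigurations`, `validatingwebhookconfigurations` and `customresourcedefinitions`, plus `delete`/`deletecollection` on `namespaces` and `configmaps`, which sits oddly with the commit's stated goal for the DaemonSet agent: this ServiceAccount's token is mounted on every node, and write access to admission webhook configurations alone lets its holder intercept every API request in the cluster. Unless the agent itself registers webhooks or installs CRDs (which presumably is the controller's job), those rules should shrink to `get`/`list`/`watch`, and the namespace rule to read-only. The rule set is otherwise a near copy of the controller role that follows; a one-line comment above each role naming which component needs each write verb would make the next trim easier to review.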
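Review bot: Folding the per-resource rules into a single list in the `@@ -141,9 +294,16 @@` hunk also grants `deletecollection` on every spiderpool.spidernet.io resource, whereas the removed rules in the later hunks show it was previously held only for `spiderippools`. If the controller really needs bulk deletion of spiderendpoints, spidersubnets and the rest, say so in the commit message; otherwise keep `deletecollection` in a separate rule scoped to `- spiderippools`. The enclosing rules list continues past the end of this hunk.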
@@ -152,27 +312,70 @@ rules: - apiGroups: - spiderpool.spidernet.io resources: - - spidercoordinators + - spidercoordinators/status + - spiderippools/status + - spidersubnets/status + verbs: + - get + - patch + - update +--- +{{- if or .Values.ipam.enableIPv4 .Values.ipam.enableIPv6 }} +{{- if or .Values.clusterDefaultPool.installIPv4IPPool .Values.clusterDefaultPool.installIPv6IPPool .Values.coordinator.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.spiderpoolInit.name | trunc 63 | trimSuffix "-" }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - namespaces + - pods + - pods/status verbs: - - create - delete + - deletecollection - get - list - patch - update - watch - apiGroups: - - spiderpool.spidernet.io + - "" resources: - - spidercoordinators/status + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events verbs: + - create + - delete - get + - list - patch - update + - watch - apiGroups: - - spiderpool.spidernet.io + - '*' resources: - - spiderendpoints + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations verbs: - create - delete 
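Review bot: The init ClusterRole introduced in this hunk contains a wildcard rule, `- apiGroups: - '*'` with `resources: - '*'` and `get`/`list`/`watch`, which is cluster-wide read access to every resource type, including `secrets`, for a one-shot init Pod whose permissions the commit title says were reduced. Replace the wildcard with the concrete resource types the init job actually lists, as the rest of the role already does. The same role's first rule also carries `delete`/`deletecollection` on `namespaces` and `pods`, which looks inherited from the old admin role rather than required; hedge accordingly if the init job does clean pods up. The `{{- if ... }}` guards opened here are closed by the `{{- end }}` lines in the `@@ -241,8 +481,12 @@` hunk.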
@@ -182,30 +385,49 @@ rules: - update - watch - apiGroups: - - spiderpool.spidernet.io + - apiextensions.k8s.io resources: - - spiderippools + - customresourcedefinitions verbs: - create - delete - - deletecollection - get - list - patch - update - watch - apiGroups: - - spiderpool.spidernet.io + - apps resources: - - spiderippools/status + - daemonsets + - deployments + - replicasets + - statefulsets verbs: - get - - patch + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get - update - apiGroups: - - spiderpool.spidernet.io + - k8s.cni.cncf.io resources: - - spidermultusconfigs + - network-attachment-definitions verbs: - create - delete @@ -215,12 +437,23 @@ rules: - update - watch - apiGroups: - - spiderpool.spidernet.io + - kubevirt.io resources: - - spiderreservedips + - virtualmachineinstances + - virtualmachines + verbs: + - get + - list +- apiGroups: + - resource.k8s.io + resources: + - podschedulingcontexts + - podschedulingcontexts/status + - resourceclaims + - resourceclaims/status + - resourceclaimtemplates + - resourceclasses verbs: - - create - - delete - get - list - patch @@ -229,10 +462,17 @@ rules: - apiGroups: - spiderpool.spidernet.io resources: + - spiderclaimparameters + - spidercoordinators + - spiderendpoints + - spiderippools + - spidermultusconfigs + - spiderreservedips - spidersubnets verbs: - create - delete + - deletecollection - get - list - patch @@ -241,8 +481,12 @@ rules: - apiGroups: - spiderpool.spidernet.io resources: + - spidercoordinators/status + - spiderippools/status - spidersubnets/status verbs: - get - patch - update +{{- end }} +{{- end }} diff --git a/charts/spiderpool/templates/role_binding.yaml b/charts/spiderpool/templates/role_binding.yaml index f183176705..d1457c3e50 100644 --- a/charts/spiderpool/templates/role_binding.yaml 
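Review bot: In the `@@ -182,30 +385,49 @@` hunk the init role's `apiextensions.k8s.io` / `customresourcedefinitions` rule keeps `create`, `delete`, `patch` and `update` (the `- create` / `- delete` context lines now belong to the init role instead of the controller's old spiderippools rule), and the `admissionregistration.k8s.io` rule that ends in the previous hunk does the same. If the init job only waits for the CRDs and webhook configurations to exist, `get`/`list`/`watch` suffice; if it installs them, a short comment above the rule stating that would justify the grant for the next reviewer. Because the verbs are unchanged context lines, the widening is easy to miss when reading only the `+` lines.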
+++ b/charts/spiderpool/templates/role_binding.yaml @@ -1,20 +1,40 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: spiderpool-admin + name: {{ .Values.spiderpoolAgent.name | trunc 63 | trimSuffix "-" }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: spiderpool-admin + name: {{ .Values.spiderpoolAgent.name | trunc 63 | trimSuffix "-" }} subjects: - kind: ServiceAccount name: {{ .Values.spiderpoolAgent.name | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Values.spiderpoolController.name | trunc 63 | trimSuffix "-" }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.spiderpoolController.name | trunc 63 | trimSuffix "-" }} +subjects: - kind: ServiceAccount name: {{ .Values.spiderpoolController.name | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace }} +--- {{- if or .Values.ipam.enableIPv4 .Values.ipam.enableIPv6 }} {{- if or .Values.clusterDefaultPool.installIPv4IPPool .Values.clusterDefaultPool.installIPv6IPPool .Values.coordinator.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Values.spiderpoolInit.name | trunc 63 | trimSuffix "-" }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.spiderpoolInit.name | trunc 63 | trimSuffix "-" }} +subjects: - kind: ServiceAccount name: {{ .Values.spiderpoolInit.name | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace }}