From 9d01f45d658280aac290298fb004ace4fb55eb19 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 2 Feb 2024 03:18:33 +0000
Subject: [PATCH] Add Role and RoleBinding

Add Role and RoleBinding for nghttpx-secret. Move permissions for events and leases to Role.
---
 README.md | 19 ++------------
 examples/default/service-account.yaml | 28 ++++++++++++++++++--
 examples/proxyproto/02-nghttpx-rbac.yaml | 22 +++++++++++----
 rc.yaml | 33 +++++++++++++++++++----
 4 files changed, 69 insertions(+), 33 deletions(-)

diff --git a/README.md b/README.md
index b1042571..6788a4ef 100644
--- a/README.md
+++ b/README.md
@@ -197,23 +197,8 @@ port specified by `--nghttpx-https-port` flag.
 > v0.66.0, copy Secret `nghttpx-quic-km` to `nghttpx-km`, and upgrade
 > nghttpx-ingress-controller.
 
-HTTP/3 requires writing Secret and extra capabilities to load eBPF
-program. For writing Secret, you might need to add the following
-entry to ClusterRole:
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-...
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "update", "patch"]
-...
-```
-
-Add the following capabilities to the nghttpx-ingress-controller
-container:
+HTTP/3 requires the extra capabilities to load eBPF program. Add the
+following capabilities to the nghttpx-ingress-controller container:
 
 ```yaml
 apiVersion: apps/v1
diff --git a/examples/default/service-account.yaml b/examples/default/service-account.yaml
index c83f50d8..46116ab2 100644
--- a/examples/default/service-account.yaml
+++ b/examples/default/service-account.yaml
@@ -21,6 +21,29 @@ rules: - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ingress +subjects: +- kind: ServiceAccount + name: ingress + namespace: kube-system +roleRef: + kind: ClusterRole + name: ingress + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ingress + namespace: kube-system +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "update", "patch"] - apiGroups: ["events.k8s.io"] resources: ["events"] verbs: ["create", "patch"] @@ -28,15 +51,16 @@ rules: resources: ["leases"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] --- -kind: ClusterRoleBinding +kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ingress + namespace: kube-system subjects: - kind: ServiceAccount name: ingress namespace: kube-system roleRef: - kind: ClusterRole + kind: Role name: ingress apiGroup: rbac.authorization.k8s.io diff --git a/examples/proxyproto/02-nghttpx-rbac.yaml b/examples/proxyproto/02-nghttpx-rbac.yaml index c0a56a76..cf88b47d 100644 --- a/examples/proxyproto/02-nghttpx-rbac.yaml +++ b/examples/proxyproto/02-nghttpx-rbac.yaml @@ -43,13 +43,6 @@ rules: - get - list - watch - - apiGroups: - - "events.k8s.io" - resources: - - events - verbs: - - create - - patch - apiGroups: - "networking.k8s.io" resources: @@ -107,6 +100,21 @@ rules: - get - create - update + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update + - patch + - apiGroups: + - "events.k8s.io" + resources: + - events + verbs: + - create + - patch - apiGroups: - "coordination.k8s.io" resources: diff --git a/rc.yaml b/rc.yaml index 32c580bf..4d77e462 100644 --- a/rc.yaml +++ b/rc.yaml 
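Review bot: The first rule of the new Role grants `create`, `update` and `patch` on every Secret in `kube-system`, a namespace that holds other components' credentials, while the controller only needs to write its own key-material Secret (the README context in this patch calls it `nghttpx-km`). Scoping the grant to a namespace is a real improvement over the old ClusterRole, but `update`/`patch` can be narrowed further with `resourceNames`; `create` cannot be restricted that way in Kubernetes RBAC, so it needs its own rule. The Secret name below is inferred from the README hunk, not from controller code, so confirm it before pinning.
```yaml
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["nghttpx-km"]
  verbs: ["update", "patch"]
# … unchanged: events and leases rules …
```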
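Review bot: The `secrets` rule added in the second hunk of `02-nghttpx-rbac.yaml` belongs to a rules list whose owning object starts outside the hunk; if that object is a ClusterRole, the rule grants Secret create/update/patch in every namespace, which is exactly the scope the other two manifests in this commit deliberately move into a namespaced Role. Consider moving this rule, together with the `events` and `leases` rules that follow it, into a Role and RoleBinding in the controller's namespace, mirroring `examples/default/service-account.yaml`, or at minimum restrict `update`/`patch` with `resourceNames`. A short comment above the rule, `# Secret write access is only needed for HTTP/3 key material`, would also carry the rationale that rc.yaml previously stated and this patch drops.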
@@ -77,28 +77,47 @@ rules:
 - apiGroups: ["discovery.k8s.io"]
   resources: ["endpointslices"]
   verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress
+subjects:
+- kind: ServiceAccount
+  name: ingress
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: ingress
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress
+  namespace: kube-system
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "update", "patch"]
 - apiGroups: ["events.k8s.io"]
   resources: ["events"]
   verbs: ["create", "patch"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-# Permission to write Secret is required for HTTP/3.
-# You can remove it if HTTP/3 is not used.
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "update", "patch"]
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ingress
+  namespace: kube-system
 subjects:
 - kind: ServiceAccount
   name: ingress
   namespace: kube-system
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: ingress
   apiGroup: rbac.authorization.k8s.io
 ---
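Review bot: The secrets rule that opens the new Role no longer carries the comment the old ClusterRole had above it (`# Permission to write Secret is required for HTTP/3.` and `# You can remove it if HTTP/3 is not used.`), and the README hunk in this same patch removes its Secret-permission section, so the shipped manifest now gives an operator no hint that this write grant is optional; reinstate the two comment lines above the rule. Separately, the grant covers every Secret in `kube-system`, and because `resourceNames` does not apply to `create`, the tighter shape is one rule for `create` and a second, name-restricted rule for `update`/`patch`. The Secret name used below comes from the README context in this patch (`nghttpx-km`); confirm it against the controller before relying on it.
```yaml
rules:
# Permission to write Secret is required for HTTP/3.
# You can remove both secrets rules if HTTP/3 is not used.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["nghttpx-km"]
  verbs: ["update", "patch"]
# … unchanged: events and leases rules, RoleBinding …
```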