[Backport release-1.4] Feat: enhance controller auth by removing useless features & add authentication for componentrevision+healthcheck (#4023)

* Feat: use application identity in gc & componentrevision & collectHealthStatus Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit 63fc4bcc69) * Chore: remove useless features and roles Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit f4ef77b2b3) * Fix: remove DELETE from mutating webhook Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit 75f3d5dc35) * Chore: enhance deploy error display Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit e69079bdae) * Fix: e2e test vela cli output match & controllerrevision recycle for serviceaccount impersonation Signed-off-by: Somefive <yd219913@alibaba-inc.com> (cherry picked from commit 05b85573a2) Co-authored-by: Somefive <yd219913@alibaba-inc.com>
2026-05-24 18:23:11 +00:00 · 2022-05-27 16:00:04 +08:00
parent 371affb389
commit e20ef02a6a
21 changed files with 54 additions and 96 deletions
--- a/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
+++ b/charts/vela-core/templates/cluster-gateway/cluster-gateway.yaml
@@ -129,7 +129,7 @@ spec:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 rules:
  - apiGroups: [ "cluster.core.oam.dev" ]
    resources: [ "clustergateways/proxy" ]
@@ -138,15 +138,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 subjects:
-  - kind: Group
-    name: cluster-gateway-accessor
-    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: kubevela:client
    apiGroup: rbac.authorization.k8s.io
--- a/charts/vela-core/templates/kubevela-controller.yaml
+++ b/charts/vela-core/templates/kubevela-controller.yaml
@@ -25,9 +25,6 @@ subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
-  - kind: Group
-    name: core.oam.dev
-    apiGroup: rbac.authorization.k8s.io

 ---
 # permissions to do leader election.
--- a/charts/vela-core/templates/rbac/x-definition.yaml
+++ b/charts/vela-core/templates/rbac/x-definition.yaml
@@ -1,23 +0,0 @@
-{{ if .Values.authentication.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kubevela:x-definition:reader
-rules:
-  - apiGroups: [ "core.oam.dev" ]
-    resources: [ "componentdefinitions", "traitdefinitions", "workloaddefinitions", "workflowstepdefinitions", "policydefinitions", "definitionrevisions" ]
-    verbs: [ "get", "list", "watch" ]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubevela:x-definition:reader-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubevela:x-definition:reader
-subjects:
-  - kind: Group
-    name: kubevela:x-definition:reader
-    apiGroup: rbac.authorization.k8s.io
-{{ end }}
--- a/charts/vela-minimal/templates/cluster-gateway.yaml
+++ b/charts/vela-minimal/templates/cluster-gateway.yaml
@@ -194,24 +194,22 @@ spec:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 rules:
  - apiGroups: [ "cluster.core.oam.dev" ]
    resources: [ "clustergateways/proxy" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
-{{ end }}
 ---
-{{ if and .Values.multicluster.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-rolebinding
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ include "kubevela.fullname" . }}:cluster-gateway-access-role
+  name: {{ include "kubevela.fullname" . }}:cluster-gateway:proxy
 subjects:
  - kind: Group
-    name: cluster-gateway-accessor
+    name: kubevela:client
    apiGroup: rbac.authorization.k8s.io
 {{ end }}
--- a/charts/vela-minimal/templates/kubevela-controller.yaml
+++ b/charts/vela-minimal/templates/kubevela-controller.yaml
@@ -27,9 +27,6 @@ subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
-  - kind: Group
-    name: core.oam.dev
-    apiGroup: rbac.authorization.k8s.io

 ---
 # permissions to do leader election.