remove escalate bind rbac (#344)

Signed-off-by: Zhiwei Yin <zyin@redhat.com>
This commit is contained in:
Zhiwei Yin
2023-05-11 16:25:11 +08:00
committed by GitHub
parent c5446384b0
commit fc16c670b3
6 changed files with 307 additions and 10 deletions


@@ -5,8 +5,8 @@ metadata:
rules:
# Allow the registration-operator to create workload
- apiGroups: [""]
resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
resources: ["configmaps", "namespaces", "serviceaccounts", "services", "pods"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "update", "patch", "delete"]
@@ -25,25 +25,28 @@ rules:
verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create", "get", "list", "update", "watch", "patch"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
verbs: ["create", "get"]
- apiGroups: ["", "events.k8s.io"]
resources: ["events"]
verbs: ["create", "patch", "update"]
verbs: ["get", "list", "watch", "create", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterrolebindings", "rolebindings"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles", "roles"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "escalate", "bind"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
# Allow the registration-operator to create crds
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
@@ -71,3 +74,62 @@ rules:
- apiGroups: ["migration.k8s.io"]
resources: ["storageversionmigrations"]
verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
# Some rbac needed in cluster-manager
- apiGroups: ["addon.open-cluster-management.io"]
resources: ["managedclusteraddons", "clustermanagementaddons"]
verbs: ["create", "update", "patch", "get", "list", "watch", "delete"]
- apiGroups: ["addon.open-cluster-management.io"]
resources: ["managedclusteraddons/status", "clustermanagementaddons/status"]
verbs: ["patch", "update"]
- apiGroups: ["addon.open-cluster-management.io"]
resources: [managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"]
verbs: ["update"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["create", "get", "list", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/approval", "certificatesigningrequests/status"]
verbs: ["update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["kubernetes.io/kube-apiserver-client"]
verbs: ["approve"]
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclusters"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclustersetbindings", "placements", "addonplacementscores"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclustersets","placementdecisions"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclusters/status","managedclustersetbindings/status", "managedclustersets/status", "placements/status", "placementdecisions/status"]
verbs: ["update", "patch"]
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["placements/finalizers"]
verbs: ["update"]
- apiGroups: ["register.open-cluster-management.io"]
resources: ["managedclusters/clientcertificates"]
verbs: ["renew"]
- apiGroups: ["work.open-cluster-management.io"]
resources: ["manifestworkreplicasets"]
verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
- apiGroups: ["work.open-cluster-management.io"]
resources: ["manifestworkreplicasets/finalizers"]
verbs: ["update"]
- apiGroups: ["work.open-cluster-management.io"]
resources: ["manifestworks"]
verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch", "execute-as"]
- apiGroups: ["work.open-cluster-management.io"]
resources: ["manifestworks/status", "manifestworkreplicasets/status"]
verbs: ["update", "patch"]
- apiGroups: ["flowcontrol.apiserver.k8s.io"]
resources: ["flowschemas", "prioritylevelconfigurations"]
verbs: ["get", "list", "watch"]
- apiGroups: ["config.openshift.io"]
resources: ["infrastructures"]
verbs: ["get"]
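Review bot: The comment heading the appended block, `# Some rbac needed in cluster-manager`, does not say why these rules belong on the operator, and a reader who later trims them will re-break role creation. With `escalate` and `bind` dropped from the clusterroles/roles rule, the API server only lets the operator create a role whose permissions it already holds itself, so this block has to stay a superset of every rule the operator writes into managed roles; the events verbs on the operator rule now matching the `configmaps, events` rule in the third file of this commit is one instance of that coupling. I would replace the comment with `# Permissions granted to cluster-manager components. The operator no longer has "escalate", so the API server rejects any managed role that grants a verb not listed here: keep this a superset of every role the operator creates.` The `replicasets` get rule, added here and in four other files in this commit, deserves one similar comment stating what the lookup is for (presumably resolving the controller's own owner reference; please confirm). Minor: `resources: [managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"]` leaves the first entry unquoted while every other entry in the file is quoted.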


@@ -11,6 +11,14 @@ metadata:
"name": "cluster-manager"
},
"spec": {
"addOnManagerConfiguration": {
"featureGates": [
{
"feature": "AddonManagement",
"mode": "Enable"
}
]
},
"addOnManagerImagePullSpec": "quay.io/open-cluster-management/addon-manager",
"deployOption": {
"mode": "Default"
@@ -21,10 +29,30 @@ metadata:
{
"feature": "DefaultClusterSet",
"mode": "Enable"
},
{
"feature": "V1beta1CSRAPICompatibility",
"mode": "Enable"
},
{
"feature": "ManagedClusterAutoApproval",
"mode": "Enable"
}
]
},
"registrationImagePullSpec": "quay.io/open-cluster-management/registration",
"workConfiguration": {
"featureGates": [
{
"feature": "ManifestWorkReplicaSet",
"mode": "Enable"
},
{
"feature": "NilExecutorValidating",
"mode": "Enable"
}
]
},
"workImagePullSpec": "quay.io/open-cluster-management/work"
}
},
@@ -124,6 +152,7 @@ spec:
- namespaces
- serviceaccounts
- services
- pods
verbs:
- create
- get
@@ -132,6 +161,7 @@ spec:
- watch
- patch
- delete
- deletecollection
- apiGroups:
- ""
resourceNames:
@@ -170,6 +200,7 @@ spec:
- update
- watch
- patch
- delete
- apiGroups:
- ""
resources:
@@ -184,15 +215,21 @@ spec:
- subjectaccessreviews
verbs:
- create
- get
- apiGroups:
- ""
- events.k8s.io
resources:
- events
verbs:
- get
- list
- watch
- create
- patch
- update
- delete
- deletecollection
- apiGroups:
- apps
resources:
@@ -205,6 +242,12 @@ spec:
- watch
- patch
- delete
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- apiGroups:
- rbac.authorization.k8s.io
resources:
@@ -231,8 +274,6 @@ spec:
- watch
- patch
- delete
- escalate
- bind
- apiGroups:
- apiextensions.k8s.io
resources:
@@ -306,6 +347,176 @@ spec:
- watch
- patch
- delete
- apiGroups:
- addon.open-cluster-management.io
resources:
- managedclusteraddons
- clustermanagementaddons
verbs:
- create
- update
- patch
- get
- list
- watch
- delete
- apiGroups:
- addon.open-cluster-management.io
resources:
- managedclusteraddons/status
- clustermanagementaddons/status
verbs:
- patch
- update
- apiGroups:
- addon.open-cluster-management.io
resources:
- managedclusteraddons/finalizers
- clustermanagementaddons/finalizers
verbs:
- update
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- create
- get
- list
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- update
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/kube-apiserver-client
resources:
- signers
verbs:
- approve
- apiGroups:
- cluster.open-cluster-management.io
resources:
- managedclusters
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- cluster.open-cluster-management.io
resources:
- managedclustersetbindings
- placements
- addonplacementscores
verbs:
- get
- list
- watch
- apiGroups:
- cluster.open-cluster-management.io
resources:
- managedclustersets
- placementdecisions
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- cluster.open-cluster-management.io
resources:
- managedclusters/status
- managedclustersetbindings/status
- managedclustersets/status
- placements/status
- placementdecisions/status
verbs:
- update
- patch
- apiGroups:
- cluster.open-cluster-management.io
resources:
- placements/finalizers
verbs:
- update
- apiGroups:
- register.open-cluster-management.io
resources:
- managedclusters/clientcertificates
verbs:
- renew
- apiGroups:
- work.open-cluster-management.io
resources:
- manifestworkreplicasets
verbs:
- get
- list
- watch
- create
- update
- delete
- deletecollection
- patch
- apiGroups:
- work.open-cluster-management.io
resources:
- manifestworkreplicasets/finalizers
verbs:
- update
- apiGroups:
- work.open-cluster-management.io
resources:
- manifestworks
verbs:
- get
- list
- watch
- create
- update
- delete
- deletecollection
- patch
- execute-as
- apiGroups:
- work.open-cluster-management.io
resources:
- manifestworks/status
- manifestworkreplicasets/status
verbs:
- update
- patch
- apiGroups:
- flowcontrol.apiserver.k8s.io
resources:
- flowschemas
- prioritylevelconfigurations
verbs:
- get
- list
- watch
- apiGroups:
- config.openshift.io
resources:
- infrastructures
verbs:
- get
serviceAccountName: cluster-manager
deployments:
- name: cluster-manager
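Review bot: The sample CR in the alm-examples annotation now enables `ManagedClusterAutoApproval` and `V1beta1CSRAPICompatibility` alongside the new work feature gates, which is unrelated to the RBAC change in the title and alters what users get when they install from the sample. If this CSV is generated from a sample manifest elsewhere in the repo, the regeneration appears to have pulled in defaults that were not reviewed here; please confirm the auto-approval gate is meant to be on in the shipped example, since going by its name it waives the manual approval step for cluster registration. The clusterPermissions block mirrors the ClusterRole in the first file rule for rule, which is right as long as both come from one source; a short comment in that source saying the two must stay in sync would prevent drift.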


@@ -7,6 +7,9 @@ rules:
- apiGroups: [""]
resources: ["configmaps", "events"]
verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "watch", "create", "update", "patch"]


@@ -34,3 +34,9 @@ rules:
- apiGroups: [ "cluster.open-cluster-management.io" ]
resources: [ "placements", "placementdecisions" ]
verbs: [ "get", "list", "watch"]
- apiGroups: ["config.openshift.io"]
resources: ["infrastructures"]
verbs: ["get"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get"]
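Review bot: The three rules added at the end of this file are written `["config.openshift.io"]` while the rules just above them in the same hunk use the spaced form `[ "cluster.open-cluster-management.io" ]`; pick one flow style for the file. The `infrastructures` read on `config.openshift.io` is new for this role and carries no comment saying what the controller needs from it; a one-line comment such as `# read the cluster Infrastructure object (OpenShift-specific API group); confirm which field is consumed` would record the reason. A rule for an API group the cluster does not serve is inert, so the grant is harmless elsewhere, but the intent should still be written down.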


@@ -5,8 +5,11 @@ metadata:
rules:
# Allow controller to get/list/watch/create/delete configmaps
- apiGroups: [""]
resources: ["configmaps"]
resources: ["configmaps", "pods"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get"]
# Allow controller to create/patch/update events
- apiGroups: ["", "events.k8s.io"]
resources: ["events"]
@@ -36,3 +39,6 @@ rules:
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["placements/finalizers"]
verbs: ["update"]
- apiGroups: ["config.openshift.io"]
resources: ["infrastructures"]
verbs: ["get"]
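Review bot: The comment `# Allow controller to get/list/watch/create/delete configmaps` is now inaccurate: the rule beneath it covers `pods` as well, and its verb list already includes `update`. I would change it to `# Allow controller to manage configmaps and pods (get/list/watch/create/update/delete)`. Why this controller needs `create`, `update` and `delete` on pods is not visible from the diff; if it only reads them, `pods` should be its own rule with `get`, `list`, `watch`, because a single rule grants the whole verb set to every listed resource.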


@@ -17,6 +17,9 @@ rules:
- apiGroups: ["", "events.k8s.io"]
resources: ["events"]
verbs: ["create", "patch", "update"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
@@ -26,7 +29,7 @@ rules:
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles", "roles"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate", "bind"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Allow hub to manage coordination.k8s.io/lease
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
@@ -42,6 +45,9 @@ rules:
- apiGroups: ["work.open-cluster-management.io"]
resources: ["manifestworks"]
verbs: ["get", "list", "watch","create", "update", "delete", "deletecollection", "patch", "execute-as"]
- apiGroups: [ "work.open-cluster-management.io" ]
resources: [ "manifestworks/status" ]
verbs: [ "patch", "update" ]
# Allow hub to monitor manifestworkreplicasets
- apiGroups: ["work.open-cluster-management.io"]
resources: ["manifestworkreplicasets"]
@@ -85,3 +91,6 @@ rules:
- apiGroups: ["addon.open-cluster-management.io"]
resources: ["managedclusteraddons/status"]
verbs: ["patch", "update"]
- apiGroups: ["register.open-cluster-management.io"]
resources: ["managedclusters/clientcertificates"]
verbs: ["renew"]
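Review bot: Dropping `escalate` and `bind` from the clusterroles/roles rule changes how the API server checks this role's writes: a Role or ClusterRole this component creates is rejected unless every verb in it is also held here, and nothing in the file records that constraint. I would add above that rule `# No "escalate"/"bind": the API server only accepts roles whose permissions this role already holds, so any verb granted to addons or agents must also be listed in this file.` The new rules in the later hunks (`replicasets` get, `manifestworks/status` patch/update, `managedclusters/clientcertificates` renew) look like exactly that catch-up and should be checked against the roles this component generates. Minor: the added `manifestworks/status` rule uses the spaced `[ "..." ]` form while its neighbours use `["..."]`.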