From fc16c670b31b15d816ceae4c854155f9c80c2a94 Mon Sep 17 00:00:00 2001 From: Zhiwei Yin Date: Thu, 11 May 2023 16:25:11 +0800 Subject: [PATCH] remove escalate bind rbac (#344) Signed-off-by: Zhiwei Yin
--- .../config/rbac/cluster_role.yaml | 74 +++++- ...cluster-manager.clusterserviceversion.yaml | 215 +++++++++++++++++- ...ter-manager-addon-manager-clusterrole.yaml | 3 + ...er-manifestworkreplicaset-clusterrole.yaml | 6 + ...cluster-manager-placement-clusterrole.yaml | 8 +- ...ster-manager-registration-clusterrole.yaml | 11 +- 6 files changed, 307 insertions(+), 10 deletions(-)
diff --git a/deploy/cluster-manager/config/rbac/cluster_role.yaml b/deploy/cluster-manager/config/rbac/cluster_role.yaml
index bb153e5e0..5c52d033c 100644
--- a/deploy/cluster-manager/config/rbac/cluster_role.yaml
+++ b/deploy/cluster-manager/config/rbac/cluster_role.yaml
@@ -5,8 +5,8 @@ metadata: rules: # Allow the registration-operator to create workload - apiGroups: [""] - resources: ["configmaps", "namespaces", "serviceaccounts", "services"] - verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] + resources: ["configmaps", "namespaces", "serviceaccounts", "services", "pods"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch", "update", "patch", "delete"]
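Review bot: The context comment `# Allow the registration-operator to create workload` no longer describes this rule once `pods` and `deletecollection` are added, and cluster-wide `delete`/`deletecollection` on `namespaces` and `pods` is a large blast radius for an operator whose own workload is Deployments. If the extra resource and verb are here only so this ClusterRole stays a superset of the component roles it manages (the placement role gains `pods` and the addon-manager role already has `deletecollection` elsewhere in this patch), record that: `# Allow the operator to manage its workload; pods/deletecollection are mirrored from the hub component roles because the operator no longer holds escalate`. If no component role needs them, drop them rather than widen the operator.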
@@ -25,25 +25,28 @@ rules: verbs: ["create"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] - verbs: ["create", "get", "list", "update", "watch", "patch"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] - verbs: ["create"] + verbs: ["create", "get"] - apiGroups: ["", "events.k8s.io"] resources: ["events"] - verbs: ["create", "patch", "update"] + verbs: ["get", "list", "watch", "create", "patch", "update", "delete", "deletecollection"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterrolebindings", "rolebindings"] verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterroles", "roles"] - verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "escalate", "bind"] + verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] # Allow the registration-operator to create crds - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] 
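Review bot: Dropping `escalate` and `bind` from the `clusterroles`/`roles` rule means the apiserver's RBAC escalation check now applies to every ClusterRole, Role and binding the operator creates or updates, so this ClusterRole must remain a superset of every rule in the component roles it manages; that invariant is what drives the large block added later in this file, but nothing in the hunk records it. A comment on the rule such as `# No escalate/bind: the operator may only grant verbs it holds itself, so every rule in manifests/cluster-manager/hub/cluster-manager-*-clusterrole.yaml must also appear in this file` would keep future additions to a component role from failing with a Forbidden error at reconcile time. The same removal appears in the CSV hunk `@@ -231,8 +274,6 @@` and in the registration role hunk `@@ -26,7 +29,7 @@`, where the same superset requirement applies to the roles the registration controller creates. Separately, `get` on `subjectaccessreviews` looks unnecessary, since SubjectAccessReview is a create-only, non-persisted resource, unless a managed component role carries it and it is mirrored here for the superset requirement.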
@@ -71,3 +74,62 @@ rules: - apiGroups: ["migration.k8s.io"] resources: ["storageversionmigrations"] verbs: ["create", "get", "list", "update", "watch", "patch", "delete"] +# Some rbac needed in cluster-manager +- apiGroups: ["addon.open-cluster-management.io"] + resources: ["managedclusteraddons", "clustermanagementaddons"] + verbs: ["create", "update", "patch", "get", "list", "watch", "delete"] +- apiGroups: ["addon.open-cluster-management.io"] + resources: ["managedclusteraddons/status", "clustermanagementaddons/status"] + verbs: ["patch", "update"] +- apiGroups: ["addon.open-cluster-management.io"] + resources: [managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"] + verbs: ["update"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "list", "watch"] +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/approval", "certificatesigningrequests/status"] + verbs: ["update"] +- apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["kubernetes.io/kube-apiserver-client"] + verbs: ["approve"] +- apiGroups: ["cluster.open-cluster-management.io"] + resources: ["managedclusters"] + verbs: ["get", "list", "watch", "update", "patch"] +- apiGroups: ["cluster.open-cluster-management.io"] + resources: ["managedclustersetbindings", "placements", "addonplacementscores"] + verbs: ["get", "list", "watch"] +- apiGroups: ["cluster.open-cluster-management.io"] + resources: ["managedclustersets","placementdecisions"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["cluster.open-cluster-management.io"] + resources: ["managedclusters/status","managedclustersetbindings/status", "managedclustersets/status", "placements/status", "placementdecisions/status"] + verbs: ["update", "patch"] +- apiGroups: ["cluster.open-cluster-management.io"] + 
resources: ["placements/finalizers"] + verbs: ["update"] +- apiGroups: ["register.open-cluster-management.io"] + resources: ["managedclusters/clientcertificates"] + verbs: ["renew"] +- apiGroups: ["work.open-cluster-management.io"] + resources: ["manifestworkreplicasets"] + verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"] +- apiGroups: ["work.open-cluster-management.io"] + resources: ["manifestworkreplicasets/finalizers"] + verbs: ["update"] +- apiGroups: ["work.open-cluster-management.io"] + resources: ["manifestworks"] + verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch", "execute-as"] +- apiGroups: ["work.open-cluster-management.io"] + resources: ["manifestworks/status", "manifestworkreplicasets/status"] + verbs: ["update", "patch"] +- apiGroups: ["flowcontrol.apiserver.k8s.io"] + resources: ["flowschemas", "prioritylevelconfigurations"] + verbs: ["get", "list", "watch"] +- apiGroups: ["config.openshift.io"] + resources: ["infrastructures"] + verbs: ["get"]
diff --git a/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml b/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
index 4c5126137..a39114704 100644
--- a/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
+++ b/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
@@ -11,6 +11,14 @@ metadata: "name": "cluster-manager" }, "spec": { + "addOnManagerConfiguration": { + "featureGates": [ + { + "feature": "AddonManagement", + "mode": "Enable" + } + ] + }, "addOnManagerImagePullSpec": "quay.io/open-cluster-management/addon-manager", "deployOption": { "mode": "Default"
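Review bot: The new `signers`/`approve` rule on `kubernetes.io/kube-apiserver-client`, combined with `update` on `certificatesigningrequests/approval`, lets the operator's service account approve client-certificate CSRs for whatever identity a request names, which should be treated as cluster-admin-equivalent in the threat model; it appears to be carried here only so the operator stays a superset of the registration role, but the heading `# Some rbac needed in cluster-manager` does not say that. Replace the heading with something like `# Rules mirrored from the hub component ClusterRoles: without escalate/bind the operator can only grant verbs it already holds` so the CSR-approval grant is understood as a consequence of that model rather than a feature of the operator. Also, `resources: [managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"]` mixes an unquoted and a quoted scalar; quote the first entry for consistency with every other list in the file. The same rules are repeated in block style in the CSV hunk `@@ -306,6 +347,176 @@`, so whatever comment is settled on here should be carried there too.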
@@ -21,10 +29,30 @@ metadata: { "feature": "DefaultClusterSet", "mode": "Enable" + }, + { + "feature": "V1beta1CSRAPICompatibility", + "mode": "Enable" + }, + { + "feature": "ManagedClusterAutoApproval", + "mode": "Enable" } ] }, "registrationImagePullSpec": "quay.io/open-cluster-management/registration", + "workConfiguration": { + "featureGates": [ + { + "feature": "ManifestWorkReplicaSet", + "mode": "Enable" + }, + { + "feature": "NilExecutorValidating", + "mode": "Enable" + } + ] + }, "workImagePullSpec": "quay.io/open-cluster-management/work" } },
@@ -124,6 +152,7 @@ spec: - namespaces - serviceaccounts - services + - pods verbs: - create - get
@@ -132,6 +161,7 @@ spec: - watch - patch - delete + - deletecollection - apiGroups: - "" resourceNames:
@@ -170,6 +200,7 @@ spec: - update - watch - patch + - delete - apiGroups: - "" resources:
@@ -184,15 +215,21 @@ spec: - subjectaccessreviews verbs: - create + - get - apiGroups: - "" - events.k8s.io resources: - events verbs: + - get + - list + - watch - create - patch - update + - delete + - deletecollection - apiGroups: - apps resources:
@@ -205,6 +242,12 @@ spec: - watch - patch - delete + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get - apiGroups: - rbac.authorization.k8s.io resources:
@@ -231,8 +274,6 @@ spec: - watch - patch - delete - - escalate - - bind - apiGroups: - apiextensions.k8s.io resources:
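Review bot: Enabling `ManagedClusterAutoApproval` in the `alm-examples` CR means the sample ClusterManager that OLM presents to users ships with automatic approval of cluster registration turned on, which, if the gate does what its name indicates, removes the manual review a hub administrator would otherwise perform on joining clusters. A sample should default to the safer setting; either leave this gate out of the example or document the consequence in the CSV `description`, since the value is a JSON string inside an annotation and cannot carry an inline comment. The other gates added in this hunk (`V1beta1CSRAPICompatibility`, `ManifestWorkReplicaSet`, `NilExecutorValidating`) do not appear to change who may join the hub, as far as can be told from this hunk.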
@@ -306,6 +347,176 @@ spec: - watch - patch - delete + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons + - clustermanagementaddons + verbs: + - create + - update + - patch + - get + - list + - watch + - delete + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/status + - clustermanagementaddons/status + verbs: + - patch + - update + - apiGroups: + - addon.open-cluster-management.io + resources: + - managedclusteraddons/finalizers + - clustermanagementaddons/finalizers + verbs: + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - create + - get + - list + - watch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: + - update + - apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/kube-apiserver-client + resources: + - signers + verbs: + - approve + - apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclusters + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclustersetbindings + - placements + - addonplacementscores + verbs: + - get + - list + - watch + - apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclustersets + - placementdecisions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - cluster.open-cluster-management.io + resources: + - managedclusters/status + - managedclustersetbindings/status + - managedclustersets/status + - placements/status + - placementdecisions/status + verbs: + - update + - patch + - apiGroups: + - cluster.open-cluster-management.io + resources: + - placements/finalizers + verbs: + - update + - apiGroups: + - 
register.open-cluster-management.io + resources: + - managedclusters/clientcertificates + verbs: + - renew + - apiGroups: + - work.open-cluster-management.io + resources: + - manifestworkreplicasets + verbs: + - get + - list + - watch + - create + - update + - delete + - deletecollection + - patch + - apiGroups: + - work.open-cluster-management.io + resources: + - manifestworkreplicasets/finalizers + verbs: + - update + - apiGroups: + - work.open-cluster-management.io + resources: + - manifestworks + verbs: + - get + - list + - watch + - create + - update + - delete + - deletecollection + - patch + - execute-as + - apiGroups: + - work.open-cluster-management.io + resources: + - manifestworks/status + - manifestworkreplicasets/status + verbs: + - update + - patch + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - flowschemas + - prioritylevelconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - config.openshift.io + resources: + - infrastructures + verbs: + - get serviceAccountName: cluster-manager deployments: - name: cluster-manager
diff --git a/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml
index 0b8431f76..65a745e9f 100644
--- a/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml
@@ -7,6 +7,9 @@ rules: - apiGroups: [""] resources: ["configmaps", "events"] verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "list", "watch", "create", "update", "patch"]
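Review bot: The added `replicasets`/`get` rule carries no comment saying what in the addon manager reads ReplicaSets, and the identical rule is added without explanation to the manifestworkreplicaset, placement and registration roles (hunks `@@ -34,3 +34,9 @@`, `@@ -5,8 +5,11 @@`, `@@ -17,6 +17,9 @@`) and to the operator role. The uniform addition suggests a shared library that resolves the controller pod's owning ReplicaSet, but that is inferred; a one-line comment on each rule naming the consumer, e.g. `# Allow controller to get replicasets (owner lookup for its own pod -- confirm the code path)`, would let a later reviewer drop the grant when that dependency goes away. The same applies to the unexplained `config.openshift.io`/`infrastructures` `get` added to the manifestworkreplicaset and placement roles.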
diff --git a/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml
index aa3685dab..b80393e32 100644
--- a/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml
@@ -34,3 +34,9 @@ rules: - apiGroups: [ "cluster.open-cluster-management.io" ] resources: [ "placements", "placementdecisions" ] verbs: [ "get", "list", "watch"] +- apiGroups: ["config.openshift.io"] + resources: ["infrastructures"] + verbs: ["get"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"]
diff --git a/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml
index 9c75bac83..41a0e7beb 100644
--- a/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml
@@ -5,8 +5,11 @@ metadata: rules: # Allow controller to get/list/watch/create/delete configmaps - apiGroups: [""] - resources: ["configmaps"] + resources: ["configmaps", "pods"] verbs: ["get", "list", "watch", "create", "delete", "update"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] # Allow controller to create/patch/update events - apiGroups: ["", "events.k8s.io"] resources: ["events"]
@@ -36,3 +39,6 @@ rules: - apiGroups: ["cluster.open-cluster-management.io"] resources: ["placements/finalizers"] verbs: ["update"] +- apiGroups: ["config.openshift.io"] + resources: ["infrastructures"] + verbs: ["get"]
diff --git a/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
index 7a44837b5..f9efb2c13 100644
--- a/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
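Review bot: In the placement role hunk `@@ -5,8 +5,11 @@`, the comment `# Allow controller to get/list/watch/create/delete configmaps` above the changed rule is now wrong on two counts: the rule also covers `pods`, and its verb list already included `update`. Change it to `# Allow controller to get/list/watch/create/delete/update configmaps and pods`. Granting `create` and `delete` on pods in every namespace to the placement controller is broad for a ClusterRole; if the pods it manages live in one namespace, a namespaced Role there would be tighter, though the rest of the file is outside this hunk.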
+++ b/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
@@ -17,6 +17,9 @@ rules: - apiGroups: ["", "events.k8s.io"] resources: ["events"] verbs: ["create", "patch", "update"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"]
@@ -26,7 +29,7 @@ rules: verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterroles", "roles"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate", "bind"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # Allow hub to manage coordination.k8s.io/lease - apiGroups: ["coordination.k8s.io"] resources: ["leases"]
@@ -42,6 +45,9 @@ rules: - apiGroups: ["work.open-cluster-management.io"] resources: ["manifestworks"] verbs: ["get", "list", "watch","create", "update", "delete", "deletecollection", "patch", "execute-as"] +- apiGroups: [ "work.open-cluster-management.io" ] + resources: [ "manifestworks/status" ] + verbs: [ "patch", "update" ] # Allow hub to monitor manifestworkreplicasets - apiGroups: ["work.open-cluster-management.io"] resources: ["manifestworkreplicasets"]
@@ -85,3 +91,6 @@ rules: - apiGroups: ["addon.open-cluster-management.io"] resources: ["managedclusteraddons/status"] verbs: ["patch", "update"] +- apiGroups: ["register.open-cluster-management.io"] + resources: ["managedclusters/clientcertificates"] + verbs: ["renew"]
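Review bot: In hunk `@@ -42,6 +45,9 @@` the new `manifestworks/status` rule is written in spaced flow style (`[ "work.open-cluster-management.io" ]`, `[ "manifestworks/status" ]`, `[ "patch", "update" ]`) while every other rule in this file uses `["..."]`; write it as `- apiGroups: ["work.open-cluster-management.io"]`, `resources: ["manifestworks/status"]`, `verbs: ["patch", "update"]`. The spaced style otherwise appears in this commit only in the manifestworkreplicaset role, so the lines look copied from there. The neighbouring rules each carry an `# Allow hub to ...` heading; give this one the same, stating why the registration controller writes ManifestWork status.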