From 1db669f7d44e26ed43df89d2e0f8c785ef181a3e Mon Sep 17 00:00:00 2001
From: Ahmed Abdalla
Date: Mon, 1 Apr 2019 18:45:55 +0200
Subject: [PATCH 1/3] Introduce addressable resolver aggregated cluster role

* Add addressable-resolver aggregated cluster role
* Add broker addressable cluster role
* Add channel addressable cluster role
---
 .../200-addressable-resolver-clusterrole.yaml | 23 ++++++++++++++
 .../200-broker-addressable-clusterrole.yaml | 31 +++++++++++++++++++
 .../200-channel-addressable-clusterrole.yaml | 31 +++++++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100644 config/200-addressable-resolver-clusterrole.yaml
 create mode 100644 config/200-broker-addressable-clusterrole.yaml
 create mode 100644 config/200-channel-addressable-clusterrole.yaml

diff --git a/config/200-addressable-resolver-clusterrole.yaml b/config/200-addressable-resolver-clusterrole.yaml
new file mode 100644
index 00000000000..9568503b094
--- /dev/null
+++ b/config/200-addressable-resolver-clusterrole.yaml
@@ -0,0 +1,23 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: addressable-resolver
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ eventing.knative.dev/addressable: "true"
+rules: [] # Rules are automatically filled in by the controller manager.
\ No newline at end of file
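Review bot: The aggregation selector at `matchLabels: eventing.knative.dev/addressable: "true"` pulls in every ClusterRole carrying that label, whoever created it, so anyone permitted to create or label ClusterRoles can widen what every binding to `addressable-resolver` grants, and nothing in the file records that trust boundary. Add a comment beside the selector, e.g. `# Every ClusterRole labelled eventing.knative.dev/addressable: "true" is merged into this role, so such labels need the same review as the rules themselves.` The same applies to the consolidated `config/200-addressable-resolvers-clusterrole.yaml` in PATCH 2/3, where the label becomes `duck.knative.dev/addressable`. The `\ No newline at end of file` marker shows this file (and the broker and channel files that follow) lack a trailing newline, which yamllint's `new-line-at-end-of-file` rule flags; the consolidated file in PATCH 2/3 already has one.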
diff --git a/config/200-broker-addressable-clusterrole.yaml b/config/200-broker-addressable-clusterrole.yaml
new file mode 100644
index 00000000000..43f751bf9bc
--- /dev/null
+++ b/config/200-broker-addressable-clusterrole.yaml
@@ -0,0 +1,31 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: broker-addressable-resolver
+ labels:
+ eventing.knative.dev/addressable: "true"
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - brokers
+ - brokers/status
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/config/200-channel-addressable-clusterrole.yaml b/config/200-channel-addressable-clusterrole.yaml
new file mode 100644
index 00000000000..c8b16b76169
--- /dev/null
+++ b/config/200-channel-addressable-clusterrole.yaml
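Review bot: The `rules` stanza leaves every group, resource and verb unquoted, whereas the repo's existing `config/200-controller-clusterrole.yaml` (visible in PATCH 3/3) quotes all of them (`- "get"`, `- "serving.knative.dev"`); pick one convention for the config directory so a yamllint `quoted-strings` setting can be applied uniformly. `config/200-channel-addressable-clusterrole.yaml` in the next hunk has the same shape and the same remark applies there. Separately, `list` and `watch` on `brokers/status` can never be exercised — as far as I know the status subresource only serves get, update and patch — so either drop the subresource (a `get` on `brokers` already returns the status) or leave a comment explaining why it is listed.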
@@ -0,0 +1,31 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: channel-addressable-resolver
+ labels:
+ eventing.knative.dev/addressable: "true"
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - channels
+ - channels/status
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
From 81b846124158a4dca3f25bdb43f1313dfa062e56 Mon Sep 17 00:00:00 2001
From: Ahmed Abdalla
Date: Tue, 2 Apr 2019 03:57:33 +0200
Subject: [PATCH 2/3] Consolidate addressable-resolvers & include routes and Kservices

---
 .../200-addressable-resolver-clusterrole.yaml | 23 -----
 ...200-addressable-resolvers-clusterrole.yaml | 86 +++++++++++++++++++
 .../200-broker-addressable-clusterrole.yaml | 31 -------
 .../200-channel-addressable-clusterrole.yaml | 31 -------
 4 files changed, 86 insertions(+), 85 deletions(-)
 delete mode 100644 config/200-addressable-resolver-clusterrole.yaml
 create mode 100644 config/200-addressable-resolvers-clusterrole.yaml
 delete mode 100644 config/200-broker-addressable-clusterrole.yaml
 delete mode 100644 config/200-channel-addressable-clusterrole.yaml

diff --git a/config/200-addressable-resolver-clusterrole.yaml b/config/200-addressable-resolver-clusterrole.yaml
deleted file mode 100644
index 9568503b094..00000000000
--- a/config/200-addressable-resolver-clusterrole.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2019 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: addressable-resolver
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- eventing.knative.dev/addressable: "true"
-rules: [] # Rules are automatically filled in by the controller manager.
\ No newline at end of file
diff --git a/config/200-addressable-resolvers-clusterrole.yaml b/config/200-addressable-resolvers-clusterrole.yaml
new file mode 100644
index 00000000000..275ee263b38
--- /dev/null
+++ b/config/200-addressable-resolvers-clusterrole.yaml
@@ -0,0 +1,86 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use this aggregated ClusterRole when you need readonly access to "Addressables"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: addressable-resolver
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ duck.knative.dev/addressable: "true"
+rules: [] # Rules are automatically filled in by the controller manager.
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: serving-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - routes
+ - routes/status
+ - services
+ - services/status
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: channel-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - channels
+ - channels/status
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: broker-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+# Do not use this role directly.
These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - brokers
+ - brokers/status
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/200-broker-addressable-clusterrole.yaml b/config/200-broker-addressable-clusterrole.yaml
deleted file mode 100644
index 43f751bf9bc..00000000000
--- a/config/200-broker-addressable-clusterrole.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2019 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: broker-addressable-resolver
- labels:
- eventing.knative.dev/addressable: "true"
-# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
-rules:
-- apiGroups:
- - eventing.knative.dev
- resources:
- - brokers
- - brokers/status
- verbs:
- - get
- - list
- - watch
\ No newline at end of file
diff --git a/config/200-channel-addressable-clusterrole.yaml b/config/200-channel-addressable-clusterrole.yaml
deleted file mode 100644
index c8b16b76169..00000000000
--- a/config/200-channel-addressable-clusterrole.yaml
+++ /dev/null
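Review bot: The four documents in `config/200-addressable-resolvers-clusterrole.yaml` order their top-level keys differently — the aggregating role has `apiVersion:` before `kind:`, the three labelled roles have `kind:` first — which makes the documents harder to compare at a glance; write `apiVersion:` then `kind:` throughout, as the first document and `config/201-clusterrolebinding.yaml` do. The header comment `# Use this aggregated ClusterRole when you need readonly access to "Addressables"` would also serve readers better if it named the mechanism that feeds the role, e.g. `# Rules are aggregated from every ClusterRole labelled duck.knative.dev/addressable: "true"; keep such roles read-only (get/list/watch).` The `# Do not use this role directly.` comments are advisory only — nothing stops a binding to `serving-addressable-resolver` itself — so the header could state that the constituent roles exist solely to be aggregated.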
@@ -1,31 +0,0 @@
-# Copyright 2019 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: channel-addressable-resolver
- labels:
- eventing.knative.dev/addressable: "true"
-# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
-rules:
-- apiGroups:
- - eventing.knative.dev
- resources:
- - channels
- - channels/status
- verbs:
- - get
- - list
- - watch
\ No newline at end of file
From 4cf7546f140796f41c1c76d1935560f77372a66c Mon Sep 17 00:00:00 2001
From: Ahmed Abdalla
Date: Tue, 2 Apr 2019 22:26:37 +0200
Subject: [PATCH 3/3] Add addressable-resolver role to eventing controller

---
 config/200-controller-clusterrole.yaml | 13 -------------
 config/201-clusterrolebinding.yaml | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index 673507abafe..7b0d29bca4c 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -35,19 +35,6 @@ rules: - "patch" - "watch" - # Knative Services are Addressables that Subscriptions and Triggers often point towards. - - apiGroups: - - "serving.knative.dev" - resources: - - "routes" - - "routes/status" - - "services" - - "services/status" - verbs: - - "get" - - "list" - - "watch" - # Channels and Triggers both manipulate VirtualServices. - apiGroups: - "networking.istio.io" diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml index f3f174906da..9dd86d2780b 100644 --- a/config/201-clusterrolebinding.yaml +++ b/config/201-clusterrolebinding.yaml @@ -27,6 +27,21 @@ roleRef: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: eventing-controller-resolver +subjects: + - kind: ServiceAccount + name: eventing-controller + namespace: knative-eventing +roleRef: + kind: ClusterRole + name: addressable-resolver + apiGroup: rbac.authorization.k8s.io + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
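Review bot: Nothing in `config/200-controller-clusterrole.yaml` now says where the controller's read access to Knative Routes and Services comes from once the `serving.knative.dev` block is deleted; put a comment in its place, e.g. `# Read access to Addressables (Knative Routes/Services, Channels, Brokers) comes from the aggregated "addressable-resolver" ClusterRole, bound in 201-clusterrolebinding.yaml.` The binding added in the second hunk points `eventing-controller` at `addressable-resolver`, whose rules are filled in asynchronously by the controller manager, so immediately after an apply the controller may briefly get 403s on Routes and Services until aggregation catches up; worth a line in the commit message. The aggregated role also carries the channel and broker rules, which this role presumably grants already elsewhere in the file — the rest of the `rules` list lies outside the hunk, so I cannot confirm.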