From 90adbb9b297d11506de7aab10789a6df97a4cf8e Mon Sep 17 00:00:00 2001
From: Daisy Guo
Date: Mon, 1 Jul 2019 15:05:57 +0800
Subject: [PATCH 1/6] add Kubernetes ServiceAccount for Eventing Source Controller
---
 config/200-serviceaccount.yaml | 8 +++
 config/200-sourcecontroller-clusterrole.yaml | 59 ++++++++++++++++++++
 config/201-clusterrolebinding.yaml | 17 ++++++
 config/500-sources-controller.yaml | 2 +-
 4 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 config/200-sourcecontroller-clusterrole.yaml
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml
index f611ef72427..f4b143df780 100644
--- a/config/200-serviceaccount.yaml
+++ b/config/200-serviceaccount.yaml
@@ -27,3 +27,11 @@ metadata:
 namespace: knative-eventing
 labels:
 eventing.knative.dev/release: devel
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eventing-source-controller
+ namespace: knative-eventing
+ labels:
+ eventing.knative.dev/release: devel
diff --git a/config/200-sourcecontroller-clusterrole.yaml b/config/200-sourcecontroller-clusterrole.yaml
new file mode 100644
index 00000000000..2763756b5f4
--- /dev/null
+++ b/config/200-sourcecontroller-clusterrole.yaml
@@ -0,0 +1,59 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: knative-eventing-source-controller
+ labels:
+ eventing.knative.dev/release: devel
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ - "configmaps"
+ - "services"
+ - "events"
+ - "eventtypes"
+ verbs: &everything
+ - "get"
+ - "list"
+ - "create"
+ - "update"
+ - "delete"
+ - "patch"
+ - "watch"
+
+ # Deployments admin
+ - apiGroups:
+ - "apps"
+ resources:
+ - "deployments"
+ verbs: *everything
+
+ # Source resources and statuses we care about.
+ - apiGroups:
+ - "sources.eventing.knative.dev"
+ resources:
+ - "cronjobsources"
+ - "cronjobsources/status"
+ - "cronjobsources/finalizers"
+ - "containersources"
+ - "containersources/status"
+ - "containersources/finalizers"
+ - "apiserversources"
+ - "apiserversources/status"
+ - "apiserversources/finalizers"
+ verbs: *everything
\ No newline at end of file
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index e45155a6d7e..5d8bf8d9d72 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
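Review bot: The first rule of the new ClusterRole applies the full `&everything` verb set to core `secrets`, so once this role is bound through a ClusterRoleBinding (as config/201-clusterrolebinding.yaml does in this same patch) the source controller's token can read, overwrite and delete every Secret in every namespace. If the controller only has to resolve Secret references (the controller code is not visible here, so confirm), move `secrets` into its own rule with `verbs: ["get", "list", "watch"]` and keep the write verbs for the objects it actually creates. The shared YAML anchor also hides what each rule grants from anyone auditing the file, so spelling the verbs out per rule, with a one-line comment saying why each resource is needed, would make later least-privilege review much easier.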
@@ -77,3 +77,20 @@ roleRef:
 kind: ClusterRole
 name: knative-eventing-webhook
 apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eventing-source-controller
+ labels:
+ eventing.knative.dev/release: devel
+subjects:
+ - kind: ServiceAccount
+ name: eventing-source-controller
+ namespace: knative-eventing
+roleRef:
+ kind: ClusterRole
+ name: knative-eventing-source-controller
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/500-sources-controller.yaml b/config/500-sources-controller.yaml
index e7e3c082e9d..199df627362 100644
--- a/config/500-sources-controller.yaml
+++ b/config/500-sources-controller.yaml
@@ -32,7 +32,7 @@ spec:
 app: sources-controller
 eventing.knative.dev/release: devel
 spec:
- serviceAccountName: eventing-controller
+ serviceAccountName: eventing-source-controller
 containers:
 - name: controller
 # This is the Go import path for the binary that is containerized
From 3db6bd31a83637de60aa173d83c2bf9f5f385250 Mon Sep 17 00:00:00 2001
From: Ying Chun Guo
Date: Mon, 1 Jul 2019 16:26:47 +0800
Subject: [PATCH 2/6] Update config/200-sourcecontroller-clusterrole.yaml
Co-Authored-By: mattmoor-sockpuppet
---
 config/200-sourcecontroller-clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/200-sourcecontroller-clusterrole.yaml b/config/200-sourcecontroller-clusterrole.yaml
index 2763756b5f4..4a19a04275c 100644
--- a/config/200-sourcecontroller-clusterrole.yaml
+++ b/config/200-sourcecontroller-clusterrole.yaml
@@ -56,4 +56,4 @@ rules:
 - "apiserversources"
 - "apiserversources/status"
 - "apiserversources/finalizers"
- verbs: *everything
\ No newline at end of file
+ verbs: *everything
From f7432c92548f7a743cec5ad371ee83715e8bdae2 Mon Sep 17 00:00:00 2001
From: Daisy Guo
Date: Tue, 2 Jul 2019 11:20:41 +0800
Subject: [PATCH 3/6] update sourcecontroller clusterrole
---
 config/200-sourcecontroller-clusterrole.yaml | 23 ++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/config/200-sourcecontroller-clusterrole.yaml b/config/200-sourcecontroller-clusterrole.yaml
index 4a19a04275c..be0b0be9510 100644
--- a/config/200-sourcecontroller-clusterrole.yaml
+++ b/config/200-sourcecontroller-clusterrole.yaml
@@ -25,8 +25,6 @@ rules:
 - "secrets"
 - "configmaps"
 - "services"
- - "events"
- - "eventtypes"
 verbs: &everything
 - "get"
 - "list"
@@ -57,3 +55,24 @@ rules:
 - "apiserversources/status"
 - "apiserversources/finalizers"
 verbs: *everything
+
+ # Knative Services admin
+ - apiGroups:
+ - serving.knative.dev
+ resources:
+ - services
+ verbs: *everything
+
+ # EventTypes admin
+ - apiGroups:
+ - eventing.knative.dev
+ resources:
+ - eventtypes
+ verbs: *everything
+
+ # Events admin
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs: *everything
From a7c92a735cf8739cc48dad6b102d67d80e9b3bb0 Mon Sep 17 00:00:00 2001
From: Daisy Guo
Date: Tue, 2 Jul 2019 13:54:07 +0800
Subject: [PATCH 4/6] remove sources resources from controller clusterrole
---
 config/200-controller-clusterrole.yaml | 15 ---------------
 config/200-sourcecontroller-clusterrole.yaml | 2 +-
 2 files changed, 1 insertion(+), 16 deletions(-)
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index 507b393a8d3..72a5a69ddfd 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
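Review bot: The `# Events admin` rule added in the second hunk of PATCH 3/6 gives the controller `*everything` on core `events` cluster-wide, which includes `delete`, so a compromised or buggy controller could erase the event records operators rely on when reconstructing what happened. An event recorder normally needs only to write events, so the rule could end with `verbs: ["create", "patch", "update"]` instead of the anchor. The `# Knative Services admin` rule deserves the same look, since full write access to every `serving.knative.dev` `services` object in every namespace is broader than a source controller that manages its own receive adapters presumably needs. As a style point, the three new rules use unquoted scalars (`- services`) while the rest of the file quotes them (`- "services"`), and one form should be kept throughout.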
@@ -94,21 +94,6 @@ rules:
 verbs:
 - "update"
 
- # Source resources and statuses we care about.
- - apiGroups:
- - "sources.eventing.knative.dev"
- resources:
- - "cronjobsources"
- - "cronjobsources/status"
- - "cronjobsources/finalizers"
- - "containersources"
- - "containersources/status"
- - "containersources/finalizers"
- - "apiserversources"
- - "apiserversources/status"
- - "apiserversources/finalizers"
- verbs: *everything
-
 # The subscription controller needs to retrieve and watch CustomResourceDefinitions.
 - apiGroups:
 - "apiextensions.k8s.io"
diff --git a/config/200-sourcecontroller-clusterrole.yaml b/config/200-sourcecontroller-clusterrole.yaml
index be0b0be9510..96f6d49c78b 100644
--- a/config/200-sourcecontroller-clusterrole.yaml
+++ b/config/200-sourcecontroller-clusterrole.yaml
@@ -75,4 +75,4 @@ rules:
 - ""
 resources:
 - events
- verbs: *everything
+ verbs: *everything
\ No newline at end of file
From 7443bb452a3aa208621449b28d17379fd51f3c3f Mon Sep 17 00:00:00 2001
From: Ying Chun Guo
Date: Tue, 2 Jul 2019 13:57:45 +0800
Subject: [PATCH 5/6] Update config/200-sourcecontroller-clusterrole.yaml
Co-Authored-By: mattmoor-sockpuppet
---
 config/200-sourcecontroller-clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/200-sourcecontroller-clusterrole.yaml b/config/200-sourcecontroller-clusterrole.yaml
index 96f6d49c78b..be0b0be9510 100644
--- a/config/200-sourcecontroller-clusterrole.yaml
+++ b/config/200-sourcecontroller-clusterrole.yaml
@@ -75,4 +75,4 @@ rules:
 - ""
 resources:
 - events
- verbs: *everything
\ No newline at end of file
+ verbs: *everything
From be47bc55c23b1be296a163ea3487c1bbe566ee67 Mon Sep 17 00:00:00 2001
From: Daisy Guo
Date: Wed, 3 Jul 2019 02:14:58 +0800
Subject: [PATCH 6/6] add addressable-resolver to eventing-source-controller
---
 config/201-clusterrolebinding.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index 5d8bf8d9d72..141874a0cb8 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
@@ -94,3 +94,20 @@ roleRef:
 kind: ClusterRole
 name: knative-eventing-source-controller
 apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eventing-source-controller-resolver
+ labels:
+ eventing.knative.dev/release: devel
+subjects:
+ - kind: ServiceAccount
+ name: eventing-source-controller
+ namespace: knative-eventing
+roleRef:
+ kind: ClusterRole
+ name: addressable-resolver
+ apiGroup: rbac.authorization.k8s.io
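Review bot: The new binding's `roleRef` names `addressable-resolver`, a ClusterRole that is not defined or changed anywhere in this series, so the permissions the source controller gains cluster-wide cannot be read from this diff. If that role is an aggregated one (the name suggests it collects rules for addressable types, but confirm), its effective rules grow whenever another component ships a matching labelled role, and this ServiceAccount inherits them without any change to this file. Please add a comment above the binding saying why the source controller needs it, for example `# Grants read access to Addressable sinks so sources can resolve their sink URI (confirm scope of addressable-resolver).`, and check that the referenced role carries read-only verbs.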