From ea776199c1440f5411c6405f7299df87a228c3a5 Mon Sep 17 00:00:00 2001
From: Enxebre
Date: Thu, 14 Feb 2019 12:13:34 +0100
Subject: [PATCH] Move rbac up to CVO. Drop admin perms
---
 cmd/machine-api-operator/start.go | 3 -
 .../0000_30_machine-api-operator_08_rbac.yaml | 118 ++++++++++++++++--
 ...usterapi-manager-cluster-role-binding.yaml | 12 --
 .../clusterapi-manager-cluster-role.yaml | 65 ----------
 pkg/operator/operator.go | 8 --
 pkg/operator/sync.go | 18 ---
 6 files changed, 110 insertions(+), 114 deletions(-)
 delete mode 100644 owned-manifests/clusterapi-manager-cluster-role-binding.yaml
 delete mode 100644 owned-manifests/clusterapi-manager-cluster-role.yaml
diff --git a/cmd/machine-api-operator/start.go b/cmd/machine-api-operator/start.go
index e53fd5870..b8bc7f853 100644
--- a/cmd/machine-api-operator/start.go
+++ b/cmd/machine-api-operator/start.go
@@ -80,10 +80,7 @@ func startControllers(ctx *ControllerContext) error {
 startOpts.imagesFile,
 config,
- ctx.KubeNamespacedInformerFactory.Core().V1().ServiceAccounts(),
 ctx.KubeNamespacedInformerFactory.Apps().V1().Deployments(),
- ctx.KubeNamespacedInformerFactory.Rbac().V1().ClusterRoles(),
- ctx.KubeNamespacedInformerFactory.Rbac().V1().ClusterRoleBindings(),
 ctx.ClientBuilder.KubeClientOrDie(componentName),
 ctx.ClientBuilder.OpenshiftClientOrDie(componentName),
diff --git a/install/0000_30_machine-api-operator_08_rbac.yaml b/install/0000_30_machine-api-operator_08_rbac.yaml
index 996565d18..9da0d48da 100644
--- a/install/0000_30_machine-api-operator_08_rbac.yaml
+++ b/install/0000_30_machine-api-operator_08_rbac.yaml
@@ -1,13 +1,115 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: machine-api-manager
+rules:
+ - apiGroups:
+ - cluster.k8s.io
+ resources:
+ - clusters
+ - clusters/status
+ - machines
+ - machines/status
+ - machinesets
+ - machinesets/status
+ - machinedeployments
+ - machinedeployments/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+
+ - apiGroups:
+ - machine.openshift.io
+ resources:
+ - clusters
+ - clusters/status
+ - machines
+ - machines/status
+ - machinesets
+ - machinesets/status
+ - machinedeployments
+ - machinedeployments/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+
+ - apiGroups:
+ - healthchecking.openshift.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+
+ - apiGroups:
+ - config.openshift.io
+ resources:
+ - clusteroperators
+ - clusteroperators/status
+ verbs:
+ - create
+ - get
+ - update
+
 ---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
- name: default-account-openshift-machine-api
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: openshift-machine-api
+ name: machine-api-manager-rolebinding
 roleRef:
- kind: ClusterRole
- name: cluster-admin
 apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: machine-api-manager
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: openshift-machine-api
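Review bot: The ClusterRoleBinding at the end of the hunk binds `machine-api-manager` to the `default` ServiceAccount of openshift-machine-api, so any pod in that namespace that does not set its own serviceAccountName inherits cluster-wide write access to nodes, configmaps and machines; a dedicated ServiceAccount for the controller deployment (subject `name: machine-api-manager` plus a matching ServiceAccount manifest and serviceAccountName in the controllers manifest) would limit that to the intended pods. The `configmaps` rule is also cluster-scoped with create/update/patch/delete, which reaches configmaps in every namespace; if the controllers only need their own namespace, a Role/RoleBinding would say so, and the `'*'` resources and verbs on healthchecking.openshift.io would benefit from a comment naming the resources actually used. Which of these permissions the controllers exercise is not visible in this diff, so read this as a scoping question rather than a confirmed over-grant.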
diff --git a/owned-manifests/clusterapi-manager-cluster-role-binding.yaml b/owned-manifests/clusterapi-manager-cluster-role-binding.yaml
deleted file mode 100644
index def4603e1..000000000
--- a/owned-manifests/clusterapi-manager-cluster-role-binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cluster-api-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-api-manager-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: {{ .TargetNamespace }}
diff --git a/owned-manifests/clusterapi-manager-cluster-role.yaml b/owned-manifests/clusterapi-manager-cluster-role.yaml
deleted file mode 100644
index 00da933fb..000000000
--- a/owned-manifests/clusterapi-manager-cluster-role.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: cluster-api-manager-role
-rules:
-- apiGroups:
- - cluster.k8s.io
- resources:
- - clusters
- - clusters/status
- - machines
- - machines/status
- - machinesets
- - machinesets/status
- - machinedeployments
- - machinedeployments/status
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-
-- apiGroups:
- - machine.openshift.io
- resources:
- - clusters
- - clusters/status
- - machines
- - machines/status
- - machinesets
- - machinesets/status
- - machinedeployments
- - machinedeployments/status
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-
-- apiGroups:
- - healthchecking.openshift.io
- resources:
- - '*'
- verbs:
- - '*'
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index ea58191b1..e87555f34 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -11,8 +11,6 @@ import (
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/apimachinery/pkg/util/wait"
 appsinformersv1 "k8s.io/client-go/informers/apps/v1"
- coreinformersv1 "k8s.io/client-go/informers/core/v1"
- rbacinformersv1 "k8s.io/client-go/informers/rbac/v1"
 "k8s.io/client-go/kubernetes"
 coreclientsetv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 appslisterv1 "k8s.io/client-go/listers/apps/v1"
@@ -60,10 +58,7 @@ func New(
 config string,
- serviceAccountInfomer coreinformersv1.ServiceAccountInformer,
 deployInformer appsinformersv1.DeploymentInformer,
- clusterRoleInformer rbacinformersv1.ClusterRoleInformer,
- clusterRoleBindingInformer rbacinformersv1.ClusterRoleBindingInformer,
 kubeClient kubernetes.Interface,
 osClient osclientset.Interface,
@@ -82,10 +77,7 @@ func New(
 queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "machineapioperator"),
 }
- serviceAccountInfomer.Informer().AddEventHandler(optr.eventHandler())
 deployInformer.Informer().AddEventHandler(optr.eventHandler())
- clusterRoleInformer.Informer().AddEventHandler(optr.eventHandler())
- clusterRoleBindingInformer.Informer().AddEventHandler(optr.eventHandler())
 optr.config = config
 optr.syncHandler = optr.sync
diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 6075dda81..9962db1e2 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
@@ -51,24 +51,6 @@ func (optr *Operator) syncAll(config OperatorConfig) error {
 }
 func (optr *Operator) syncClusterAPIController(config OperatorConfig) error {
- crBytes, err := PopulateTemplate(&config, filepath.Join(ownedManifestsDir, "clusterapi-manager-cluster-role.yaml"))
- if err != nil {
- return err
- }
- cr := resourceread.ReadClusterRoleV1OrDie(crBytes)
- _, _, err = resourceapply.ApplyClusterRole(optr.kubeClient.RbacV1(), cr)
- if err != nil {
- return err
- }
- crbBytes, err := PopulateTemplate(&config, filepath.Join(ownedManifestsDir, "clusterapi-manager-cluster-role-binding.yaml"))
- if err != nil {
- return err
- }
- crb := resourceread.ReadClusterRoleBindingV1OrDie(crbBytes)
- _, _, err = resourceapply.ApplyClusterRoleBinding(optr.kubeClient.RbacV1(), crb)
- if err != nil {
- return err
- }
 controllerBytes, err := PopulateTemplate(&config, filepath.Join(ownedManifestsDir, "clusterapi-manager-controllers.yaml"))
 if err != nil {
 return err
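Review bot: Nothing in this hunk, or elsewhere in the patch, deletes the `cluster-api-manager-role` ClusterRole and `cluster-api-manager-rolebinding` ClusterRoleBinding that earlier operator versions applied from owned-manifests, so on an upgraded cluster the default ServiceAccount keeps that older binding (including its `'*'` grant on healthchecking.openshift.io) alongside the new CVO-managed one, unless something outside this diff removes them. A one-time best-effort cleanup at the top of syncClusterAPIController that deletes both objects through `optr.kubeClient.RbacV1()` and treats NotFound as success would close that gap; a short comment there, such as `// RBAC for the controllers is now installed by the CVO manifests; remove the objects older operator versions created.`, would also explain why the apply calls are gone. The body of syncClusterAPIController continues past the end of the hunk.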