From cc0f0b8a6a113e9f5e40c68dbe8ff53cd9029ecb Mon Sep 17 00:00:00 2001 From: Madhu Rajanna Date: Wed, 12 Aug 2020 20:55:36 +0530 Subject: [PATCH] deploy: remove unnecessary aggregate clusterroles The aggregate clusterroles were designed for the scenario where the rules are not completely owned by one component. The aggregate rules can be removed, which simplifies certain issues around upgrades. Signed-off-by: Madhu Rajanna --- .../templates/nodeplugin-clusterrole.yaml | 9 ++- .../nodeplugin-rules-clusterrole.yaml | 19 ------ .../templates/provisioner-clusterrole.yaml | 53 ++++++++++++++-- .../provisioner-rules-clusterrole.yaml | 61 ------------------ .../templates/nodeplugin-clusterrole.yaml | 9 ++- .../nodeplugin-rules-clusterrole.yaml | 19 ------ .../templates/provisioner-clusterrole.yaml | 55 ++++++++++++++-- .../provisioner-rules-clusterrole.yaml | 62 ------------------- .../kubernetes/csi-nodeplugin-rbac.yaml | 12 ---- .../kubernetes/csi-provisioner-rbac.yaml | 12 ---- .../rbd/kubernetes/csi-nodeplugin-rbac.yaml | 12 ---- .../rbd/kubernetes/csi-provisioner-rbac.yaml | 12 ---- 12 files changed, 106 insertions(+), 229 deletions(-) delete mode 100644 charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml delete mode 100644 charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml delete mode 100644 charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml delete mode 100644 charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml index 8e9d593c156..f5bb71ef9ce 100644 --- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml +++ b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
@@ -10,10 +10,9 @@ metadata: component: {{ .Values.nodeplugin.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}: "true" -rules: [] +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] {{- end }} {{- end -}} diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml deleted file mode 100644 index 44ea3b51628..00000000000 --- a/charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create -}} -{{- if .Values.topology.enabled }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-rules - labels: - app: {{ include "ceph-csi-cephfs.name" . }} - chart: {{ include "ceph-csi-cephfs.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}: "true" -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] -{{- end }} -{{- end -}} diff --git a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml index c656b139a08..576a6f7bdf1 100644 --- a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml +++ b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml 
@@ -9,9 +9,52 @@ metadata: component: {{ .Values.provisioner.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.provisioner.fullname" . }}: "true" -rules: [] +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete","patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update"] +{{- if .Values.provisioner.attacher.enabled }} + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +{{- end -}} +{{- if semverCompare ">=1.15" .Capabilities.KubeVersion.GitVersion -}} +{{- if .Values.provisioner.resizer.enabled }} + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] +{{- end -}} +{{- end -}} +{{- if .Values.topology.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] +{{- end }} {{- end -}} 
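Review bot: The `nodes` rule added under `{{- if .Values.topology.enabled }}` has a malformed verb list, `verbs: ["get", "list", watch"]` — the opening quote before `watch` is missing, so a YAML parser either reads the third entry as the plain scalar `watch"` or rejects the flow sequence, and in neither case is the provisioner granted `watch` on nodes. The deleted provisioner-rules-clusterrole.yaml carries the same typo, so this commit relocates the defect rather than fixing it, and the rbd provisioner-clusterrole.yaml hunk has the identical line. It should read `verbs: ["get", "list", "watch"]` in both charts. The closing `{{- end -}}` context line matches a guard that opens above the hunk.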
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml
deleted file mode 100644
index c1ff25c086f..00000000000
--- a/charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml
+++ /dev/null
@@ -1,61 +0,0 @@ -{{- if .Values.rbac.create -}} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}-rules - labels: - app: {{ include "ceph-csi-cephfs.name" . }} - chart: {{ include "ceph-csi-cephfs.chart" . }} - component: {{ .Values.provisioner.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.provisioner.fullname" . }}: "true" -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete","patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update"] -{{- if .Values.provisioner.attacher.enabled }} - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] -{{- end -}} -{{- if semverCompare ">=1.15" .Capabilities.KubeVersion.GitVersion -}} -{{- if .Values.provisioner.resizer.enabled }} - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] -{{- end -}} -{{- end -}} -{{- if .Values.topology.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: 
["get", "list", watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] -{{- end }} -{{- end -}} diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml index 8c141582619..4a34515f174 100644 --- a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml +++ b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml @@ -10,10 +10,9 @@ metadata: component: {{ .Values.nodeplugin.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}: "true" -rules: [] +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] {{- end }} {{- end -}} diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml deleted file mode 100644 index 802c79c35df..00000000000 --- a/charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create -}} -{{- if .Values.topology.enabled }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}-rules - labels: - app: {{ include "ceph-csi-rbd.name" . }} - chart: {{ include "ceph-csi-rbd.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}: "true" -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] -{{- end }} -{{- end -}} diff --git a/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml b/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml index 21745ed4950..1dc9bdcad90 100644 --- a/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml 
+++ b/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml @@ -9,9 +9,54 @@ metadata: component: {{ .Values.provisioner.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.provisioner.fullname" . }}: "true" -rules: [] +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "create", "update"] +{{- if .Values.provisioner.attacher.enabled }} + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] +{{- end }} + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update"] +{{- if .Values.provisioner.resizer.enabled }} + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] +{{- end }} +{{- if .Values.topology.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] +{{- end }} + {{- end -}} 
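Review bot: The `persistentvolumeclaims/status` rule here is emitted purely on `.Values.provisioner.resizer.enabled`, whereas the cephfs provisioner-clusterrole.yaml in this same patch additionally wraps that rule in `{{- if semverCompare ">=1.15" .Capabilities.KubeVersion.GitVersion -}}`. Now that each chart inlines its own rule list there is no shared source for them, so the two charts should agree on whether that version gate is needed; the diff does not show which is intended. The rbd list also differs from cephfs by granting `update` on `persistentvolumes` and `get`/`create`/`update` on `endpoints` — carried over unchanged from the deleted file, but worth a one-line comment above each of those rules naming the sidecar that requires it, so the extra grants are not mistaken for drift. The closing `{{- end -}}` context line matches a guard that opens above the hunk.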
diff --git a/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml b/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml
deleted file mode 100644
index 05074df5dcf..00000000000
--- a/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml
+++ /dev/null
@@ -1,62 +0,0 @@ -{{- if .Values.rbac.create -}} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}-rules - labels: - app: {{ include "ceph-csi-rbd.name" . }} - chart: {{ include "ceph-csi-rbd.chart" . }} - component: {{ .Values.provisioner.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.provisioner.fullname" . }}: "true" -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "create", "update"] -{{- if .Values.provisioner.attacher.enabled }} - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] -{{- end }} - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update"] -{{- if .Values.provisioner.resizer.enabled }} - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] -{{- end }} -{{- if .Values.topology.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", 
"list", watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] -{{- end }} -{{- end -}} diff --git a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml index b8d56176301..1c1ccda3fc1 100644 --- a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml +++ b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml @@ -8,18 +8,6 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cephfs-csi-nodeplugin -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-csi-nodeplugin: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-nodeplugin-rules - labels: - rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-csi-nodeplugin: "true" rules: - apiGroups: [""] resources: ["nodes"] diff --git a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml index c93697b19f2..645f4081c44 100644 --- a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml +++ b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml @@ -9,18 +9,6 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cephfs-external-provisioner-runner -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-external-provisioner-runner: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-external-provisioner-runner-rules - labels: - rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-external-provisioner-runner: "true" rules: - apiGroups: [""] resources: ["nodes"] diff --git a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml index 96a553d1b9a..db1245cd9fc 100644 --- a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml +++ b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml 
@@ -8,18 +8,6 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rbd-csi-nodeplugin -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.rbd.csi.ceph.com/aggregate-to-rbd-csi-nodeplugin: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-nodeplugin-rules - labels: - rbac.rbd.csi.ceph.com/aggregate-to-rbd-csi-nodeplugin: "true" rules: - apiGroups: [""] resources: ["nodes"] diff --git a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml index 4cce4d75168..d4f4fe128fb 100644 --- a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml +++ b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml @@ -9,18 +9,6 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rbd-external-provisioner-runner -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.rbd.csi.ceph.com/aggregate-to-rbd-external-provisioner-runner: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-external-provisioner-runner-rules - labels: - rbac.rbd.csi.ceph.com/aggregate-to-rbd-external-provisioner-runner: "true" rules: - apiGroups: [""] resources: ["nodes"]