From 0d3a15d2255b7d53e80ddc321f9687ae15889390 Mon Sep 17 00:00:00 2001
From: Carlos Eduardo Arango Gutierrez
Date: Thu, 11 Mar 2021 11:45:49 -0500
Subject: [PATCH] Use separate RBAC rules for master and worker
Signed-off-by: Carlos Eduardo Arango Gutierrez
---
build/assets/master/0100_service_account.yaml | 2 +-
build/assets/master/0200_clusterrole.yaml | 2 +-
.../master/0300_clusterrole_binding.yaml | 8 ++--
.../assets/master/0400_master_daemonset.yaml | 2 +-
build/assets/worker/01_worker_sa.yaml | 4 ++
build/assets/worker/02_worker_role.yaml | 13 ++++++
.../assets/worker/03_worker_rolebinding.yaml | 12 +++++
...orker_configmap.yaml => 04_worker_cm.yaml} | 0
...orker_daemonset.yaml => 05_worker_ds.yaml} | 2 +-
config/certmanager/certificate.yaml | 4 +-
.../webhook_in_nodefeaturediscoveries.yaml | 2 +-
config/default/kustomization.yaml | 2 +-
config/default/manager_auth_proxy_patch.yaml | 2 +-
config/default/manager_config_patch.yaml | 2 +-
config/manager/kustomization.yaml | 2 +-
config/manager/manager.yaml | 2 +-
config/prometheus/monitor.yaml | 2 +-
config/rbac/auth_proxy_role_binding.yaml | 2 +-
config/rbac/auth_proxy_service.yaml | 2 +-
config/rbac/leader_election_role.yaml | 46 +++++++++++++++++++
config/rbac/leader_election_role_binding.yaml | 2 +-
config/rbac/role_binding.yaml | 2 +-
...kubernetes.io_v1_nodefeaturediscovery.yaml | 4 +-
23 files changed, 98 insertions(+), 23 deletions(-)
create mode 100644 build/assets/worker/01_worker_sa.yaml
create mode 100644 build/assets/worker/02_worker_role.yaml
create mode 100644 build/assets/worker/03_worker_rolebinding.yaml
rename build/assets/worker/{0100_worker_configmap.yaml => 04_worker_cm.yaml} (100%)
rename build/assets/worker/{0200_worker_daemonset.yaml => 05_worker_ds.yaml} (98%)
diff --git a/build/assets/master/0100_service_account.yaml b/build/assets/master/0100_service_account.yaml
index 9896633f..92c4058f 100644
--- a/build/assets/master/0100_service_account.yaml
+++ b/build/assets/master/0100_service_account.yaml
@@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
- name: nfd-operator
+ name: nfd-master
diff --git a/build/assets/master/0200_clusterrole.yaml b/build/assets/master/0200_clusterrole.yaml
index f1d98c90..4750315f 100644
--- a/build/assets/master/0200_clusterrole.yaml
+++ b/build/assets/master/0200_clusterrole.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: nfd-operator
+ name: nfd-master
rules:
- apiGroups:
- ""
diff --git a/build/assets/master/0300_clusterrole_binding.yaml b/build/assets/master/0300_clusterrole_binding.yaml
index 1f817a34..bdae9301 100644
--- a/build/assets/master/0300_clusterrole_binding.yaml
+++ b/build/assets/master/0300_clusterrole_binding.yaml
@@ -1,13 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: nfd-operator
+ name: nfd-master
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: nfd-operator
+ name: nfd-master
subjects:
- kind: ServiceAccount
- name: nfd-operator
- namespace: node-feature-discovery-operator-devel
+ name: nfd-master
+ namespace: node-feature-discovery-operator
\ No newline at end of file
diff --git a/build/assets/master/0400_master_daemonset.yaml b/build/assets/master/0400_master_daemonset.yaml
index 408ccc44..781c207f 100644
--- a/build/assets/master/0400_master_daemonset.yaml
+++ b/build/assets/master/0400_master_daemonset.yaml
@@ -13,7 +13,7 @@ spec:
labels:
app: nfd-master
spec:
- serviceAccount: nfd-operator
+ serviceAccount: nfd-master
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
diff --git a/build/assets/worker/01_worker_sa.yaml b/build/assets/worker/01_worker_sa.yaml
new file mode 100644
index 00000000..442b06c5
--- /dev/null
+++ b/build/assets/worker/01_worker_sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nfd-worker
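Review bot: The ClusterRoleBinding subject in the 0300_clusterrole_binding.yaml hunk now hard-codes `namespace: node-feature-discovery-operator`, while the sample CR at the end of this patch carries a separate `spec.operand.namespace`; if the operator honours that field and deploys the operand elsewhere, the subject no longer names the real `nfd-master` ServiceAccount and the binding silently grants nothing, surfacing only as authorization failures from nfd-master. The new worker RoleBinding in 03_worker_rolebinding.yaml on the next line hard-codes the same subject namespace. Unless the operator is known to rewrite the subject namespace when it applies the asset, either template it from the CR or record the constraint in the asset, e.g. `# subject namespace must match spec.operand.namespace of the NodeFeatureDiscovery CR`. The `\ No newline at end of file` marker is also worth fixing while the file is being rewritten.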
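Review bot: `serviceAccount: nfd-master` in the 0400_master_daemonset.yaml hunk writes the PodSpec field that is documented as deprecated in favour of `serviceAccountName`; since the line is being rewritten anyway, change it to `serviceAccountName: nfd-master`. The worker DaemonSet hunk in 05_worker_ds.yaml on the next line has the matching `serviceAccount: nfd-worker` line and should get the same change. The enclosing pod template starts before the hunk.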
diff --git a/build/assets/worker/02_worker_role.yaml b/build/assets/worker/02_worker_role.yaml
new file mode 100644
index 00000000..c665fb9d
--- /dev/null
+++ b/build/assets/worker/02_worker_role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: nfd-worker
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - nfd-worker
diff --git a/build/assets/worker/03_worker_rolebinding.yaml b/build/assets/worker/03_worker_rolebinding.yaml
new file mode 100644
index 00000000..aa99cd45
--- /dev/null
+++ b/build/assets/worker/03_worker_rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: nfd-worker
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: nfd-worker
+subjects:
+- kind: ServiceAccount
+ name: nfd-worker
+ namespace: node-feature-discovery-operator
diff --git a/build/assets/worker/0100_worker_configmap.yaml b/build/assets/worker/04_worker_cm.yaml
similarity index 100%
rename from build/assets/worker/0100_worker_configmap.yaml
rename to build/assets/worker/04_worker_cm.yaml
diff --git a/build/assets/worker/0200_worker_daemonset.yaml b/build/assets/worker/05_worker_ds.yaml
similarity index 98%
rename from build/assets/worker/0200_worker_daemonset.yaml
rename to build/assets/worker/05_worker_ds.yaml
index 18caaa7e..28c20e02 100644
--- a/build/assets/worker/0200_worker_daemonset.yaml
+++ b/build/assets/worker/05_worker_ds.yaml
@@ -28,7 +28,7 @@ spec:
operator: Exists
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
- serviceAccount: nfd-operator
+ serviceAccount: nfd-worker
readOnlyRootFilesystem: true
containers:
- env:
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
index 85c6bb68..a63408ce 100644
--- a/config/certmanager/certificate.yaml
+++ b/config/certmanager/certificate.yaml
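Review bot: The new Role in 02_worker_role.yaml grants `use` on the PodSecurityPolicy named `nfd-worker`, but nothing in this patch creates that policy, so the rule has no effect until the PSP exists; if it is defined in another asset, that asset should be referenced here or ordered ahead of this file. Scoping the grant with `resourceNames` is the right least-privilege shape, but it also ties the operand to the PodSecurityPolicy API, which is deprecated and removed in Kubernetes 1.25, so a Pod Security Admission label on the operand namespace is the longer-lived option. Because the worker DaemonSet further down this line runs with `hostNetwork: true`, the referenced policy must allow host networking for the pods to be admitted at all, which is worth stating on the rule, e.g. `# the nfd-worker PSP must permit hostNetwork (see 05_worker_ds.yaml)`.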
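Review bot: `readOnlyRootFilesystem: true` in the context right after the changed `serviceAccount` line of the 05_worker_ds.yaml hunk sits at pod-spec level, beside `hostNetwork` and `containers`, where the Pod API has no such field; it belongs in a container's `securityContext`. Unless the operator decodes these assets with strict field validation, the unknown field is dropped silently and the worker container runs with a writable root filesystem, so the hardening this line appears to provide is not in effect. Move it under the container's `securityContext:` and confirm on a running pod that the field survives. The DaemonSet spec starts and ends outside the hunk.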
@@ -5,7 +5,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
spec:
selfSigned: {}
---
@@ -13,7 +13,7 @@ apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
spec:
# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
dnsNames:
diff --git a/config/crd/patches/webhook_in_nodefeaturediscoveries.yaml b/config/crd/patches/webhook_in_nodefeaturediscoveries.yaml
index ce1c283c..ee4109f5 100644
--- a/config/crd/patches/webhook_in_nodefeaturediscoveries.yaml
+++ b/config/crd/patches/webhook_in_nodefeaturediscoveries.yaml
@@ -9,6 +9,6 @@ spec:
webhook:
clientConfig:
service:
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
name: webhook-service
path: /convert
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 5bd4656a..261c9b66 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,5 +1,5 @@
# Adds namespace to all resources.
-namespace: node-feature-discovery-operator-devel
+namespace: node-feature-discovery-operator

# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index edbd2bb7..6df282d3 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -4,7 +4,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
spec:
template:
spec:
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
index 2badb18f..69bde919 100644
--- a/config/default/manager_config_patch.yaml
+++ b/config/default/manager_config_patch.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
spec:
template:
spec:
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 2521b010..36e28e06 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -13,4 +13,4 @@ kind: Kustomization
images:
- name: controller
newName: quay.io/eduardoarango/node-feature-discovery-operator
- newTag: sdk
+ newTag: v0.2.0-11-g5aabd286-dirty
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index e9032066..a55e0b5a 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -9,7 +9,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
labels:
control-plane: controller-manager
spec:
diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml
index 5a0b9d00..caac19bf 100644
--- a/config/prometheus/monitor.yaml
+++ b/config/prometheus/monitor.yaml
@@ -6,7 +6,7 @@ metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-monitor
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
spec:
endpoints:
- path: /metrics
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
index 61bb4cbf..aeab4cba 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/auth_proxy_role_binding.yaml
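Review bot: `newTag: v0.2.0-11-g5aabd286-dirty` in the config/manager/kustomization.yaml hunk pins the manager image to a `git describe` tag taken from an uncommitted working tree, so the image it names cannot be rebuilt from any commit, a later build on a clean tree will write a different tag, and `kustomize build` on this revision deploys a developer-local artifact from the personal `quay.io/eduardoarango/...` repository. If this file is meant to be committed, pin it to a released tag, or better an immutable reference via the kustomize `digest:` field, and let the build step rewrite it; otherwise keep the placeholder tag in git and apply the real tag only in the local build.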
@@ -9,4 +9,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: default
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
index fad08995..647dbabf 100644
--- a/config/rbac/auth_proxy_service.yaml
+++ b/config/rbac/auth_proxy_service.yaml
@@ -4,7 +4,7 @@ metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
spec:
ports:
- name: https
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
index 6334cc51..a3e57ab5 100644
--- a/config/rbac/leader_election_role.yaml
+++ b/config/rbac/leader_election_role.yaml
@@ -25,3 +25,49 @@ rules:
verbs:
- create
- patch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - configmaps
+ - secrets
+ - serviceaccounts
+ - nodes
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - nfd.kubernetes.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index 4daeb311..bd75c4bf 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: default
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 5e35a8b0..cd901661 100644
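Review bot: The rules added in the leader_election_role.yaml hunk grant the `'*'` verb on secrets, serviceaccounts, nodes and on roles/rolebindings/clusterroles/clusterrolebindings; for the RBAC resources the wildcard includes `bind` and `escalate`, which lets the holder grant itself any permission, so this is effectively full admin for whatever scope the resource has, and the binding in leader_election_role_binding.yaml further down attaches it to the namespace's `default` ServiceAccount, the one every pod in that namespace without an explicit `serviceAccountName` also runs as (role_binding.yaml and auth_proxy_role_binding.yaml bind `default` too). The resource's kind and name are above the hunk; if it is the kubebuilder-generated namespaced Role, the cluster-scoped entries (nodes, namespaces, clusterroles, clusterrolebindings) cannot be conferred by it at all, and the operator would still be unable to create the master ClusterRole from 0200_clusterrole.yaml. Keep this file to the leader-election resources it already covers and put the operator's own permissions in the role that role_binding.yaml binds, ideally generated by controller-gen from `+kubebuilder:rbac` markers so the manifest and the code stay in sync. In that role, enumerate verbs explicitly, e.g. `verbs: [get, list, watch, create, update, patch, delete]`, drop `secrets` unless the operator demonstrably reads one, and bind it to a dedicated ServiceAccount that the manager Deployment selects via `serviceAccountName`.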
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: default
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
diff --git a/config/samples/nfd.kubernetes.io_v1_nodefeaturediscovery.yaml b/config/samples/nfd.kubernetes.io_v1_nodefeaturediscovery.yaml
index f2de9d54..feb49cce 100644
--- a/config/samples/nfd.kubernetes.io_v1_nodefeaturediscovery.yaml
+++ b/config/samples/nfd.kubernetes.io_v1_nodefeaturediscovery.yaml
@@ -2,10 +2,10 @@ apiVersion: nfd.kubernetes.io/v1
kind: NodeFeatureDiscovery
metadata:
name: nfd-master-server
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
spec:
operand:
- namespace: node-feature-discovery-operator-devel
+ namespace: node-feature-discovery-operator
image: quay.io/openshift/origin-node-feature-discovery:4.7
imagePullPolicy: Always
workerConfig: