Merge pull request #144 from ArangoGutierrez/devel/rbac_hardening
Update kubebuilder rbac
k8s-ci-robot authored Apr 19, 2022
2 parents c8d3fd7 + f2ad4b9 commit 93e7b7e
Showing 3 changed files with 35 additions and 179 deletions.
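--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -13,45 +13,3 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
-
-# needed for nfd-worker
-# this patch is needed given that
-# +kubebuilder does not allow resourceNames
-patchesJSON6902:
-- target:
-kind: ClusterRole
-name: manager-role
-patch: |-
-- op: add
-path: /rules/0
-value:
-apiGroups:
-- policy
-resources:
-- podsecuritypolicies
-verbs:
-- use
-resourceNames:
-- nfd-worker
-- op: add
-path: /rules/1
-value:
-apiGroups:
-- nfd.k8s-sigs.io
-resources:
-- nodefeaturerules
-verbs:
-- get
-- list
-- watch
-- op: add
-path: /rules/2
-value:
-apiGroups:
-- topology.node.k8s.io
-resources:
-- noderesourcetopologies
-verbs:
-- create
-- get
-- update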
147 changes: 26 additions & 121 deletions config/rbac/role.yaml
Expand Up @@ -5,6 +5,14 @@ metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- watch
- apiGroups:
- apps
resources:
Expand All @@ -30,56 +38,44 @@ rules:
- update
- watch
- apiGroups:
- coordination.k8s.io
- cert-manager.io
resources:
- leases
- certificates
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- ""
- cert-manager.io
resources:
- configmaps
- issuers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
- coordination.k8s.io
resources:
- endpoints
- leases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- events
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- imagestreams/layers
verbs:
- get
- apiGroups:
- ""
resources:
Expand All @@ -97,8 +93,6 @@ rules:
resources:
- nodes
verbs:
- create
- delete
- get
- list
- patch
Expand All @@ -112,25 +106,6 @@ rules:
- get
- patch
- update
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
Expand All @@ -143,24 +118,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
Expand All @@ -186,55 +143,21 @@ rules:
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- prometheusrules
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- nfd.kubernetes.io
- nfd.k8s-sigs.io
resources:
- nodefeaturediscoveries
- nodefeaturerules
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- nfd.kubernetes.io
- policy
resourceNames:
- nfd-worker
resources:
- nodefeaturediscoveries/finalizers
- podsecuritypolicies
verbs:
- update
- apiGroups:
- nfd.kubernetes.io
resources:
- nodefeaturediscoveries/status
verbs:
- get
- patch
- update
- use
- apiGroups:
- rbac.authorization.k8s.io
resources:
Expand Down Expand Up @@ -284,28 +207,10 @@ rules:
- update
- watch
- apiGroups:
- storage.k8s.io
- topology.node.k8s.io
resources:
- csidrivers
- noderesourcetopologies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- watch
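Review bot: The retained `policy`/`podsecuritypolicies` rule with `resourceNames: [nfd-worker]` and verb `use` is scoped correctly, but it only has effect while the PodSecurityPolicy admission plugin is enabled; PSP is deprecated since Kubernetes 1.21 and scheduled for removal in 1.25, so this entry (and the nfd-worker PSP it refers to) will need a Pod Security Admission / namespace-label replacement before clusters upgrade. The ClusterRole also still carries a `rbac.authorization.k8s.io` rule whose verbs fall outside this view; if it keeps cluster-wide create/update/delete on clusterroles and clusterrolebindings, consider pinning it with `resourceNames` to the NFD-managed objects, since the ability to write arbitrary bindings is the most sensitive permission left after this trim. Both the trimmed `nodes` rule (create/delete dropped, `patch` kept) and that rbac rule look like grants the operator holds only because it creates the nfd-master/worker (Cluster)Roles and RBAC escalation prevention requires the creator to already hold everything it grants; this generated file cannot carry that explanation, so it belongs next to the kubebuilder markers in the controller.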
25 changes: 9 additions & 16 deletions controllers/nodefeaturediscovery_controller.go
Expand Up @@ -97,35 +97,28 @@ func validateUpdateEvent(e *event.UpdateEvent) bool {
return true
}

// +kubebuilder:rbac:groups=nfd.kubernetes.io,resources=nodefeaturediscoveries,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=nfd.kubernetes.io,resources=nodefeaturediscoveries/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=nfd.kubernetes.io,resources=nodefeaturediscoveries/finalizers,verbs=update
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=update
// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=get;patch;update
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods/log,verbs=get
// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=imagestreams/layers,verbs=get
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=events,verbs=list;watch;create;update;patch
// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;update;
// +kubebuilder:rbac:groups=core,resources=persistentvolumes,verbs=get;list;watch;create;delete
// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;delete
// +kubebuilder:rbac:groups=storage.k8s.io,resources=csinodes,verbs=get;list;watch
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch
// +kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=prometheusrules,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=events,verbs=create;watch;update
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;patch
// +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=use,resourceNames=nfd-worker
// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch
// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch
// +kubebuilder:rbac:groups=topology.node.k8s.io,resources=noderesourcetopologies,verbs=create;update;get
// +kubebuilder:rbac:groups=nfd.k8s-sigs.io,resources=nodefeaturerules,verbs=get;list;watch

// Reconcile is part of the main kubernetes reconciliation loop which aims
// to move the current state of the cluster closer to the desired state.
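Review bot: The new events marker `// +kubebuilder:rbac:groups="",resources=events,verbs=create;watch;update` grants `watch` without `list`, which the marker it replaces had; an informer-backed watch (ListAndWatch) fails without `list`, while a plain event recorder needs neither, so either restore `list` or drop `watch` — keeping one half of the pair is the wrong end of least privilege. The same line spells the core group as `""` while the neighbouring new `nodes` marker uses `core`; controller-gen treats them as the same group, but a consistent spelling (`groups=core` on both) avoids a future hand-merge producing two rules for one resource. The marker block would also benefit from a short comment explaining why broad grants remain after this hardening, e.g. `// NOTE: the operator must already hold every permission it grants to the NFD component roles it creates (RBAC escalation prevention); trim those markers together with the managed roles.` — without it the next reviewer cannot tell which verbs are safe to drop. The marker block sits between validateUpdateEvent and Reconcile, whose body continues outside the hunk.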
