Commit
Merge pull request #89 from cybozu-go/remove-too-permissive-rbac
Make admin privileges configurable
ymmt2005 authored Sep 28, 2023
2 parents 0924d8b + f8bff61 commit 7573c38
Showing 10 changed files with 49 additions and 65 deletions.
3 changes: 3 additions & 0 deletions Makefile
@@ -10,6 +10,9 @@ SUDO = sudo
SHELL = /bin/bash
.SHELLFLAGS = -e -o pipefail -c

PATH := $(shell aqua root-dir)/bin:$(PATH)"
export PATH

CRD_OPTIONS = "crd:crdVersions=v1,maxDescLen=220"

# for Go
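Review bot: the added `PATH := $(shell aqua root-dir)/bin:$(PATH)"` line has a stray trailing double quote; make does not treat quotes specially, so the `"` becomes part of the variable value and, once `export PATH` hands it to every recipe shell, the last search directory in PATH ends in a literal `"` and no longer resolves. Drop the quote: `PATH := $(shell aqua root-dir)/bin:$(PATH)`.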
6 changes: 5 additions & 1 deletion README.md
@@ -49,7 +49,11 @@ Run and try Accurate on a [kind (Kubernetes-In-Docker)][kind] cluster as follows

3. Install [aqua][].

https://aquaproj.github.io/docs/tutorial-basics/quick-start
```console
$ go install github.com/aquaproj/aqua/v2/cmd/aqua@latest
```

cf. https://aquaproj.github.io/docs/install
4. Go to `e2e` directory, setup shell variables, and execute `make start`.

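Review bot: `go install github.com/aquaproj/aqua/v2/cmd/aqua@latest` resolves to whatever is newest at run time, so two developers following this step can end up with different aqua versions and the e2e setup is not reproducible; pin a release tag instead of `@latest` (the `cf.` install docs link below it is the right place to send people for the current pinned version). Separately, the fenced block and the `cf.` line are not indented under item `3.` and there is no blank line before item `4.`, so Markdown does not render them as part of step 3; indent both by three spaces and add the blank line.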
27 changes: 14 additions & 13 deletions charts/accurate/README.md
@@ -39,19 +39,20 @@ $ helm install --create-namespace --namespace accurate accurate -f values.yaml a

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
| controller.extraArgs | list | `[]` | Optional additional arguments. |
| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |
| Key | Type | Default | Description |
| ---------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
| controller.additionalRBAC.clusterRoles | list | `[]` | Specify additional ClusterRoles to be granted to the accurate controller. "admin" is recommended to allow the controller to manage common namespace-scoped resources. |
| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
| controller.extraArgs | list | `[]` | Optional additional arguments. |
| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |

## Generate Manifests

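Review bot: the new `controller.additionalRBAC.clusterRoles` row should state that each name is bound with a ClusterRoleBinding, so the role applies in every namespace, not only in the sub-namespaces Accurate manages; with `admin` that means the controller's ServiceAccount can write Secrets, Roles and RoleBindings cluster-wide, which operators should know before accepting the recommendation. In the same table, the `controller.config.watches` description still says "Any namespace-scoped resource is allowed", which no longer holds on its own now that the wildcard get/list/watch rule is removed from the generated ClusterRole in this commit: a kind listed in `watches` must also be granted through `additionalRBAC.rules` or one of the bound `clusterRoles`, otherwise the controller's watch on it is forbidden. Mention that coupling in the description.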
22 changes: 20 additions & 2 deletions charts/accurate/templates/additional-rbac.yaml
@@ -1,4 +1,4 @@
{{ if .Values.controller.additionalRBAC.rules }}
{{- if .Values.controller.additionalRBAC.rules }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -19,4 +19,22 @@ subjects:
name: {{ template "accurate.fullname" . }}-controller-manager
namespace: {{ .Release.Namespace }}
---
{{ end }}
{{- end }}
{{- if .Values.controller.additionalRBAC.clusterRoles }}
{{- $root := . }}
{{- range .Values.controller.additionalRBAC.clusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "accurate.fullname" $root }}-manager-{{ . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ . }}
subjects:
- kind: ServiceAccount
name: {{ template "accurate.fullname" $root }}-controller-manager
namespace: {{ $root.Release.Namespace }}
---
{{- end }}
{{- end }}
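Review bot: the ClusterRoleBindings rendered in the `range` carry no `labels`, while the `manager-admin` binding they replace in generated.yaml had the chart's `app.kubernetes.io/*` and `helm.sh/chart` labels; add the common labels under `metadata:` so these objects stay selectable together with the rest of the release. Also, the name `{{ template "accurate.fullname" $root }}-manager-{{ . }}` is built verbatim from each list entry, so a duplicated entry in `clusterRoles` renders two identical documents; iterate over `(uniq .Values.controller.additionalRBAC.clusterRoles)` or state in the values comment that entries must be unique.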
26 changes: 0 additions & 26 deletions charts/accurate/templates/generated/generated.yaml
@@ -74,14 +74,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- accurate.cybozu.com
resources:
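Review bot: this file is the generated copy of config/rbac/role.yaml (the same eight wildcard lines are removed there in this commit), so the change should come from regenerating after the marker removal rather than from a hand edit; a CI step that regenerates and diffs generated.yaml would catch the two drifting apart on future RBAC-marker changes.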
@@ -187,24 +179,6 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/name: '{{ include "accurate.name" . }}'
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ include "accurate.chart" . }}'
name: '{{ template "accurate.fullname" . }}-manager-admin'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: '{{ template "accurate.fullname" . }}-controller-manager'
namespace: '{{ .Release.Namespace }}'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
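Review bot: the removed binding was named `{{ template "accurate.fullname" . }}-manager-admin`, and with the default `clusterRoles: [admin]` the new range template in additional-rbac.yaml renders the same kind and name, so `helm upgrade` should adopt the existing object instead of deleting and recreating it; please confirm with an upgrade from the previous release that the controller keeps `admin` throughout and that the only diff is the dropped labels.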
5 changes: 5 additions & 0 deletions charts/accurate/values.yaml
@@ -102,3 +102,8 @@ controller:
- update
- patch
- delete
# controller.additionalRBAC.clusterRoles -- Specify additional ClusterRoles to be granted
# to the accurate controller. "admin" is recommended to allow the controller to manage
# common namespace-scoped resources.
clusterRoles:
- admin
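Review bot: the default still binds `admin` to the controller cluster-wide, so the effective privilege of a default install is unchanged by this PR; what changes is that the unconditional wildcard read is gone and the admin grant becomes opt-out. The comment should say that these are ClusterRoleBindings (all namespaces), and point operators who only propagate a fixed set of kinds (the default `watches` are Role, RoleBinding and Secret) to `clusterRoles: []` plus explicit `additionalRBAC.rules` as the least-privilege configuration. Since `admin` is an aggregated ClusterRole, what it permits also grows whenever any installed component adds `aggregate-to-admin` rules; a line noting that would help anyone reviewing the controller's permissions later.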
8 changes: 0 additions & 8 deletions config/rbac/role.yaml
@@ -16,14 +16,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- accurate.cybozu.com
resources:
13 changes: 0 additions & 13 deletions config/rbac/role_binding.yaml
@@ -10,16 +10,3 @@ subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
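Review bot: after this removal the kustomize base under config/ binds the controller-manager ServiceAccount only to the generated role, which in this commit loses its wildcard read rule, while the Helm chart keeps granting `admin` through its default values; if config/ serves only as the input for generated.yaml that is fine, but anyone applying config/ directly now gets a controller that cannot read or propagate the default watched kinds. Either state in the README that the chart is the supported install path or add an explicitly chosen binding to the kustomize base.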
2 changes: 0 additions & 2 deletions controllers/propagate.go
@@ -54,8 +54,6 @@ func cloneResource(res *unstructured.Unstructured, ns string) *unstructured.Unst
return c
}

//+kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch

// PropagateController propagates objects of a namespace-scoped resource.
type PropagateController struct {
client.Client
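Review bot: with the `//+kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch` marker gone, nothing at this site records where PropagateController's read access to the watched kinds now comes from; a one-line comment above the type saying that those permissions are supplied through `controller.additionalRBAC` in the chart would stop a future fix for a forbidden error from simply reintroducing the wildcard marker.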
2 changes: 2 additions & 0 deletions e2e/values.yaml
@@ -56,3 +56,5 @@ controller:
- update
- patch
- delete
clusterRoles:
- admin
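Review bot: the e2e values only exercise `clusterRoles: [admin]`, which is also the chart default, so the new configurability is untested and neither is the failure mode of an install that sets `clusterRoles: []` without matching `additionalRBAC.rules`; a second e2e configuration with `clusterRoles: []` plus explicit rules for the three default watched kinds would prove the controller works without `admin`.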
