Merge pull request #32 from bjwswang/dev

fix: minimize permissions to arcadia
kubeagi · Oct 26, 2023 · cfeba94 · cfeba94
2 parents 153b5a5 + ed07bcb
commit cfeba94
Show file tree

Hide file tree

Showing 9 changed files with 167 additions and 20 deletions.
diff --git a/charts/arcadia/Chart.yaml b/charts/arcadia/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: arcadia
 description: A Helm chart(KubeBB Component) for KubeAGI Arcadia
 type: application
-version: 0.1.8
-appVersion: "0.0.0"
+version: 0.1.9
+appVersion: "0.0.1"
 keywords:
   - kubeagi
   - NativeAI

diff --git a/charts/arcadia/templates/rbac.yaml b/charts/arcadia/templates/rbac.yaml
@@ -11,8 +11,152 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: {{ .Release.Name }}
 subjects:
 - kind: ServiceAccount
   name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - datasources
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - datasources/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - datasources/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - embedders
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - embedders/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - embedders/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - laboratories
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - laboratories/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - laboratories/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - llms
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - llms/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - llms/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - prompts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - prompts/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - arcadia.kubeagi.k8s.com.cn
+  resources:
+  - prompts/status
+  verbs:
+  - get
+  - patch
+  - update
+
diff --git a/config/crd/bases/arcadia.kubeagi.k8s.com.cn_embedders.yaml b/config/crd/bases/arcadia.kubeagi.k8s.com.cn_embedders.yaml
@@ -39,7 +39,7 @@ spec:
                 description: Auth keeps the authentication credentials when access
                   embedding service keeps in k8s secret
                 type: string
-              name:
+              displayName:
                 description: Name of the Embedding service
                 type: string
               serviceType:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -5,6 +5,13 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
 - apiGroups:
   - arcadia.kubeagi.k8s.com.cn
   resources:
@@ -135,10 +142,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
diff --git a/config/samples/arcadia_v1alpha1_datasource.yaml b/config/samples/arcadia_v1alpha1_datasource.yaml
@@ -1,8 +1,8 @@
 apiVersion: arcadia.kubeagi.k8s.com.cn/v1alpha1
 kind: Datasource
 metadata:
-  name: datasource-sample
+  name: arcadia-oss-minio
   namespace: arcadia
 spec:
-  url: my-minio.arcadia.svc.cluster.local:9000
-  authsecret: my-minio
+  url: arcadia-oss-minio.arcadia.svc.cluster.local:9000
+  authsecret: arcadia-oss-minio
diff --git a/config/samples/example-test.sh b/config/samples/example-test.sh
@@ -172,14 +172,14 @@ function waitCRDStatusReady() {
 info "1. create kind cluster"
 make kind
 
-info "2. install kubebb core"
-info "2.1 deploy kubebb/core and minio"
+info "2. install minio as arcadia oss"
+info "2.1 add repo kubebb"
 helm repo add kubebb https://kubebb.github.io/components/
 helm repo update
+info "2.2 install minio"
 kubectl create ns arcadia
-helm install -n kubebb-system --create-namespace kubebb-core kubebb/kubebb-core
-helm install my-minio -n arcadia kubebb/minio
-waitPodReady "arcadia" "release=my-minio"
+helm install arcadia-oss -n arcadia kubebb/minio
+waitPodReady "arcadia" "release=arcadia-oss"
 
 info "3. install arcadia"
 docker tag controller:latest controller:example-e2e
@@ -189,6 +189,6 @@ kubectl wait deploy -n arcadia arcadia-controller-manager --for condition=Availa
 
 info "4. CRD datasource check"
 kubectl apply -f config/samples/arcadia_v1alpha1_datasource.yaml
-waitCRDStatusReady "Datasource" "arcadia" "datasource-sample"
+waitCRDStatusReady "Datasource" "arcadia" "arcadia-oss-minio"
 
 info "all finished! ✅"
diff --git a/controllers/embedder_controller.go b/controllers/embedder_controller.go
@@ -47,6 +47,7 @@ type EmbedderReconciler struct {
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=embedders,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=embedders/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=embedders/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/controllers/llm_controller.go b/controllers/llm_controller.go
@@ -48,6 +48,7 @@ type LLMReconciler struct {
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=llms,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=llms/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=llms/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/controllers/prompt_controller.go b/controllers/prompt_controller.go
@@ -49,6 +49,7 @@ type PromptReconciler struct {
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=prompts,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=prompts/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=prompts/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.