From ed07bcb4b4570a77a4d14d6f93e1d2ab3202ce2b Mon Sep 17 00:00:00 2001 From: bjwswang Date: Thu, 26 Oct 2023 14:32:38 +0800 Subject: [PATCH] fix: minimize permissions to arcadia Signed-off-by: bjwswang --- charts/arcadia/Chart.yaml | 4 +- charts/arcadia/templates/rbac.yaml | 146 +++++++++++++++++- .../arcadia.kubeagi.k8s.com.cn_embedders.yaml | 2 +- config/rbac/role.yaml | 14 +- .../samples/arcadia_v1alpha1_datasource.yaml | 6 +- config/samples/example-test.sh | 12 +- controllers/embedder_controller.go | 1 + controllers/llm_controller.go | 1 + controllers/prompt_controller.go | 1 + 9 files changed, 167 insertions(+), 20 deletions(-) diff --git a/charts/arcadia/Chart.yaml b/charts/arcadia/Chart.yaml index 43d52a2b9..46a6f4b0c 100644 --- a/charts/arcadia/Chart.yaml +++ b/charts/arcadia/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: arcadia description: A Helm chart(KubeBB Component) for KubeAGI Arcadia type: application -version: 0.1.8 -appVersion: "0.0.0" +version: 0.1.9 +appVersion: "0.0.1" keywords: - kubeagi - NativeAI diff --git a/charts/arcadia/templates/rbac.yaml b/charts/arcadia/templates/rbac.yaml index 419273522..cddaca4c9 100644 --- a/charts/arcadia/templates/rbac.yaml +++ b/charts/arcadia/templates/rbac.yaml 
@@ -11,8 +11,152 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: {{ .Release.Name }} subjects: - kind: ServiceAccount name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - datasources + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - datasources/finalizers + verbs: + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - datasources/status + verbs: + - get + - patch + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - embedders + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - embedders/finalizers + verbs: + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - embedders/status + verbs: + - get + - patch + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - laboratories + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - laboratories/finalizers + verbs: + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - laboratories/status + verbs: + - get + - patch + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - llms + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - llms/finalizers + verbs: + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - llms/status + verbs: + - get + - patch + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - prompts + verbs: + - create + 
- delete + - get + - list + - patch + - update + - watch +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - prompts/finalizers + verbs: + - update +- apiGroups: + - arcadia.kubeagi.k8s.com.cn + resources: + - prompts/status + verbs: + - get + - patch + - update + diff --git a/config/crd/bases/arcadia.kubeagi.k8s.com.cn_embedders.yaml b/config/crd/bases/arcadia.kubeagi.k8s.com.cn_embedders.yaml index 56a3f370f..dac548065 100644 --- a/config/crd/bases/arcadia.kubeagi.k8s.com.cn_embedders.yaml +++ b/config/crd/bases/arcadia.kubeagi.k8s.com.cn_embedders.yaml @@ -39,7 +39,7 @@ spec: description: Auth keeps the authentication credentials when access embedding service keeps in k8s secret type: string - name: + displayName: description: Name of the Embedding service type: string serviceType: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 4f49c4e82..f98ff14bf 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -5,6 +5,13 @@ metadata: creationTimestamp: null name: manager-role rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list - apiGroups: - arcadia.kubeagi.k8s.com.cn resources: @@ -135,10 +142,3 @@ rules: - get - patch - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list \ No newline at end of file diff --git a/config/samples/arcadia_v1alpha1_datasource.yaml b/config/samples/arcadia_v1alpha1_datasource.yaml index dbd6e20bd..a7b488aab 100644 --- a/config/samples/arcadia_v1alpha1_datasource.yaml +++ b/config/samples/arcadia_v1alpha1_datasource.yaml @@ -1,8 +1,8 @@ apiVersion: arcadia.kubeagi.k8s.com.cn/v1alpha1 kind: Datasource metadata: - name: datasource-sample + name: arcadia-oss-minio namespace: arcadia spec: - url: my-minio.arcadia.svc.cluster.local:9000 - authsecret: my-minio \ No newline at end of file + url: arcadia-oss-minio.arcadia.svc.cluster.local:9000 + authsecret: arcadia-oss-minio 
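Review bot: The new ClusterRole still grants `list` on every Secret in the cluster (the first rule under `rules:`), which is the broadest permission left after dropping cluster-admin: `list` returns the full contents of all Secrets in all namespaces, while reading the one credential Secret a CR references only needs `get`. If the reconcilers only Get the Secret named in the spec, `verbs: [get]` is enough; the rule originates from the `//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list` markers added in embedder_controller.go, llm_controller.go and prompt_controller.go in the later hunks, so trim it there and regenerate. This ClusterRole also hand-copies config/rbac/role.yaml, which controller-gen regenerates from those markers, so the two will drift unless the chart is produced from the same source; a comment such as `# keep in sync with config/rbac/role.yaml (controller-gen output)` above `rules:` would at least record that. If the manager runs with leader election or records Events, the leases/events rules are absent here — the Deployment template is not in this diff, so confirm. The hunk also appends a trailing `+ ` blank line at the end of the file.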
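Review bot: Renaming the served schema property from `name` to `displayName` in the embedders CRD is a breaking change for existing Embedder objects and is unrelated to the permission change this commit describes. The diffstat shows no change under api/, and this file is normally controller-gen output, so if the Go type still carries the old json tag the next `make manifests` will revert this edit; if the type was already renamed in an earlier commit, the commit message should say so. Either way the rename deserves its own commit with a note on migrating existing objects.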
diff --git a/config/samples/example-test.sh b/config/samples/example-test.sh index 87c716314..51932a44b 100755 --- a/config/samples/example-test.sh +++ b/config/samples/example-test.sh @@ -172,14 +172,14 @@ function waitCRDStatusReady() { info "1. create kind cluster" make kind -info "2. install kubebb core" -info "2.1 deploy kubebb/core and minio" +info "2. install minio as arcadia oss" +info "2.1 add repo kubebb" helm repo add kubebb https://kubebb.github.io/components/ helm repo update +info "2.2 install minio" kubectl create ns arcadia -helm install -n kubebb-system --create-namespace kubebb-core kubebb/kubebb-core -helm install my-minio -n arcadia kubebb/minio -waitPodReady "arcadia" "release=my-minio" +helm install arcadia-oss -n arcadia kubebb/minio +waitPodReady "arcadia" "release=arcadia-oss" info "3. install arcadia" docker tag controller:latest controller:example-e2e @@ -189,6 +189,6 @@ kubectl wait deploy -n arcadia arcadia-controller-manager --for condition=Availa info "4. CRD datasource check" kubectl apply -f config/samples/arcadia_v1alpha1_datasource.yaml -waitCRDStatusReady "Datasource" "arcadia" "datasource-sample" +waitCRDStatusReady "Datasource" "arcadia" "arcadia-oss-minio" info "all finished! ✅" diff --git a/controllers/embedder_controller.go b/controllers/embedder_controller.go index beed10304..8edf20a6a 100644 --- a/controllers/embedder_controller.go +++ b/controllers/embedder_controller.go 
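Review bot: The names the test now depends on — the release in `helm install arcadia-oss -n arcadia kubebb/minio`, the label `release=arcadia-oss`, and `arcadia-oss-minio` in both the datasource sample and `waitCRDStatusReady "Datasource" "arcadia" "arcadia-oss-minio"` — are coupled through the minio chart's naming convention, which nothing in the script records. A comment before the install line, such as `# release "arcadia-oss" yields service/secret "arcadia-oss-minio", referenced by config/samples/arcadia_v1alpha1_datasource.yaml`, would make the coupling explicit. I am inferring the `<release>-minio` convention from the sample's `url:` and `authsecret:` values, so confirm it against the chart before adding the comment.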
@@ -47,6 +47,7 @@ type EmbedderReconciler struct { //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=embedders,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=embedders/status,verbs=get;update;patch //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=embedders/finalizers,verbs=update +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/controllers/llm_controller.go b/controllers/llm_controller.go index 9d4f38b22..28c3f6c97 100644 --- a/controllers/llm_controller.go +++ b/controllers/llm_controller.go @@ -48,6 +48,7 @@ type LLMReconciler struct { //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=llms,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=llms/status,verbs=get;update;patch //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=llms/finalizers,verbs=update +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/controllers/prompt_controller.go b/controllers/prompt_controller.go index 15f8df808..ed3dc6f94 100644 --- a/controllers/prompt_controller.go +++ b/controllers/prompt_controller.go 
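Review bot: The added marker in embedder_controller.go gives no hint of which Secret the reconciler reads or why `list` is needed alongside `get`; Reconcile itself starts below the hunk, so a reader cannot tell from here. A short why-comment above it would carry that, e.g. `// secrets: read-only access to the credential Secret referenced by the Embedder spec (see Auth in the CRD)`, adjusted per controller. The same undocumented marker is added to llm_controller.go in the next hunk and to prompt_controller.go in the last one. Since these markers are the source of config/rbac/role.yaml and of the chart ClusterRole, the intended minimum verb set and its justification belong here rather than in the generated files.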
@@ -49,6 +49,7 @@ type PromptReconciler struct { //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=prompts,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=prompts/status,verbs=get;update;patch //+kubebuilder:rbac:groups=arcadia.kubeagi.k8s.com.cn,resources=prompts/finalizers,verbs=update +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state.