From 6b322cefe10ac55652f9458be17b5461d1e3e918 Mon Sep 17 00:00:00 2001
From: Enxebre
Date: Thu, 16 May 2019 19:11:23 +0200
Subject: [PATCH 1/4] Increase operator logging level
---
 install/0000_30_machine-api-operator_10_deployment.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/install/0000_30_machine-api-operator_10_deployment.yaml b/install/0000_30_machine-api-operator_10_deployment.yaml
index de06915424..8934b181fb 100644
--- a/install/0000_30_machine-api-operator_10_deployment.yaml
+++ b/install/0000_30_machine-api-operator_10_deployment.yaml
@@ -25,6 +25,8 @@ spec:
 args:
 - "start"
 - "--images-json=/etc/machine-api-operator-config/images/images.json"
+ - "--alsologtostderr"
+ - "--v=3"
 env:
 - name: RELEASE_VERSION
 value: "0.0.1-snapshot"
From 3ff6fad28af2001cae0497babef82b2073cf0ec3 Mon Sep 17 00:00:00 2001
From: Enxebre
Date: Thu, 16 May 2019 19:12:22 +0200
Subject: [PATCH 2/4] Break down permissions
---
 .../0000_30_machine-api-operator_09_rbac.yaml | 178 +++++++++++++-----
 1 file changed, 134 insertions(+), 44 deletions(-)
diff --git a/install/0000_30_machine-api-operator_09_rbac.yaml b/install/0000_30_machine-api-operator_09_rbac.yaml
index 6da776f06f..b7d51959c0 100644
--- a/install/0000_30_machine-api-operator_09_rbac.yaml
+++ b/install/0000_30_machine-api-operator_09_rbac.yaml
@@ -4,19 +4,20 @@ metadata:
 name: machine-api-operator
 namespace: openshift-machine-api
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: machine-api-controllers
+ namespace: openshift-machine-api
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
- creationTimestamp: null
- name: machine-api-manager
+ name: machine-api-controllers
+ namespace: openshift-machine-api
 rules:
- - apiGroups:
- - cluster.k8s.io
- resources:
- - '*'
- verbs:
- - '*'
 - apiGroups:
 - machine.openshift.io
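Review bot: The operator container gets `- "--alsologtostderr"` here, while patch 3 of this series passes `--logtostderr=true` to the controllers in pkg/operator/sync.go; glog's alsologtostderr keeps writing its log files in the container's temp directory in addition to stderr, so unless that file copy is wanted, `- "--logtostderr=true"` makes the two components consistent and avoids accumulating log files on the container filesystem. Raising verbosity to `--v=3` is reasonable for an operator, but it is worth checking that nothing emitted at that level echoes the contents of the secrets the RBAC in patch 2 lets the components read.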
@@ -33,32 +34,37 @@ rules: - '*' - apiGroups: - - config.openshift.io + - "" resources: - - clusteroperators - - clusteroperators/status + - configmaps verbs: - - create - get + - list + - watch + - create - update + - patch + - delete - apiGroups: - - config.openshift.io + - "" resources: - - infrastructures - - infrastructures/status + - secrets verbs: - get + - list + - watch + - create - apiGroups: - - config.openshift.io + - "" resources: - - featuregates - - featuregates/status + - events verbs: - - get - - list + - create - watch + - list + - patch - apiGroups: - metalkube.org @@ -82,10 +88,17 @@ rules: - update - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: machine-api-controllers +rules: + - apiGroups: - - apps + - "" resources: - - deployments + - nodes verbs: - get - list @@ -98,25 +111,35 @@ rules: - apiGroups: - "" resources: - - nodes + - pods verbs: - get - list - watch - - create - - update - - patch - - delete - apiGroups: - "" resources: - - events + - pods/eviction verbs: - create - - watch + + - apiGroups: + - extensions + resources: + - daemonsets + verbs: + - get - list - - patch + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: machine-api-operator + namespace: openshift-machine-api +rules: - apiGroups: - "" 
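Review bot: The `secrets` rule added to the new namespaced `machine-api-controllers` Role grants `list` and `watch`, which lets the controllers read every Secret in openshift-machine-api rather than the credential secrets they are configured with; if the actuators fetch their credentials by name, `get` alone (optionally narrowed with `resourceNames`) is sufficient. The same rule grants `create` without `update` or `delete`, which looks like an incomplete verb set and should be confirmed against whatever actually writes secrets, since a controller that later needs to refresh one will fail with a forbidden error rather than at review time. The Role's remaining rules continue in the hunks that follow.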
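Review bot: The cluster-wide `nodes` rule that opens the new ClusterRole `machine-api-controllers` ends at `- list` in this hunk, and the verbs that follow it are the unchanged context lines between this hunk and the next (old lines 92-97, not shown), which on the old side belonged to the `apps`/`deployments` rule; if those lines still read `watch`, `create`, `update`, `patch`, `delete`, the controllers keep create and delete on every Node in the cluster. Node `create` is hard to justify for a machine controller, so it is worth trimming that rule to the read verbs plus the update/patch/delete the node-linking and drain paths actually use, and confirming the result against a dry run of the controllers. The reuse of the old rule's trailing verbs is easy to miss because the diff shows them as context rather than as changes.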
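Review bot: The `daemonsets` rule carried into ClusterRole `machine-api-controllers` is still under `- extensions`; RBAC rules are matched per API group, so if the controllers read DaemonSets through the apps/v1 client this rule authorizes nothing for them, and on clusters that no longer serve extensions/v1beta1 it is dead weight either way. Changing it to `- apps` (or listing both groups during a transition) is a one-line fix. The `machine-api-operator` Role that begins at the end of this hunk continues into the next one.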
@@ -132,49 +155,116 @@ rules: - delete - apiGroups: - - "" + - apps resources: - - secrets + - deployments verbs: - get - list - watch - create + - update + - patch + - delete + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: machine-api-operator +rules: - apiGroups: - - "" + - config.openshift.io resources: - - pods + - clusteroperators + - clusteroperators/status verbs: + - create - get - - list - - watch + - update - apiGroups: - - "" + - config.openshift.io resources: - - pods/eviction + - infrastructures + - infrastructures/status verbs: - - create + - get - apiGroups: - - extensions + - config.openshift.io resources: - - daemonsets + - featuregates + - featuregates/status verbs: - get - list - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - watch + - list + - patch + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: machine-api-manager-rolebinding + name: machine-api-controllers roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: machine-api-manager + name: machine-api-controllers +subjects: + - kind: ServiceAccount + name: machine-api-controllers + namespace: openshift-machine-api + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: machine-api-controllers + namespace: openshift-machine-api +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: machine-api-controllers +subjects: + - kind: ServiceAccount + name: machine-api-controllers + namespace: openshift-machine-api + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: machine-api-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: machine-api-operator +subjects: + - kind: ServiceAccount + name: machine-api-operator + namespace: openshift-machine-api + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: machine-api-operator + 
namespace: openshift-machine-api
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: machine-api-operator
 subjects:
 - kind: ServiceAccount
 name: machine-api-operator
From df499308edb3ddc61c54bf1400e84a5cb24d3837 Mon Sep 17 00:00:00 2001
From: Enxebre
Date: Mon, 27 May 2019 15:06:24 +0200
Subject: [PATCH 3/4] Update controllers to run namespaced and new service accounts
---
 pkg/operator/sync.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 1b6931c461..35d3be7c43 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
@@ -170,7 +170,7 @@ func newPodTemplateSpec(config *OperatorConfig, features map[string]bool) *corev
 RunAsNonRoot: pointer.BoolPtr(true),
 RunAsUser: pointer.Int64Ptr(65534),
 },
- ServiceAccountName: "machine-api-operator",
+ ServiceAccountName: "machine-api-controllers",
 Tolerations: tolerations,
 },
 }
@@ -183,7 +183,11 @@ func newContainers(config *OperatorConfig, features map[string]bool) []corev1.Co
 corev1.ResourceCPU: resource.MustParse("10m"),
 },
 }
- args := []string{"--logtostderr=true", "--v=3"}
+ args := []string{
+ "--logtostderr=true",
+ "--v=3",
+ fmt.Sprintf("--namespace=%s", config.TargetNamespace),
+ }
 containers := []corev1.Container{
 {
From d086facbf9df124d8dfc134031c15abb3558e75d Mon Sep 17 00:00:00 2001
From: Enxebre
Date: Mon, 27 May 2019 15:09:03 +0200
Subject: [PATCH 4/4] Update patch for kubemark actuator to use new ClusterRole
---
 config/machine-api-operator-patch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/machine-api-operator-patch.yaml b/config/machine-api-operator-patch.yaml
index e09c83b949..3aa583f4fc 100644
--- a/config/machine-api-operator-patch.yaml
+++ b/config/machine-api-operator-patch.yaml
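Review bot: The `clusteroperators` / `clusteroperators/status` rule in the new ClusterRole `machine-api-operator` allows `get` and `update` on every ClusterOperator in the cluster, although an operator normally only reports status on its own object; `get` and `update` can be scoped with `resourceNames: ["<this operator's ClusterOperator name>"]`, with `create` (which resourceNames cannot restrict) kept in its own rule. The cluster-wide `events` rule in this ClusterRole also duplicates the namespaced `events` rule given to the controllers Role earlier in the file; if the operator only records events in openshift-machine-api, that rule belongs in the `machine-api-operator` Role rather than the ClusterRole. The bindings added at the end of the hunk look correct for the two service accounts.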
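Review bot: `ServiceAccountName: "machine-api-controllers"` in newPodTemplateSpec now has to match the ServiceAccount, RoleBinding and ClusterRoleBinding names added to install/0000_30_machine-api-operator_09_rbac.yaml in the previous patch, and a drift between the two would surface only as a controllers pod that fails to start or runs with the wrong permissions. A named constant such as `const controllersServiceAccountName = "machine-api-controllers" // must match the ServiceAccount in install/0000_30_machine-api-operator_09_rbac.yaml` gives the coupling one place to live. The function continues outside the hunk.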
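Review bot: `fmt.Sprintf("--namespace=%s", config.TargetNamespace)` in newContainers produces `--namespace=` when TargetNamespace is empty, and an empty namespace is commonly interpreted by controller managers as "watch all namespaces", which would silently undo the namespacing this series introduces and collide with the now namespaced controllers Role from patch 2. Unless TargetNamespace is already validated non-empty where OperatorConfig is built (not visible here), a check at that point, or at least a comment on this line stating the assumption, would make the contract explicit. Stylistically, `"--namespace=" + config.TargetNamespace` says the same thing without going through fmt, assuming `fmt` is otherwise needed by sync.go; newContainers continues outside the hunk.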
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 creationTimestamp: null
- name: machine-api-manager
+ name: machine-api-controllers
 rules:
 - apiGroups:
 - cluster.k8s.io
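Review bot: Pointing this kubemark patch at `name: machine-api-controllers` means it now lands on the ClusterRole that patch 2 deliberately narrowed, yet the rule it carries still begins with `- cluster.k8s.io`, the legacy API group whose wildcard rule patch 2 removed from install/0000_30_machine-api-operator_09_rbac.yaml; the rest of the rule is outside the hunk, so if it still grants `'*'` resources and verbs, applying the patch re-widens the controllers' cluster-wide permissions. Worth confirming how the patch merges into `rules` (replace versus append) and listing only the resources and verbs the kubemark actuator needs. The `creationTimestamp: null` line is generator output that a hand-maintained patch can drop.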