2 changes: 1 addition & 1 deletion config/machine-api-operator-patch.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: machine-api-manager
name: machine-api-controllers
rules:
- apiGroups:
- cluster.k8s.io
178 changes: 134 additions & 44 deletions install/0000_30_machine-api-operator_09_rbac.yaml
Expand Up @@ -4,19 +4,20 @@ metadata:
name: machine-api-operator
namespace: openshift-machine-api

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: machine-api-controllers
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: Role
metadata:
creationTimestamp: null
name: machine-api-manager
name: machine-api-controllers
namespace: openshift-machine-api
rules:
- apiGroups:
- cluster.k8s.io
resources:
- '*'
verbs:
- '*'

- apiGroups:
- machine.openshift.io
Expand All @@ -33,32 +34,37 @@ rules:
- '*'

- apiGroups:
- config.openshift.io
- ""
resources:
- clusteroperators
- clusteroperators/status
- configmaps
verbs:
- create
- get
- list
- watch
- create
- update
- patch
- delete

- apiGroups:
- config.openshift.io
- ""
resources:
- infrastructures
- infrastructures/status
- secrets
verbs:
- get
- list
- watch
- create

- apiGroups:
- config.openshift.io
- ""
resources:
- featuregates
- featuregates/status
- events
verbs:
- get
- list
- create
- watch
- list
- patch

- apiGroups:
- metalkube.org
Expand All @@ -82,10 +88,17 @@ rules:
- update
- patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: machine-api-controllers
rules:

- apiGroups:
- apps
- ""
resources:
- deployments
- nodes
verbs:
- get
- list
Expand All @@ -98,25 +111,35 @@ rules:
- apiGroups:
- ""
resources:
- nodes
- pods
verbs:
- get
- list
- watch
- create
- update
- patch
- delete

- apiGroups:
- ""
resources:
- events
- pods/eviction
verbs:
- create
- watch

- apiGroups:
- extensions
resources:
- daemonsets
verbs:
- get
- list
- patch
- watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: machine-api-operator
namespace: openshift-machine-api
rules:

- apiGroups:
- ""
Expand All @@ -132,49 +155,116 @@ rules:
- delete

- apiGroups:
- ""
- apps
resources:
- secrets
- deployments
verbs:
- get
- list
- watch
- create
- update
- patch
- delete

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: machine-api-operator
rules:

- apiGroups:
- ""
- config.openshift.io
resources:
- pods
- clusteroperators
- clusteroperators/status
verbs:
- create
- get
- list
- watch
- update

- apiGroups:
- ""
- config.openshift.io
resources:
- pods/eviction
- infrastructures
- infrastructures/status
verbs:
- create
- get

- apiGroups:
- extensions
- config.openshift.io
resources:
- daemonsets
- featuregates
- featuregates/status
verbs:
- get
- list
- watch

- apiGroups:
- ""
resources:
- events
verbs:
- create
- watch
- list
- patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: machine-api-manager-rolebinding
name: machine-api-controllers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: machine-api-manager
name: machine-api-controllers
subjects:
- kind: ServiceAccount
name: machine-api-controllers
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: machine-api-controllers
namespace: openshift-machine-api
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: machine-api-controllers
subjects:
- kind: ServiceAccount
name: machine-api-controllers
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: machine-api-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: machine-api-operator
subjects:
- kind: ServiceAccount
name: machine-api-operator
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: machine-api-operator
namespace: openshift-machine-api
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: machine-api-operator
subjects:
- kind: ServiceAccount
name: machine-api-operator
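Review bot: The `machine.openshift.io` rule that ends in `- '*'` just above the `configmaps` rule appears to remain under the new namespaced `machine-api-controllers` Role, so the controllers keep wildcard access to that API group while the other rules in this file are enumerated. The lines in between are collapsed on this page, so it is not visible whether both `resources` and `verbs` are wildcards; if they are, listing the resources and verbs the controllers actually use would finish the least-privilege split and stop new resources in the group from being granted implicitly. In the same Role the `secrets` rule seems to end up with `get`, `list`, `watch` and `create` on every secret in `openshift-machine-api`. Unless a controller is known to write secrets, I would drop the `- create` line from that rule.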
2 changes: 2 additions & 0 deletions install/0000_30_machine-api-operator_10_deployment.yaml
Expand Up @@ -25,6 +25,8 @@ spec:
args:
- "start"
- "--images-json=/etc/machine-api-operator-config/images/images.json"
- "--alsologtostderr"
- "--v=3"
env:
- name: RELEASE_VERSION
value: "0.0.1-snapshot"
8 changes: 6 additions & 2 deletions pkg/operator/sync.go
Expand Up @@ -170,7 +170,7 @@ func newPodTemplateSpec(config *OperatorConfig, features map[string]bool) *corev
RunAsNonRoot: pointer.BoolPtr(true),
RunAsUser: pointer.Int64Ptr(65534),
},
ServiceAccountName: "machine-api-operator",
ServiceAccountName: "machine-api-controllers",
Tolerations: tolerations,
},
}
Expand All @@ -183,7 +183,11 @@ func newContainers(config *OperatorConfig, features map[string]bool) []corev1.Co
corev1.ResourceCPU: resource.MustParse("10m"),
},
}
args := []string{"--logtostderr=true", "--v=3"}
args := []string{
"--logtostderr=true",
"--v=3",
fmt.Sprintf("--namespace=%s", config.TargetNamespace),
}

containers := []corev1.Container{
{
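Review bot: `newContainers` builds `--namespace` from `config.TargetNamespace`, while the Role and RoleBinding for `machine-api-controllers` in `install/0000_30_machine-api-operator_09_rbac.yaml` are pinned to `openshift-machine-api`. If `TargetNamespace` is empty or set to anything else, the controllers would presumably be pointed at a namespace where their service account has none of the namespaced permissions, and the failure would only show up as forbidden errors at runtime. I would record the coupling next to the argument, for example `// TargetNamespace must match the namespace of the machine-api-controllers Role/RoleBinding in the install manifests.` The `"machine-api-controllers"` literal in `newPodTemplateSpec` has the same coupling to the manifest's ServiceAccount name and would be easier to keep in sync as a named constant. Both functions begin and end outside the visible hunks, so any existing validation of `config` is not visible here.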