From 1904215fd9cb4942e42188ff9709531d65aa5556 Mon Sep 17 00:00:00 2001 From: Tim Buckley Date: Tue, 27 Feb 2018 12:52:03 -0700 Subject: [PATCH 1/2] [monasca] add RBAC rules for monasca-agent and the cleanup job Adds RBAC rules based on the newest bits from the init charts. Note that the RBAC flag has been renamed to remain consistent with Helm community conventions as well as our other charts. - old: `rbac.enabled=true` - new: `rbac.create=true` The agent will now attempt to create and use its own `ServiceAccount` rather than applying a `ClusterRole` to the existing `default` account. A new account, role, and role binding will also be created for the cleanup job. Additionally, override ServiceAccounts can be specified with the following values: - `agent.serviceAccount=...` - `cleanup.serviceAccount=...` The built-in `ServiceAccount`, `Role`/`ClusterRole`, and `RoleBinding`/`ClusterRoleBinding` will not be created if a premade serviceAccount is configured using this flag. 
Signed-off-by: Tim Buckley
---
monasca/templates/agent-clusterrole.yaml | 30 +++++++++++++++
.../templates/agent-clusterrolebinding.yaml | 20 ++++++++++
monasca/templates/agent-daemonset.yaml | 5 +++
monasca/templates/agent-deployment.yaml | 5 +++
monasca/templates/agent-serviceaccount.yaml | 12 ++++++
monasca/templates/cleanup-hook.yaml | 5 +++
monasca/templates/cleanup-role.yaml | 25 +++++++++++++
monasca/templates/cleanup-rolebinding.yaml | 26 +++++++++++++
monasca/templates/cleanup-serviceaccount.yaml | 12 ++++++
monasca/templates/role.yaml | 37 -------------------
monasca/values.yaml | 18 +++++++--
11 files changed, 154 insertions(+), 41 deletions(-)
create mode 100644 monasca/templates/agent-clusterrole.yaml
create mode 100644 monasca/templates/agent-clusterrolebinding.yaml
create mode 100644 monasca/templates/agent-serviceaccount.yaml
create mode 100644 monasca/templates/cleanup-role.yaml
create mode 100644 monasca/templates/cleanup-rolebinding.yaml
create mode 100644 monasca/templates/cleanup-serviceaccount.yaml
delete mode 100644 monasca/templates/role.yaml
diff --git a/monasca/templates/agent-clusterrole.yaml b/monasca/templates/agent-clusterrole.yaml
new file mode 100644
index 0000000..b00ed85
--- /dev/null
+++ b/monasca/templates/agent-clusterrole.yaml
@@ -0,0 +1,30 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+kind: ClusterRole
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+metadata:
+ name: "{{ template "agent.fullname" . }}"
+rules:
+ - apiGroups: ["", "extensions", "storage.k8s.io"]
+ verbs: ["get", "list"]
+ resources:
+ - namespaces
+ - pods
+ - replicasets
+ - deployments
+ - replicationcontrollers
+ - nodes
+ - services
+ - componentstatuses
+ - storageclasses
+ - apiGroups: ["", "batch", "extensions", "storage.k8s.io"]
+ verbs: ["get", "list", "delete"]
+ resources:
+ - jobs
+ - pods
+{{- end }}
diff --git a/monasca/templates/agent-clusterrolebinding.yaml b/monasca/templates/agent-clusterrolebinding.yaml
new file mode 100644
index 0000000..616ceb9
--- /dev/null
+++ b/monasca/templates/agent-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+kind: ClusterRoleBinding
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+metadata:
+ name: "{{ template "agent.fullname" . }}"
+subjects:
+ - kind: ServiceAccount
+ name: "{{ template "agent.fullname" . }}"
+ namespace: "{{ .Release.Namespace }}"
+roleRef:
+ kind: ClusterRole
+ name: "{{ template "agent.fullname" . }}"
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
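Review bot: The second rule in agent-clusterrole.yaml gives the agent cluster-wide `delete` on `pods` and `jobs` across the "", batch, extensions and storage.k8s.io groups, which is well beyond the read-only access a metrics collector needs; it is copied verbatim from the removed role.yaml, but now that it is bound to a dedicated ServiceAccount this is the natural moment to narrow it. Unless an agent plugin really removes finished jobs — which the diff does not show — the rule should read `verbs: ["get", "list"]` with `storage.k8s.io` dropped from its apiGroups, since neither resource in that rule lives in that group; if delete is genuinely required, a comment above the rule naming the plugin that needs it will stop the next reviewer from stripping it. This ClusterRole and its ClusterRoleBinding also carry no `labels:` block, unlike the cleanup Role/RoleBinding and both ServiceAccounts in this patch, so a label selector on `release` will not find them; adding the same `app`/`chart`/`component`/`heritage`/`release` labels keeps the chart's objects consistent.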
diff --git a/monasca/templates/agent-daemonset.yaml b/monasca/templates/agent-daemonset.yaml
index fe272c6..cbf994b 100644
--- a/monasca/templates/agent-daemonset.yaml
+++ b/monasca/templates/agent-daemonset.yaml
@@ -149,4 +149,9 @@ spec:
 value: {{ .Values.agent.forwarder.backlog_send_rate | quote }}
 - name: HOSTNAME_FROM_KUBERNETES
 value: "true"
+ {{- if .Values.agent.serviceAccount }}
+ serviceAccountName: {{ .Values.agent.serviceAccount | quote }}
+ {{- else if .Values.rbac.create }}
+ serviceAccountName: "{{ template "agent.fullname" . }}"
+ {{- end }}
 {{- end}}
diff --git a/monasca/templates/agent-deployment.yaml b/monasca/templates/agent-deployment.yaml
index ed72b63..909bcd2 100644
--- a/monasca/templates/agent-deployment.yaml
+++ b/monasca/templates/agent-deployment.yaml
@@ -147,4 +147,9 @@ spec:
 configMap:
 name: {{ template "agent.fullname" . }}
 {{- end}}
+ {{- if .Values.agent.serviceAccount }}
+ serviceAccountName: {{ .Values.agent.serviceAccount | quote }}
+ {{- else if .Values.rbac.create }}
+ serviceAccountName: "{{ template "agent.fullname" . }}"
+ {{- end }}
 {{- end}}
diff --git a/monasca/templates/agent-serviceaccount.yaml b/monasca/templates/agent-serviceaccount.yaml
new file mode 100644
index 0000000..626830a
--- /dev/null
+++ b/monasca/templates/agent-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ template "agent.fullname" . }}"
+ labels:
+ app: {{ template "fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: "{{ .Values.agent.name }}"
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/monasca/templates/cleanup-hook.yaml b/monasca/templates/cleanup-hook.yaml
index ee00284..d50e4a2 100644
--- a/monasca/templates/cleanup-hook.yaml
+++ b/monasca/templates/cleanup-hook.yaml
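Review bot: The five-line `serviceAccountName` conditional is pasted identically into agent-daemonset.yaml and agent-deployment.yaml (and as a `cleanup` variant in cleanup-hook.yaml), so any later change to the override-versus-generated precedence has to be repeated in three places; a named template next to `agent.fullname` — for instance a suggested `{{- define "agent.serviceAccountName" -}}` that yields the override when set and the generated name otherwise — used as `serviceAccountName: {{ template "agent.serviceAccountName" . }}` keeps a single source of truth. When `rbac.create` is false and no override is given the block renders nothing and the pod runs under the namespace `default` account; the old chart bound its ClusterRole to that account and this patch stops doing so, so a one-line comment above the `{{- if` block, `# falls back to the namespace default ServiceAccount when rbac.create is false and agent.serviceAccount is unset`, makes the consequence visible to operators. Both hunks sit at the tail of their pod spec with the enclosing `{{- if` opened before the hunk, and the collapsed indentation does not let me confirm that `serviceAccountName` lands at the pod `spec` level rather than inside the preceding `env` list, so please check the rendered output.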
@@ -40,3 +40,8 @@ spec:
 value: "{{ .Values.cleanup.wait.delay }}"
 - name: "WAIT_TIMEOUT"
 value: "{{ .Values.cleanup.wait.timeout }}"
+ {{- if .Values.cleanup.serviceAccount }}
+ serviceAccountName: {{ .Values.cleanup.serviceAccount | quote }}
+ {{- else if .Values.rbac.create }}
+ serviceAccountName: "{{ template "cleanup.fullname" . }}"
+ {{- end }}
diff --git a/monasca/templates/cleanup-role.yaml b/monasca/templates/cleanup-role.yaml
new file mode 100644
index 0000000..6240a8f
--- /dev/null
+++ b/monasca/templates/cleanup-role.yaml
@@ -0,0 +1,25 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+kind: Role
+metadata:
+ name: {{ template "cleanup.fullname" . }}
+ labels:
+ app: {{ template "fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: "{{ .Values.cleanup.name }}"
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "delete", "patch"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "delete"]
+{{- end }}
diff --git a/monasca/templates/cleanup-rolebinding.yaml b/monasca/templates/cleanup-rolebinding.yaml
new file mode 100644
index 0000000..92d88a0
--- /dev/null
+++ b/monasca/templates/cleanup-rolebinding.yaml
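Review bot: The cleanup Job now depends on a ServiceAccount, Role and RoleBinding that are rendered as ordinary release resources, while cleanup-hook.yaml is a Helm hook whose `helm.sh/hook` annotation sits above this hunk, so I cannot see which phases it runs in. If it runs as `pre-install` or `pre-upgrade`, Helm creates the Job before any regular resource exists and the Job's pods cannot be created until the ServiceAccount appears; the usual remedy is to give cleanup-serviceaccount.yaml, cleanup-role.yaml and cleanup-rolebinding.yaml the same `helm.sh/hook` phases with a lower `helm.sh/hook-weight` than the Job, or to keep them as regular resources and restrict the hook to phases that run after install. Whichever ordering is intended, a comment at the top of cleanup-role.yaml such as `# rendered as a regular resource: the cleanup hook must not run before install` records the constraint. Separately, the pod rule grants `patch` while the jobs rule and the agent's ClusterRole stop at get/list/delete; if the job only deletes pods, `verbs: ["get", "list", "delete"]` is enough, and if it patches finalizers a comment saying so would justify the extra verb.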
@@ -0,0 +1,26 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+kind: RoleBinding
+metadata:
+ name: {{ template "cleanup.fullname" . }}
+ labels:
+ app: {{ template "fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: "{{ .Values.cleanup.name }}"
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "cleanup.fullname" . }}
+ namespace: "{{ .Release.Namespace }}"
+roleRef:
+ kind: Role
+ name: {{ template "cleanup.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/monasca/templates/cleanup-serviceaccount.yaml b/monasca/templates/cleanup-serviceaccount.yaml
new file mode 100644
index 0000000..c021a7f
--- /dev/null
+++ b/monasca/templates/cleanup-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "cleanup.fullname" . }}
+ labels:
+ app: {{ template "fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: "{{ .Values.cleanup.name }}"
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/monasca/templates/role.yaml b/monasca/templates/role.yaml
deleted file mode 100644
index 51451d6..0000000
--- a/monasca/templates/role.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{- if .Values.rbac.enabled }}
-kind: ClusterRole
-apiVersion: "{{ .Values.rbac.apiVersion }}"
-metadata:
- name: "{{ .Release.Name }}-role"
-rules:
- - apiGroups: ["", "extensions", "storage.k8s.io"]
- verbs: ["get", "list"]
- resources:
- - namespaces
- - pods
- - replicasets
- - deployments
- - replicationcontrollers
- - nodes
- - services
- - componentstatuses
- - storageclasses
- - apiGroups: ["", "batch", "extensions", "storage.k8s.io"]
- verbs: ["get", "list", "delete"]
- resources:
- - jobs
- - pods
----
-kind: ClusterRoleBinding
-apiVersion: "{{ .Values.rbac.apiVersion }}"
-metadata:
- name: "{{ .Release.Name }}-role-binding"
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: "{{ .Release.Namespace }}"
-roleRef:
- kind: ClusterRole
- name: "{{ .Release.Name }}-role"
- apiGroup: rbac.authorization.k8s.io
-{{- end }}
diff --git a/monasca/values.yaml b/monasca/values.yaml
index 4887f6a..e03561f 100644
--- a/monasca/values.yaml
+++ b/monasca/values.yaml
@@ -111,6 +111,12 @@ mysql:
 agent:
 name: agent
+
+ # an optional preexisting ServiceAccount to use
+ # to create a service account automatically for the agent, deploy with:
+ # rbac.create=true
+ serviceAccount: ''
+
 daemonset_enabled: true
 deployment_enabled: true
 daemonset_toleration:
@@ -667,11 +673,15 @@ client:
 project_domain_name: Default
 rbac:
- enabled: false
- apiVersion: rbac.authorization.k8s.io/v1beta1
+ create: false
 cleanup:
 name: cleanup
+
+ # an optional preexisting ServiceAccount to use
+ # to create a service account for the job automatically, deploy with:
+ # rbac.create=true
+ serviceAccount: ''
 image:
 repository: monasca/job-cleanup
 tag: 1.2.1
@@ -1600,8 +1610,8 @@ smoke_tests:
 alarm_definition_controller:
 name: adc
- controller_enabled: true
- resource_enabled: true
+ controller_enabled: false
+ resource_enabled: false
 image:
 repository: monasca/alarm-definition-controller
 tag: 1.1.0
From 6b3d15b6f1d5052cd99449b8c9d66502501b1212 Mon Sep 17 00:00:00 2001
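Review bot: The third values.yaml hunk flips `alarm_definition_controller.controller_enabled` and `resource_enabled` from `true` to `false`, which changes what the chart deploys by default and has nothing to do with RBAC; the commit message does not mention it, so it should be dropped from this patch or called out in the message with its reason. The rename from `rbac.enabled` to `rbac.create` in the second hunk is also silent at install time: an operator upgrading with `rbac.enabled=true` still in their values gets no role objects, and the agent then runs under the namespace `default` account that this patch no longer binds a ClusterRole to, so its API reads are likely to be refused only at runtime. A guard in one of the templates, for example `{{- if .Values.rbac.enabled }}{{ fail "rbac.enabled was renamed to rbac.create" }}{{- end }}`, turns that into a template-time error, and the removed `rbac.apiVersion` key deserves the same treatment since it was user-facing as well. The comment above each `serviceAccount: ''` should also say what happens when both it and `rbac.create` are unset — nothing is created and the pod uses the namespace `default` account — since that is the case an operator is most likely to hit by accident.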
From: Tim Buckley Date: Tue, 27 Feb 2018 13:10:09 -0700 Subject: [PATCH 2/2] Bump chart version Signed-off-by: Tim Buckley
---
monasca/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/monasca/Chart.yaml b/monasca/Chart.yaml
index e2d5418..349676e 100644
--- a/monasca/Chart.yaml
+++ b/monasca/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for Monasca running in Kubernetes
 name: monasca
-version: 0.5.0
+version: 0.6.0
 sources:
 - https://wiki.openstack.org/wiki/Monasca
 maintainers: