From 83240cd8e418b10695e77a756e526eb23cf4226a Mon Sep 17 00:00:00 2001 From: Abhinav Pandey Date: Mon, 25 Apr 2022 11:48:35 -0700 Subject: [PATCH] Add RBAC for tink-controller and tink-server 
Signed-off-by: Abhinav Pandey --- config/crd/kustomization.yaml | 13 ++++++ config/crd/kustomizeconfig.yaml | 19 +++++++++ config/default/kustomization.yaml | 23 +++++++++++ config/default/manager_image_patch.yaml | 12 ++++++ config/default/namespace.yaml | 6 +++ config/default/server_image_patch.yaml | 12 ++++++ config/manager/kustomization.yaml | 2 + config/manager/manager.yaml | 32 +++++++++++++++ config/rbac/kustomization.yaml | 11 +++++ config/rbac/leader_election_role.yaml | 36 ++++++++++++++++ config/rbac/leader_election_role_binding.yaml | 12 ++++++ config/rbac/role.yaml | 41 +++++++++++++++++++ config/rbac/role_binding.yaml | 12 ++++++ config/rbac/service_account.yaml | 5 +++ config/server-rbac/kustomization.yaml | 9 ++++ config/server-rbac/role.yaml | 36 ++++++++++++++++ config/server-rbac/role_binding.yaml | 12 ++++++ config/server-rbac/service_account.yaml | 5 +++ config/server/kustomization.yaml | 2 + config/server/server.yaml | 39 ++++++++++++++++++ kube.mk | 10 ++++- pkg/controllers/workflow/controller.go | 4 ++ server/kubernetes_api.go | 4 ++ 23 files changed, 356 insertions(+), 1 deletion(-) create mode 100644 config/crd/kustomization.yaml create mode 100644 config/crd/kustomizeconfig.yaml create mode 100644 config/default/kustomization.yaml create mode 100644 config/default/manager_image_patch.yaml create mode 100644 config/default/namespace.yaml create mode 100644 config/default/server_image_patch.yaml create mode 100644 config/manager/kustomization.yaml create mode 100644 config/manager/manager.yaml create mode 100644 config/rbac/kustomization.yaml create mode 100644 config/rbac/leader_election_role.yaml create mode 100644 config/rbac/leader_election_role_binding.yaml create mode 100644 config/rbac/role.yaml create mode 100644 config/rbac/role_binding.yaml create mode 100644 config/rbac/service_account.yaml create mode 100644 config/server-rbac/kustomization.yaml create mode 100644 config/server-rbac/role.yaml create mode 100644 
config/server-rbac/role_binding.yaml create mode 100644 config/server-rbac/service_account.yaml create mode 100644 config/server/kustomization.yaml create mode 100644 config/server/server.yaml
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
new file mode 100644
index 000000000..cddd45fa6
--- /dev/null
+++ b/config/crd/kustomization.yaml
@@ -0,0 +1,13 @@
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+resources:
+ - bases/tinkerbell.org_hardware.yaml
+ - bases/tinkerbell.org_templates.yaml
+ - bases/tinkerbell.org_workflows.yaml
+ - bases/tinkerbell.org_workflowdata.yaml
+#+kubebuilder:scaffold:crdkustomizeresource
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+ - kustomizeconfig.yaml
diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml
new file mode 100644
index 000000000..c1418ddee
--- /dev/null
+++ b/config/crd/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+ - kind: Service
+ version: v1
+ fieldSpecs:
+ - kind: CustomResourceDefinition
+ version: v1
+ group: apiextensions.k8s.io
+ path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+ - kind: CustomResourceDefinition
+ version: v1
+ group: apiextensions.k8s.io
+ path: spec/conversion/webhook/clientConfig/service/namespace
+ create: false
+
+varReference:
+ - path: metadata/annotations
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
new file mode 100644
index 000000000..b8d5a4326
--- /dev/null
+++ b/config/default/kustomization.yaml
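Review bot: The CRD list installs `bases/tinkerbell.org_workflowdata.yaml`, yet neither the manager-role nor the server-role added later in this patch grants any verb on `workflowdata`, so if either component touches that resource the API server will reject it with Forbidden at runtime rather than at deploy time. If WorkflowData is intentionally unused by both binaries, a comment on that line such as `# workflowdata: CRD only, no controller/server RBAC rule yet` would make the gap deliberate; otherwise add a `+kubebuilder:rbac` marker for it and regenerate. This cannot be confirmed from the hunk alone, since the CRD base files and their consumers are outside it.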
@@ -0,0 +1,23 @@
+# Adds namespace to all resources.
+namespace: tink-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: tink-
+resources:
+ - namespace.yaml
+bases:
+ - ../crd
+ - ../rbac
+ - ../manager
+ - ../server
+ - ../server-rbac
+patchesStrategicMerge:
+ - manager_image_patch.yaml
+ - server_image_patch.yaml
diff --git a/config/default/manager_image_patch.yaml b/config/default/manager_image_patch.yaml
new file mode 100644
index 000000000..b250be9d1
--- /dev/null
+++ b/config/default/manager_image_patch.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ # Change the value of image field below to your controller image URL
+ - image: tink-controller:latest
+ name: manager
diff --git a/config/default/namespace.yaml b/config/default/namespace.yaml
new file mode 100644
index 000000000..8b55c3cd8
--- /dev/null
+++ b/config/default/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: system
diff --git a/config/default/server_image_patch.yaml b/config/default/server_image_patch.yaml
new file mode 100644
index 000000000..64d5dc626
--- /dev/null
+++ b/config/default/server_image_patch.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: server
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ # Change the value of image field below to your controller image URL
+ - image: tink-server:latest
+ name: tink-server
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
new file mode 100644
index 000000000..7394a6d05
--- /dev/null
+++ b/config/manager/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - manager.yaml
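Review bot: `bases:` has been deprecated in kustomize for some time in favour of listing the same directories under `resources:`, and recent `kubectl kustomize` releases print a deprecation warning on every build; folding the five `../` entries into the existing `resources:` list keeps the build quiet and still works on older versions. `patchesStrategicMerge:` is on the same deprecation path toward `patches:`, but that can wait until the kustomize version this repo pins is known.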
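Review bot: Both image patches select a mutable tag (`image: tink-controller:latest` here, `image: tink-server:latest` in the server patch) while the base Deployments use `imagePullPolicy: IfNotPresent`, so the code that runs is whatever copy of `latest` a node already holds, and a re-push of the tag changes the control plane with no change in the manifests. For the default overlay that others will build on, pin an immutable reference and say so, e.g. `- image: tink-controller@sha256:<digest> # pinned on purpose; floating tags belong in a dev overlay`, and leave `:latest` to a dev-only patch. The comment `# Change the value of image field below to your controller image URL` is also copied verbatim into server_image_patch.yaml, where it should read `server image URL`.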
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
new file mode 100644
index 000000000..ae6adbf35
--- /dev/null
+++ b/config/manager/manager.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+ labels:
+ control-plane: controller-manager
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - image: controller:latest
+ imagePullPolicy: IfNotPresent
+ name: manager
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ serviceAccountName: controller-manager
+ terminationGracePeriodSeconds: 10
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
new file mode 100644
index 000000000..e2495a931
--- /dev/null
+++ b/config/rbac/kustomization.yaml
@@ -0,0 +1,11 @@
+resources:
+ # All RBAC will be applied under this service account in
+ # the deployment namespace. You may comment out this resource
+ # if your manager will use a service account that exists at
+ # runtime. Be sure to update RoleBinding and ClusterRoleBinding
+ # subjects if changing service account names.
+ - service_account.yaml
+ - role.yaml
+ - role_binding.yaml
+ - leader_election_role.yaml
+ - leader_election_role_binding.yaml
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
new file mode 100644
index 000000000..c0a3313c3
--- /dev/null
+++ b/config/rbac/leader_election_role.yaml
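Review bot: The controller pod carries no `securityContext` at all, so it is admitted as root-capable with privilege escalation allowed and the full capability set, which is more than a process that only talks to the API server needs and is rejected outright by the `restricted` Pod Security Standard. Add the pod-level and container-level settings below; `runAsNonRoot: true` assumes the image declares a non-root USER (add `runAsUser` if it does not), and `readOnlyRootFilesystem: true` assumes the manager writes nothing to its own filesystem, which the hunk does not show. Liveness and readiness probes are also absent, though that is operational rather than security.
```yaml
        - image: controller:latest
          # … unchanged: imagePullPolicy, name, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: controller-manager
```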
@@ -0,0 +1,36 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
new file mode 100644
index 000000000..887508dde
--- /dev/null
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
new file mode 100644
index 000000000..ec42f978a
--- /dev/null
+++ b/config/rbac/role.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: manager-role
+rules:
+ - apiGroups:
+ - tinkerbell.org
+ resources:
+ - hardware
+ - hardware/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - tinkerbell.org
+ resources:
+ - templates
+ - templates/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - tinkerbell.org
+ resources:
+ - workflows
+ - workflows/status
+ verbs:
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
new file mode 100644
index 000000000..d5925c3ac
--- /dev/null
+++ b/config/rbac/role_binding.yaml
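Review bot: manager-role is a ClusterRole, so once bound the controller can read and write Hardware, Templates and Workflows in every namespace even though the Deployment lives only in tink-system; if the controller is meant to watch a single namespace, a namespaced Role generated from the markers (controller-gen accepts a `namespace=` option on `+kubebuilder:rbac`, if I recall its marker syntax correctly) would keep a compromised controller pod from touching other tenants' objects. If cluster-wide scope is intended, a one-line comment at the top of role.yaml stating it (`# cluster-scoped on purpose: the controller watches all namespaces`) would save the next reviewer the same question. The `creationTimestamp: null` line shows this file is controller-gen output, so either change belongs in the Go markers rather than here.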
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+ - kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
new file mode 100644
index 000000000..7cd6025bf
--- /dev/null
+++ b/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller-manager
+ namespace: system
diff --git a/config/server-rbac/kustomization.yaml b/config/server-rbac/kustomization.yaml
new file mode 100644
index 000000000..2dd90991d
--- /dev/null
+++ b/config/server-rbac/kustomization.yaml
@@ -0,0 +1,9 @@
+resources:
+ # All RBAC will be applied under this service account in
+ # the deployment namespace. You may comment out this resource
+ # if your manager will use a service account that exists at
+ # runtime. Be sure to update RoleBinding and ClusterRoleBinding
+ # subjects if changing service account names.
+ - service_account.yaml
+ - role.yaml
+ - role_binding.yaml
diff --git a/config/server-rbac/role.yaml b/config/server-rbac/role.yaml
new file mode 100644
index 000000000..c809a41bc
--- /dev/null
+++ b/config/server-rbac/role.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: server-role
+rules:
+ - apiGroups:
+ - tinkerbell.org
+ resources:
+ - hardware
+ - hardware/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - tinkerbell.org
+ resources:
+ - templates
+ - templates/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - tinkerbell.org
+ resources:
+ - workflows
+ - workflows/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
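Review bot: The comment block in config/server-rbac/kustomization.yaml was copied from the manager package and still names the wrong component: `# if your manager will use a service account that exists at` should read `# if your server will use a service account that exists at`, since this package creates the `server` ServiceAccount that server-rolebinding binds. It also tells the reader to `update RoleBinding and ClusterRoleBinding`, but this package ships only a ClusterRoleBinding, so trimming that to `ClusterRoleBinding` keeps the comment honest.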
diff --git a/config/server-rbac/role_binding.yaml b/config/server-rbac/role_binding.yaml
new file mode 100644
index 000000000..a93ee4f92
--- /dev/null
+++ b/config/server-rbac/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: server-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: server-role
+subjects:
+ - kind: ServiceAccount
+ name: server
+ namespace: system
diff --git a/config/server-rbac/service_account.yaml b/config/server-rbac/service_account.yaml
new file mode 100644
index 000000000..03754eaee
--- /dev/null
+++ b/config/server-rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: server
+ namespace: system
diff --git a/config/server/kustomization.yaml b/config/server/kustomization.yaml
new file mode 100644
index 000000000..b07afcd04
--- /dev/null
+++ b/config/server/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - server.yaml
diff --git a/config/server/server.yaml b/config/server/server.yaml
new file mode 100644
index 000000000..18db2fe03
--- /dev/null
+++ b/config/server/server.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: server
+ namespace: system
+ labels:
+ control-plane: server
+spec:
+ selector:
+ matchLabels:
+ control-plane: server
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: server
+ labels:
+ control-plane: server
+ spec:
+ containers:
+ - args:
+ - "--backend=kubernetes"
+ - "--tls=false"
+ image: server:latest
+ imagePullPolicy: IfNotPresent
+ name: tink-server
+ ports:
+ - containerPort: 42113
+ hostPort: 42113
+ name: grpc
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ serviceAccountName: server
+ terminationGracePeriodSeconds: 10
diff --git a/kube.mk b/kube.mk
index 7e1b3e942..11d967403 100644
--- a/kube.mk
+++ b/kube.mk
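Review bot: `--tls=false` combined with `hostPort: 42113` exposes the plaintext gRPC endpoint on port 42113 of every node that schedules this pod, and the `server` ServiceAccount bound just above can read every Hardware and Template and update every Workflow cluster-wide, so whoever can reach that node port effectively inherits those permissions unless the gRPC layer authenticates callers itself (nothing in the hunk shows that it does). Front the pod with a Service instead of a hostPort and keep TLS on in the default overlay, moving `--tls=false` to a dev-only patch; at minimum add a comment above the `args:` block stating that this publishes an unauthenticated API on the node. Separately, `kubectl.kubernetes.io/default-container: server` names a container that does not exist (the container is `tink-server`), so `kubectl logs`/`exec` will not select it by default; change it to `kubectl.kubernetes.io/default-container: tink-server` or rename the container. The pod also has no securityContext (runAsNonRoot, allowPrivilegeEscalation: false, capabilities drop ALL), the same gap as the manager Deployment.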
@@ -15,4 +15,12 @@ generate-manifests: bin/controller-gen # Generate manifests e.g. CRD, RBAC etc. output:crd:dir=./config/crd/bases \ output:webhook:dir=./config/webhook \ webhook - prettier --write ./config/crd/ + controller-gen \ + paths=./pkg/controllers/... \ + output:rbac:dir=./config/rbac/ \ + rbac:roleName=manager-role + controller-gen \ + paths=./server/... \ + output:rbac:dir=./config/server-rbac \ + rbac:roleName=server-role + prettier --write ./config/ diff --git a/pkg/controllers/workflow/controller.go b/pkg/controllers/workflow/controller.go index 2641f2a17..8f7b8d3c6 100644 --- a/pkg/controllers/workflow/controller.go +++ b/pkg/controllers/workflow/controller.go @@ -31,6 +31,10 @@ func NewController(kubeClient client.Client) *Controller { } } +// +kubebuilder:rbac:groups=tinkerbell.org,resources=hardware;hardware/status,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=tinkerbell.org,resources=templates;templates/status,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=tinkerbell.org,resources=workflows;workflows/status,verbs=get;list;watch;update;patch;delete + func (c *Controller) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) { stored := &v1alpha1.Workflow{} if err := c.kubeClient.Get(ctx, req.NamespacedName, stored); err != nil { diff --git a/server/kubernetes_api.go b/server/kubernetes_api.go index 4b5c0d14d..f1d2c11ef 100644 --- a/server/kubernetes_api.go +++ b/server/kubernetes_api.go 
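Review bot: The two new recipes invoke the bare `controller-gen` found on PATH even though the target's prerequisite is `bin/controller-gen` (visible in the hunk header), so the RBAC files are generated by whatever version happens to be installed, or the step fails on a fresh checkout where only the repo-local binary exists. Use the pinned binary in both calls, `bin/controller-gen \` in place of `controller-gen \`; if the CRD invocation above the hunk already uses the bare name, fix it in the same pass. Also `prettier --write ./config/` now rewrites every file under config/, not only the generated CRDs, so hand-edited manifests get reformatted on each `make generate-manifests`; that may be intended but deserves a comment. The generate-manifests recipe begins above the hunk.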
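Review bot: `Reconcile` is an exported method with no doc comment; the new marker block ends with a blank line and then the `func`, leaving nothing that states what the method does or that it is the controller-runtime entry point. Add a doc line immediately above the `func`, e.g. `// Reconcile handles one controller-runtime request for a Workflow, loading it by req.NamespacedName.`, keeping the `+kubebuilder:rbac` markers above that. The markers also grant `delete` on workflows and `update;patch` on hardware and templates, while only a `Get` of the Workflow is visible here; if the reconciler never deletes workflows or writes hardware/templates, dropping those verbs keeps manager-role at least privilege. The body of Reconcile continues past the hunk, so that cannot be settled from the visible lines.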
@@ -14,6 +14,10 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" ) +// +kubebuilder:rbac:groups=tinkerbell.org,resources=hardware;hardware/status,verbs=get;list;watch +// +kubebuilder:rbac:groups=tinkerbell.org,resources=templates;templates/status,verbs=get;list;watch +// +kubebuilder:rbac:groups=tinkerbell.org,resources=workflows;workflows/status,verbs=get;list;watch;update;patch + // NewKubeBackedServer returns a server that implements the Workflow server interface for a given kubeconfig. func NewKubeBackedServer(logger log.Logger, kubeconfig, apiserver string) (*KubernetesBackedServer, error) { ccfg := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
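Review bot: The workflows marker grants `update;patch` on both `workflows` and `workflows/status`; if the gRPC server only records action and task progress, which is a status write, dropping `workflows` from that marker would stop a compromised server from rewriting a workflow's spec while still letting it update status — worth checking against the handlers, which are outside this hunk. After any change, the generator in kube.mk has to be re-run so config/server-rbac/role.yaml matches. A short comment above the markers, `// RBAC for the Kubernetes-backed gRPC server; regenerate config/server-rbac with make generate-manifests`, would tie the two together for the next reader. NewKubeBackedServer's body continues past the end of the hunk.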