Merge pull request K0rdent#331 from Mirantis/rbac

Add user-facing RBAC roles
zerospiel · Sep 17, 2024 · d4ea901 · d4ea901
2 parents 881e7ba + e271ed6
commit d4ea901
Show file tree

Hide file tree

Showing 12 changed files with 136 additions and 56 deletions.
diff --git a/templates/provider/hmc/templates/_helpers.tpl b/templates/provider/hmc/templates/_helpers.tpl
@@ -92,3 +92,19 @@ The name of the webhook port. Must be no more than 15 characters
 {{- define "hmc.webhook.portName" -}}
 hmc-webhook
 {{- end }}
+
+{{- define "rbac.editorVerbs" -}}
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+{{- end -}}
+
+{{- define "rbac.viewerVerbs" -}}
+- get
+- list
+- watch
+{{- end -}}
diff --git a/.../templates/rbac/leader-election-rbac.yaml → ...rbac/controller/leader-election-rbac.yaml b/.../templates/rbac/leader-election-rbac.yaml → ...rbac/controller/leader-election-rbac.yaml
@@ -9,26 +9,12 @@ rules:
   - ""
   resources:
   - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
+  verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
 - apiGroups:
   - coordination.k8s.io
   resources:
   - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
+  verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
 - apiGroups:
   - ""
   resources:
@@ -50,4 +36,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "hmc.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/...ider/hmc/templates/rbac/rolebindings.yaml → ...mplates/rbac/controller/rolebindings.yaml b/...ider/hmc/templates/rbac/rolebindings.yaml → ...mplates/rbac/controller/rolebindings.yaml
diff --git a/...es/provider/hmc/templates/rbac/roles.yaml → .../hmc/templates/rbac/controller/roles.yaml b/...es/provider/hmc/templates/rbac/roles.yaml → .../hmc/templates/rbac/controller/roles.yaml
@@ -9,33 +9,17 @@ rules:
   - cluster.x-k8s.io
   resources:
   - clusters
-  verbs:
-  - get
-  - list
+  verbs: {{ include "rbac.viewerVerbs" . | nindent 4 }}
 - apiGroups:
   - helm.toolkit.fluxcd.io
   resources:
   - helmreleases
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
 - apiGroups:
   - hmc.mirantis.com
   resources:
   - managedclusters
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
 - apiGroups:
   - hmc.mirantis.com
   resources:
@@ -54,14 +38,7 @@ rules:
   - hmc.mirantis.com
   resources:
   - managements
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
 - apiGroups:
   - hmc.mirantis.com
   resources:
@@ -124,14 +101,7 @@ rules:
   resources:
   - helmcharts
   - helmrepositories
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
 - apiGroups:
   - cert-manager.io
   resources:
@@ -152,10 +122,7 @@ rules:
   - cluster.x-k8s.io
   resources:
   - machines
-  verbs:
-  - get
-  - list
-  - watch
+  verbs: {{ include "rbac.viewerVerbs" . | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

diff --git a/templates/provider/hmc/templates/rbac/user-facing/clusters-editor.yaml b/templates/provider/hmc/templates/rbac/user-facing/clusters-editor.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-clusters-editor-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - managedclusters
+    verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/clusters-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/clusters-viewer.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-clusters-viewer-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - managedclusters
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/management-editor.yaml b/templates/provider/hmc/templates/rbac/user-facing/management-editor.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-management-editor-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - management
+    verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - providertemplates
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+      - create
diff --git a/templates/provider/hmc/templates/rbac/user-facing/management-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/management-viewer.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-management-viewer-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - management
+      - providertemplates
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-editor.yaml b/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-editor.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-templatemanagement-editor-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - templatemanagements
+    verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - servicetemplatechains
+      - clustertemplatechains
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+      - create
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-viewer.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-templatemanagement-viewer-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - templatemanagements
+      - clustertemplatechains
+      - servicetemplatechains
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templates-creator.yaml b/templates/provider/hmc/templates/rbac/user-facing/templates-creator.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-templates-creator-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - clustertemplates
+      - servicetemplates
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+      - create
+  - apiGroups:
+      - helm.toolkit.fluxcd.io
+    resources:
+      - helmcharts
+      - helmrepositories
+    verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templates-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/templates-viewer.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "hmc.fullname" . }}-templates-viewer-role
+rules:
+  - apiGroups:
+      - hmc.mirantis.com
+    resources:
+      - clustertemplates
+      - servicetemplates
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+  - apiGroups:
+      - helm.toolkit.fluxcd.io
+    resources:
+      - helmcharts
+      - helmrepositories
+    verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}