From 67162e925c41294bebe53c35e95d36f3a75a8fe3 Mon Sep 17 00:00:00 2001
From: Andrei Pavlov
Date: Tue, 17 Sep 2024 17:36:59 +0700
Subject: [PATCH 1/2] Add RBAC roles associated with ManagedCluster management
Signed-off-by: Andrei Pavlov
---
templates/provider/hmc/templates/_helpers.tpl | 16 +++++++
.../leader-election-rbac.yaml | 20 ++-------
.../rbac/{ => controller}/rolebindings.yaml | 0
.../rbac/{ => controller}/roles.yaml | 45 +++----------------
.../rbac/user-facing/clusters-editor.yaml | 10 +++++
.../rbac/user-facing/clusters-viewer.yaml | 10 +++++
.../rbac/user-facing/templates-creator.yaml | 18 ++++++++
.../rbac/user-facing/templates-viewer.yaml | 17 +++++++
8 files changed, 80 insertions(+), 56 deletions(-)
rename templates/provider/hmc/templates/rbac/{ => controller}/leader-election-rbac.yaml (79%)
rename templates/provider/hmc/templates/rbac/{ => controller}/rolebindings.yaml (100%)
rename templates/provider/hmc/templates/rbac/{ => controller}/roles.yaml (85%)
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/clusters-editor.yaml
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/clusters-viewer.yaml
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/templates-creator.yaml
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/templates-viewer.yaml
diff --git a/templates/provider/hmc/templates/_helpers.tpl b/templates/provider/hmc/templates/_helpers.tpl
index efc89aba0..2d9e15365 100644
--- a/templates/provider/hmc/templates/_helpers.tpl
+++ b/templates/provider/hmc/templates/_helpers.tpl
@@ -92,3 +92,19 @@ The name of the webhook port. Must be no more than 15 characters
{{- define "hmc.webhook.portName" -}}
hmc-webhook
{{- end }}
+
+{{- define "rbac.editorVerbs" -}}
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+{{- end -}}
+
+{{- define "rbac.viewerVerbs" -}}
+- get
+- list
+- watch
+{{- end -}}
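Review bot: The two new defines in _helpers.tpl are the only named templates in view without the chart's `hmc.` prefix — the neighbouring define is `hmc.webhook.portName` and every call site in this patch uses `hmc.fullname`. Helm named templates live in one namespace shared by a chart and all of its subcharts, so an unprefixed `rbac.editorVerbs` can silently shadow, or be shadowed by, a same-named define from another chart; `{{- define "hmc.rbac.editorVerbs" -}}` and `{{- define "hmc.rbac.viewerVerbs" -}}` (with the `include` calls in the other files updated to match) keep the existing convention. The hunk-header context also suggests the webhook helper carries a descriptive comment above its define, while the new ones have none; a one-liner such as `{{/* Verb list granting full read/write on a resource; meant to be rendered with nindent under a rules[].verbs key */}}` above each would tell the next reader what indentation contract the helper expects.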
diff --git a/templates/provider/hmc/templates/rbac/leader-election-rbac.yaml b/templates/provider/hmc/templates/rbac/controller/leader-election-rbac.yaml
similarity index 79%
rename from templates/provider/hmc/templates/rbac/leader-election-rbac.yaml
rename to templates/provider/hmc/templates/rbac/controller/leader-election-rbac.yaml
index 16c65d425..176cdf550 100644
--- a/templates/provider/hmc/templates/rbac/leader-election-rbac.yaml
+++ b/templates/provider/hmc/templates/rbac/controller/leader-election-rbac.yaml
@@ -9,26 +9,12 @@ rules:
- ""
resources:
- configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
+ verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
+ verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
- apiGroups:
- ""
resources:
@@ -50,4 +36,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: '{{ include "hmc.fullname" . }}-controller-manager'
- namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
+ namespace: '{{ .Release.Namespace }}'
diff --git a/templates/provider/hmc/templates/rbac/rolebindings.yaml b/templates/provider/hmc/templates/rbac/controller/rolebindings.yaml
similarity index 100%
rename from templates/provider/hmc/templates/rbac/rolebindings.yaml
rename to templates/provider/hmc/templates/rbac/controller/rolebindings.yaml
diff --git a/templates/provider/hmc/templates/rbac/roles.yaml b/templates/provider/hmc/templates/rbac/controller/roles.yaml
similarity index 85%
rename from templates/provider/hmc/templates/rbac/roles.yaml
rename to templates/provider/hmc/templates/rbac/controller/roles.yaml
index bb0fa7794..69dc76918 100644
--- a/templates/provider/hmc/templates/rbac/roles.yaml
+++ b/templates/provider/hmc/templates/rbac/controller/roles.yaml
@@ -9,33 +9,17 @@ rules:
- cluster.x-k8s.io
resources:
- clusters
- verbs:
- - get
- - list
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 4 }}
- apiGroups:
- helm.toolkit.fluxcd.io
resources:
- helmreleases
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
+ verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
- apiGroups:
- hmc.mirantis.com
resources:
- managedclusters
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
+ verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
- apiGroups:
- hmc.mirantis.com
resources:
@@ -54,14 +38,7 @@ rules:
- hmc.mirantis.com
resources:
- managements
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
+ verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
- apiGroups:
- hmc.mirantis.com
resources:
@@ -124,14 +101,7 @@ rules:
resources:
- helmcharts
- helmrepositories
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
+ verbs: {{ include "rbac.editorVerbs" . | nindent 4 }}
- apiGroups:
- cert-manager.io
resources:
@@ -152,10 +122,7 @@ rules:
- cluster.x-k8s.io
resources:
- machines
- verbs:
- - get
- - list
- - watch
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
diff --git a/templates/provider/hmc/templates/rbac/user-facing/clusters-editor.yaml b/templates/provider/hmc/templates/rbac/user-facing/clusters-editor.yaml
new file mode 100644
index 000000000..094e9a5cf
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/clusters-editor.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-clusters-editor-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - managedclusters
+ verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
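Review bot: The first rule in this hunk is not a pure refactor: the `cluster.x-k8s.io` `clusters` rule previously granted only `get` and `list`, and `rbac.viewerVerbs` also emits `watch`, so the controller service account gains a verb the commit message does not mention. If the controller does not watch CAPI Cluster objects, keeping the explicit list for that one rule, `verbs:` / `- get` / `- list`, preserves the tighter grant; if it does, the widening deserves a sentence in the commit message so it is reviewable as an intentional change rather than a side effect of the helper. The remaining four hunks in this file, and both hunks in leader-election-rbac.yaml, reproduce their previous verb sets exactly, so this is the only rule whose permissions change.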
diff --git a/templates/provider/hmc/templates/rbac/user-facing/clusters-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/clusters-viewer.yaml
new file mode 100644
index 000000000..34b466271
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/clusters-viewer.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-clusters-viewer-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - managedclusters
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templates-creator.yaml b/templates/provider/hmc/templates/rbac/user-facing/templates-creator.yaml
new file mode 100644
index 000000000..a0f68e913
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/templates-creator.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-templates-creator-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - clustertemplates
+ - servicetemplates
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+ - create
+ - apiGroups:
+ - helm.toolkit.fluxcd.io
+ resources:
+ - helmcharts
+ - helmrepositories
+ verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templates-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/templates-viewer.yaml
new file mode 100644
index 000000000..53e4c245e
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/templates-viewer.yaml
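Review bot: In templates-creator.yaml the second rule grants the full editor set — `update`, `patch` and `delete` included — on Flux `helmrepositories` and `helmcharts`, while the first rule of the same role deliberately stops at the viewer set plus `create`, and the sibling templates-viewer role only reads those Flux resources. Since this is a ClusterRole, binding it with a ClusterRoleBinding would make those writes effective in every namespace, covering chart sources that unrelated HelmReleases depend on, which is wider than a "creator" role's name implies. Mirroring the first rule, `verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}` followed by `- create`, would match the stated purpose; if mutating or removing existing chart sources is required, a comment above the rule saying why, and whether the role is expected to be bound namespace-scoped via a RoleBinding, would make that decision visible to future reviewers.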
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-templates-viewer-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - clustertemplates
+ - servicetemplates
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+ - apiGroups:
+ - helm.toolkit.fluxcd.io
+ resources:
+ - helmcharts
+ - helmrepositories
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
From e271ed644c4587a9f84ae59a76af2026692e767d Mon Sep 17 00:00:00 2001
From: Andrei Pavlov
Date: Tue, 17 Sep 2024 17:57:10 +0700
Subject: [PATCH 2/2] Add RBAC roles associated with HMC management
Signed-off-by: Andrei Pavlov
---
.../rbac/user-facing/management-editor.yaml | 16 ++++++++++++++++
.../rbac/user-facing/management-viewer.yaml | 11 +++++++++++
.../user-facing/templatemanagement-editor.yaml | 17 +++++++++++++++++
.../user-facing/templatemanagement-viewer.yaml | 12 ++++++++++++
4 files changed, 56 insertions(+)
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/management-editor.yaml
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/management-viewer.yaml
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/templatemanagement-editor.yaml
create mode 100644 templates/provider/hmc/templates/rbac/user-facing/templatemanagement-viewer.yaml
diff --git a/templates/provider/hmc/templates/rbac/user-facing/management-editor.yaml b/templates/provider/hmc/templates/rbac/user-facing/management-editor.yaml
new file mode 100644
index 000000000..4ff8ea863
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/management-editor.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-management-editor-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - management
+ verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - providertemplates
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+ - create
diff --git a/templates/provider/hmc/templates/rbac/user-facing/management-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/management-viewer.yaml
new file mode 100644
index 000000000..eb8a6308d
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/management-viewer.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-management-viewer-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - management
+ - providertemplates
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-editor.yaml b/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-editor.yaml
new file mode 100644
index 000000000..81a19d634
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-editor.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-templatemanagement-editor-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - templatemanagements
+ verbs: {{ include "rbac.editorVerbs" . | nindent 6 }}
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - servicetemplatechains
+ - clustertemplatechains
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}
+ - create
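Review bot: The first rule of management-editor.yaml names the resource `management` (singular), but RBAC rules match on the resource's plural API name, and the controller role in roles.yaml refers to the same kind as `managements`; unless the CRD really declares `management` as its plural, which the controller role suggests it does not, this rule grants nothing for Management objects and the editor role is ineffective for its main purpose. management-viewer.yaml in the next hunk repeats the same singular in its resource list. Changing both to `- managements` brings them in line with the controller role; rendering the chart with `helm template` and checking each `resources` entry against `kubectl api-resources` output would catch this class of mismatch before release.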
diff --git a/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-viewer.yaml b/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-viewer.yaml
new file mode 100644
index 000000000..35d795f22
--- /dev/null
+++ b/templates/provider/hmc/templates/rbac/user-facing/templatemanagement-viewer.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hmc.fullname" . }}-templatemanagement-viewer-role
+rules:
+ - apiGroups:
+ - hmc.mirantis.com
+ resources:
+ - templatemanagements
+ - clustertemplatechains
+ - servicetemplatechains
+ verbs: {{ include "rbac.viewerVerbs" . | nindent 6 }}