From ba6c8972e6dcee6a33d0434e68f519920575073b Mon Sep 17 00:00:00 2001 From: "naman.gupta" Date: Fri, 28 Jun 2024 18:28:21 +0530 Subject: [PATCH] Adding clusterrole and service account config. Adding clusterrole and service account config. Change-Id: I1390da5e3b0b07398834fc382b992d32b40e98dd Signed-off-by: naman.gupta --- .../config/rbac/auth_proxy_client_clusterrole.yaml | 16 ++++++++ .../config/rbac/auth_proxy_role.yaml | 24 ++++++++++++ .../config/rbac/auth_proxy_role_binding.yaml | 19 ++++++++++ .../config/rbac/auth_proxy_service.yaml | 21 +++++++++++ .../config/rbac/kustomization.yaml | 18 +++++++++ .../config/rbac/leader_election_role.yaml | 44 ++++++++++++++++++++++ .../config/rbac/leader_election_role_binding.yaml | 19 ++++++++++ .../config/rbac/ricplatform_editor_role.yaml | 31 +++++++++++++++ .../config/rbac/ricplatform_viewer_role.yaml | 27 +++++++++++++ depRicKubernetesOperator/config/rbac/role.yaml | 32 ++++++++++++++++ .../config/rbac/role_binding.yaml | 19 ++++++++++ .../config/rbac/service_account.yaml | 12 ++++++ 12 files changed, 282 insertions(+) create mode 100644 depRicKubernetesOperator/config/rbac/auth_proxy_client_clusterrole.yaml create mode 100644 depRicKubernetesOperator/config/rbac/auth_proxy_role.yaml create mode 100644 depRicKubernetesOperator/config/rbac/auth_proxy_role_binding.yaml create mode 100644 depRicKubernetesOperator/config/rbac/auth_proxy_service.yaml create mode 100644 depRicKubernetesOperator/config/rbac/kustomization.yaml create mode 100644 depRicKubernetesOperator/config/rbac/leader_election_role.yaml create mode 100644 depRicKubernetesOperator/config/rbac/leader_election_role_binding.yaml create mode 100644 depRicKubernetesOperator/config/rbac/ricplatform_editor_role.yaml create mode 100644 depRicKubernetesOperator/config/rbac/ricplatform_viewer_role.yaml create mode 100644 depRicKubernetesOperator/config/rbac/role.yaml create mode 100644 depRicKubernetesOperator/config/rbac/role_binding.yaml create mode 100644 depRicKubernetesOperator/config/rbac/service_account.yaml diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_client_clusterrole.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_client_clusterrole.yaml new file mode 100644 index 0000000..04d5318 --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/auth_proxy_client_clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_role.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_role.yaml new file mode 100644 index 0000000..cd3d60f --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/auth_proxy_role.yaml @@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: proxy-role + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_role_binding.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 0000000..c534aee --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_service.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_service.yaml new file mode 100644 index 0000000..a130714 --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/auth_proxy_service.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: service + app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager diff --git a/depRicKubernetesOperator/config/rbac/kustomization.yaml b/depRicKubernetesOperator/config/rbac/kustomization.yaml new file mode 100644 index 0000000..731832a --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/kustomization.yaml @@ -0,0 +1,18 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml diff --git a/depRicKubernetesOperator/config/rbac/leader_election_role.yaml b/depRicKubernetesOperator/config/rbac/leader_election_role.yaml new file mode 100644 index 0000000..0321d5e --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/leader_election_role.yaml @@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/depRicKubernetesOperator/config/rbac/leader_election_role_binding.yaml b/depRicKubernetesOperator/config/rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000..7ec1d57 --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/leader_election_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/depRicKubernetesOperator/config/rbac/ricplatform_editor_role.yaml b/depRicKubernetesOperator/config/rbac/ricplatform_editor_role.yaml new file mode 100644 index 0000000..e6932d1 --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/ricplatform_editor_role.yaml @@ -0,0 +1,31 @@ +# permissions for end users to edit ricplatforms. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: ricplatform-editor-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: ricplatform-editor-role +rules: +- apiGroups: + - ricdeploy.ricplt.com + resources: + - ricplatforms + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ricdeploy.ricplt.com + resources: + - ricplatforms/status + verbs: + - get diff --git a/depRicKubernetesOperator/config/rbac/ricplatform_viewer_role.yaml b/depRicKubernetesOperator/config/rbac/ricplatform_viewer_role.yaml new file mode 100644 index 0000000..6301141 --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/ricplatform_viewer_role.yaml @@ -0,0 +1,27 @@ +# permissions for end users to view ricplatforms. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: ricplatform-viewer-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: ricplatform-viewer-role +rules: +- apiGroups: + - ricdeploy.ricplt.com + resources: + - ricplatforms + verbs: + - get + - list + - watch +- apiGroups: + - ricdeploy.ricplt.com + resources: + - ricplatforms/status + verbs: + - get diff --git a/depRicKubernetesOperator/config/rbac/role.yaml b/depRicKubernetesOperator/config/rbac/role.yaml new file mode 100644 index 0000000..8c08d40 --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/role.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: +- apiGroups: + - ricdeploy.ricplt.com + resources: + - ricplatforms + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ricdeploy.ricplt.com + resources: + - ricplatforms/finalizers + verbs: + - update +- apiGroups: + - ricdeploy.ricplt.com + resources: + - ricplatforms/status + verbs: + - get + - patch + - update diff --git a/depRicKubernetesOperator/config/rbac/role_binding.yaml b/depRicKubernetesOperator/config/rbac/role_binding.yaml new file mode 100644 index 0000000..0966bed --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/depRicKubernetesOperator/config/rbac/service_account.yaml b/depRicKubernetesOperator/config/rbac/service_account.yaml new file mode 100644 index 0000000..1556b3f --- /dev/null +++ b/depRicKubernetesOperator/config/rbac/service_account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/instance: controller-manager-sa + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: depriclatest26oct + app.kubernetes.io/part-of: depriclatest26oct + app.kubernetes.io/managed-by: kustomize + name: controller-manager + namespace: system -- 2.16.6