Merge pull request #2511 from carlory/fix-karmada-controllermanager

karmada-controller-manager removes unnecessary permissions
2022-09-17 22:56:47 +08:00 · 2022-09-17 22:56:47 +08:00 · 25af090405
parent 636817ae42 c247537d66
commit 25af090405
8 changed files with 0 additions and 138 deletions
--- a/artifacts/deploy/clusterrole.yaml
+++ b/artifacts/deploy/clusterrole.yaml
@ -1,10 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: karmada-controller-manager
-rules:
-  - apiGroups: ['*']
-    resources: ['*']
-    verbs: ["get", "watch", "list", "create", "update", "delete"]
-  - nonResourceURLs: ['*']
-    verbs: ["get"]
--- a/artifacts/deploy/clusterrolebinding.yaml
+++ b/artifacts/deploy/clusterrolebinding.yaml
@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: karmada-controller-manager
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: karmada-controller-manager
-subjects:
-  - kind: ServiceAccount
-    name: karmada-controller-manager
-    namespace: karmada-system
--- a/charts/karmada/templates/karmada-controller-manager.yaml
+++ b/charts/karmada/templates/karmada-controller-manager.yaml
@ -74,28 +74,4 @@ spec:
          resources:
          {{- toYaml .Values.controllerManager.resources | nindent 12 }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ $name }}-controller-manager
-rules:
-  - apiGroups: ['*']
-    resources: ['*']
-    verbs: ["get", "watch", "list", "create", "patch", "update", "delete"]
-  - nonResourceURLs: ['*']
-    verbs: ["get"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ $name }}-controller-manager
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ $name }}-controller-manager
-subjects:
-  - kind: ServiceAccount
-    name: {{ $name }}-controller-manager
-    namespace: {{ include "karmada.namespace" . }}
---
 {{- end }}
--- a/hack/deploy-karmada.sh
+++ b/hack/deploy-karmada.sh
@ -149,8 +149,6 @@ kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy

 # create service account, cluster role for controller-manager
 kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/serviceaccount.yaml"
-kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/clusterrole.yaml"
-kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/clusterrolebinding.yaml"

 KARMADA_CRT=$(base64 "${CERT_DIR}/karmada.crt" | tr -d '\r\n')
 KARMADA_KEY=$(base64 "${CERT_DIR}/karmada.key" | tr -d '\r\n')
--- a/pkg/karmadactl/cmdinit/kubernetes/deploy.go
+++ b/pkg/karmadactl/cmdinit/kubernetes/deploy.go
@ -447,11 +447,6 @@ func (i *CommandInitOption) RunInit(parentCommand string) error {
 		return err
 	}

-	// Create karmada-controller-manager ClusterRole and ClusterRoleBinding
-	if err := i.CreateControllerManagerRBAC(); err != nil {
-		return err
-	}
-
 	// Create Secrets
 	if err := i.createCertsSecrets(); err != nil {
 		return err
--- a/pkg/karmadactl/cmdinit/kubernetes/deployments.go
+++ b/pkg/karmadactl/cmdinit/kubernetes/deployments.go
@ -38,8 +38,6 @@ const (
 	webhookTargetPort                                           = 8443
 	webhookPort                                                 = 443
 	karmadaAggregatedAPIServerDeploymentAndServiceName          = "karmada-aggregated-apiserver"
-	karmadaBootstrappingLabelKey                                = "karmada.io/bootstrapping"
-	karmadaBootstrappingLabelValue                              = "rbac-defaults"
 )

 var (
--- a/pkg/karmadactl/cmdinit/kubernetes/rbac.go
+++ b/pkg/karmadactl/cmdinit/kubernetes/rbac.go
@ -1,44 +0,0 @@
-package kubernetes
-
-import (
-	rbacv1 "k8s.io/api/rbac/v1"
-
-	"github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/utils"
-)
-
-// CreateControllerManagerRBAC karmada-controller-manager ClusterRole and ClusterRoleBinding
-func (i *CommandInitOption) CreateControllerManagerRBAC() error {
-	labels := map[string]string{karmadaBootstrappingLabelKey: karmadaBootstrappingLabelValue}
-	// ClusterRole
-	clusterRole := utils.ClusterRoleFromRules(controllerManagerDeploymentAndServiceName, []rbacv1.PolicyRule{
-		{
-			APIGroups: []string{"*"},
-			Resources: []string{"*"},
-			Verbs:     []string{"get", "watch", "list", "create", "update", "delete"},
-		},
-		{
-			NonResourceURLs: []string{"*"},
-			Verbs:           []string{"get"},
-		},
-	}, labels)
-	err := utils.CreateIfNotExistClusterRole(i.KubeClientSet, clusterRole)
-	if err != nil {
-		return err
-	}
-
-	// ClusterRoleBinding
-	clusterRoleBinding := utils.ClusterRoleBindingFromSubjects(controllerManagerDeploymentAndServiceName, controllerManagerDeploymentAndServiceName,
-		[]rbacv1.Subject{
-			{
-				Kind:      "ServiceAccount",
-				Name:      controllerManagerDeploymentAndServiceName,
-				Namespace: i.Namespace,
-			},
-		}, labels)
-	err = utils.CreateIfNotExistClusterRoleBinding(i.KubeClientSet, clusterRoleBinding)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/pkg/karmadactl/deinit.go
+++ b/pkg/karmadactl/deinit.go
@ -141,10 +141,6 @@ func (o *CommandDeInitOption) delete() error {
 		}
 	}

-	if err = o.deleteRBAC(); err != nil {
-		return err
-	}
-
 	// Delete namespace where Karmada components are installed
 	fmt.Printf("delete Namespace %q\n", o.Namespace)
 	if o.DryRun {
@ -157,41 +153,6 @@ func (o *CommandDeInitOption) delete() error {
 	return nil
 }

-func (o *CommandDeInitOption) deleteRBAC() error {
-	// Delete ClusterRole by karmadaBootstrappingLabelKey
-	clusterRoleClient := o.KubeClientSet.RbacV1().ClusterRoles()
-	clusterRoles, err := clusterRoleClient.List(context.TODO(), metav1.ListOptions{LabelSelector: karmadaBootstrappingLabelKey})
-	if err != nil {
-		return err
-	}
-	for _, clusterRole := range clusterRoles.Items {
-		fmt.Printf("delete ClusterRole %q\n", clusterRole.Name)
-		if o.DryRun {
-			continue
-		}
-		if err := clusterRoleClient.Delete(context.TODO(), clusterRole.Name, metav1.DeleteOptions{}); err != nil {
-			return err
-		}
-	}
-
-	// Delete ClusterRoleBinding by karmadaBootstrappingLabelKey
-	clusterRoleBindingClient := o.KubeClientSet.RbacV1().ClusterRoleBindings()
-	clusterRoleBindings, err := clusterRoleBindingClient.List(context.TODO(), metav1.ListOptions{LabelSelector: karmadaBootstrappingLabelKey})
-	if err != nil {
-		return err
-	}
-	for _, clusterRoleBinding := range clusterRoleBindings.Items {
-		fmt.Printf("delete ClusterRoleBinding %q\n", clusterRoleBinding.Name)
-		if o.DryRun {
-			continue
-		}
-		if err := clusterRoleBindingClient.Delete(context.TODO(), clusterRoleBinding.Name, metav1.DeleteOptions{}); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 func (o *CommandDeInitOption) deleteWorkload() error {
 	// Delete deployment by karmadaBootstrappingLabelKey
 	deploymentClient := o.KubeClientSet.AppsV1().Deployments(o.Namespace)