Merge pull request #3915 from XiShanYongYe-Chang/grant-clusterrole-admin-with-karmada-resource-permission
grant clusterrole admin with karamda resource permission
This commit is contained in:
karmada-bot
GitHub
commit
37cee8d51d
|
|
@ -0,0 +1,149 @@
|
|||
# This configuration is used to grant the admin clusterrole read
|
||||
# and write permissions for Karmada resources.
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
annotations:
|
||||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
|
||||
# and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
labels:
|
||||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
# used to aggregate rules to view clusterrole
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
name: karmada-view
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "autoscaling.karmada.io"
|
||||
resources:
|
||||
- cronfederatedhpas
|
||||
- cronfederatedhpas/status
|
||||
- federatedhpas
|
||||
- federatedhpas/status
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "multicluster.x-k8s.io"
|
||||
resources:
|
||||
- serviceexports
|
||||
- serviceexports/status
|
||||
- serviceimports
|
||||
- serviceimports/status
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "networking.karmada.io"
|
||||
resources:
|
||||
- multiclusteringresses
|
||||
- multiclusteringresses/status
|
||||
- multiclusterservices
|
||||
- multiclusterservices/status
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "policy.karmada.io"
|
||||
resources:
|
||||
- overridepolicies
|
||||
- propagationpolicies
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "work.karmada.io"
|
||||
resources:
|
||||
- resourcebindings
|
||||
- resourcebindings/status
|
||||
- works
|
||||
- works/status
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
annotations:
|
||||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
|
||||
# and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
labels:
|
||||
# refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
# used to aggregate rules to view clusterrole
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
name: karmada-edit
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "autoscaling.karmada.io"
|
||||
resources:
|
||||
- cronfederatedhpas
|
||||
- cronfederatedhpas/status
|
||||
- federatedhpas
|
||||
- federatedhpas/status
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- deletecollection
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "multicluster.x-k8s.io"
|
||||
resources:
|
||||
- serviceexports
|
||||
- serviceexports/status
|
||||
- serviceimports
|
||||
- serviceimports/status
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- deletecollection
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "networking.karmada.io"
|
||||
resources:
|
||||
- multiclusteringresses
|
||||
- multiclusteringresses/status
|
||||
- multiclusterservices
|
||||
- multiclusterservices/status
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- deletecollection
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "policy.karmada.io"
|
||||
resources:
|
||||
- overridepolicies
|
||||
- propagationpolicies
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- deletecollection
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- "work.karmada.io"
|
||||
resources:
|
||||
- resourcebindings
|
||||
- resourcebindings/status
|
||||
- works
|
||||
- works/status
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- deletecollection
|
||||
- patch
|
||||
- update
|
||||
|
|
@ -43,7 +43,7 @@ spec:
|
|||
- --cluster-name=karmada
|
||||
- --cluster-signing-cert-file=/etc/karmada/pki/ca.crt
|
||||
- --cluster-signing-key-file=/etc/karmada/pki/ca.key
|
||||
- --controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning
|
||||
- --controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning,clusterrole-aggregation
|
||||
- --kubeconfig=/etc/kubeconfig
|
||||
- --leader-elect=true
|
||||
- --node-cidr-mask-size=24
|
||||
|
|
|
|||
|
|
@ -268,6 +268,9 @@ kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/ka
|
|||
# make sure apiservice for karmada metrics adapter is Available
|
||||
util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_METRICS_ADAPTER_LABEL}"
|
||||
|
||||
# grant the admin clusterrole read and write permissions for Karmada resources
|
||||
kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/admin-clusterrole-aggregation.yaml"
|
||||
|
||||
# deploy cluster proxy rbac for admin
|
||||
kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/cluster-proxy-admin-rbac.yaml"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue