From dba863095e13af9d2da4eed8cd211149ffd9f178 Mon Sep 17 00:00:00 2001
From: lonelyCZ <531187475@qq.com>
Date: Thu, 24 Mar 2022 11:54:39 +0800
Subject: [PATCH] Add cluster proxy rbac for admin when deploy Karmada control
 plane

Signed-off-by: lonelyCZ <531187475@qq.com>
---
 .../deploy/cluster-proxy-admin-rbac.yaml      | 26 +++++++++++++++++++
 hack/deploy-karmada.sh                        |  3 +++
 2 files changed, 29 insertions(+)
 create mode 100644 artifacts/deploy/cluster-proxy-admin-rbac.yaml

diff --git a/artifacts/deploy/cluster-proxy-admin-rbac.yaml b/artifacts/deploy/cluster-proxy-admin-rbac.yaml
new file mode 100644
index 000000000..b0f5d0e98
--- /dev/null
+++ b/artifacts/deploy/cluster-proxy-admin-rbac.yaml
@@ -0,0 +1,26 @@
+# This configuration is used to authorize system:admin to proxy member clusters,
+# if you don't need it, you can remove it from karmada control plane.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cluster-proxy-admin
+rules:
+- apiGroups:
+  - 'cluster.karmada.io'
+  resources:
+  - clusters/proxy
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-proxy-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-proxy-admin
+subjects:
+  - kind: User
+    name: "system:admin"
diff --git a/hack/deploy-karmada.sh b/hack/deploy-karmada.sh
index e556e2200..27842f9ca 100755
--- a/hack/deploy-karmada.sh
+++ b/hack/deploy-karmada.sh
@@ -227,6 +227,9 @@ kubectl apply -f "${REPO_ROOT}/artifacts/deploy/apiservice.yaml"
 # make sure apiservice for v1alpha1.cluster.karmada.io is Available
 util::wait_apiservice_ready "${KARMADA_AGGREGATION_APISERVER_LABEL}"
 
+# deploy cluster proxy rbac for admin
+kubectl apply -f "${REPO_ROOT}/artifacts/deploy/cluster-proxy-admin-rbac.yaml"
+
 kubectl config use-context "${HOST_CLUSTER_NAME}"
 
 # deploy controller-manager on host cluster