karmada-io
/
karmada
mirror of https://github.com/karmada-io/karmada.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3937 from zhy76/rbac 

feat: karmadactl init: grant clusterrole admin with karamda resource permission
This commit is contained in:
karmada-bot 2023-08-25 16:28:04 +08:00 committed by GitHub
parent fd162b7228 90b944a8f6
commit 5135e8fea3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 185 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pkg/karmadactl/cmdinit/karmada/deploy.go
View File

@ -144,6 +144,16 @@ func InitKarmadaBootstrapToken(dir string) (string, error) {
}
func createExtralResources(clientSet *kubernetes.Clientset, dir string) error {
// grant view clusterrole with karamda resource permission
if err := grantKarmadaPermissionToViewClusterRole(clientSet); err != nil {
return err
}
// grant edit clusterrole with karamda resource permission
if err := grantKarmadaPermissionToEditClusterRole(clientSet); err != nil {
return err
}
// grant proxy permission to "system:admin".
if err := grantProxyPermissionToAdmin(clientSet); err != nil {
return err

148
pkg/karmadactl/cmdinit/karmada/rbac.go
View File

@ -10,6 +10,8 @@ import (
)
const (
karamdaViewClusterRole = "karmada-view"
karmadaEditClusterRole = "karmada-edit"
karmadaAgentAccessClusterRole = "system:karmada:agent"
karmadaAgentGroup = "system:nodes"
)
@ -22,7 +24,7 @@ func grantProxyPermissionToAdmin(clientSet kubernetes.Interface) error {
Resources: []string{"clusters/proxy"},
Verbs: []string{"*"},
},
}, nil)
}, nil, nil)
err := cmdutil.CreateOrUpdateClusterRole(clientSet, proxyAdminClusterRole)
if err != nil {
return err
@ -102,7 +104,7 @@ func grantAccessPermissionToAgent(clientSet kubernetes.Interface) error {
Resources: []string{"events"},
Verbs: []string{"create", "patch", "update"},
},
}, nil)
}, nil, nil)
err := cmdutil.CreateOrUpdateClusterRole(clientSet, clusterRole)
if err != nil {
return err
@ -123,3 +125,145 @@ func grantAccessPermissionToAgent(clientSet kubernetes.Interface) error {
return nil
}
// grantKarmadaPermissionToViewClusterRole grants view clusterrole with karamda resource permission
func grantKarmadaPermissionToViewClusterRole(clientSet kubernetes.Interface) error {
annotations := map[string]string{
// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
// and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
"rbac.authorization.kubernetes.io/autoupdate": "true",
}
labels := map[string]string{
// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
"kubernetes.io/bootstrapping": "rbac-defaults",
// used to aggregate rules to view clusterrole
"rbac.authorization.k8s.io/aggregate-to-view": "true",
}
clusterRole := utils.ClusterRoleFromRules(karamdaViewClusterRole, []rbacv1.PolicyRule{
{
APIGroups: []string{"autoscaling.karmada.io"},
Resources: []string{
"cronfederatedhpas",
"cronfederatedhpas/status",
"federatedhpas",
"federatedhpas/status",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"multicluster.x-k8s.io"},
Resources: []string{
"serviceexports",
"serviceexports/status",
"serviceimports",
"serviceimports/status",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"networking.karmada.io"},
Resources: []string{
"multiclusteringresses",
"multiclusteringresses/status",
"multiclusterservices",
"multiclusterservices/status",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"policy.karmada.io"},
Resources: []string{
"overridepolicies",
"propagationpolicies",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"work.karmada.io"},
Resources: []string{
"resourcebindings",
"resourcebindings/status",
"works",
"works/status",
},
Verbs: []string{"get", "list", "watch"},
},
}, annotations, labels)
err := cmdutil.CreateOrUpdateClusterRole(clientSet, clusterRole)
if err != nil {
return err
}
return nil
}
// grantKarmadaPermissionToEditClusterRole grants edit clusterrole with karamda resource permission
func grantKarmadaPermissionToEditClusterRole(clientSet kubernetes.Interface) error {
annotations := map[string]string{
// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
// and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
"rbac.authorization.kubernetes.io/autoupdate": "true",
}
labels := map[string]string{
// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
"kubernetes.io/bootstrapping": "rbac-defaults",
// used to aggregate rules to edit clusterrole
"rbac.authorization.k8s.io/aggregate-to-edit": "true",
}
clusterRole := utils.ClusterRoleFromRules(karmadaEditClusterRole, []rbacv1.PolicyRule{
{
APIGroups: []string{"autoscaling.karmada.io"},
Resources: []string{
"cronfederatedhpas",
"cronfederatedhpas/status",
"federatedhpas",
"federatedhpas/status",
},
Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
},
{
APIGroups: []string{"multicluster.x-k8s.io"},
Resources: []string{
"serviceexports",
"serviceexports/status",
"serviceimports",
"serviceimports/status",
},
Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
},
{
APIGroups: []string{"networking.karmada.io"},
Resources: []string{
"multiclusteringresses",
"multiclusteringresses/status",
"multiclusterservices",
"multiclusterservices/status",
},
Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
},
{
APIGroups: []string{"policy.karmada.io"},
Resources: []string{
"overridepolicies",
"propagationpolicies",
},
Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
},
{
APIGroups: []string{"work.karmada.io"},
Resources: []string{
"resourcebindings",
"resourcebindings/status",
"works",
"works/status",
},
Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
},
}, annotations, labels)
err := cmdutil.CreateOrUpdateClusterRole(clientSet, clusterRole)
if err != nil {
return err
}
return nil
}

14
pkg/karmadactl/cmdinit/karmada/rbac_test.go
View File

@ -19,3 +19,17 @@ func Test_grantAccessPermissionToAgent(t *testing.T) {
t.Errorf("grantAccessPermissionToAgent() expected no error, but got err: %v", err)
}
}
func Test_grantKarmadaPermissionToViewClusterRole(t *testing.T) {
client := fake.NewSimpleClientset()
if err := grantKarmadaPermissionToViewClusterRole(client); err != nil {
t.Errorf("grantKarmadaPermissionToViewClusterRole() expected no error, but got err: %v", err)
}
}
func Test_grantKarmadaPermissionToEditClusterRole(t *testing.T) {
client := fake.NewSimpleClientset()
if err := grantKarmadaPermissionToEditClusterRole(client); err != nil {
t.Errorf("grantKarmadaPermissionToEditClusterRole() expected no error, but got err: %v", err)
}
}

2
pkg/karmadactl/cmdinit/kubernetes/deployments.go
View File

@ -287,7 +287,7 @@ func (i *CommandInitOption) makeKarmadaKubeControllerManagerDeployment() *appsv1
fmt.Sprintf("--cluster-name=%s", options.ClusterName),
fmt.Sprintf("--cluster-signing-cert-file=%s/%s.crt", karmadaCertsVolumeMountPath, options.CaCertAndKeyName),
fmt.Sprintf("--cluster-signing-key-file=%s/%s.key", karmadaCertsVolumeMountPath, options.CaCertAndKeyName),
"--controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning",
"--controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning,clusterrole-aggregation",
"--kubeconfig=/etc/kubeconfig",
"--leader-elect=true",
fmt.Sprintf("--leader-elect-resource-namespace=%s", i.Namespace),

7
pkg/karmadactl/cmdinit/utils/rbac.go
View File

@ -6,15 +6,16 @@ import (
)
// ClusterRoleFromRules ClusterRole Rules
func ClusterRoleFromRules(name string, rules []rbacv1.PolicyRule, labels map[string]string) *rbacv1.ClusterRole {
func ClusterRoleFromRules(name string, rules []rbacv1.PolicyRule, annotations map[string]string, labels map[string]string) *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
APIVersion: "rbac.authorization.k8s.io/v1",
Kind: "ClusterRole",
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Labels: labels,
Name: name,
Annotations: annotations,
Labels: labels,
},
Rules: rules,
}

17
pkg/karmadactl/cmdinit/utils/rbac_test.go
View File

@ -10,9 +10,10 @@ import (
func TestClusterRoleFromRules(t *testing.T) {
type args struct {
name string
rules []rbacv1.PolicyRule
labels map[string]string
name string
rules []rbacv1.PolicyRule
annotations map[string]string
labels map[string]string
}
tests := []struct {
name string
@ -30,7 +31,8 @@ func TestClusterRoleFromRules(t *testing.T) {
Verbs: []string{"*"},
},
},
labels: map[string]string{"foo": "bar"},
annotations: map[string]string{"foo": "bar"},
labels: map[string]string{"foo": "bar"},
},
want: &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
@ -38,8 +40,9 @@ func TestClusterRoleFromRules(t *testing.T) {
Kind: "ClusterRole",
},
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
Labels: map[string]string{"foo": "bar"},
Name: "foo",
Annotations: map[string]string{"foo": "bar"},
Labels: map[string]string{"foo": "bar"},
},
Rules: []rbacv1.PolicyRule{
{
@ -53,7 +56,7 @@ func TestClusterRoleFromRules(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := ClusterRoleFromRules(tt.args.name, tt.args.rules, tt.args.labels); !reflect.DeepEqual(got, tt.want) {
if got := ClusterRoleFromRules(tt.args.name, tt.args.rules, tt.args.annotations, tt.args.labels); !reflect.DeepEqual(got, tt.want) {
t.Errorf("ClusterRoleFromRules() = %v, want %v", got, tt.want)
}
})