Merge pull request #3937 from zhy76/rbac

feat: karmadactl init: grant clusterrole admin with karamda resource permission

pkg/karmadactl/cmdinit/karmada/deploy.go

@@ -144,6 +144,16 @@ func InitKarmadaBootstrapToken(dir string) (string, error) {
 }
 
 func createExtralResources(clientSet *kubernetes.Clientset, dir string) error {
+	// grant view clusterrole with karamda resource permission
+	if err := grantKarmadaPermissionToViewClusterRole(clientSet); err != nil {
+		return err
+	}
+
+	// grant edit clusterrole with karamda resource permission
+	if err := grantKarmadaPermissionToEditClusterRole(clientSet); err != nil {
+		return err
+	}
+
 	// grant proxy permission to "system:admin".
 	if err := grantProxyPermissionToAdmin(clientSet); err != nil {
 		return err

pkg/karmadactl/cmdinit/karmada/rbac.go

@@ -10,6 +10,8 @@ import (
 )
 
 const (
+	karamdaViewClusterRole        = "karmada-view"
+	karmadaEditClusterRole        = "karmada-edit"
 	karmadaAgentAccessClusterRole = "system:karmada:agent"
 	karmadaAgentGroup             = "system:nodes"
 )
@@ -22,7 +24,7 @@ func grantProxyPermissionToAdmin(clientSet kubernetes.Interface) error {
 			Resources: []string{"clusters/proxy"},
 			Verbs:     []string{"*"},
 		},
-	}, nil)
+	}, nil, nil)
 	err := cmdutil.CreateOrUpdateClusterRole(clientSet, proxyAdminClusterRole)
 	if err != nil {
 		return err
@@ -102,7 +104,7 @@ func grantAccessPermissionToAgent(clientSet kubernetes.Interface) error {
 			Resources: []string{"events"},
 			Verbs:     []string{"create", "patch", "update"},
 		},
-	}, nil)
+	}, nil, nil)
 	err := cmdutil.CreateOrUpdateClusterRole(clientSet, clusterRole)
 	if err != nil {
 		return err
@@ -123,3 +125,145 @@ func grantAccessPermissionToAgent(clientSet kubernetes.Interface) error {
 
 	return nil
 }
+
+// grantKarmadaPermissionToViewClusterRole grants view clusterrole with karamda resource permission
+func grantKarmadaPermissionToViewClusterRole(clientSet kubernetes.Interface) error {
+	annotations := map[string]string{
+		// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
+		// and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
+		"rbac.authorization.kubernetes.io/autoupdate": "true",
+	}
+	labels := map[string]string{
+		// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
+		"kubernetes.io/bootstrapping": "rbac-defaults",
+		// used to aggregate rules to view clusterrole
+		"rbac.authorization.k8s.io/aggregate-to-view": "true",
+	}
+	clusterRole := utils.ClusterRoleFromRules(karamdaViewClusterRole, []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{"autoscaling.karmada.io"},
+			Resources: []string{
+				"cronfederatedhpas",
+				"cronfederatedhpas/status",
+				"federatedhpas",
+				"federatedhpas/status",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"multicluster.x-k8s.io"},
+			Resources: []string{
+				"serviceexports",
+				"serviceexports/status",
+				"serviceimports",
+				"serviceimports/status",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"networking.karmada.io"},
+			Resources: []string{
+				"multiclusteringresses",
+				"multiclusteringresses/status",
+				"multiclusterservices",
+				"multiclusterservices/status",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"policy.karmada.io"},
+			Resources: []string{
+				"overridepolicies",
+				"propagationpolicies",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"work.karmada.io"},
+			Resources: []string{
+				"resourcebindings",
+				"resourcebindings/status",
+				"works",
+				"works/status",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+	}, annotations, labels)
+
+	err := cmdutil.CreateOrUpdateClusterRole(clientSet, clusterRole)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// grantKarmadaPermissionToEditClusterRole grants edit clusterrole with karamda resource permission
+func grantKarmadaPermissionToEditClusterRole(clientSet kubernetes.Interface) error {
+	annotations := map[string]string{
+		// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
+		// and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
+		"rbac.authorization.kubernetes.io/autoupdate": "true",
+	}
+	labels := map[string]string{
+		// refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
+		"kubernetes.io/bootstrapping": "rbac-defaults",
+		// used to aggregate rules to edit clusterrole
+		"rbac.authorization.k8s.io/aggregate-to-edit": "true",
+	}
+	clusterRole := utils.ClusterRoleFromRules(karmadaEditClusterRole, []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{"autoscaling.karmada.io"},
+			Resources: []string{
+				"cronfederatedhpas",
+				"cronfederatedhpas/status",
+				"federatedhpas",
+				"federatedhpas/status",
+			},
+			Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
+		},
+		{
+			APIGroups: []string{"multicluster.x-k8s.io"},
+			Resources: []string{
+				"serviceexports",
+				"serviceexports/status",
+				"serviceimports",
+				"serviceimports/status",
+			},
+			Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
+		},
+		{
+			APIGroups: []string{"networking.karmada.io"},
+			Resources: []string{
+				"multiclusteringresses",
+				"multiclusteringresses/status",
+				"multiclusterservices",
+				"multiclusterservices/status",
+			},
+			Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
+		},
+		{
+			APIGroups: []string{"policy.karmada.io"},
+			Resources: []string{
+				"overridepolicies",
+				"propagationpolicies",
+			},
+			Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
+		},
+		{
+			APIGroups: []string{"work.karmada.io"},
+			Resources: []string{
+				"resourcebindings",
+				"resourcebindings/status",
+				"works",
+				"works/status",
+			},
+			Verbs: []string{"create", "update", "patch", "delete", "deletecollection"},
+		},
+	}, annotations, labels)
+
+	err := cmdutil.CreateOrUpdateClusterRole(clientSet, clusterRole)
+	if err != nil {
+		return err
+	}
+	return nil
+}

pkg/karmadactl/cmdinit/karmada/rbac_test.go

@@ -19,3 +19,17 @@ func Test_grantAccessPermissionToAgent(t *testing.T) {
 		t.Errorf("grantAccessPermissionToAgent() expected no error, but got err: %v", err)
 	}
 }
+
+func Test_grantKarmadaPermissionToViewClusterRole(t *testing.T) {
+	client := fake.NewSimpleClientset()
+	if err := grantKarmadaPermissionToViewClusterRole(client); err != nil {
+		t.Errorf("grantKarmadaPermissionToViewClusterRole() expected no error, but got err: %v", err)
+	}
+}
+
+func Test_grantKarmadaPermissionToEditClusterRole(t *testing.T) {
+	client := fake.NewSimpleClientset()
+	if err := grantKarmadaPermissionToEditClusterRole(client); err != nil {
+		t.Errorf("grantKarmadaPermissionToEditClusterRole() expected no error, but got err: %v", err)
+	}
+}

pkg/karmadactl/cmdinit/kubernetes/deployments.go

@@ -287,7 +287,7 @@ func (i *CommandInitOption) makeKarmadaKubeControllerManagerDeployment() *appsv1
 					fmt.Sprintf("--cluster-name=%s", options.ClusterName),
 					fmt.Sprintf("--cluster-signing-cert-file=%s/%s.crt", karmadaCertsVolumeMountPath, options.CaCertAndKeyName),
 					fmt.Sprintf("--cluster-signing-key-file=%s/%s.key", karmadaCertsVolumeMountPath, options.CaCertAndKeyName),
-					"--controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning",
+					"--controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning,clusterrole-aggregation",
 					"--kubeconfig=/etc/kubeconfig",
 					"--leader-elect=true",
 					fmt.Sprintf("--leader-elect-resource-namespace=%s", i.Namespace),

pkg/karmadactl/cmdinit/utils/rbac.go

@@ -6,15 +6,16 @@ import (
 )
 
 // ClusterRoleFromRules ClusterRole Rules
-func ClusterRoleFromRules(name string, rules []rbacv1.PolicyRule, labels map[string]string) *rbacv1.ClusterRole {
+func ClusterRoleFromRules(name string, rules []rbacv1.PolicyRule, annotations map[string]string, labels map[string]string) *rbacv1.ClusterRole {
 	return &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "rbac.authorization.k8s.io/v1",
 			Kind:       "ClusterRole",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:   name,
+			Name:        name,
-			Labels: labels,
+			Annotations: annotations,
+			Labels:      labels,
 		},
 		Rules: rules,
 	}

pkg/karmadactl/cmdinit/utils/rbac_test.go

@@ -10,9 +10,10 @@ import (
 
 func TestClusterRoleFromRules(t *testing.T) {
 	type args struct {
-		name   string
+		name        string
-		rules  []rbacv1.PolicyRule
+		rules       []rbacv1.PolicyRule
-		labels map[string]string
+		annotations map[string]string
+		labels      map[string]string
 	}
 	tests := []struct {
 		name string
@@ -30,7 +31,8 @@ func TestClusterRoleFromRules(t *testing.T) {
 						Verbs:     []string{"*"},
 					},
 				},
-				labels: map[string]string{"foo": "bar"},
+				annotations: map[string]string{"foo": "bar"},
+				labels:      map[string]string{"foo": "bar"},
 			},
 			want: &rbacv1.ClusterRole{
 				TypeMeta: metav1.TypeMeta{
@@ -38,8 +40,9 @@ func TestClusterRoleFromRules(t *testing.T) {
 					Kind:       "ClusterRole",
 				},
 				ObjectMeta: metav1.ObjectMeta{
-					Name:   "foo",
+					Name:        "foo",
-					Labels: map[string]string{"foo": "bar"},
+					Annotations: map[string]string{"foo": "bar"},
+					Labels:      map[string]string{"foo": "bar"},
 				},
 				Rules: []rbacv1.PolicyRule{
 					{
@@ -53,7 +56,7 @@ func TestClusterRoleFromRules(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := ClusterRoleFromRules(tt.args.name, tt.args.rules, tt.args.labels); !reflect.DeepEqual(got, tt.want) {
+			if got := ClusterRoleFromRules(tt.args.name, tt.args.rules, tt.args.annotations, tt.args.labels); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("ClusterRoleFromRules() = %v, want %v", got, tt.want)
 			}
 		})