From c247537d66c0bbbd775690485b16e982746fc1b3 Mon Sep 17 00:00:00 2001
From: carlory
Date: Tue, 13 Sep 2022 17:33:23 +0800
Subject: [PATCH] karmada-controller-manager removes unnecessary permissions
Signed-off-by: carlory
---
 artifacts/deploy/clusterrole.yaml | 10 -----
 artifacts/deploy/clusterrolebinding.yaml | 12 -----
 .../templates/karmada-controller-manager.yaml | 24 ----------
 hack/deploy-karmada.sh | 2 -
 pkg/karmadactl/cmdinit/kubernetes/deploy.go | 5 ---
 .../cmdinit/kubernetes/deployments.go | 2 -
 pkg/karmadactl/cmdinit/kubernetes/rbac.go | 44 -------------------
 pkg/karmadactl/deinit.go | 39 ----------------
 8 files changed, 138 deletions(-)
 delete mode 100644 artifacts/deploy/clusterrole.yaml
 delete mode 100644 artifacts/deploy/clusterrolebinding.yaml
 delete mode 100644 pkg/karmadactl/cmdinit/kubernetes/rbac.go
diff --git a/artifacts/deploy/clusterrole.yaml b/artifacts/deploy/clusterrole.yaml
deleted file mode 100644
index a9e076d50..000000000
--- a/artifacts/deploy/clusterrole.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: karmada-controller-manager
-rules:
- - apiGroups: ['*']
- resources: ['*']
- verbs: ["get", "watch", "list", "create", "update", "delete"]
- - nonResourceURLs: ['*']
- verbs: ["get"]
diff --git a/artifacts/deploy/clusterrolebinding.yaml b/artifacts/deploy/clusterrolebinding.yaml
deleted file mode 100644
index 3bbd88243..000000000
--- a/artifacts/deploy/clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: karmada-controller-manager
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: karmada-controller-manager
-subjects:
- - kind: ServiceAccount
- name: karmada-controller-manager
- namespace: karmada-system
diff --git a/charts/karmada/templates/karmada-controller-manager.yaml b/charts/karmada/templates/karmada-controller-manager.yaml
index 0deee24e5..5e3765d57 100644
--- a/charts/karmada/templates/karmada-controller-manager.yaml
+++ b/charts/karmada/templates/karmada-controller-manager.yaml
@@ -74,28 +74,4 @@ spec:
 resources:
 {{- toYaml .Values.controllerManager.resources | nindent 12 }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ $name }}-controller-manager
-rules:
- - apiGroups: ['*']
- resources: ['*']
- verbs: ["get", "watch", "list", "create", "patch", "update", "delete"]
- - nonResourceURLs: ['*']
- verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ $name }}-controller-manager
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ $name }}-controller-manager
-subjects:
- - kind: ServiceAccount
- name: {{ $name }}-controller-manager
- namespace: {{ include "karmada.namespace" . }}
----
 {{- end }}
diff --git a/hack/deploy-karmada.sh b/hack/deploy-karmada.sh
index 152f16432..431485bb2 100755
--- a/hack/deploy-karmada.sh
+++ b/hack/deploy-karmada.sh
@@ -149,8 +149,6 @@ kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy
 # create service account, cluster role for controller-manager
 kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/serviceaccount.yaml"
-kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/clusterrole.yaml"
-kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/clusterrolebinding.yaml"
 KARMADA_CRT=$(base64 "${CERT_DIR}/karmada.crt" | tr -d '\r\n')
 KARMADA_KEY=$(base64 "${CERT_DIR}/karmada.key" | tr -d '\r\n')
diff --git a/pkg/karmadactl/cmdinit/kubernetes/deploy.go b/pkg/karmadactl/cmdinit/kubernetes/deploy.go
index 67f6c0626..ac4054adf 100644
--- a/pkg/karmadactl/cmdinit/kubernetes/deploy.go
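Review bot: The context line `# create service account, cluster role for controller-manager` in the hack/deploy-karmada.sh hunk is now stale, because the two `kubectl apply` lines for clusterrole.yaml and clusterrolebinding.yaml are removed and only serviceaccount.yaml is still applied. Update it to `# create service account for controller-manager` so a reader does not go looking for a cluster role that the script no longer creates. The rest of the script lies outside the hunk.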
+++ b/pkg/karmadactl/cmdinit/kubernetes/deploy.go
@@ -450,11 +450,6 @@ func (i *CommandInitOption) RunInit(parentCommand string) error {
 return err
 }
- // Create karmada-controller-manager ClusterRole and ClusterRoleBinding
- if err := i.CreateControllerManagerRBAC(); err != nil {
- return err
- }
-
 // Create Secrets
 if err := i.createCertsSecrets(); err != nil {
 return err
diff --git a/pkg/karmadactl/cmdinit/kubernetes/deployments.go b/pkg/karmadactl/cmdinit/kubernetes/deployments.go
index fee7ef32a..135d2842e 100644
--- a/pkg/karmadactl/cmdinit/kubernetes/deployments.go
+++ b/pkg/karmadactl/cmdinit/kubernetes/deployments.go
@@ -38,8 +38,6 @@ const (
 webhookTargetPort = 8443
 webhookPort = 443
 karmadaAggregatedAPIServerDeploymentAndServiceName = "karmada-aggregated-apiserver"
- karmadaBootstrappingLabelKey = "karmada.io/bootstrapping"
- karmadaBootstrappingLabelValue = "rbac-defaults"
 )
 var (
diff --git a/pkg/karmadactl/cmdinit/kubernetes/rbac.go b/pkg/karmadactl/cmdinit/kubernetes/rbac.go
deleted file mode 100644
index fe4084ac9..000000000
--- a/pkg/karmadactl/cmdinit/kubernetes/rbac.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package kubernetes
-
-import (
- rbacv1 "k8s.io/api/rbac/v1"
-
- "github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/utils"
-)
-
-// CreateControllerManagerRBAC karmada-controller-manager ClusterRole and ClusterRoleBinding
-func (i *CommandInitOption) CreateControllerManagerRBAC() error {
- labels := map[string]string{karmadaBootstrappingLabelKey: karmadaBootstrappingLabelValue}
- // ClusterRole
- clusterRole := utils.ClusterRoleFromRules(controllerManagerDeploymentAndServiceName, []rbacv1.PolicyRule{
- {
- APIGroups: []string{"*"},
- Resources: []string{"*"},
- Verbs: []string{"get", "watch", "list", "create", "update", "delete"},
- },
- {
- NonResourceURLs: []string{"*"},
- Verbs: []string{"get"},
- },
- }, labels)
- err := utils.CreateIfNotExistClusterRole(i.KubeClientSet, clusterRole)
- if err != nil {
- return err
- }
-
- // ClusterRoleBinding
- clusterRoleBinding := utils.ClusterRoleBindingFromSubjects(controllerManagerDeploymentAndServiceName, controllerManagerDeploymentAndServiceName,
- []rbacv1.Subject{
- {
- Kind: "ServiceAccount",
- Name: controllerManagerDeploymentAndServiceName,
- Namespace: i.Namespace,
- },
- }, labels)
- err = utils.CreateIfNotExistClusterRoleBinding(i.KubeClientSet, clusterRoleBinding)
- if err != nil {
- return err
- }
-
- return nil
-}
diff --git a/pkg/karmadactl/deinit.go b/pkg/karmadactl/deinit.go
index c728206f4..c7910ec57 100644
--- a/pkg/karmadactl/deinit.go
+++ b/pkg/karmadactl/deinit.go
@@ -141,10 +141,6 @@ func (o *CommandDeInitOption) delete() error {
 }
 }
- if err = o.deleteRBAC(); err != nil {
- return err
- }
-
 // Delete namespace where Karmada components are installed
 fmt.Printf("delete Namespace %q\n", o.Namespace)
 if o.DryRun {
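Review bot: Dropping the `o.deleteRBAC()` call in `delete()` (and the function itself in the following hunk) means `karmadactl deinit` no longer cleans up the `karmada-controller-manager` ClusterRole and ClusterRoleBinding that an earlier `karmadactl init`, or the deleted clusterrole.yaml/clusterrolebinding.yaml manifests, created on the host cluster with the `karmada.io/bootstrapping=rbac-defaults` label. On installations that predate this change the wildcard `*`/`*` binding for the controller-manager ServiceAccount would therefore survive an uninstall as an orphaned, highly privileged RBAC object; new installs are unaffected since the RunInit hunk in deploy.go stops creating it. Consider keeping a best-effort deletion of those two objects for at least one release, e.g. by name with a not-found check, or printing a manual cleanup hint from `delete()`, which continues outside the hunk.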
@@ -157,41 +153,6 @@ func (o *CommandDeInitOption) delete() error {
 return nil
 }
-func (o *CommandDeInitOption) deleteRBAC() error {
- // Delete ClusterRole by karmadaBootstrappingLabelKey
- clusterRoleClient := o.KubeClientSet.RbacV1().ClusterRoles()
- clusterRoles, err := clusterRoleClient.List(context.TODO(), metav1.ListOptions{LabelSelector: karmadaBootstrappingLabelKey})
- if err != nil {
- return err
- }
- for _, clusterRole := range clusterRoles.Items {
- fmt.Printf("delete ClusterRole %q\n", clusterRole.Name)
- if o.DryRun {
- continue
- }
- if err := clusterRoleClient.Delete(context.TODO(), clusterRole.Name, metav1.DeleteOptions{}); err != nil {
- return err
- }
- }
-
- // Delete ClusterRoleBinding by karmadaBootstrappingLabelKey
- clusterRoleBindingClient := o.KubeClientSet.RbacV1().ClusterRoleBindings()
- clusterRoleBindings, err := clusterRoleBindingClient.List(context.TODO(), metav1.ListOptions{LabelSelector: karmadaBootstrappingLabelKey})
- if err != nil {
- return err
- }
- for _, clusterRoleBinding := range clusterRoleBindings.Items {
- fmt.Printf("delete ClusterRoleBinding %q\n", clusterRoleBinding.Name)
- if o.DryRun {
- continue
- }
- if err := clusterRoleBindingClient.Delete(context.TODO(), clusterRoleBinding.Name, metav1.DeleteOptions{}); err != nil {
- return err
- }
- }
- return nil
-}
-
 func (o *CommandDeInitOption) deleteWorkload() error {
 // Delete deployment by karmadaBootstrappingLabelKey
 deploymentClient := o.KubeClientSet.AppsV1().Deployments(o.Namespace)