karmada-io
/
karmada
mirror of https://github.com/karmada-io/karmada.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

karmada-controller-manager removes unnecessary permissions 

Signed-off-by: carlory <baofa.fan@daocloud.io>
This commit is contained in:
carlory 2022-09-13 17:33:23 +08:00
parent ade913173e
commit c247537d66
8 changed files with 0 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
artifacts/deploy/clusterrole.yaml
View File

@ -1,10 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: karmada-controller-manager
rules:
- apiGroups: ['*']
resources: ['*']
verbs: ["get", "watch", "list", "create", "update", "delete"]
- nonResourceURLs: ['*']
verbs: ["get"]

12
artifacts/deploy/clusterrolebinding.yaml
View File

@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: karmada-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: karmada-controller-manager
subjects:
- kind: ServiceAccount
name: karmada-controller-manager
namespace: karmada-system

24
charts/karmada/templates/karmada-controller-manager.yaml
View File

@ -74,28 +74,4 @@ spec:
resources: resources:
{{- toYaml .Values.controllerManager.resources | nindent 12 }} {{- toYaml .Values.controllerManager.resources | nindent 12 }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $name }}-controller-manager
rules:
- apiGroups: ['*']
resources: ['*']
verbs: ["get", "watch", "list", "create", "patch", "update", "delete"]
- nonResourceURLs: ['*']
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $name }}-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $name }}-controller-manager
subjects:
- kind: ServiceAccount
name: {{ $name }}-controller-manager
namespace: {{ include "karmada.namespace" . }}
---
{{- end }} {{- end }}

2
hack/deploy-karmada.sh
View File

@ -149,8 +149,6 @@ kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy
# create service account, cluster role for controller-manager # create service account, cluster role for controller-manager
kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/serviceaccount.yaml" kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/serviceaccount.yaml"
kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/clusterrole.yaml"
kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/clusterrolebinding.yaml"
KARMADA_CRT=$(base64 "${CERT_DIR}/karmada.crt" | tr -d '\r\n') KARMADA_CRT=$(base64 "${CERT_DIR}/karmada.crt" | tr -d '\r\n')
KARMADA_KEY=$(base64 "${CERT_DIR}/karmada.key" | tr -d '\r\n') KARMADA_KEY=$(base64 "${CERT_DIR}/karmada.key" | tr -d '\r\n')

5
pkg/karmadactl/cmdinit/kubernetes/deploy.go
View File

@ -450,11 +450,6 @@ func (i *CommandInitOption) RunInit(parentCommand string) error {
return err return err
} }
// Create karmada-controller-manager ClusterRole and ClusterRoleBinding
if err := i.CreateControllerManagerRBAC(); err != nil {
return err
}
// Create Secrets // Create Secrets
if err := i.createCertsSecrets(); err != nil { if err := i.createCertsSecrets(); err != nil {
return err return err

2
pkg/karmadactl/cmdinit/kubernetes/deployments.go
View File

@ -38,8 +38,6 @@ const (
webhookTargetPort = 8443 webhookTargetPort = 8443
webhookPort = 443 webhookPort = 443
karmadaAggregatedAPIServerDeploymentAndServiceName = "karmada-aggregated-apiserver" karmadaAggregatedAPIServerDeploymentAndServiceName = "karmada-aggregated-apiserver"
karmadaBootstrappingLabelKey = "karmada.io/bootstrapping"
karmadaBootstrappingLabelValue = "rbac-defaults"
) )
var ( var (

44
pkg/karmadactl/cmdinit/kubernetes/rbac.go
View File

@ -1,44 +0,0 @@
package kubernetes
import (
rbacv1 "k8s.io/api/rbac/v1"
"github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/utils"
)
// CreateControllerManagerRBAC karmada-controller-manager ClusterRole and ClusterRoleBinding
func (i *CommandInitOption) CreateControllerManagerRBAC() error {
labels := map[string]string{karmadaBootstrappingLabelKey: karmadaBootstrappingLabelValue}
// ClusterRole
clusterRole := utils.ClusterRoleFromRules(controllerManagerDeploymentAndServiceName, []rbacv1.PolicyRule{
{
APIGroups: []string{"*"},
Resources: []string{"*"},
Verbs: []string{"get", "watch", "list", "create", "update", "delete"},
},
{
NonResourceURLs: []string{"*"},
Verbs: []string{"get"},
},
}, labels)
err := utils.CreateIfNotExistClusterRole(i.KubeClientSet, clusterRole)
if err != nil {
return err
}
// ClusterRoleBinding
clusterRoleBinding := utils.ClusterRoleBindingFromSubjects(controllerManagerDeploymentAndServiceName, controllerManagerDeploymentAndServiceName,
[]rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: controllerManagerDeploymentAndServiceName,
Namespace: i.Namespace,
},
}, labels)
err = utils.CreateIfNotExistClusterRoleBinding(i.KubeClientSet, clusterRoleBinding)
if err != nil {
return err
}
return nil
}

39
pkg/karmadactl/deinit.go
View File

@ -141,10 +141,6 @@ func (o *CommandDeInitOption) delete() error {
} }
} }
if err = o.deleteRBAC(); err != nil {
return err
}
// Delete namespace where Karmada components are installed // Delete namespace where Karmada components are installed
fmt.Printf("delete Namespace %q\n", o.Namespace) fmt.Printf("delete Namespace %q\n", o.Namespace)
if o.DryRun { if o.DryRun {
@ -157,41 +153,6 @@ func (o *CommandDeInitOption) delete() error {
return nil return nil
} }
func (o *CommandDeInitOption) deleteRBAC() error {
// Delete ClusterRole by karmadaBootstrappingLabelKey
clusterRoleClient := o.KubeClientSet.RbacV1().ClusterRoles()
clusterRoles, err := clusterRoleClient.List(context.TODO(), metav1.ListOptions{LabelSelector: karmadaBootstrappingLabelKey})
if err != nil {
return err
}
for _, clusterRole := range clusterRoles.Items {
fmt.Printf("delete ClusterRole %q\n", clusterRole.Name)
if o.DryRun {
continue
}
if err := clusterRoleClient.Delete(context.TODO(), clusterRole.Name, metav1.DeleteOptions{}); err != nil {
return err
}
}
// Delete ClusterRoleBinding by karmadaBootstrappingLabelKey
clusterRoleBindingClient := o.KubeClientSet.RbacV1().ClusterRoleBindings()
clusterRoleBindings, err := clusterRoleBindingClient.List(context.TODO(), metav1.ListOptions{LabelSelector: karmadaBootstrappingLabelKey})
if err != nil {
return err
}
for _, clusterRoleBinding := range clusterRoleBindings.Items {
fmt.Printf("delete ClusterRoleBinding %q\n", clusterRoleBinding.Name)
if o.DryRun {
continue
}
if err := clusterRoleBindingClient.Delete(context.TODO(), clusterRoleBinding.Name, metav1.DeleteOptions{}); err != nil {
return err
}
}
return nil
}
func (o *CommandDeInitOption) deleteWorkload() error { func (o *CommandDeInitOption) deleteWorkload() error {
// Delete deployment by karmadaBootstrappingLabelKey // Delete deployment by karmadaBootstrappingLabelKey
deploymentClient := o.KubeClientSet.AppsV1().Deployments(o.Namespace) deploymentClient := o.KubeClientSet.AppsV1().Deployments(o.Namespace)