173 lines
5.4 KiB
YAML
173 lines
5.4 KiB
YAML
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: cluster-info
|
|
namespace: kube-public
|
|
data:
|
|
kubeconfig: |
|
|
apiVersion: v1
|
|
clusters:
|
|
- cluster:
|
|
certificate-authority-data: {{ca_crt}}
|
|
server: {{apiserver_address}}
|
|
kind: Config
|
|
|
|
---
|
|
# Define a role with permission to get the cluster-info configmap
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:bootstrap-signer-clusterinfo
|
|
namespace: kube-public
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resourceNames:
|
|
- cluster-info
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
|
|
---
|
|
# An anonymous user can get `cluster-info` configmap, which is used to obtain the control plane API server's server
|
|
# address and `certificate-authority-data` during the `karmadactl register` process.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:bootstrap-signer-clusterinfo
|
|
namespace: kube-public
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: system:karmada:bootstrap-signer-clusterinfo
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: User
|
|
name: system:anonymous
|
|
|
|
---
|
|
# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
|
|
# used by `karmadactl register` when registering a new pull mode cluster.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:agent-bootstrap
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:node-bootstrapper
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: Group
|
|
name: system:bootstrappers:karmada:default-cluster-token
|
|
|
|
---
|
|
# Define a ClusterRole with permissions to automatically approve the agent CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:certificatesigningrequest:autoapprover
|
|
rules:
|
|
- apiGroups:
|
|
- certificates.k8s.io
|
|
resources:
|
|
- certificatesigningrequests/clusteragent
|
|
verbs:
|
|
- create
|
|
|
|
---
|
|
# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
|
|
# used by `karmadactl register` when registering a new pull mode cluster.
|
|
# When the `agentcsrapproving` controller is enabled by the karmada-controller-manager,
|
|
# it can automatically approve the agent CSRs requested by the user group system:bootstrappers:karmada:default-cluster-token.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:agent-autoapprove-bootstrap
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:karmada:certificatesigningrequest:autoapprover
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: Group
|
|
name: system:bootstrappers:karmada:default-cluster-token
|
|
|
|
---
|
|
# Define a ClusterRole with permissions to automatically approve the agent CSRs
|
|
# where the user name and group of requester match those in the CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:certificatesigningrequest:selfautoapprover
|
|
rules:
|
|
- apiGroups:
|
|
- certificates.k8s.io
|
|
resources:
|
|
- certificatesigningrequests/selfclusteragent
|
|
verbs:
|
|
- create
|
|
|
|
---
|
|
# Group `system:karmada:agents` is the user group used by the karmada-agent to access the Karmada API server.
|
|
# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve
|
|
# the agent CSRs(csr.Subject.CommonName = agent username) requested by the user group system:karmada:agents.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:agent-autoapprove-certificate-rotation
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:karmada:certificatesigningrequest:selfautoapprover
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: Group
|
|
name: system:karmada:agents
|
|
|
|
---
|
|
# ClusterRole `system:karmada:agent-rbac-generator` is not used for the connection between the karmada-agent and the control plane,
|
|
# but is used by karmadactl register to generate the RBAC resources required by the karmada-agent.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:agent-rbac-generator
|
|
rules:
|
|
- apiGroups: ['*']
|
|
resources: ['*']
|
|
verbs: ['*']
|
|
|
|
---
|
|
# User `system:karmada:agent:rbac-generator` is specifically used during the `karmadactl register` process to generate restricted RBAC resources for the `karmada-agent`.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
labels:
|
|
karmada.io/bootstrapping: rbac-defaults
|
|
name: system:karmada:agent-rbac-generator
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:karmada:agent-rbac-generator
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: User
|
|
name: system:karmada:agent:rbac-generator
|