diff --git a/chart/templates/tap-rbac.yaml b/chart/templates/tap-rbac.yaml index 1dd13a173..ec70a1870 100644 --- a/chart/templates/tap-rbac.yaml +++ b/chart/templates/tap-rbac.yaml @@ -22,6 +22,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-{{.Namespace}}-tap-admin + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/chart/templates/web-rbac.yaml b/chart/templates/web-rbac.yaml index 4e4b24d4a..1e8b30fd8 100644 --- a/chart/templates/web-rbac.yaml +++ b/chart/templates/web-rbac.yaml @@ -4,6 +4,24 @@ ### Web RBAC ### --- +{{- if not .RestrictDashboardPrivileges }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-{{.Namespace}}-web-admin + labels: + {{.ControllerComponentLabel}}: web + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Namespace}}-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: {{.Namespace}} +--- +{{- end}} kind: ServiceAccount apiVersion: v1 metadata: diff --git a/charts/linkerd2/templates/tap-rbac.yaml b/charts/linkerd2/templates/tap-rbac.yaml index 2e241804e..4ea9ccc72 100644 --- a/charts/linkerd2/templates/tap-rbac.yaml +++ b/charts/linkerd2/templates/tap-rbac.yaml 
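Review bot: The new `linkerd-{{.Namespace}}-tap-admin` ClusterRole grants `watch` on `*/tap` for every resource kind in the `tap.linkerd.io` group, and because a ClusterRole is not namespaced, any subject bound to it can tap workloads in every namespace; nothing in the template records that scope or who the role is meant for. A comment above the rule would make the blast radius explicit, e.g. `# Cluster-wide Tap on every kind; bound to the dashboard only when RestrictDashboardPrivileges is unset`. If the tap API only needs to be granted on a fixed set of kinds, listing them instead of `*` would keep the role minimal, but which kinds the tap server accepts is not visible on this page. The identical rule is added to `charts/linkerd2/templates/tap-rbac.yaml` in the hunk on the next line, so the same comment belongs there.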
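Review bot: The `linkerd-{{.Namespace}}-web-admin` ClusterRoleBinding is rendered unless `.RestrictDashboardPrivileges` is set, so a default install binds the `linkerd-web` ServiceAccount to the cluster-wide tap-admin role and the least-privilege configuration is opt-in via `--restrict-dashboard-privileges`. If the permissive default is deliberate to keep existing dashboard behaviour, that should be stated in the template so a later reader does not mistake it for an oversight, e.g. `# Default: the dashboard may tap every namespace; pass --restrict-dashboard-privileges to omit this binding`. Whether the web service authenticates its users is not visible here, so the real exposure depends on who can reach the dashboard. The same conditional block is added to `charts/linkerd2/templates/web-rbac.yaml` in the hunk on the next line.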
@@ -22,6 +22,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-tap-admin + labels: + {{.ControllerComponentLabel}}: tap + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: diff --git a/charts/linkerd2/templates/web-rbac.yaml b/charts/linkerd2/templates/web-rbac.yaml index 32b6a3b39..6c551175c 100644 --- a/charts/linkerd2/templates/web-rbac.yaml +++ b/charts/linkerd2/templates/web-rbac.yaml @@ -4,6 +4,24 @@ ### Web RBAC ### --- +{{- if not .RestrictDashboardPrivileges }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-web-admin + labels: + {{.ControllerComponentLabel}}: web + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Namespace}}-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: {{.Namespace}} +--- +{{- end}} kind: ServiceAccount apiVersion: v1 metadata: diff --git a/cli/cmd/check.go b/cli/cmd/check.go index 00866b9b8..c543ba9b1 100644 --- a/cli/cmd/check.go +++ b/cli/cmd/check.go @@ -71,7 +71,7 @@ func (options *checkOptions) validate() error { return nil } -// newCmdInstallConfig is a subcommand for `linkerd check config` +// newCmdCheckConfig is a subcommand for `linkerd check config` func newCmdCheckConfig(options *checkOptions) *cobra.Command { cmd := &cobra.Command{ Use: "config [flags]", diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 40a45358c..b999357e1 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go 
@@ -32,32 +32,33 @@ type ( installValues struct { stage string - Namespace string - ClusterDomain string - ControllerImage string - WebImage string - PrometheusImage string - GrafanaImage string - ImagePullPolicy string - UUID string - CliVersion string - ControllerReplicas uint - ControllerLogLevel string - PrometheusLogLevel string - ControllerComponentLabel string - ControllerNamespaceLabel string - CreatedByAnnotation string - ProxyContainerName string - ProxyInjectAnnotation string - ProxyInjectDisabled string - LinkerdNamespaceLabel string - ControllerUID int64 - EnableH2Upgrade bool - HighAvailability bool - NoInitContainer bool - WebhookFailurePolicy string - OmitWebhookSideEffects bool - HeartbeatSchedule string + Namespace string + ClusterDomain string + ControllerImage string + WebImage string + PrometheusImage string + GrafanaImage string + ImagePullPolicy string + UUID string + CliVersion string + ControllerReplicas uint + ControllerLogLevel string + PrometheusLogLevel string + ControllerComponentLabel string + ControllerNamespaceLabel string + CreatedByAnnotation string + ProxyContainerName string + ProxyInjectAnnotation string + ProxyInjectDisabled string + LinkerdNamespaceLabel string + ControllerUID int64 + EnableH2Upgrade bool + HighAvailability bool + NoInitContainer bool + WebhookFailurePolicy string + OmitWebhookSideEffects bool + RestrictDashboardPrivileges bool + HeartbeatSchedule string Configs configJSONs 
@@ -125,16 +126,17 @@ type ( // in order to hold values for command line flags that apply to both inject and // install. installOptions struct { - controlPlaneVersion string - controllerReplicas uint - controllerLogLevel string - highAvailability bool - controllerUID int64 - disableH2Upgrade bool - noInitContainer bool - skipChecks bool - omitWebhookSideEffects bool - identityOptions *installIdentityOptions + controlPlaneVersion string + controllerReplicas uint + controllerLogLevel string + highAvailability bool + controllerUID int64 + disableH2Upgrade bool + noInitContainer bool + skipChecks bool + omitWebhookSideEffects bool + restrictDashboardPrivileges bool + identityOptions *installIdentityOptions *proxyConfigOptions recordedFlags []*pb.Install_Flag @@ -190,14 +192,15 @@ Otherwise, you can use the --ignore-cluster flag to overwrite the existing globa // injection-time. func newInstallOptionsWithDefaults() *installOptions { return &installOptions{ - controlPlaneVersion: version.Version, - controllerReplicas: defaultControllerReplicas, - controllerLogLevel: "info", - highAvailability: false, - controllerUID: 2103, - disableH2Upgrade: false, - noInitContainer: false, - omitWebhookSideEffects: false, + controlPlaneVersion: version.Version, + controllerReplicas: defaultControllerReplicas, + controllerLogLevel: "info", + highAvailability: false, + controllerUID: 2103, + disableH2Upgrade: false, + noInitContainer: false, + omitWebhookSideEffects: false, + restrictDashboardPrivileges: false, proxyConfigOptions: &proxyConfigOptions{ proxyVersion: version.Version, ignoreCluster: false, 
@@ -258,6 +261,19 @@ func newInstallIdentityOptionsWithDefaults() *installIdentityOptions { } } +// Flag configuration matrix +// +// | recordableFlagSet | allStageFlagSet | installOnlyFlagSet | installPersistentFlagSet | upgradeOnlyFlagSet | "skip-checks" | +// `linkerd install` | X | X | X | X | | | +// `linkerd install config` | | X | | X | | | +// `linkerd install control-plane` | X | X | X | X | | X | +// `linkerd upgrade` | X | X | | | X | | +// `linkerd upgrade config` | | X | | | | | +// `linkerd upgrade control-plane` | X | X | | | X | | +// +// allStageFlagSet is a subset of recordableFlagSet, but is also added to `linkerd [install|upgrade] config` +// proxyConfigOptions.flagSet is a subset of recordableFlagSet, and is used by `linkerd inject`. + // newCmdInstallConfig is a subcommand for `linkerd install config` func newCmdInstallConfig(options *installOptions, parentFlags *pflag.FlagSet) *cobra.Command { cmd := &cobra.Command{ @@ -284,14 +300,13 @@ resources for the Linkerd control plane. This command should be followed by }, } - cniEnabledFlag := parentFlags.Lookup("linkerd-cni-enabled") - cmd.Flags().AddFlag(cniEnabledFlag) + cmd.Flags().AddFlagSet(options.allStageFlagSet()) return cmd } // newCmdInstallControlPlane is a subcommand for `linkerd install control-plane` -func newCmdInstallControlPlane(options *installOptions, parentFlags *pflag.FlagSet) *cobra.Command { +func newCmdInstallControlPlane(options *installOptions) *cobra.Command { // The base flags are recorded separately so that they can be serialized into // the configuration in validateAndBuild. flags := options.recordableFlagSet() @@ -327,9 +342,6 @@ control plane. It should be run after "linkerd install config".`, }, } - cniEnabledFlag := parentFlags.Lookup("linkerd-cni-enabled") - cmd.Flags().AddFlag(cniEnabledFlag) - cmd.PersistentFlags().BoolVar( &options.skipChecks, "skip-checks", options.skipChecks, `Skip checks for namespace existence`, 
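Review bot: `newCmdInstallConfig` keeps its `parentFlags *pflag.FlagSet` parameter although the only use visible on the page, the removed `parentFlags.Lookup("linkerd-cni-enabled")` lines, is replaced by `cmd.Flags().AddFlagSet(options.allStageFlagSet())`, while `newCmdInstallControlPlane` in the same hunk had the equivalent parameter dropped. Unless the part of the body above this hunk still reads it, the signature should become `func newCmdInstallConfig(options *installOptions) *cobra.Command` and the caller in the next hunk changed to `cmd.AddCommand(newCmdInstallConfig(options))`, so the two stage constructors match. The start of `newCmdInstallConfig` lies inside the hunk but its body continues past it.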
@@ -383,7 +395,7 @@ control plane.`, cmd.PersistentFlags().AddFlagSet(installPersistentFlags) cmd.AddCommand(newCmdInstallConfig(options, flags)) - cmd.AddCommand(newCmdInstallControlPlane(options, flags)) + cmd.AddCommand(newCmdInstallControlPlane(options)) return cmd } @@ -447,16 +459,13 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet { flags := pflag.NewFlagSet("install", e) flags.AddFlagSet(options.proxyConfigOptions.flagSet(e)) + flags.AddFlagSet(options.allStageFlagSet()) flags.UintVar( &options.controllerReplicas, "controller-replicas", options.controllerReplicas, "Replicas of the controller to deploy", ) - flags.BoolVar(&options.noInitContainer, "linkerd-cni-enabled", options.noInitContainer, - "Experimental: Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed", - ) - flags.StringVar( &options.controllerLogLevel, "controller-log-level", options.controllerLogLevel, "Log level for the controller and web components", 
@@ -492,6 +501,24 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet { return flags } +// allStageFlagSet returns flags usable for single and multi-stage installs and +// upgrades. For multi-stage installs, users must set these flags consistently +// across commands. +func (options *installOptions) allStageFlagSet() *pflag.FlagSet { + flags := pflag.NewFlagSet("all-stage", pflag.ExitOnError) + + flags.BoolVar(&options.noInitContainer, "linkerd-cni-enabled", options.noInitContainer, + "Experimental: Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed", + ) + + flags.BoolVar( + &options.restrictDashboardPrivileges, "restrict-dashboard-privileges", options.restrictDashboardPrivileges, + "Restrict the Linkerd Dashboard's default privileges to disallow Tap", + ) + + return flags +} + // installOnlyFlagSet includes flags that are only accessible at install-time // and not at upgrade-time. func (options *installOptions) installOnlyFlagSet() *pflag.FlagSet { 
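Review bot: `allStageFlagSet` hard-codes `pflag.ExitOnError` while its sibling `recordableFlagSet` is parameterised on an error-handling mode `e`; since every caller merges the result via `AddFlagSet`, the mode of this temporary set has no effect, but the mismatch invites confusion and deserves a comment such as `// the handling mode is irrelevant: callers merge these flags with AddFlagSet`. The doc comment says users must set these flags consistently across stages, yet nothing in the hunk checks that, so it would help to say what happens when they differ (which stage's value is rendered) where that is known. The help text for `--restrict-dashboard-privileges` could name what it actually removes, e.g. `"Restrict the Linkerd Dashboard's default privileges to disallow Tap (omits the linkerd-<namespace>-web-admin ClusterRoleBinding)"`.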
@@ -625,19 +652,20 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins LinkerdNamespaceLabel: k8s.LinkerdNamespaceLabel, // Controller configuration: - Namespace: controlPlaneNamespace, - ClusterDomain: defaultClusterDomain, - UUID: configs.GetInstall().GetUuid(), - ControllerReplicas: options.controllerReplicas, - ControllerLogLevel: options.controllerLogLevel, - ControllerUID: options.controllerUID, - HighAvailability: options.highAvailability, - EnableH2Upgrade: !options.disableH2Upgrade, - NoInitContainer: options.noInitContainer, - WebhookFailurePolicy: "Ignore", - OmitWebhookSideEffects: options.omitWebhookSideEffects, - PrometheusLogLevel: toPromLogLevel(strings.ToLower(options.controllerLogLevel)), - HeartbeatSchedule: options.heartbeatSchedule(), + Namespace: controlPlaneNamespace, + ClusterDomain: defaultClusterDomain, + UUID: configs.GetInstall().GetUuid(), + ControllerReplicas: options.controllerReplicas, + ControllerLogLevel: options.controllerLogLevel, + ControllerUID: options.controllerUID, + HighAvailability: options.highAvailability, + EnableH2Upgrade: !options.disableH2Upgrade, + NoInitContainer: options.noInitContainer, + WebhookFailurePolicy: "Ignore", + OmitWebhookSideEffects: options.omitWebhookSideEffects, + RestrictDashboardPrivileges: options.restrictDashboardPrivileges, + PrometheusLogLevel: toPromLogLevel(strings.ToLower(options.controllerLogLevel)), + HeartbeatSchedule: options.heartbeatSchedule(), Configs: configJSONs{ Global: globalJSON, diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 3303473b0..76d348e7c 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go 
@@ -34,28 +34,31 @@ func TestRender(t *testing.T) { metaConfig := metaOptions.configs(nil) metaConfig.Global.LinkerdNamespace = "Namespace" metaValues := &installValues{ - Namespace: "Namespace", - ClusterDomain: "cluster.local", - ControllerImage: "ControllerImage", - WebImage: "WebImage", - PrometheusImage: "PrometheusImage", - GrafanaImage: "GrafanaImage", - ImagePullPolicy: "ImagePullPolicy", - UUID: "UUID", - CliVersion: "CliVersion", - ControllerLogLevel: "ControllerLogLevel", - PrometheusLogLevel: "PrometheusLogLevel", - ControllerComponentLabel: "ControllerComponentLabel", - ControllerNamespaceLabel: "ControllerNamespaceLabel", - CreatedByAnnotation: "CreatedByAnnotation", - ProxyContainerName: "ProxyContainerName", - ProxyInjectAnnotation: "ProxyInjectAnnotation", - ProxyInjectDisabled: "ProxyInjectDisabled", - LinkerdNamespaceLabel: "LinkerdNamespaceLabel", - ControllerUID: 2103, - EnableH2Upgrade: true, - NoInitContainer: false, - WebhookFailurePolicy: "WebhookFailurePolicy", + Namespace: "Namespace", + ClusterDomain: "cluster.local", + ControllerImage: "ControllerImage", + WebImage: "WebImage", + PrometheusImage: "PrometheusImage", + GrafanaImage: "GrafanaImage", + ImagePullPolicy: "ImagePullPolicy", + UUID: "UUID", + CliVersion: "CliVersion", + ControllerLogLevel: "ControllerLogLevel", + PrometheusLogLevel: "PrometheusLogLevel", + ControllerComponentLabel: "ControllerComponentLabel", + ControllerNamespaceLabel: "ControllerNamespaceLabel", + CreatedByAnnotation: "CreatedByAnnotation", + ProxyContainerName: "ProxyContainerName", + ProxyInjectAnnotation: "ProxyInjectAnnotation", + ProxyInjectDisabled: "ProxyInjectDisabled", + LinkerdNamespaceLabel: "LinkerdNamespaceLabel", + ControllerUID: 2103, + EnableH2Upgrade: true, + HighAvailability: false, + NoInitContainer: false, + WebhookFailurePolicy: "WebhookFailurePolicy", + OmitWebhookSideEffects: false, + RestrictDashboardPrivileges: false, Configs: configJSONs{ Global: "GlobalConfig", Proxy: "ProxyConfig", 
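Review bot: The updated `TestRender` fixture sets `RestrictDashboardPrivileges: false`, and every golden file touched by this commit contains the web-admin ClusterRoleBinding, so the `{{- if not .RestrictDashboardPrivileges }}` branch that omits the binding is never rendered under test. A second render with `RestrictDashboardPrivileges: true` (or a golden for `linkerd install --restrict-dashboard-privileges`) should assert that the web-admin binding is absent while the tap-admin ClusterRole is still emitted, since that is the only behaviour the new flag changes. `TestRender` starts before this hunk.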
diff --git a/cli/cmd/testdata/install_config.golden b/cli/cmd/testdata/install_config.golden index 2e51678f9..0005e241d 100644 --- a/cli/cmd/testdata/install_config.golden +++ b/cli/cmd/testdata/install_config.golden @@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: @@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index aaa178c34..09100cbdd 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 478d9f055..f9d02cde2 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: @@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 23528a05a..a81b920c1 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden 
@@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: @@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 930be87f1..2e3372567 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 3acea8916..fc9474980 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-Namespace-web-admin + labels: + ControllerComponentLabel: web + ControllerNamespaceLabel: Namespace +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-Namespace-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: Namespace +--- kind: ServiceAccount apiVersion: v1 metadata: @@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-Namespace-tap-admin + labels: + ControllerComponentLabel: tap + ControllerNamespaceLabel: Namespace +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/upgrade_default.golden b/cli/cmd/testdata/upgrade_default.golden index 54008b5a1..c60ad3a34 100644 --- a/cli/cmd/testdata/upgrade_default.golden +++ b/cli/cmd/testdata/upgrade_default.golden 
@@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: @@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/upgrade_ha.golden b/cli/cmd/testdata/upgrade_ha.golden index 5b1b0abe7..c5229ad9d 100644 --- a/cli/cmd/testdata/upgrade_ha.golden +++ b/cli/cmd/testdata/upgrade_ha.golden @@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: 
@@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/testdata/upgrade_ha_config.golden b/cli/cmd/testdata/upgrade_ha_config.golden index c0975eb2d..76a05bb7b 100644 --- a/cli/cmd/testdata/upgrade_ha_config.golden +++ b/cli/cmd/testdata/upgrade_ha_config.golden @@ -152,6 +152,22 @@ metadata: ### Web RBAC ### --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ServiceAccount apiVersion: v1 metadata: @@ -465,6 +481,18 @@ rules: resources: ["jobs"] verbs: ["list" , "get", "watch"] --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*/tap"] + verbs: ["watch"] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go index c306827c9..632b495f2 100644 --- a/cli/cmd/upgrade.go +++ b/cli/cmd/upgrade.go 
@@ -56,7 +56,6 @@ func (options *upgradeOptions) upgradeOnlyFlagSet() *pflag.FlagSet { // newCmdUpgradeConfig is a subcommand for `linkerd upgrade config` func newCmdUpgradeConfig(options *upgradeOptions) *cobra.Command { - flags := options.recordableFlagSet() cmd := &cobra.Command{ Use: "config [flags]", Args: cobra.NoArgs, @@ -67,10 +66,12 @@ Note that this command should be followed by "linkerd upgrade control-plane".`, Example: ` # Default upgrade. linkerd upgrade config | kubectl apply -f -`, RunE: func(cmd *cobra.Command, args []string) error { - return upgradeRunE(options, configStage, flags) + return upgradeRunE(options, configStage, options.recordableFlagSet()) }, } + cmd.Flags().AddFlagSet(options.allStageFlagSet()) + return cmd }
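Review bot: `RunE` now builds a fresh `options.recordableFlagSet()` at run time and hands it to `upgradeRunE`, but that set is never attached to `cmd`, so cobra did not parse into it and its per-flag `Changed` state is empty; the bound fields still carry whatever `cmd.Flags()` parsed because both sets point at the same `options` struct. If `upgradeRunE` uses the set to decide which flags were explicitly given, `upgrade config` will report none — the old code had the same shape, so this is not a regression, but a comment like `// not parsed by cobra: only the bound values are meaningful here` would save the next reader the same analysis. The `Long` text of `newCmdUpgradeConfig` is cut between the two hunks.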