linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix ClusterRole for web-check (#4599) 

As reported in #4259 linkerd check run from linkerd's web cconsole is
broken as the underlying RBAC Role cannot access the apiregistration.k8s.io API Group.

With this commit the RBAC Role is fixed allowing read-only access to the API Group
apiregistration.k8s.io.

Fixes #4259

Signed-off-by: alex.berger@nexiot.ch <alex.berger@nexiot.ch>
This commit is contained in:
Alexander Berger 2020-06-15 19:21:00 +02:00 committed by GitHub
parent 99a9f1c2c2
commit b509742c7d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
36 changed files with 108 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
charts/linkerd2/templates/web-rbac.yaml
View File

@ -69,6 +69,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_addon_config.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_config.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_controlplane_tracing_output.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_custom_registry.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_default.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_grafana_existing.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_ha_output.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_ha_with_overrides_output.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_heartbeat_disabled_output.golden vendored
View File

@ -235,6 +235,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_helm_output.golden vendored
View File

@ -288,6 +288,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_helm_output_addons.golden vendored
View File

@ -288,6 +288,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_helm_output_ha.golden vendored
View File

@ -288,6 +288,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_no_init_container.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_output.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_proxy_ignores.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_tracing.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/install_tracing_overwrite.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_add-on_config.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_add-on_overwrite.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_add_add-on.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_default.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_external_issuer.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_grafana_addon_overwrite.yaml vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_grafana_disabled.yaml vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_grafana_enabled.yaml vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_grafana_enabled_disabled.yaml vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_grafana_overwrite.yaml vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_ha.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_ha_config.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_keep_webhook_cabundle.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_nothing_addon.yaml vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_overwrite_issuer.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_overwrite_trust_anchors-external-issuer.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_overwrite_trust_anchors.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

3
cli/cmd/testdata/upgrade_two_level_webhook_cert.golden vendored
View File

@ -276,6 +276,9 @@ rules:
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding