litmuschaos
/
litmus
mirror of https://github.com/litmuschaos/litmus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

chore(rbac): Consolidate the serviceaccounts in the chaos infrastructure (#4598) 

* chore(rbac): Consolidate the serviceaccounts in the chaos infrastructure

Signed-off-by: Shubham Chaudhary <shubham.chaudhary@harness.io>

* add rbac for event tracker

Signed-off-by: Shubham Chaudhary <shubham.chaudhary@harness.io>

---------

Signed-off-by: Shubham Chaudhary <shubham.chaudhary@harness.io>
This commit is contained in:
Shubham Chaudhary 2024-04-24 14:38:43 +05:30 committed by GitHub
parent a102b66dcf
commit 496ac7fd16
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 567 additions and 847 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
View File

@ -2,54 +2,53 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argo-cluster-role
name: chaos-cluster-role
rules:
- apiGroups: [""]
resources: ["pods", "pods/exec"]
verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "delete"]
- apiGroups: ["argoproj.io"]
resources: ["workflows", "workflows/finalizers"]
verbs: ["get", "list", "watch", "update", "patch", "delete", "create"]
- apiGroups: ["argoproj.io"]
resources: ["workflowtemplates","workflowtemplates/finalizers","clusterworkflowtemplates","clusterworkflowtemplates/finalizers","workflowtasksets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["argoproj.io"]
resources: ["workflowtaskresults"]
verbs: ["list", "watch", "deletecollection"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "list"]
- apiGroups: ["argoproj.io"]
resources: ["cronworkflows", "cronworkflows/finalizers"]
verbs: ["get", "list", "watch", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["create", "get", "delete"]
# for managing the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods', 'services']
verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list']
- apiGroups: ['']
resources: ['namespaces']
verbs: ['get', 'watch', 'patch', 'list']
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods/log', 'pods/exec']
verbs: ['get', 'watch', 'create', 'delete', 'patch']
- apiGroups: ['']
resources: ['secrets', 'configmaps']
verbs: ['get', 'watch', 'create', 'patch']
# for creation & deletion of application in predefined workflows
- apiGroups: ['apps']
resources: ['deployments']
verbs: ['delete']
- apiGroups: ['apps']
resources: ['deployments', 'statefulsets']
verbs: ['get', 'watch', 'patch' , 'create']
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources:
["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
verbs: ["create", "list", "get", "patch", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argo-binding
name: chaos-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argo-cluster-role
name: chaos-cluster-role
subjects:
- kind: ServiceAccount
name: argo
name: argo-chaos
namespace: #{INFRA_NAMESPACE}

2
chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml
View File

@ -67,4 +67,4 @@ spec:
memory: "500Mi"
cpu: "225m"
ephemeral-storage: "1Gi"
serviceAccountName: argo
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}

123
chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml Normal file
View File

@ -0,0 +1,123 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
---
# Source: openebs/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: litmus-admin
labels:
name: litmus-admin
rules:
# ***************************************************************************************
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
# ***************************************************************************************
# The chaos operator watches the chaosengine resource and orchestrates the chaos experiment..
## .. by creating the chaos-runner
# for creating and monitoring the chaos-runner pods
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update", "deletecollection"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create","get","list","patch","update"]
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["get", "list"]
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for configuring and monitor the experiment job by chaos-runner pod
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "list", "get", "delete", "deletecollection"]
# ********************************************************************
# Permissions needed for creation and discovery of chaos experiments
# ********************************************************************
# The helper pods are created by experiment to perform the actual chaos injection ...
# ... for a period of chaos duration
# for creating and managing to execute comands inside target container
- apiGroups: [""]
resources: ["pods/exec","pods/eviction","replicationcontrollers"]
verbs: ["get","list","create"]
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for creating and monitoring liveness services or monitoring target app services during chaos injection
- apiGroups: [""]
resources: ["services"]
verbs: ["create","get","list"]
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["list", "get", "patch", "update"]
# for checking the app parent resources as replicasets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get"]
# for checking the app parent resources as deamonsets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["list","get"]
# for checking (openshift) app parent resources if they are eligible chaos candidates
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["list", "get"]
# for checking (argo) app parent resources if they are eligible chaos candidates
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["list", "get"]
# performs CRUD operations on the network policies
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create","delete","list","get"]
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines","chaosexperiments","chaosresults"]
verbs: ["create","list","get","patch","update","delete"]
# for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
- apiGroups: [""]
resources: ["nodes"]
verbs: ["patch", "get", "list", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: litmus-admin
labels:
name: litmus-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: litmus-admin
subjects:
- kind: ServiceAccount
name: litmus-admin
namespace: #{INFRA_NAMESPACE}

115
chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml
View File

@ -1,115 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-cluster-scope
namespace: #{INFRA_NAMESPACE}
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: v2.0.0
app.kubernetes.io/component: operator-serviceaccount
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-cluster-scope
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: litmus-cluster-scope
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: v2.0.0
app.kubernetes.io/component: operator-clusterrole
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-cluster-scope
rules:
- apiGroups: [""]
resources: ["replicationcontrollers", "secrets"]
verbs: ["get", "list"]
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
verbs: ["get", "list"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "deletecollection"]
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods"]
verbs:
[
"get",
"create",
"update",
"patch",
"delete",
"list",
"watch",
"deletecollection",
]
- apiGroups: [""]
resources: ["configmaps", "events", "services"]
verbs:
[
"get",
"create",
"update",
"patch",
"list",
"watch",
]
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines", "chaosexperiments", "chaosresults"]
verbs:
[
"get",
"create",
"update",
"patch",
"delete",
"list",
"watch",
"deletecollection",
]
# for validation of existance of chaosresult crd
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "get"]
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines/finalizers"]
verbs: ["update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get","create","list","update","delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: litmus-cluster-scope
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: v2.0.0
app.kubernetes.io/component: operator-clusterrolebinding
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-cluster-scope
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: litmus-cluster-scope
subjects:
- kind: ServiceAccount
name: litmus-cluster-scope
namespace: #{INFRA_NAMESPACE}

4
chaoscenter/graphql/server/manifests/cluster/2c_litmus_deployment.yaml
View File

@ -30,7 +30,7 @@ spec:
app.kubernetes.io/managed-by: kubectl
name: chaos-operator
spec:
serviceAccountName: litmus-cluster-scope
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
#{TOLERATIONS}
#{NODE_SELECTOR}
containers:
@ -114,7 +114,7 @@ spec:
memory: "500Mi"
cpu: "225m"
ephemeral-storage: "1Gi"
serviceAccountName: litmus-cluster-scope
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
---
apiVersion: v1
kind: Service

388
chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml
View File

@ -1,219 +1,95 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
---
# Source: openebs/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: litmus-admin
labels:
name: litmus-admin
name: infra-cluster-role
rules:
# ***************************************************************************************
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
# ***************************************************************************************
# ***********************************************************************************************
# Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter
# ***********************************************************************************************
# The chaos operator watches the chaosengine resource and orchestartes the chaos experiment..
## .. by creating the chaos-runner
# for mounting the secrets to the chaos-runner pod
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "get", "list" ]
# for creating and monitoring the chaos-runner pods
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update", "deletecollection"]
# for deriving the owner references of the operator pod
- apiGroups: [ "apps" ]
resources: [ "deployments", "replicasets"]
verbs: [ "get", "list" ]
- apiGroups: [""]
resources: ["events"]
verbs: ["create","get","list","patch","update"]
# for the cleanup of jobs in abort scenarios
- apiGroups: [ "batch" ]
resources: [ "jobs" ]
verbs: [ "get", "list", "deletecollection" ]
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["get", "list"]
# for creation and management of the chaos-runner pod
- apiGroups: [ "" ]
resources: [ "pods" ]
verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ]
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for configuring and monitor the experiment job by chaos-runner pod
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "list", "get", "delete", "deletecollection"]
# ********************************************************************
# Permissions needed for creation and discovery of chaos experiments
# ********************************************************************
# The helper pods are created by experiment to perform the actual chaos injection ...
# ... for a period of chaos duration
# for creating and managing to execute comands inside target container
- apiGroups: [""]
resources: ["pods/exec","pods/eviction","replicationcontrollers"]
verbs: ["get","list","create"]
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for creating and monitoring liveness services or monitoring target app services during chaos injection
- apiGroups: [""]
resources: ["services"]
verbs: ["create","get","list"]
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["list", "get", "patch", "update"]
# for checking the app parent resources as replicasets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get"]
# for checking the app parent resources as deamonsets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["list","get"]
# for checking (openshift) app parent resources if they are eligible chaos candidates
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["list", "get"]
# for checking (argo) app parent resources if they are eligible chaos candidates
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["list", "get"]
# performs CRUD operations on the network policies
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create","delete","list","get"]
# for creating of events, monitoring and leader election
- apiGroups: [ "" ]
resources: [ "configmaps", "events", "services" ]
verbs: ["get", "create", "update", "patch", "list", "watch" ]
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines","chaosexperiments","chaosresults"]
verbs: ["create","list","get","patch","update","delete"]
- apiGroups: [ "litmuschaos.io" ]
resources: [ "chaosengines", "chaosexperiments", "chaosresults" ]
verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ]
# for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
- apiGroups: [""]
resources: ["nodes"]
verbs: ["patch", "get", "list", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: litmus-admin
labels:
name: litmus-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: litmus-admin
subjects:
- kind: ServiceAccount
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: chaos-cluster-role
rules:
# for managing the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods', 'services']
verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list']
# for validation of existance of chaosresult crd
- apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "list", "get" ]
- apiGroups: ['']
resources: ['namespaces']
verbs: ['get', 'watch', 'patch', 'list', 'create']
# for managing the finalizers to the primary resource
- apiGroups: [ "litmuschaos.io" ]
resources: [ "chaosengines/finalizers" ]
verbs: [ "update" ]
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods/log']
verbs: ['get', 'watch', 'create', 'delete', 'patch']
- apiGroups: ['']
resources: ['secrets', 'configmaps']
verbs: ['get', 'watch', 'create', 'patch']
# for creation & deletion of application in predefined workflows
- apiGroups: ['apps']
resources: ['deployments']
verbs: ['delete']
- apiGroups: ['apps']
resources: ['deployments', 'statefulsets']
verbs: ['get', 'watch', 'patch' , 'create']
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources:
["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
verbs: ["create", "list", "get", "patch", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: chaos-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chaos-cluster-role
subjects:
- kind: ServiceAccount
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: subscriber-cluster-role
namespace: #{INFRA_NAMESPACE}
labels:
name: subscriber-cluster-role
rules:
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get", "create", "delete", "update"]
# for managing the leader elections in multi-replicas scenario
- apiGroups: [ "coordination.k8s.io" ]
resources: [ "leases" ]
verbs: [ "get","create","list","update","delete" ]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# ******************************************************************************************************
# Permissions needed to manage and communicate between control plane and execution plane by subscriber
# *******************************************************************************************************
- apiGroups: [""]
resources: ["pods", "namespaces", "nodes", "services"]
verbs: ["get", "list", "watch"]
- apiGroups: [ "" ]
resources: [ "configmaps", "secrets" ]
verbs: [ "get", "create", "delete", "update", "patch" ]
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines", "chaosschedules", "chaosresults"]
verbs: ["get", "list", "create", "delete", "update", "watch", "patch"]
- apiGroups: [ "batch" ]
resources: [ "jobs" ]
verbs: [ "get", "create", "patch", "update" ]
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["get", "list"]
- apiGroups: [ "" ]
resources: [ "pods/log" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["delete"]
- apiGroups: ["apps"]
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
verbs: ["get","list"]
- apiGroups: [ "" ]
resources: [ "pods", "namespaces", "nodes", "services" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: ["argoproj.io"]
- apiGroups: [ "litmuschaos.io" ]
resources: [ "chaosengines", "chaosschedules", "chaosresults" ]
verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ]
- apiGroups: [ "apps.openshift.io" ]
resources: [ "deploymentconfigs" ]
verbs: [ "get", "list" ]
- apiGroups: [ "apps" ]
resources: [ "deployments" ]
verbs: [ "delete" ]
- apiGroups: [ "apps" ]
resources: [ "deployments", "daemonsets", "replicasets", "statefulsets" ]
verbs: [ "get","list" ]
- apiGroups: [ "argoproj.io" ]
resources:
[
"workflows",
@ -226,78 +102,64 @@ rules:
"clusterworkflowtemplates/finalizers",
"rollouts",
]
verbs: ["get", "list", "create", "delete", "update", "watch", "patch"]
verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ]
# ************************************************************************
# Permissions needed to orchestrate the workflows by workflow controller
# ************************************************************************
- apiGroups: [ "" ]
resources: [ "pods", "pods/exec" ]
verbs: [ "create", "get", "list", "watch", "update", "patch", "delete" ]
- apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "get", "watch", "list" ]
- apiGroups: [ "" ]
resources: [ "persistentvolumeclaims" ]
verbs: [ "create", "delete" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "workflows", "workflows/finalizers" ]
verbs: [ "get", "list", "watch", "update", "patch", "delete", "create" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "workflowtemplates","workflowtemplates/finalizers","clusterworkflowtemplates","clusterworkflowtemplates/finalizers","workflowtasksets","workflowartifactgctasks" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "workflowtaskresults" ]
verbs: [ "list", "watch", "deletecollection" ]
- apiGroups: [ "" ]
resources: [ "serviceaccounts" ]
verbs: [ "get", "list" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "cronworkflows", "cronworkflows/finalizers" ]
verbs: [ "get", "list", "watch", "update", "patch", "delete" ]
- apiGroups: [ "" ]
resources: [ "events" ]
verbs: [ "create", "patch" ]
- apiGroups: [ "policy" ]
resources: [ "poddisruptionbudgets" ]
verbs: [ "create", "get", "delete" ]
# ************************************************************************
# Permissions needed to for the event-tracker
# ************************************************************************
- apiGroups: [ "eventtracker.litmuschaos.io" ]
resources: [ "eventtrackerpolicies" ]
verbs: [ "create", "get", "list", "delete", "update", "patch", "watch" ]
- apiGroups: [ "eventtracker.litmuschaos.io" ]
resources: [ "eventtrackerpolicies/status" ]
verbs: [ "get","patch", "update" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: subscriber-cluster-role-binding
namespace: #{INFRA_NAMESPACE}
name: infra-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: infra-cluster-role
subjects:
- kind: ServiceAccount
name: #{SUBSCRIBER_SERVICE_ACCOUNT}
name: #{INFRA_SERVICE_ACCOUNT}
namespace: #{INFRA_NAMESPACE}
roleRef:
kind: ClusterRole
name: subscriber-cluster-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: event-tracker-sa
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: event-tracker-cluster-role
rules:
- apiGroups:
- eventtracker.litmuschaos.io
resources:
- eventtrackerpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- eventtracker.litmuschaos.io
resources:
- eventtrackerpolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
- extensions
- apps
resources:
- deployments
- daemonsets
- statefulsets
- pods
- configmaps
- secrets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: event-tracker-clusterole-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: event-tracker-cluster-role
subjects:
- kind: ServiceAccount
name: event-tracker-sa
namespace: #{INFRA_NAMESPACE}

4
chaoscenter/graphql/server/manifests/cluster/3b_agents_deployment.yaml
View File

@ -40,7 +40,7 @@ spec:
labels:
app: subscriber
spec:
serviceAccountName: #{SUBSCRIBER_SERVICE_ACCOUNT}
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
#{TOLERATIONS}
#{NODE_SELECTOR}
containers:
@ -89,7 +89,7 @@ spec:
spec:
#{TOLERATIONS}
#{NODE_SELECTOR}
serviceAccountName: event-tracker-sa
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
containers:
- image: #{EVENT_TRACKER_IMAGE}
imagePullPolicy: Always

66
chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml
View File

@ -2,59 +2,51 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argo-role
name: chaos-role
namespace: #{INFRA_NAMESPACE}
rules:
# for managing the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: [""]
resources: ["pods", "pods/exec"]
verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "delete"]
- apiGroups: ["argoproj.io"]
resources: ["workflows", "workflows/finalizers"]
verbs: ["get", "list", "watch", "update", "patch", "delete", "create"]
- apiGroups: ["argoproj.io"]
resources: ["workflowtemplates", "workflowtemplates/finalizers", "workflowtasksets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["argoproj.io"]
resources: ["workflowtaskresults"]
verbs: ["list", "watch", "deletecollection"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: ["argoproj.io"]
resources: ["cronworkflows", "cronworkflows/finalizers"]
verbs: ["get", "list", "watch", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["create", "get", "delete"]
resources: ["pods", "services"]
verbs: ["create", "get", "watch", "patch", "delete", "list"]
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods/log', 'pods/exec']
verbs: ['get', 'watch', 'create', 'delete', 'patch']
- apiGroups: ['']
resources: ['secrets', 'configmaps']
verbs: ['get', 'watch', 'create', 'patch']
# for creation & deletion of application in predefined workflows
- apiGroups: ['apps']
resources: ['deployments']
verbs: ['delete']
- apiGroups: ['apps']
resources: ['deployments', 'statefulsets']
verbs: ['get', 'watch', 'patch' , 'create']
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
verbs: ["create", "list", "get", "patch", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argo-binding
name: chaos-role-binding
namespace: #{INFRA_NAMESPACE}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argo-role
name: chaos-role
subjects:
- kind: ServiceAccount
name: argo
name: argo-chaos
namespace: #{INFRA_NAMESPACE}

2
chaoscenter/graphql/server/manifests/namespace/1b_argo_deployment.yaml
View File

@ -72,4 +72,4 @@ spec:
memory: "500Mi"
cpu: "225m"
ephemeral-storage: "1Gi"
serviceAccountName: argo
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}

119
chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml Normal file
View File

@ -0,0 +1,119 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
rules:
# ***************************************************************************************
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
# ***************************************************************************************
# The chaos operator watches the chaosengine resource and orchestrates the chaos experiment..
## .. by creating the chaos-runner
# for creating and monitoring the chaos-runner pods
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "delete", "get", "list", "patch", "update", "deletecollection"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "get", "list", "patch", "update"]
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["get", "list"]
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for configuring and monitor the experiment job by chaos-runner pod
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "list", "get", "delete", "deletecollection"]
# ********************************************************************
# Permissions needed for creation and discovery of chaos experiments
# ********************************************************************
# The helper pods are created by experiment to perform the actual chaos injection ...
# ... for a period of chaos duration
# for creating and managing to execute comands inside target container
- apiGroups: [""]
resources: ["pods/exec", "pods/eviction", "replicationcontrollers"]
verbs: ["get", "list", "create"]
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for creating and monitoring liveness services or monitoring target app services during chaos injection
- apiGroups: [""]
resources: ["services"]
verbs: ["create", "get", "list"]
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["list", "get", "patch", "update"]
# for checking the app parent resources as replicasets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get"]
# for checking the app parent resources as deamonsets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["list", "get"]
# for checking (openshift) app parent resources if they are eligible chaos candidates
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["list", "get"]
# for checking (argo) app parent resources if they are eligible chaos candidates
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["list", "get"]
# performs CRUD operations on the network policies
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create","delete","list","get"]
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines", "chaosexperiments", "chaosresults"]
verbs: ["create", "list", "get", "patch", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: litmus-admin
subjects:
- kind: ServiceAccount
name: litmus-admin
namespace: #{INFRA_NAMESPACE}

112
chaoscenter/graphql/server/manifests/namespace/2a_litmus_rbac.yaml
View File

@ -1,112 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-namespace-scope
namespace: #{INFRA_NAMESPACE}
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: v2.0.0
app.kubernetes.io/component: operator-serviceaccount
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-namespace-scope
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: litmus-namespace-scope
namespace: #{INFRA_NAMESPACE}
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: v2.0.0
app.kubernetes.io/component: operator-role
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-namespace-scope
rules:
- apiGroups: [""]
resources: ["replicationcontrollers", "secrets"]
verbs: ["get", "list"]
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
verbs: ["get", "list", "update"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "create", "deletecollection"]
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods", "pods/exec"]
verbs:
[
"get",
"create",
"update",
"patch",
"delete",
"list",
"watch",
"deletecollection",
]
- apiGroups: [""]
resources: ["configmaps", "events", "services"]
verbs:
[
"get",
"create",
"update",
"patch",
"list",
"watch",
]
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines", "chaosexperiments", "chaosresults"]
verbs:
[
"get",
"create",
"update",
"patch",
"delete",
"list",
"watch",
"deletecollection",
]
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines/finalizers"]
verbs: ["update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get","create","list","update","delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: litmus-namespace-scope
namespace: #{INFRA_NAMESPACE}
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: v2.0.0
app.kubernetes.io/component: operator-rolebinding
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-namespace-scope
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: litmus-namespace-scope
subjects:
- kind: ServiceAccount
name: litmus-namespace-scope
namespace: #{INFRA_NAMESPACE}

4
chaoscenter/graphql/server/manifests/namespace/2b_litmus_deployment.yaml
View File

@ -29,7 +29,7 @@ spec:
app.kubernetes.io/managed-by: kubectl
name: chaos-operator
spec:
serviceAccountName: litmus-namespace-scope
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
#{TOLERATIONS}
#{NODE_SELECTOR}
containers:
@ -117,7 +117,7 @@ spec:
memory: "500Mi"
cpu: "225m"
ephemeral-storage: "1Gi"
serviceAccountName: litmus-namespace-scope
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
---
apiVersion: v1
kind: Service

400
chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml
View File

@ -2,38 +2,86 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: subscriber-role
name: infra-role
namespace: #{INFRA_NAMESPACE}
labels:
name: subscriber-role
name: infra-role
rules:
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get", "create", "delete", "update"]
# ***********************************************************************************************
# Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter
# ***********************************************************************************************
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for mounting the secrets to the chaos-runner pod
- apiGroups: [ "" ]
resources: ["secrets" ]
verbs: [ "get", "list" ]
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch"]
# for deriving the owner references of the operator pod
- apiGroups: [ "apps" ]
resources: [ "deployments", "replicasets"]
verbs: [ "get", "list" ]
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines", "chaosschedules", "chaosresults"]
verbs: ["get", "list", "create", "delete", "update", "watch", "patch"]
# for the cleanup of jobs in abort scenarios
- apiGroups: [ "batch" ]
resources: [ "jobs" ]
verbs: [ "get", "list", "create", "deletecollection" ]
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["get", "list"]
# for creation and management of the chaos-runner pod
- apiGroups: [ "" ]
resources: [ "pods"]
verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["delete"]
- apiGroups: ["apps"]
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
verbs: ["get", "list"]
- apiGroups: ["argoproj.io"]
# for creating of events, monitoring and leader election
- apiGroups: [ "" ]
resources: [ "configmaps", "events", "services" ]
verbs: ["get", "create", "update", "patch", "list", "watch" ]
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: [ "litmuschaos.io" ]
resources: [ "chaosengines", "chaosexperiments", "chaosresults" ]
verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ]
# for managing the finalizers to the primary resource
- apiGroups: [ "litmuschaos.io" ]
resources: [ "chaosengines/finalizers" ]
verbs: [ "update" ]
# for managing the leader elections in multi-replicas scenario
- apiGroups: [ "coordination.k8s.io" ]
resources: [ "leases" ]
verbs: [ "get","create","list","update","delete" ]
# ******************************************************************************************************
# Permissions needed to manage and communicate between control plane and execution plane by subscriber
# *******************************************************************************************************
- apiGroups: [ "" ]
resources: [ "configmaps", "secrets" ]
verbs: [ "get", "create", "delete", "update", "patch" ]
- apiGroups: [ "" ]
resources: [ "pods/log" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "" ]
resources: [ "pods", "services" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "litmuschaos.io" ]
resources: [ "chaosengines", "chaosschedules", "chaosresults" ]
verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ]
- apiGroups: [ "apps.openshift.io" ]
resources: [ "deploymentconfigs" ]
verbs: [ "get", "list" ]
- apiGroups: [ "apps" ]
resources: [ "deployments" ]
verbs: [ "delete" ]
- apiGroups: [ "apps" ]
resources: [ "deployments", "daemonsets", "replicasets", "statefulsets" ]
verbs: [ "get", "list" ]
- apiGroups: [ "argoproj.io" ]
resources:
[
"workflows",
@ -44,264 +92,68 @@ rules:
"cronworkflows/finalizers",
"rollouts",
]
verbs: ["get", "list", "create", "delete", "update", "watch", "patch"]
verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ]
# ************************************************************************
# Permissions needed to orchestrate the workflows by workflow controller
# ************************************************************************
- apiGroups: [ "" ]
resources: [ "pods", "pods/exec" ]
verbs: [ "create", "get", "list", "watch", "update", "patch", "delete" ]
- apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "get", "watch", "list" ]
- apiGroups: [ "" ]
resources: [ "persistentvolumeclaims" ]
verbs: [ "create", "delete" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "workflows", "workflows/finalizers" ]
verbs: [ "get", "list", "watch", "update", "patch", "delete", "create" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "workflowtemplates", "workflowtemplates/finalizers", "workflowtasksets", "workflowartifactgctasks" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "workflowtaskresults" ]
verbs: [ "list", "watch", "deletecollection" ]
- apiGroups: [ "" ]
resources: [ "serviceaccounts" ]
verbs: [ "get", "list" ]
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "get" ]
- apiGroups: [ "argoproj.io" ]
resources: [ "cronworkflows", "cronworkflows/finalizers" ]
verbs: [ "get", "list", "watch", "update", "patch", "delete" ]
- apiGroups: [ "" ]
resources: [ "events" ]
verbs: [ "create", "patch" ]
- apiGroups: [ "policy" ]
resources: [ "poddisruptionbudgets" ]
verbs: [ "create", "get", "delete" ]
# ************************************************************************
# Permissions needed to for the event-tracker
# ************************************************************************
- apiGroups: [ "eventtracker.litmuschaos.io" ]
resources: [ "eventtrackerpolicies" ]
verbs: [ "create", "get", "list", "delete", "update", "patch", "watch" ]
- apiGroups: [ "eventtracker.litmuschaos.io" ]
resources: [ "eventtrackerpolicies/status" ]
verbs: [ "get","patch", "update" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: subscriber-role-binding
name: infra-role-binding
namespace: #{INFRA_NAMESPACE}
subjects:
- kind: ServiceAccount
name: #{SUBSCRIBER_SERVICE_ACCOUNT}
name: #{INFRA_SERVICE_ACCOUNT}
namespace: #{INFRA_NAMESPACE}
roleRef:
kind: Role
name: subscriber-role
name: infra-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
rules:
# ***************************************************************************************
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
# ***************************************************************************************
# The chaos operator watches the chaosengine resource and orchestartes the chaos experiment..
## .. by creating the chaos-runner
# for creating and monitoring the chaos-runner pods
- apiGroups: [""]
resources: ["pods"]
verbs:
["create", "delete", "get", "list", "patch", "update", "deletecollection"]
- apiGroups: [""]
resources: ["events"]
verbs:
["create", "get", "list", "patch", "update"]
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["get", "list"]
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for configuring and monitor the experiment job by chaos-runner pod
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "list", "get", "delete", "deletecollection"]
# ********************************************************************
# Permissions needed for creation and discovery of chaos experiments
# ********************************************************************
# The helper pods are created by experiment to perform the actual chaos injection ...
# ... for a period of chaos duration
# for creating and managing to execute comands inside target container
- apiGroups: [""]
resources: ["pods/exec", "pods/eviction", "replicationcontrollers"]
verbs: ["get", "list", "create"]
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
# for creating and monitoring liveness services or monitoring target app services during chaos injection
- apiGroups: [""]
resources: ["services"]
verbs: ["create", "get", "list"]
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["list", "get", "patch", "update"]
# for checking the app parent resources as replicasets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get"]
# for checking the app parent resources as deamonsets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["list", "get"]
# for checking (openshift) app parent resources if they are eligible chaos candidates
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["list", "get"]
# for checking (argo) app parent resources if they are eligible chaos candidates
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["list", "get"]
# performs CRUD operations on the network policies
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create","delete","list","get"]
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines", "chaosexperiments", "chaosresults"]
verbs: ["create", "list", "get", "patch", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: litmus-admin
subjects:
- kind: ServiceAccount
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: chaos-role
namespace: #{INFRA_NAMESPACE}
rules:
# for managing the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["create", "get", "watch", "patch", "delete", "list"]
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods/log']
verbs: ['get', 'watch', 'create', 'delete', 'patch']
- apiGroups: ['']
resources: ['secrets', 'configmaps']
verbs: ['get', 'watch', 'create', 'patch']
# for creation & deletion of application in predefined workflows
- apiGroups: ['apps']
resources: ['deployments']
verbs: ['delete']
- apiGroups: ['apps']
resources: ['deployments', 'statefulsets']
verbs: ['get', 'watch', 'patch' , 'create']
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources:
["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
verbs: ["create", "list", "get", "patch", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: chaos-role-binding
namespace: #{INFRA_NAMESPACE}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chaos-role
subjects:
- kind: ServiceAccount
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: event-tracker-sa
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: event-tracker-role
namespace: #{INFRA_NAMESPACE}
rules:
- apiGroups:
- eventtracker.litmuschaos.io
resources:
- eventtrackerpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- eventtracker.litmuschaos.io
resources:
- eventtrackerpolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- pods
- configmaps
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- apps
resources:
- deployments
- daemonsets
- statefulsets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: event-tracker-role-binding
namespace: #{INFRA_NAMESPACE}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: event-tracker-role
subjects:
- kind: ServiceAccount
name: event-tracker-sa
namespace: #{INFRA_NAMESPACE}

4
chaoscenter/graphql/server/manifests/namespace/3b_agents_deployment.yaml
View File

@ -42,7 +42,7 @@ spec:
spec:
#{TOLERATIONS}
#{NODE_SELECTOR}
serviceAccountName: #{SUBSCRIBER_SERVICE_ACCOUNT}
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
containers:
- name: subscriber
image: #{SUBSCRIBER_IMAGE}
@ -89,7 +89,7 @@ spec:
spec:
#{TOLERATIONS}
#{NODE_SELECTOR}
serviceAccountName: event-tracker-sa
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
containers:
- image: #{EVENT_TRACKER_IMAGE}
imagePullPolicy: Always

2
chaoscenter/graphql/server/pkg/chaos_infrastructure/infra_utils.go
View File

@ -188,7 +188,7 @@ func ManifestParser(infra dbChaosInfra.ChaosInfra, rootPath string, config *Subs
newContent = strings.Replace(newContent, "#{SUBSCRIBER_IMAGE}", utils.Config.SubscriberImage, -1)
newContent = strings.Replace(newContent, "#{EVENT_TRACKER_IMAGE}", utils.Config.EventTrackerImage, -1)
newContent = strings.Replace(newContent, "#{INFRA_NAMESPACE}", InfraNamespace, -1)
newContent = strings.Replace(newContent, "#{SUBSCRIBER_SERVICE_ACCOUNT}", ServiceAccountName, -1)
newContent = strings.Replace(newContent, "#{INFRA_SERVICE_ACCOUNT}", ServiceAccountName, -1)
newContent = strings.Replace(newContent, "#{INFRA_SCOPE}", infra.InfraScope, -1)
newContent = strings.Replace(newContent, "#{ARGO_WORKFLOW_CONTROLLER}", utils.Config.ArgoWorkflowControllerImage, -1)
newContent = strings.Replace(newContent, "#{LITMUS_CHAOS_OPERATOR}", utils.Config.LitmusChaosOperatorImage, -1)