### RBAC Manifests ## If SELF_CLUSTER="true" then these permissions are required to apply ## https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/1b_argo_rbac.yaml --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: argo-aggregate-to-admin-for-litmusportal-server rules: - apiGroups: [argoproj.io] resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] verbs: [create, delete, deletecollection, get, list, patch, update, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" name: argo-aggregate-to-edit-for-litmusportal-server rules: - apiGroups: [argoproj.io] resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] verbs: [create, delete, deletecollection, get, list, patch, update, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" name: argo-aggregate-to-view-for-litmusportal-server rules: - apiGroups: [argoproj.io] resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: argo-cr-for-litmusportal-server rules: - apiGroups: [""] resources: [pods, pods/exec] verbs: [create, get, list, watch, update, patch, delete] - apiGroups: [""] resources: [configmaps] verbs: [get, watch, list] - apiGroups: [""] resources: [persistentvolumeclaims] verbs: [create, delete] - apiGroups: [argoproj.io] resources: [workflows, workflows/finalizers] verbs: [get, list, watch, update, patch, delete, create] - apiGroups: [argoproj.io] resources: [workflowtemplates, workflowtemplates/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers] verbs: [get, list, watch] - apiGroups: [""] resources: [serviceaccounts] verbs: [get, list] - apiGroups: [argoproj.io] resources: [cronworkflows, cronworkflows/finalizers] verbs: [get, list, watch, update, patch, delete] - apiGroups: [""] resources: [events] verbs: [create, patch] - apiGroups: [policy] resources: [poddisruptionbudgets] verbs: [create, get, delete] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: argo-crb-for-litmusportal-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: argo-cr-for-litmusportal-server subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: argo-aggregate-to-view-crb-for-litmusportal-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: argo-aggregate-to-view-for-litmusportal-server subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: argo-aggregate-to-admin-crb-for-litmusportal-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: argo-aggregate-to-admin-for-litmusportal-server subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus #these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/2b_litmus_rbac.yaml --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: litmus-cluster-scope-for-litmusportal-server labels: app.kubernetes.io/name: litmus # provide unique instance-id if applicable # app.kubernetes.io/instance: litmus-abcxzy app.kubernetes.io/version: v2.0.0 app.kubernetes.io/component: operator-clusterrole app.kubernetes.io/part-of: litmus app.kubernetes.io/managed-by: kubectl name: litmus-cluster-scope-for-litmusportal-server rules: - apiGroups: [""] resources: [replicationcontrollers, secrets] verbs: [get, list] - apiGroups: [apps.openshift.io] resources: [deploymentconfigs] verbs: [get, list] - apiGroups: [apps] resources: [deployments, daemonsets, replicasets, statefulsets] verbs: [get, list] - apiGroups: [batch] resources: [jobs] verbs: [get, list, deletecollection] - apiGroups: [argoproj.io] resources: [rollouts] verbs: [get, list] - apiGroups: [""] resources: [pods, configmaps, events, services] verbs: [get, create, update, patch, delete, list, watch, deletecollection] - apiGroups: [litmuschaos.io] resources: [chaosengines, chaosexperiments, chaosresults] verbs: [get, create, update, patch, delete, list, watch, deletecollection] - apiGroups: [apiextensions.k8s.io] resources: [customresourcedefinitions] verbs: [list, get] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: litmus-cluster-scope-crb-for-litmusportal-server labels: app.kubernetes.io/name: litmus # provide unique instance-id if applicable # app.kubernetes.io/instance: litmus-abcxzy app.kubernetes.io/version: v2.0.0 app.kubernetes.io/component: operator-clusterrolebinding app.kubernetes.io/part-of: litmus app.kubernetes.io/managed-by: kubectl name: litmus-cluster-scope-crb-for-litmusportal-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: litmus-cluster-scope-for-litmusportal-server subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus #these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/3a_agents_rbac.yaml --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: litmus-admin-cr-for-litmusportal-server labels: name: litmus-admin-cr-for-litmusportal-server rules: # *************************************************************************************** # Permissions needed for preparing and monitor the chaos resources by chaos-runner # *************************************************************************************** # The chaos operator watches the chaosengine resource and orchestartes the chaos experiment.. ## .. by creating the chaos-runner # for creating and monitoring the chaos-runner pods - apiGroups: [""] resources: [pods,events] verbs: [create, delete, get, list, patch, update, deletecollection] # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) - apiGroups: [""] resources: [secrets, configmaps] verbs: [get, list] # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner - apiGroups: [""] resources: [pods/log] verbs: [get, list, watch] # for configuring and monitor the experiment job by chaos-runner pod - apiGroups: [batch] resources: [jobs] verbs: [create, list, get, delete, deletecollection] # ******************************************************************** # Permissions needed for creation and discovery of chaos experiments # ******************************************************************** # The helper pods are created by experiment to perform the actual chaos injection ... # ... for a period of chaos duration # for creating and deleting the helper or target app pod and events by experiment - apiGroups: [""] resources: [pods] verbs: [create, delete, deletecollection] # for creating and monitoring the events for chaos operations - apiGroups: [""] resources: [events] verbs: [create, delete, get, list, patch, update, deletecollection] # for monitoring the helper and target app pod - apiGroups: [""] resources: [pods] verbs: [get, list, patch, update] # for creating and managing to execute comands inside target container - apiGroups: [""] resources: [pods/exec, pods/eviction, replicationcontrollers] verbs: [get,list,create] # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment - apiGroups: [""] resources: [pods/log] verbs: [get, list, watch] # for creating and monitoring liveness services or monitoring target app services during chaos injection - apiGroups: [""] resources: [services] verbs: [create, delete, get, list, delete, deletecollection] # for checking the app parent resources as deployments or sts and are eligible chaos candidates - apiGroups: [apps] resources: [deployments, statefulsets] verbs: [list, get, patch, update] # for checking the app parent resources as replicasets and are eligible chaos candidates - apiGroups: [apps] resources: [replicasets] verbs: [list, get] # for checking the app parent resources as deamonsets and are eligible chaos candidates - apiGroups: [apps] resources: [daemonsets] verbs: [list, get, delete] # for checking (openshift) app parent resources if they are eligible chaos candidates - apiGroups: [apps.openshift.io] resources: [deploymentconfigs] verbs: [list, get] # for checking (argo) app parent resources if they are eligible chaos candidates - apiGroups: [argoproj.io] resources: [rollouts] verbs: [list, get] # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: [litmuschaos.io] resources: [chaosengines, chaosexperiments, chaosresults] verbs: [create, list, get, patch, update, delete] # for experiment to perform node status checks and other node level operations like taint, drain in the experiment. - apiGroups: [""] resources: [nodes] verbs: [patch, get, list, update] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: litmus-admin-crb-for-litmusportal-server labels: name: litmus-admin-crb-for-litmusportal-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: litmus-admin-cr-for-litmusportal-server subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: chaos-cr-for-litmusportal-server rules: # for managing the pods created by workflow controller to implement individual steps in the workflow - apiGroups: [""] resources: [pods, services, namespaces] verbs: [create, get, watch, patch, delete, list] # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow - apiGroups: [""] resources: [pods/log, secrets, configmaps] verbs: [get, watch, create, delete, patch] # for creation & deletion of application in predefined workflows - apiGroups: [apps] resources: [deployments, statefulsets] verbs: [get, watch, patch, create, delete] # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: [litmuschaos.io] resources: [chaosengines, chaosexperiments, chaosresults, chaosschedules] verbs: [create, list, get, patch, delete, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: chaos-crb-for-litmusportal-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: chaos-cr-for-litmusportal-server subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: subscriber-cr-for-litmusportal-server namespace: litmus labels: name: subscriber-cr-for-litmusportal-server rules: - apiGroups: [""] resources: [configmaps] verbs: [get, create, delete, update] - apiGroups: [""] resources: [pods/log] verbs: [get, list, watch] - apiGroups: [""] resources: [pods, namespaces, nodes, services] verbs: [get, list, watch] - apiGroups: [litmuschaos.io] resources: [chaosengines, chaosschedules, chaosresults] verbs: [get, list, create, delete, update, watch] - apiGroups: [apps.openshift.io] resources: [deploymentconfigs] verbs: [get, list] - apiGroups: [apps] resources: [deployments, daemonsets, replicasets, statefulsets] verbs: [get, list, delete] - apiGroups: [argoproj.io] resources: [workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers, clusterworkflowtemplates, clusterworkflowtemplates/finalizers, rollouts] verbs: [get, list, create, delete, update, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: subscriber-crb-for-litmusportal-server namespace: litmus subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus roleRef: kind: ClusterRole name: subscriber-cr-for-litmusportal-server apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: event-tracker-cr-for-litmusportal-server rules: - apiGroups: [eventtracker.litmuschaos.io] resources: [eventtrackerpolicies] verbs: [create, delete, get, list, patch, update, watch] - apiGroups: [eventtracker.litmuschaos.io] resources: [eventtrackerpolicies/status] verbs: [get, patch, update] - apiGroups: ["", extensions, apps] resources: [deployments, daemonsets, statefulsets, pods, configmaps] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: event-tracker-crb-for-litmusportal-server roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: event-tracker-cr-for-litmusportal-server subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus # litmus-server-cr is used by the litmusportal-server # If SELF_CLUSTER=false, then only litmus-server-cr and litmus-server-crb are required. --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: litmus-server-cr rules: - apiGroups: [networking.k8s.io, extensions] resources: [ingresses] verbs: [get] - apiGroups: [""] resources: [services, nodes, pods/log] verbs: [get, watch] - apiGroups: [apiextensions.k8s.io] resources: [customresourcedefinitions] verbs: [create] - apiGroups: [apps] resources: [deployments] verbs: [create] - apiGroups: [""] resources: [configmaps] verbs: [get] - apiGroups: [""] resources: [serviceaccounts] verbs: [create] - apiGroups: [rbac.authorization.k8s.io] resources: [rolebindings, roles, clusterrolebindings, clusterroles] verbs: [create] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: litmus-server-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: litmus-server-cr subjects: - kind: ServiceAccount name: litmus-server-account namespace: litmus ## Control plane manifests --- apiVersion: v1 kind: Namespace metadata: name: litmus --- apiVersion: v1 kind: ServiceAccount metadata: name: litmus-server-account namespace: litmus --- apiVersion: v1 kind: ConfigMap metadata: name: litmus-portal-admin-config namespace: litmus data: AGENT_SCOPE: cluster AGENT_NAMESPACE: litmus DB_SERVER: "mongodb://mongo-service:27017" JWT_SECRET: "litmus-portal@123" DB_USER: "admin" DB_PASSWORD: "1234" VERSION: "2.1.0" --- apiVersion: apps/v1 kind: Deployment metadata: name: litmusportal-frontend namespace: litmus labels: component: litmusportal-frontend spec: replicas: 1 selector: matchLabels: component: litmusportal-frontend template: metadata: labels: component: litmusportal-frontend spec: containers: - name: litmusportal-frontend image: litmuschaos/litmusportal-frontend:2.1.0 imagePullPolicy: Always ports: - containerPort: 8080 env: - name: AGENT_SCOPE valueFrom: configMapKeyRef: name: litmus-portal-admin-config key: AGENT_SCOPE --- apiVersion: v1 kind: Service metadata: name: litmusportal-frontend-service namespace: litmus spec: type: NodePort ports: - name: http port: 9091 targetPort: 8080 selector: component: litmusportal-frontend --- apiVersion: apps/v1 kind: Deployment metadata: name: litmusportal-server namespace: litmus labels: component: litmusportal-server spec: replicas: 1 selector: matchLabels: component: litmusportal-server template: metadata: labels: component: litmusportal-server spec: initContainers: - name: wait-for-mongodb image: litmuschaos/curl:latest command: ["/bin/sh", "-c"] args: [ "while [[ $(curl -sw '%{http_code}' http://mongo-service:27017 -o /dev/null) -ne 200 ]]; do sleep 5; echo 'Waiting for the MongoDB to be ready...'; done; echo 'Connection with MongoDB established'", ] containers: - name: graphql-server image: litmuschaos/litmusportal-server:2.1.0 envFrom: - configMapRef: name: litmus-portal-admin-config env: - name: SELF_CLUSTER value: "true" - name: LITMUS_PORTAL_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: PORTAL_SCOPE value: "cluster" - name: SUBSCRIBER_IMAGE value: "litmuschaos/litmusportal-subscriber:2.1.0" - name: EVENT_TRACKER_IMAGE value: "litmuschaos/litmusportal-event-tracker:2.1.0" - name: ARGO_WORKFLOW_CONTROLLER_IMAGE value: "litmuschaos/workflow-controller:v2.11.0" - name: ARGO_WORKFLOW_EXECUTOR_IMAGE value: "litmuschaos/argoexec:v2.11.0" - name: LITMUS_CHAOS_OPERATOR_IMAGE value: "litmuschaos/chaos-operator:2.0.0" - name: LITMUS_CHAOS_RUNNER_IMAGE value: "litmuschaos/chaos-runner:2.0.0" - name: LITMUS_CHAOS_EXPORTER_IMAGE value: "litmuschaos/chaos-exporter:2.0.0" - name: SERVER_SERVICE_NAME value: "litmusportal-server-service" - name: AGENT_DEPLOYMENTS value: "[\"app=chaos-exporter\", \"name=chaos-operator\", \"app=event-tracker\", \"app=workflow-controller\"]" - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: INGRESS value: "false" - name: INGRESS_NAME value: "litmus-ingress" - name: CONTAINER_RUNTIME_EXECUTOR value: "k8sapi" - name: HUB_BRANCH_NAME value: "v2.0.x" ports: - containerPort: 8080 imagePullPolicy: Always - name: auth-server image: litmuschaos/litmusportal-auth-server:2.1.0 envFrom: - configMapRef: name: litmus-portal-admin-config env: - name: STRICT_PASSWORD_POLICY value: "false" - name: ADMIN_USERNAME value: "admin" - name: ADMIN_PASSWORD value: "litmus" ports: - containerPort: 3000 imagePullPolicy: Always serviceAccountName: litmus-server-account --- apiVersion: v1 kind: Service metadata: name: litmusportal-server-service namespace: litmus spec: type: NodePort ports: - name: graphql-server port: 9002 targetPort: 8080 - name: auth-server port: 9003 targetPort: 3000 selector: component: litmusportal-server --- apiVersion: apps/v1 kind: StatefulSet metadata: name: mongo namespace: litmus labels: app: mongo spec: selector: matchLabels: component: database serviceName: mongo replicas: 1 template: metadata: labels: component: database spec: containers: - name: mongo image: litmuschaos/mongo:4.2.8 ports: - containerPort: 27017 imagePullPolicy: Always volumeMounts: - name: mongo-persistent-storage mountPath: /data/db env: - name: MONGO_INITDB_ROOT_USERNAME valueFrom: configMapKeyRef: name: litmus-portal-admin-config key: DB_USER - name: MONGO_INITDB_ROOT_PASSWORD valueFrom: configMapKeyRef: name: litmus-portal-admin-config key: DB_PASSWORD volumeClaimTemplates: - metadata: name: mongo-persistent-storage spec: accessModes: - ReadWriteOnce resources: requests: storage: 20Gi --- apiVersion: v1 kind: Service metadata: labels: app: mongo name: mongo-service namespace: litmus spec: ports: - port: 27017 targetPort: 27017 selector: component: database