rancher
/
dashboard
mirror of https://github.com/rancher/dashboard.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
dashboard/shell/config/roles.ts

411 lines
10 KiB
TypeScript
Raw Blame History

export const enum SCOPED_RESOURCE_GROUPS {
GLOBAL = 'globalScopedApiGroups', // eslint-disable-line no-unused-vars
CLUSTER = 'clusterScopedApiGroups', // eslint-disable-line no-unused-vars
PROJECT_NAMESPACE = 'projectScopedApiGroups', // eslint-disable-line no-unused-vars
}
/**
* Resources users can select when creating grants when managing global, cluster and project/namespace roles
*
* **************NOTE*****************
* Global roles will show ALL entries
* Cluster roles will show cluster AND project/namespace entries
* Project/Namespace roles will show ONLY project/namespace entries
*/
export const SCOPED_RESOURCES = {
// With this hardcoded list, it will be easier to curate a more useful
// and human-understandable list of resources to choose from
// when creating a role. The list is not meant to be a
// comprehensive list, but a helpful guide.
// Cluster scoped roles and project scoped roles
// are intended to restrict users, so the resource list
// in the global role creation form includes the largest resource
// list.
// The cluster role creation form includes a subset of
// the global scoped list, and the project role creation form includes a
// subset of the cluster scoped list.
[SCOPED_RESOURCE_GROUPS.GLOBAL]: {
// Global scoped resources are resources for
// Rancher's global apps, mainly Cluster
// Management and Continuous Delivery.
// A global role can include everything at the global
// scope, plus everything in the cluster and project scope.
'catalog.cattle.io': {
resources: [
'Apps',
'ClusterRepos',
'Operations',
]
},
'cluster.x-k8s.io': {
resources: [
'Clusters'
]
},
'fleet.cattle.io': {
resources: [
'Bundles',
'BundleDeployments',
'BundleNamespaceMappings',
'Clusters',
'ClusterGroups',
'ClusterRegistrations',
'ClusterRegistrationTokens',
'Contents',
'GitRepos',
'GitRepoRestrictions',
'HelmOps',
],
},
'gitjob.cattle.io': {
resources: [
'GitJobs',
]
},
'harvesterhci.io.management': {
resources: [
'Clusters'
]
},
'management.cattle.io': {
// Resources provided by the Norman API.
resources: [
'APIServices',
'AuthConfigs',
'Catalogs',
'CatalogTemplates',
'CatalogTemplateVersions',
'CisBenchmarkVersions',
'CisConfigs',
'ClusterCatalogs',
'ClusterRegistrationTokens',
'ClusterRoleTemplateBindings',
'Clusters',
'ClusterScans',
'ClusterTemplates',
'ClusterTemplateRevisions',
'ComposeConfigs',
'DynamicSchemas',
'EtcdBackups',
'Features',
'FleetWorkspaces',
'GlobalRoles',
'GlobalRoleBindings',
'Groups',
'GroupMembers',
'KontainerDrivers',
'RkeK8sSystemImages',
'MonitorMetrics',
'Nodes',
'NodeDrivers',
'NodePools',
'NodeTemplates',
'PodSecurityPolicyTemplates',
'PodSecurityPolicyTemplateProjectBindings',
'Preferences',
'Projects',
'ProjectCatalogs',
'ProjectLoggings',
'ProjectMonitorGraphs',
'ProjectNetworkPolicies',
'ProjectRoleTemplateBindings',
'RkeAddons',
'RkeK8sServiceOptions',
'RoleTemplates',
'RoleTemplateBindings',
'SamlTokens',
'Settings',
'Templates',
'TemplateContents',
'TemplateVersions',
'Tokens',
'Users',
'UserAttributes',
],
deprecatedResources: [
'ClusterAlerts', // Replaced by monitoring V2
'ClusterAlertGroups', // Replaced by monitoring V2
'ClusterAlertRules', // Replaced by monitoring V2
'ClusterLoggings', // Replaced by logging V2
'ClusterMonitorGraphs', // Replaced by monitoring V2
'GlobalDnses', // Deprecated along with legacy catalogs
'GlobalDnsProviders', // Deprecated along with legacy catalogs
'MultiClusterApps', // Replaced by Fleet
'MultiClusterAppRevisions', // Replaced by Fleet
'Notifiers', // Replaced by monitoring V2
'ProjectAlerts', // Replaced by monitoring V2
'ProjectAlertGroups', // Replaced by monitoring V2
'ProjectAlertRules', // Replaced by monitoring V2
]
},
'provisioning.cattle.io': {
resources: [
'Clusters'
]
},
},
[SCOPED_RESOURCE_GROUPS.CLUSTER]: {
// Cluster scoped resources are for non-namespaced
// resources at the cluster level, for example,
// storage resources.
// A cluster role can include everything at the cluster
// scope, plus everything in the project scope.
coreKubernetesApi: {
resources: [
// Core K8s API - Non-namespaced resources.
// These resources do not have an API group.
'APIGroups',
'Node',
'PersistentVolumes',
'ResourceQuotas',
],
deprecatedResources: [
'ComponentStatuses', // A deprecated API that provided status of etcd, kube-scheduler, and kube-controller-manager components
]
},
'admissionregistration.k8s.io': {
resources: [
'MutatingWebhookConfigurations',
'ValidatingWebhookConfigurations',
],
},
'apiextensions.k8s.io': {
resources: [
'CustomResourceDefinitions',
]
},
'apiregistration.k8s.io': {
resources: [
'APIServices'
]
},
'certificates.k8s.io': {
resources: [
'CertificateSigningRequests'
]
},
'rbac.authorization.k8s.io': {
resources: [
'ClusterRoles',
'ClusterRoleBindings',
'Roles',
'RoleBindings',
]
},
'config.gatekeeper.sh': {
resources: [
'Configs'
]
},
'scheduling.k8s.io': {
resources: [
'PriorityClasses',
],
},
'storage.k8s.io': {
resources: [
'CSIDrivers',
'CSINodes',
'CSIStorageCapacitys',
'StorageClasses',
'VolumeAttachments',
]
},
neuvectorApi: {
resources: [
'AdmissionControl',
'Authentication',
'CIScan',
'Cluster',
'Federation',
'Vulnerability',
]
}
},
[SCOPED_RESOURCE_GROUPS.PROJECT_NAMESPACE]: {
// Project scoped resources include all other namespaced
// resources.
coreKubernetesApi: {
resources: [
// Core K8s API - Namespaced resources
// that are not in an API group.
'ConfigMaps',
'LimitRanges', // enumerates compute resource constraints in a project at the pod, container, image, image stream, and persistent volume claim level
'Namespaces',
'PersistentVolumeClaims',
'Pods',
'PodTemplates',
'ReplicationControllers',
'Secrets',
'Services',
'ServiceAccounts',
],
},
apps: {
resources: [
'ControllerRevisions',
'DaemonSets',
'Deployments',
'ReplicaSets',
'StatefulSets',
]
},
autoscaling: {
resources: [
'HorizontalPodAutoscalers',
]
},
batch: {
resources: [
'CronJobs',
'Jobs',
]
},
'compliance.cattle.io': {
resources: [
'ClusterScans',
'ClusterScanReports'
]
},
'constraints.gatekeeper.sh': {
resources: [
'K8sAllowedRepos',
'K8sRequiredLabels',
'Constraints',
]
},
'templates.gatekeeper.sh': {
resources: [
'ConstraintTemplates'
]
},
'coordination.k8s.io': {
resources: [
'Leases',
]
},
'events.k8s.io': {
resources: [
'Events',
]
},
'helm.cattle.io': {
resources: [
'ProjectHelmCharts',
]
},
'monitoring.coreos.com': {
resources: [
'Alertmanagers',
'AlertmanagerConfigs',
'PodMonitors',
'Probes',
'Prometheuses',
'PrometheusRules',
'Routes',
'Receivers',
'ServiceMonitors',
'ThanosRulers'
]
},
'networking.k8s.io': {
resources: [
'Ingresses',
'IngressClasses',
'NetworkPolicies',
]
},
'io.k8s.api.discovery': {
resources: [
'Endpoints'
]
},
'discovery.k8s.io': {
resources: [
'EndpointSlices',
]
},
'node.k8s.io': {
resources: [
'RuntimeClasses',
]
},
policy: {
resources: [
'PodDisruptionBudgets',
'PodSecurityPolicies',
]
},
'project.cattle.io': {
resources: [
'Apps',
'AppRevisions'
],
deprecatedResources: [
'Pipelines', // Replaced by Fleet
'PipelineExecutions', // Replaced by Fleet
'PipelineSettings', // Replaced by Fleet
'SourceCodeCredentials', // Replaced by Fleet
'SourceCodeProviderConfigs', // Replaced by Fleet
'SourceCodeRepositories', // Replaced by Fleet
]
},
'logging.banzaicloud.io': {
resources: [
'ClusterFlows',
'ClusterOutputs',
'Flows',
'Loggings',
'Outputs',
]
},
'install.istio.io': {
resources: [
'IstioOperators',
]
},
'security.istio.io': {
resources: [
'AuthorizationPolicies',
'RequestAuthentications',
'PeerAuthentications',
]
},
'status.gatekeeper.sh': {
resources: [
'ConstraintPodStatuses',
'ConstraintTemplatePodStatuses',
]
},
'networking.istio.io': {
resources: [
'DestinationRules',
'EnvoyFilters',
'Gateways',
'ServiceEntries',
'Sidecars',
'VirtualServices',
'WorkloadEntries',
'WorkloadGroups'
]
},
neuvectorApi: {
resources: [
'AuditEvents',
'Authorization',
'Compliance',
'Events',
'Namespace',
'RegistryScan',
'RuntimePolicy',
'RuntimeScan',
'SecurityEvents',
'SystemConfig',
]
}
}
};
Reference in New Issue View Git Blame Copy Permalink