From 6740c58ef8617981e367ea8ed43e66829464688d Mon Sep 17 00:00:00 2001 
From: Gaelle Fournier Date: Fri, 10 Nov 2023 14:35:32 +0100 Subject: [PATCH 1/4] feat(install): Separate namespaced and descoped rbacs Ref #3165 --- config/manifests/kustomization.yaml | 1 + config/rbac/descoped/kustomization.yaml | 38 ++++ .../operator-cluster-role-binding-events.yaml | 31 +++ .../operator-cluster-role-binding-keda.yaml | 31 +++ ...operator-cluster-role-binding-knative.yaml | 31 +++ .../operator-cluster-role-binding-leases.yaml | 31 +++ ...ator-cluster-role-binding-podmonitors.yaml | 31 +++ ...operator-cluster-role-binding-strimzi.yaml | 31 +++ .../operator-cluster-role-binding.yaml | 31 +++ .../operator-cluster-role-events.yaml | 34 ++++ .../descoped/operator-cluster-role-keda.yaml | 38 ++++ .../operator-cluster-role-knative.yaml | 80 ++++++++ .../operator-cluster-role-leases.yaml | 37 ++++ .../operator-cluster-role-podmonitors.yaml | 37 ++++ .../operator-cluster-role-strimzi.yaml | 33 +++ .../rbac/descoped/operator-cluster-role.yaml | 188 ++++++++++++++++++ config/rbac/kustomization.yaml | 29 ++- config/rbac/namespaced/kustomization.yaml | 38 ++++ .../operator-role-binding-events.yaml | 0 .../operator-role-binding-keda.yaml | 0 .../operator-role-binding-knative.yaml | 0 .../operator-role-binding-leases.yaml | 0 .../operator-role-binding-podmonitors.yaml | 0 .../operator-role-binding-strimzi.yaml | 0 .../operator-role-binding.yaml | 0 .../operator-role-events.yaml | 0 .../{ => namespaced}/operator-role-keda.yaml | 0 .../operator-role-knative.yaml | 0 .../operator-role-leases.yaml | 0 .../operator-role-podmonitors.yaml | 0 .../operator-role-strimzi.yaml | 0 .../rbac/{ => namespaced}/operator-role.yaml | 0 install/Makefile | 10 +- install/setup/kustomization.yaml | 12 -- pkg/install/operator.go | 136 +++++++++---- 35 files changed, 852 insertions(+), 76 deletions(-) create mode 100644 config/rbac/descoped/kustomization.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-events.yaml create mode 100644 
config/rbac/descoped/operator-cluster-role-binding-keda.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-knative.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-leases.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-events.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-keda.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-knative.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-leases.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-podmonitors.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-strimzi.yaml create mode 100644 config/rbac/descoped/operator-cluster-role.yaml create mode 100644 config/rbac/namespaced/kustomization.yaml rename config/rbac/{ => namespaced}/operator-role-binding-events.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-keda.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-knative.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-leases.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-podmonitors.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-strimzi.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-events.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-keda.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-knative.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-leases.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-podmonitors.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-strimzi.yaml 
(100%) rename config/rbac/{ => namespaced}/operator-role.yaml (100%)
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 94f8a27f8b..9a926be1b0 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -27,6 +27,7 @@ resources:
 - ../samples
 - ../scorecard
 - ../rbac
+- ../rbac/namespaced
 - ../rbac/openshift
 
 patchesStrategicMerge:
diff --git a/config/rbac/descoped/kustomization.yaml b/config/rbac/descoped/kustomization.yaml
new file mode 100644
index 0000000000..ade2d46ba8
--- /dev/null
+++ b/config/rbac/descoped/kustomization.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - global operator
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-cluster-role-events.yaml
+- operator-cluster-role-knative.yaml
+- operator-cluster-role.yaml
+- operator-cluster-role-keda.yaml
+- operator-cluster-role-leases.yaml
+- operator-cluster-role-podmonitors.yaml
+- operator-cluster-role-strimzi.yaml
+- operator-cluster-role-binding-events.yaml
+- operator-cluster-role-binding-keda.yaml
+- operator-cluster-role-binding-knative.yaml
+- operator-cluster-role-binding-leases.yaml
+- operator-cluster-role-binding-podmonitors.yaml
+- operator-cluster-role-binding-strimzi.yaml
+- operator-cluster-role-binding.yaml
diff --git a/config/rbac/descoped/operator-cluster-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
new file mode 100644
index 0000000000..9dd5228d26
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-events
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
new file mode 100644
index 0000000000..92e154e878
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
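Review bot: The subject of this ClusterRoleBinding is the `camel-k-operator` ServiceAccount in `namespace: placeholder`, and the same literal is used by the six sibling bindings in this patch (keda, knative, leases, podmonitors, strimzi and the default binding). Presumably pkg/install/operator.go, which the diffstat lists but this page does not show, substitutes the real operator namespace before applying; the manifest itself does not say so, and a binding applied with the literal left in would hand the cluster-wide role to whatever ServiceAccount of that name exists in a namespace called `placeholder`. A comment above the subject, `# namespace is substituted by the installer with the operator namespace; do not apply this manifest unpatched`, would state the contract, and setting `namespace:` in descoped/kustomization.yaml (kustomize rewrites ServiceAccount subject namespaces in bindings) would make a direct `kubectl apply -k` safe as well.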
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-keda
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
new file mode 100644
index 0000000000..739b0dd06a
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-knative
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-knative
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
new file mode 100644
index 0000000000..35d667fd12
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-leases
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
new file mode 100644
index 0000000000..bef231b078
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-podmonitors
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
new file mode 100644
index 0000000000..fefd143525
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-strimzi
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml
new file mode 100644
index 0000000000..83f227d628
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml
new file mode 100644
index 0000000000..1dfd24b01e
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-events.yaml
@@ -0,0 +1,34 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - get
+ - list
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml
new file mode 100644
index 0000000000..3b3f432ebb
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "keda.sh"
+ resources:
+ - scaledobjects
+ - triggerauthentications
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml
new file mode 100644
index 0000000000..305d26b624
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -0,0 +1,80 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-knative
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - services
+ - routes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - triggers
+ - brokers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - messaging.knative.dev
+ resources:
+ - subscriptions
+ - channels
+ - inmemorychannels
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - sources.knative.dev
+ resources:
+ - sinkbindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - patch
diff --git a/config/rbac/descoped/operator-cluster-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml
new file mode 100644
index 0000000000..6ea671bd28
--- /dev/null
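Review bot: The final rule grants `patch` on `namespaces` across the whole cluster and the file gives no reason for it. Namespace metadata carries admission-relevant labels (the `pod-security.kubernetes.io/*` labels among them), so cluster-wide patch is a materially larger grant than the `get`/`list` the base cluster role takes on the same resource, and a future auditor will want to know which field the operator actually touches. A comment on that rule such as `# patch on namespaces: needed so the operator can label namespaces for Knative eventing (confirm the exact label)` would record the intent; I am inferring the purpose from the file name, so the wording should be checked against the operator code.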
+++ b/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
new file mode 100644
index 0000000000..2578103c38
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - podmonitors
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
new file mode 100644
index 0000000000..9ccea139fd
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "kafka.strimzi.io"
+ resources:
+ - kafkatopics
+ - kafkas
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml
new file mode 100644
index 0000000000..d7ee2fa399
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role.yaml
@@ -0,0 +1,188 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds
+ - camelcatalogs
+ - integrationkits
+ - integrationplatforms
+ - integrations
+ - pipes
+ # Deprecated: kameletbindings CR
+ - kameletbindings
+ - kamelets
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds
+ verbs:
+ - delete
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds/status
+ - camelcatalogs/status
+ - integrationkits/status
+ - integrationplatforms/status
+ - integrations/scale
+ - integrations/status
+ - pipes/status
+ - pipes/scale
+ # Deprecated: kameletbindings CR
+ - kameletbindings/status
+ - kameletbindings/scale
+ - kamelets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - configmaps
+ - secrets
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - pods/proxy
+ - pods/log
+ verbs:
+ - get
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - delete
+ - get
+ - update
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterrolebindings
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index f2600f1626..5b3e03f558 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
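Review bot: This ClusterRole carries no header comment stating that it is the cluster-scoped counterpart of the namespaced operator Role, and that with `secrets`, `serviceaccounts`, `pods/exec` and write access on `rbac.authorization.k8s.io` resources granted in every namespace it gives the operator ServiceAccount cluster-admin-equivalent reach. The `clusterrolebindings` entry in the rbac rule deserves a second look: in a namespaced Role such an entry is inert because the resource is cluster-scoped, whereas here it is live, so it should stay only if the descoped operator really creates ClusterRoleBindings; I cannot see namespaced/operator-role.yaml in this patch to compare. I would add `# Cluster-scoped variant of namespaced/operator-role.yaml: every verb below applies in all namespaces; keep the two files in sync.` under the license header and `# NOTE(review): confirm the operator manages ClusterRoleBindings; drop otherwise` beside that entry.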
@@ -23,23 +23,22 @@ kind: Kustomization
 
 resources:
 - user-cluster-role.yaml
-- operator-role-events.yaml
-- operator-role-knative.yaml
-- operator-role.yaml
-- operator-role-keda.yaml
-- operator-role-leases.yaml
-- operator-role-podmonitors.yaml
-- operator-role-strimzi.yaml
-- operator-role-binding-events.yaml
-- operator-role-binding-keda.yaml
-- operator-role-binding-knative.yaml
-- operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
-- operator-role-binding-podmonitors.yaml
-- operator-role-binding-strimzi.yaml
-- operator-role-binding.yaml
 - operator-cluster-role-custom-resource-definitions.yaml
 - operator-cluster-role-binding-custom-resource-definitions.yaml
 - operator-cluster-role-addressable-resolver.yaml
 - operator-cluster-role-binding-addressable-resolver.yaml
 - operator-cluster-role-local-registry.yaml
+- operator-role-binding-local-registry.yaml
+
+
+transformers:
+- |-
+ apiVersion: builtin
+ kind: PatchTransformer
+ metadata:
+ name: fix-local-registry-rbac-namespace
+ patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+ target:
+ group: rbac.authorization.k8s.io
+ kind: RoleBinding
+ name: camel-k-operator-local-registry
\ No newline at end of file
diff --git a/config/rbac/namespaced/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml
new file mode 100644
index 0000000000..510beb4d57
--- /dev/null
+++ b/config/rbac/namespaced/kustomization.yaml
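Review bot: The inline PatchTransformer pins the `camel-k-operator-local-registry` RoleBinding to `kube-public` without saying why, and the file now ends without a trailing newline (`\ No newline at end of file`). A one-line comment above `transformers:` such as `# the local-registry RoleBinding is applied to kube-public rather than the operator namespace` would record the intent for the next reader, and restoring the final newline keeps YAML linters quiet. Whether the binding's ServiceAccount subject still points at the operator namespace after this patch I cannot tell from this hunk, since the binding file itself is not shown.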
@@ -0,0 +1,38 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- + +# +# rbac resources applicable for all kubernetes platforms - namespaced operator +# +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- operator-role-events.yaml +- operator-role-knative.yaml +- operator-role.yaml +- operator-role-keda.yaml +- operator-role-leases.yaml +- operator-role-podmonitors.yaml +- operator-role-strimzi.yaml +- operator-role-binding-events.yaml +- operator-role-binding-keda.yaml +- operator-role-binding-knative.yaml +- operator-role-binding-leases.yaml +- operator-role-binding-podmonitors.yaml +- operator-role-binding-strimzi.yaml +- operator-role-binding.yaml diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml similarity index 100% rename from config/rbac/operator-role-binding-events.yaml rename to config/rbac/namespaced/operator-role-binding-events.yaml 
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml similarity index 100% rename from config/rbac/operator-role-binding-keda.yaml rename to config/rbac/namespaced/operator-role-binding-keda.yaml diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml similarity index 100% rename from config/rbac/operator-role-binding-knative.yaml rename to config/rbac/namespaced/operator-role-binding-knative.yaml diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml similarity index 100% rename from config/rbac/operator-role-binding-leases.yaml rename to config/rbac/namespaced/operator-role-binding-leases.yaml diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml similarity index 100% rename from config/rbac/operator-role-binding-podmonitors.yaml rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml similarity index 100% rename from config/rbac/operator-role-binding-strimzi.yaml rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml similarity index 100% rename from config/rbac/operator-role-binding.yaml rename to config/rbac/namespaced/operator-role-binding.yaml diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml similarity index 100% rename from config/rbac/operator-role-events.yaml rename to config/rbac/namespaced/operator-role-events.yaml 
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml similarity index 100% rename from config/rbac/operator-role-keda.yaml rename to config/rbac/namespaced/operator-role-keda.yaml diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml similarity index 100% rename from config/rbac/operator-role-knative.yaml rename to config/rbac/namespaced/operator-role-knative.yaml diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml similarity index 100% rename from config/rbac/operator-role-leases.yaml rename to config/rbac/namespaced/operator-role-leases.yaml diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml similarity index 100% rename from config/rbac/operator-role-podmonitors.yaml rename to config/rbac/namespaced/operator-role-podmonitors.yaml diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml similarity index 100% rename from config/rbac/operator-role-strimzi.yaml rename to config/rbac/namespaced/operator-role-strimzi.yaml diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml similarity index 100% rename from config/rbac/operator-role.yaml rename to config/rbac/namespaced/operator-role.yaml diff --git a/install/Makefile b/install/Makefile index ce329c6d51..a80f5e3da9 100644 --- a/install/Makefile +++ b/install/Makefile 
@@ -241,13 +241,11 @@ endif setup: setup-cluster # Set the namespace in the setup kustomization yaml @$(call set-kustomize-namespace,$@) -# If GLOBAL then add the conversion patches for all roles and rolebindings -ifeq ($(GLOBAL),true) - @$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role) - @$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding) +# If GLOBAL then add the versions with clusterroles and clusterrolebindings +ifeq ($(GLOBAL), true) + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null; else - @$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role) - @$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding) + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null; endif ifeq ($(PLATFORM), openshift) @for res in $(RBAC_OS)/operator-role*; do \ diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml index 9598726cae..c10dfd6538 100644 --- a/install/setup/kustomization.yaml +++ b/install/setup/kustomization.yaml @@ -19,15 +19,3 @@ kind: Kustomization resources: - ../config/rbac - -transformers: -- |- - apiVersion: builtin - kind: PatchTransformer - metadata: - name: fix-local-registry-rbac-namespace - patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]' - target: - group: rbac.authorization.k8s.io - kind: RoleBinding - name: camel-k-operator-local-registry diff --git a/pkg/install/operator.go b/pkg/install/operator.go index 9daf61ee0c..2db3fde3d6 100644 --- a/pkg/install/operator.go +++ b/pkg/install/operator.go 
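Review bot: The new `GLOBAL` branches only ever add a resource, whereas the code they replace added in one branch and removed in the other, so running `make setup GLOBAL=true` and later `make setup` leaves both `../$(RBAC)/descoped` and `../$(RBAC)/namespaced` in the setup kustomization, and the cluster-scoped roles and bindings remain in what a namespaced install applies. Each branch should evict the other variant first, e.g. `@cd $@ || exit 1 && $(KUSTOMIZE) edit remove resource ../$(RBAC)/namespaced; $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;` in the `true` branch and the mirror image under `else`. The OpenShift branches added in patch 2/4 (`@@ -248,11 +244,11 @@`, `../$(RBAC_OS)/descoped` vs `../$(RBAC_OS)/namespaced`) have the same shape. It is also worth confirming what `kustomize edit add resource` does when the entry already exists, since the old `add-remove-kind-patch` helper was what made repeated runs safe.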
@@ -260,7 +260,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, } // Install Kubernetes RBAC resources (roles and bindings) - if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { return err } @@ -289,7 +289,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, return err } if isKnative { - if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { return err } if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-bind-addressable-resolver", "/rbac/operator-cluster-role-binding-addressable-resolver.yaml"); err != nil { 
@@ -301,35 +301,35 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, } } - if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.") } - if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create KEDA resources. Try installing as cluster-admin.") } - if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create PodMonitor resources. Try installing as cluster-admin.") } - if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to lookup strimzi kafka resources. 
Try installing as cluster-admin to allow the lookup of strimzi kafka resources.") } - if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { if k8serrors.IsAlreadyExists(err) { return err } @@ -491,12 +491,20 @@ func installOpenShiftRoles(ctx context.Context, c client.Client, namespace strin ) } -func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/manager/operator-service-account.yaml", - "/rbac/operator-role.yaml", - "/rbac/operator-role-binding.yaml", - ) +func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/manager/operator-service-account.yaml", + "/rbac/descoped/operator-cluster-role.yaml", + "/rbac/descoped/operator-cluster-role-binding.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/manager/operator-service-account.yaml", + "/rbac/namespaced/operator-role.yaml", + "/rbac/namespaced/operator-role-binding.yaml", + ) + } } func installOperator(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { 
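Review bot: The new `if global { return … } else { return … }` body of `installKubernetesRoles` is repeated almost verbatim in `installKedaBindings`, `installKnative`, `installEvents`, `installPodMonitors`, `installStrimziBindings`, `installLeaseBindings` (the next two hunks) and `installOpenShiftRoles` (patch 2/4), differing only in the component suffix and directory. The `else` after an unconditional `return` is the indent-error-flow shape linters flag, and eight hand-copied path pairs are eight places for one to point at a stale manifest; deriving the pair from `global` and the component name removes both. The sketch below assumes `ResourcesOrCollect` takes the manifest paths as a trailing variadic `...string`, as the existing calls suggest, and that the OpenShift variant would get a directory-prefix parameter.

```go
// rbacManifests returns the role and binding manifests for one component,
// choosing the cluster-scoped ("descoped") pair when global is set and the
// namespaced pair otherwise. An empty component selects the base operator role.
func rbacManifests(global bool, component string) []string {
	suffix := ""
	if component != "" {
		suffix = "-" + component
	}
	if global {
		return []string{
			"/rbac/descoped/operator-cluster-role" + suffix + ".yaml",
			"/rbac/descoped/operator-cluster-role-binding" + suffix + ".yaml",
		}
	}
	return []string{
		"/rbac/namespaced/operator-role" + suffix + ".yaml",
		"/rbac/namespaced/operator-role-binding" + suffix + ".yaml",
	}
}

func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
	manifests := append([]string{"/manager/operator-service-account.yaml"}, rbacManifests(global, "")...)
	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, manifests...)
}

// … unchanged: installOperator …
```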
@@ -505,39 +513,74 @@ func installOperator(ctx context.Context, c client.Client, namespace string, cus ) } -func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-keda.yaml", - "/rbac/operator-role-binding-keda.yaml", - ) +func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-keda.yaml", + "/rbac/descoped/operator-cluster-role-binding-keda.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-keda.yaml", + "/rbac/namespaced/operator-role-binding-keda.yaml", + ) + } } -func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-knative.yaml", - "/rbac/operator-role-binding-knative.yaml", - ) +func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-knative.yaml", + "/rbac/descoped/operator-cluster-role-binding-knative.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-knative.yaml", + "/rbac/namespaced/operator-role-binding-knative.yaml", + ) + } } -func installEvents(ctx context.Context, c 
client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-events.yaml", - "/rbac/operator-role-binding-events.yaml", - ) +func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-events.yaml", + "/rbac/descoped/operator-cluster-role-binding-events.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-events.yaml", + "/rbac/namespaced/operator-role-binding-events.yaml", + ) + } } -func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-podmonitors.yaml", - "/rbac/operator-role-binding-podmonitors.yaml", - ) +func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-podmonitors.yaml", + "/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-podmonitors.yaml", + "/rbac/namespaced/operator-role-binding-podmonitors.yaml", + ) + } } -func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { 
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-strimzi.yaml", - "/rbac/operator-role-binding-strimzi.yaml", - ) +func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-strimzi.yaml", + "/rbac/descoped/operator-cluster-role-binding-strimzi.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-strimzi.yaml", + "/rbac/namespaced/operator-role-binding-strimzi.yaml", + ) + } } func installMonitoringResources(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { 
@@ -547,11 +590,18 @@ func installMonitoringResources(ctx context.Context, c client.Client, namespace ) } -func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/operator-role-leases.yaml", - "/rbac/operator-role-binding-leases.yaml", - ) +func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/descoped/operator-cluster-role-leases.yaml", + "/rbac/descoped/operator-cluster-role-binding-leases.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/namespaced/operator-role-leases.yaml", + "/rbac/namespaced/operator-role-binding-leases.yaml", + ) + } } // NewPlatform creates a new IntegrationPlatform instance. From 65d6b22080dd8494f2089c9b1aef80cce5e0f003 Mon Sep 17 00:00:00 2001 
From: Gaelle Fournier Date: Fri, 8 Dec 2023 22:07:20 +0100 Subject: [PATCH 2/4] feat(install): Separate namespaced and descoped openshift rbacs --- config/manifests/kustomization.yaml | 1 + .../openshift/descoped/kustomization.yaml | 26 +++++ ...erator-cluster-role-binding-openshift.yaml | 31 ++++++ .../operator-cluster-role-openshift.yaml | 99 +++++++++++++++++++ config/rbac/openshift/kustomization.yaml | 2 - .../openshift/namespaced/kustomization.yaml | 26 +++++ .../operator-role-binding-openshift.yaml | 0 .../operator-role-openshift.yaml | 0 e2e/support/test_support.go | 4 +- install/Makefile | 16 ++- pkg/install/operator.go | 19 ++-- 11 files changed, 204 insertions(+), 20 deletions(-) create mode 100644 config/rbac/openshift/descoped/kustomization.yaml create mode 100644 config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml create mode 100644 config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml create mode 100644 config/rbac/openshift/namespaced/kustomization.yaml rename config/rbac/openshift/{ => namespaced}/operator-role-binding-openshift.yaml (100%) rename config/rbac/openshift/{ => namespaced}/operator-role-openshift.yaml (100%) diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 9a926be1b0..f97882bcf4 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -29,6 +29,7 @@ resources: - ../rbac - ../rbac/namespaced - ../rbac/openshift +- ../rbac/openshift/namespaced patchesStrategicMerge: - patch-delete-user-cluster-role.yaml diff --git a/config/rbac/openshift/descoped/kustomization.yaml b/config/rbac/openshift/descoped/kustomization.yaml new file mode 100644 index 0000000000..35cf76e40c --- /dev/null +++ b/config/rbac/openshift/descoped/kustomization.yaml 
@@ -0,0 +1,26 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- + +# +# rbac resources applicable for all kubernetes platforms - global operator +# +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- operator-cluster-role-openshift.yaml +- operator-cluster-role-binding-openshift.yaml diff --git a/config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml b/config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml new file mode 100644 index 0000000000..8cf0a8fc9e --- /dev/null +++ b/config/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml 
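Review bot: The header comment in the new `config/rbac/openshift/descoped/kustomization.yaml` reads `rbac resources applicable for all kubernetes platforms - global operator`, but the directory is OpenShift-only, and the namespaced sibling added later in this patch (`config/rbac/openshift/namespaced/kustomization.yaml`) repeats the same `global operator` text although it lists `operator-role-openshift.yaml` and its RoleBinding. Suggested text here: `# rbac resources applicable only on OpenShift - global (descoped) operator`, and for the namespaced file `# rbac resources applicable only on OpenShift - namespaced operator`. Scope labels on RBAC bundles are what a later reader uses to decide which set an install needs, so they are worth getting right.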
@@ -0,0 +1,31 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-openshift + labels: + app: "camel-k" +subjects: +- kind: ServiceAccount + name: camel-k-operator + namespace: placeholder +roleRef: + kind: ClusterRole + name: camel-k-operator-openshift + apiGroup: rbac.authorization.k8s.io diff --git a/config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml b/config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml new file mode 100644 index 0000000000..5589d77933 --- /dev/null +++ b/config/rbac/openshift/descoped/operator-cluster-role-openshift.yaml 
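Review bot: `namespace: placeholder` on the ServiceAccount subject is a sentinel that only works if an install step rewrites it, and nothing in this patch does — the ClusterRoleBinding fix-up that recognises the literal `placeholder` only appears in patch 3/4, so at this commit a `GLOBAL=true` install through `installOpenShiftRoles` would presumably bind `camel-k-operator-openshift` to a ServiceAccount in a namespace literally named `placeholder`. A comment on the line makes the contract visible to whoever edits the manifest next: `namespace: placeholder # rewritten to the operator namespace at install time; must match the sentinel checked in pkg/install/operator.go`. If the Kubernetes descoped bindings added in patch 1/4 use the same sentinel, they need the same comment.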
@@ -0,0 +1,99 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator-openshift + labels: + app: "camel-k" +rules: +- apiGroups: + - camel.apache.org + resources: + - builds/finalizers + - integrationkits/finalizers + - integrationplatforms/finalizers + - integrations/finalizers + - pipes/finalizers + - kameletbindings/finalizers + verbs: + - update +- apiGroups: + - "" + - "build.openshift.io" + resources: + - buildconfigs + - buildconfigs/webhooks + - builds + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + - "image.openshift.io" + resources: + - imagestreamimages + - imagestreammappings + - imagestreams + - imagestreams/secrets + - imagestreamtags + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + - build.openshift.io + resources: + - buildconfigs/instantiate + - buildconfigs/instantiatebinary + - builds/clone + verbs: + - create +- apiGroups: + 
- "" + - "route.openshift.io" + resources: + - routes + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + - route.openshift.io + resources: + - routes/custom-host + verbs: + - create diff --git a/config/rbac/openshift/kustomization.yaml b/config/rbac/openshift/kustomization.yaml index 2813c7aad9..4920f66007 100644 --- a/config/rbac/openshift/kustomization.yaml +++ b/config/rbac/openshift/kustomization.yaml @@ -24,5 +24,3 @@ kind: Kustomization resources: - operator-cluster-role-console-binding-openshift.yaml - operator-cluster-role-console-openshift.yaml -- operator-role-openshift.yaml -- operator-role-binding-openshift.yaml diff --git a/config/rbac/openshift/namespaced/kustomization.yaml b/config/rbac/openshift/namespaced/kustomization.yaml new file mode 100644 index 0000000000..0fc7813209 --- /dev/null +++ b/config/rbac/openshift/namespaced/kustomization.yaml 
@@ -0,0 +1,26 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- + +# +# rbac resources applicable for all kubernetes platforms - global operator +# +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- operator-role-openshift.yaml +- operator-role-binding-openshift.yaml diff --git a/config/rbac/openshift/operator-role-binding-openshift.yaml b/config/rbac/openshift/namespaced/operator-role-binding-openshift.yaml similarity index 100% rename from config/rbac/openshift/operator-role-binding-openshift.yaml rename to config/rbac/openshift/namespaced/operator-role-binding-openshift.yaml diff --git a/config/rbac/openshift/operator-role-openshift.yaml b/config/rbac/openshift/namespaced/operator-role-openshift.yaml similarity index 100% rename from config/rbac/openshift/operator-role-openshift.yaml rename to config/rbac/openshift/namespaced/operator-role-openshift.yaml diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go index ec1f5d5e16..2415efee29 100644 --- a/e2e/support/test_support.go +++ b/e2e/support/test_support.go 
@@ -2404,7 +2404,7 @@ func CreateOperatorRole(ns string) (err error) { return err } if oc { - return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/operator-role-openshift.yaml") + return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/namespaced/operator-role-openshift.yaml") } return nil } @@ -2419,7 +2419,7 @@ func CreateOperatorRoleBinding(ns string) error { return err } if oc { - return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/operator-role-binding-openshift.yaml") + return install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/openshift/namespaced/operator-role-binding-openshift.yaml") } return nil } diff --git a/install/Makefile b/install/Makefile index a80f5e3da9..692d32f9ad 100644 --- a/install/Makefile +++ b/install/Makefile @@ -202,11 +202,7 @@ setup-cluster: check-admin check-crd-api-support have-platform kustomize kubectl # Set the namespace in the setup-cluster kustomization yaml @$(call set-kustomize-namespace,$@) ifeq ($(PLATFORM), openshift) - @for res in $(RBAC_OS)/operator-cluster*; do \ - cd $@ || exit 1 && \ - $(KUSTOMIZE) edit add resource ../$$res && \ - cd - &> /dev/null; \ - done + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS) && cd - &> /dev/null; endif # # Build the resources 
@@ -248,11 +244,11 @@ else @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null; endif ifeq ($(PLATFORM), openshift) - @for res in $(RBAC_OS)/operator-role*; do \ - cd $@ || exit 1 && \ - $(KUSTOMIZE) edit add resource ../$$res && \ - cd - &> /dev/null; \ - done +ifeq ($(GLOBAL), true) + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS)/descoped && cd - &> /dev/null; +else + @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC_OS)/namespaced && cd - &> /dev/null; +endif endif # # Build the resources diff --git a/pkg/install/operator.go b/pkg/install/operator.go index 2db3fde3d6..b12cb734cb 100644 --- a/pkg/install/operator.go +++ b/pkg/install/operator.go @@ -266,7 +266,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, // Install OpenShift RBAC resources if needed (roles and bindings) if isOpenShift { - if err := installOpenShiftRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil { + if err := installOpenShiftRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil { return err } if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-console-openshift", "/rbac/openshift/operator-cluster-role-console-binding-openshift.yaml"); err != nil { 
@@ -484,11 +484,18 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection return c.Patch(ctx, existing, ctrl.RawPatch(types.MergePatchType, p)) } -func installOpenShiftRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error { - return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, - "/rbac/openshift/operator-role-openshift.yaml", - "/rbac/openshift/operator-role-binding-openshift.yaml", - ) +func installOpenShiftRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { + if global { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/openshift/descoped/operator-cluster-role-openshift.yaml", + "/rbac/openshift/descoped/operator-cluster-role-binding-openshift.yaml", + ) + } else { + return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, + "/rbac/openshift/namespaced/operator-role-openshift.yaml", + "/rbac/openshift/namespaced/operator-role-binding-openshift.yaml", + ) + } } func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error { From 8d103a984aee2dab3d0a1d030978a7ec0907323c Mon Sep 17 00:00:00 2001 From: Gaelle Fournier Date: Mon, 13 Nov 2023 14:13:08 +0100 Subject: [PATCH 3/4] feat(install): Adaptations for namespaced/descoped separation rbacs --- e2e/support/test_support.go | 4 +-- install/setup/kustomization.yaml | 12 +++++++ pkg/install/operator.go | 55 +++++++++++++------------------- 3 files changed, 36 insertions(+), 35 deletions(-) diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go index 2415efee29..371e8491ae 100644 --- a/e2e/support/test_support.go +++ b/e2e/support/test_support.go 
@@ -2399,7 +2399,7 @@ func CreateOperatorRole(ns string) (err error) { // This should ideally be removed from the common RBAC manifest. customizer = install.RemoveIngressRoleCustomizer } - err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/operator-role.yaml") + err = install.Resource(TestContext, TestClient(), ns, true, customizer, "/rbac/namespaced/operator-role.yaml") if err != nil { return err } @@ -2414,7 +2414,7 @@ func CreateOperatorRoleBinding(ns string) error { if err != nil { failTest(err) } - err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/operator-role-binding.yaml") + err = install.Resource(TestContext, TestClient(), ns, true, install.IdentityResourceCustomizer, "/rbac/namespaced/operator-role-binding.yaml") if err != nil { return err } diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml index c10dfd6538..9598726cae 100644 --- a/install/setup/kustomization.yaml +++ b/install/setup/kustomization.yaml @@ -19,3 +19,15 @@ kind: Kustomization resources: - ../config/rbac + +transformers: +- |- + apiVersion: builtin + kind: PatchTransformer + metadata: + name: fix-local-registry-rbac-namespace + patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]' + target: + group: rbac.authorization.k8s.io + kind: RoleBinding + name: camel-k-operator-local-registry diff --git a/pkg/install/operator.go b/pkg/install/operator.go index b12cb734cb..b24dbe2f30 100644 --- a/pkg/install/operator.go +++ b/pkg/install/operator.go 
@@ -200,41 +200,30 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 envvar.SetVal(&d.Spec.Template.Spec.Containers[0].Env, "WATCH_NAMESPACE", "")
 }
 }
-
- // Turn Role & RoleBinding into their equivalent cluster types
- if r, ok := o.(*rbacv1.Role); ok {
- if strings.HasPrefix(r.Name, "camel-k-operator") {
- o = &rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: cfg.Namespace,
- Name: r.Name,
- Labels: map[string]string{
- "app": "camel-k",
- },
- },
- Rules: r.Rules,
+ // Configure subject on ClusterRoleBindings
+ if crb, ok := o.(*rbacv1.ClusterRoleBinding); ok {
+ if strings.HasPrefix(crb.Name, "camel-k-operator") {
+ crb.ObjectMeta.Name = fmt.Sprintf("%s-%s", crb.ObjectMeta.Name, cfg.Namespace)
+ bound := false
+ for i, subject := range crb.Subjects {
+ if subject.Name == "camel-k-operator" {
+ if subject.Namespace == cfg.Namespace {
+ bound = true
+ break
+ } else if subject.Namespace == "" || subject.Namespace == "placeholder" {
+ crb.Subjects[i].Namespace = cfg.Namespace
+ bound = true
+ break
+ }
+ }
 }
- }
- }
-
- if rb, ok := o.(*rbacv1.RoleBinding); ok {
- if strings.HasPrefix(rb.Name, "camel-k-operator") {
- rb.Subjects[0].Namespace = cfg.Namespace
- o = &rbacv1.ClusterRoleBinding{
- ObjectMeta: metav1.ObjectMeta{
+ if !bound {
+ crb.Subjects = append(crb.Subjects, rbacv1.Subject{
+ Kind: "ServiceAccount",
 Namespace: cfg.Namespace,
- Name: fmt.Sprintf("%s-%s", rb.Name, cfg.Namespace),
- Labels: map[string]string{
- "app": "camel-k",
- },
- },
- Subjects: rb.Subjects,
- RoleRef: rbacv1.RoleRef{
- APIGroup: rb.RoleRef.APIGroup,
- Kind: "ClusterRole",
- Name: rb.RoleRef.Name,
- },
+ Name: "camel-k-operator",
+ })
 }
 }
 }
@@ -444,7 +433,7 @@ func installClusterRoleBinding(ctx context.Context, c client.Client, collection
 bound = true
 break
- } else if subject.Namespace == "" {
+ } else if subject.Namespace == "" || subject.Namespace == "placeholder" {
 target.Subjects[i].Namespace = namespace
 bound = true
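Review bot: The subject match in the new ClusterRoleBinding block tests only `subject.Name == "camel-k-operator"`, yet a subject Namespace is only meaningful for `ServiceAccount` subjects, and the fallback appended when nothing matched explicitly sets `Kind: "ServiceAccount"`; matching on `subject.Kind == "ServiceAccount" && subject.Name == "camel-k-operator"` keeps the two paths consistent and avoids rewriting the namespace of a User or Group that happens to share the name, which would change who the cluster-wide binding grants to. The `"placeholder"` sentinel also appears in the second hunk (`@@ -444,7 +433,7 @@`, installClusterRoleBinding) and presumably in the descoped manifests; a single `const placeholderNamespace = "placeholder"` with a comment naming the manifests that use it would stop the two sites drifting. Both loops implement the same bind-or-append logic, so a small helper shared by OperatorOrCollect and installClusterRoleBinding is worth considering. OperatorOrCollect starts before and continues after this hunk.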
From 17ffb5b23c9edcfe8e02db5397a2316f4c5c2997 Mon Sep 17 00:00:00 2001
From: Gaelle Fournier
Date: Tue, 12 Dec 2023 15:38:58 +0100
Subject: [PATCH 4/4] feat(doc): Kustomize installation procedure
---
 .../ROOT/pages/installation/installation.adoc | 40 ++++++++++++++++++-
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/docs/modules/ROOT/pages/installation/installation.adoc b/docs/modules/ROOT/pages/installation/installation.adoc
index 605dd6ff6f..f0b40a2946 100644
--- a/docs/modules/ROOT/pages/installation/installation.adoc
+++ b/docs/modules/ROOT/pages/installation/installation.adoc
@@ -29,6 +29,8 @@ For CRC, this means executing `oc login -u system:admin` then `kamel install --c
 
 Camel K can be installed using https://kustomize.io[Kustomize], providing an interface for configuring more advanced features.
 
+**First you need to get the kustomize files**
+
 ```
 # Clone the project repository
 $ https://github.com/apache/camel-k.git
@@ -36,13 +38,47 @@ $ cd camel-k
 # You can use any release branch or skip this step to use it the last code on `main`
 $ git checkout release-a.b.x
 $ cd install
-$ kubectl apply -k setup-cluster
+```
+
+**Next you need to apply configuration at cluster level**
+
+```
+$ kubectl kustomize --load-restrictor LoadRestrictionsNone setup-cluster/ | kubectl create -f -
+```
+
+**Then the roles and privileges needs to be added**
+
+```
 $ kubectl apply -k setup
+$ kubectl apply -k config/rbac/namespaced
+# For openshift
+$ kubectl apply -k config/rbac/openshift
+$ kubectl apply -k config/rbac/openshift/namespaced
+```
+
+Should you want your operator operator to watch all namespaces (global operator), you will replace `config/rbac/namespaced` by `config/rbac/descoped` and `config/rbac/openshift/namespaced` by `config/rbac/openshift/descoped`.
+
+**Finally the operator can be deployed**
+
+```
 $ kubectl apply -k operator
 $ kubectl apply -k platform
 ```
 
-NOTE: you probably want to edit the configuration. Please, do any change right after cloning the repository.
+By default the operator is configured to get the registry information from a Configmap expected the namespace `kube-public` like this example:
+
+```
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: local-registry-hosting
+ namespace: kube-public
+data:
+ localRegistryHosting.v1: |
+ hostFromContainerRuntime: "registry:5000"
+```
+
+NOTE: you probably want to edit the configuration. Please, do any change right after cloning the repository. Be careful to avoid making any modification in the `install/config` folder. More information on the xref:installation/advanced/kustomize.adoc[Kustomize Camel K installation procedure] page.