From 9bff1e0e5f0c1fe4da49f42f48c7d44d44d05dc8 Mon Sep 17 00:00:00 2001
From: Panagiotis Nikoloutsopoulos
Date: Tue, 2 Nov 2021 21:35:45 +0100
Subject: [PATCH] Create explicit Shipper application cluster role
---
 cmd/shipperctl/cmd/clusters/clusters.go | 51 +++++++++-----
 cmd/shipperctl/configurator/cluster.go | 42 +++---------
 cmd/shipperctl/configurator/roles.go | 88 +++++++++++++++++++++++++
 3 files changed, 133 insertions(+), 48 deletions(-)
 create mode 100644 cmd/shipperctl/configurator/roles.go
diff --git a/cmd/shipperctl/cmd/clusters/clusters.go b/cmd/shipperctl/cmd/clusters/clusters.go
index 0e91489ce..c30754384 100644
--- a/cmd/shipperctl/cmd/clusters/clusters.go
+++ b/cmd/shipperctl/cmd/clusters/clusters.go
@@ -67,7 +67,7 @@ const (
 managementClusterRoleName = "shipper:management-cluster"
 managementClusterRoleBindingName = "shipper:management-cluster"
- applicationClusterRoleName = "cluster-admin" // needs to be able to install any kind of Helm chart
+ applicationClusterRoleName = "shipper:application-cluster"
 applicationClusterRoleBindingName = "shipper:application-cluster"
 )
@@ -212,6 +212,10 @@ func setupApplicationCluster(cmd *cobra.Command, configurator *configurator.Clus
 return err
 }
+ if err := createApplicationClusterRole(cmd, configurator); err != nil {
+ return err
+ }
+
 if err := createApplicationClusterRoleBinding(cmd, configurator); err != nil {
 return err
 }
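Review bot: The new `applicationClusterRoleName` constant drops the comment that explained why the application cluster previously needed a cluster-wide role, and nothing now tells a reader where the replacement role's rules are defined or that a Helm chart using resources outside that allowlist will be rejected by RBAC. Suggest `applicationClusterRoleName = "shipper:application-cluster" // rules live in cmd/shipperctl/configurator/roles.go; charts may only use the resources listed there`. The `const` block continues outside the hunk.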
@@ -465,9 +469,9 @@ func createApplicationServiceAccount(cmd *cobra.Command, configurator *configura
 return nil
 }
-func createManagementClusterRole(cmd *cobra.Command, configurator *configurator.Cluster) error {
- cmd.Printf("Creating a ClusterRole called %s... ", managementClusterRoleName)
- if err := configurator.CreateClusterRole(shipper.RBACManagementDomain, managementClusterRoleName); err != nil {
+func createApplicationClusterRole(cmd *cobra.Command, configurator *configurator.Cluster) error {
+ cmd.Printf("Creating a ClusterRole called %s... ", applicationClusterRoleName)
+ if err := configurator.CreateApplicationClusterRole(applicationClusterRoleName, shipper.RBACManagementDomain); err != nil {
 if errors.IsAlreadyExists(err) {
 cmd.Println("already exists. Skipping")
 return nil
@@ -480,13 +484,13 @@ func createManagementClusterRole(cmd *cobra.Command, configurator *configurator.
 return nil
 }
-func createManagementClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
- cmd.Printf("Creating a ClusterRoleBinding called %s... ", managementClusterRoleBindingName)
+func createApplicationClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
+ cmd.Printf("Creating a ClusterRoleBinding called %s... ", applicationClusterRoleBindingName)
 err := configurator.CreateClusterRoleBinding(
- shipper.RBACManagementDomain,
- managementClusterRoleBindingName,
- managementClusterRoleName,
- managementClusterServiceAccount,
+ shipper.RBACApplicationDomain,
+ applicationClusterRoleBindingName,
+ applicationClusterRoleName,
+ applicationClusterServiceAccount,
 shipperNamespace,
 )
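Review bot: `createApplicationClusterRole` passes `shipper.RBACManagementDomain` to `CreateApplicationClusterRole`, while the matching binding in the next hunk is created under `shipper.RBACApplicationDomain`. Judging by the roles.go hunk the domain argument is not applied to the created object at the moment, so this is harmless today, but it will mislabel the role as a management-cluster object the moment the domain label is restored. Suggest `if err := configurator.CreateApplicationClusterRole(applicationClusterRoleName, shipper.RBACApplicationDomain); err != nil {`. The function's tail is outside the hunk.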
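Review bot: On a cluster set up by an earlier shipperctl, a ClusterRoleBinding named `shipper:application-cluster` already exists with its `roleRef` pointing at `cluster-admin`; the binding name is unchanged here, and the AlreadyExists path below the hunk prints `already exists. Skipping`, so the application service account keeps cluster-admin and the least-privilege intent of this change never takes effect on upgraded clusters. Kubernetes treats `roleRef` as immutable, so switching to an update call would not fix it either: the old binding has to be deleted and recreated, or the new binding given a different name. At minimum the AlreadyExists branch should fetch the existing binding and report when its `RoleRef.Name` differs from `applicationClusterRoleName`, rather than silently skipping, so operators learn the old grant is still in place. The rest of `createApplicationClusterRoleBinding` is outside the hunk.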
@@ -503,13 +507,28 @@ func createManagementClusterRoleBinding(cmd *cobra.Command, configurator *config
 return nil
 }
-func createApplicationClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
- cmd.Printf("Creating a ClusterRoleBinding called %s... ", applicationClusterRoleBindingName)
+func createManagementClusterRole(cmd *cobra.Command, configurator *configurator.Cluster) error {
+ cmd.Printf("Creating a ClusterRole called %s... ", managementClusterRoleName)
+ if err := configurator.CreateManagementClusterRole(managementClusterRoleName, shipper.RBACManagementDomain); err != nil {
+ if errors.IsAlreadyExists(err) {
+ cmd.Println("already exists. Skipping")
+ return nil
+ } else {
+ return err
+ }
+ }
+
+ cmd.Println("done")
+ return nil
+}
+
+func createManagementClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
+ cmd.Printf("Creating a ClusterRoleBinding called %s... ", managementClusterRoleBindingName)
 err := configurator.CreateClusterRoleBinding(
- shipper.RBACApplicationDomain,
- applicationClusterRoleBindingName,
- applicationClusterRoleName,
- applicationClusterServiceAccount,
+ shipper.RBACManagementDomain,
+ managementClusterRoleBindingName,
+ managementClusterRoleName,
+ managementClusterServiceAccount,
 shipperNamespace,
 )
diff --git a/cmd/shipperctl/configurator/cluster.go b/cmd/shipperctl/configurator/cluster.go
index 4625827c8..617c9eda7 100644
--- a/cmd/shipperctl/configurator/cluster.go
+++ b/cmd/shipperctl/configurator/cluster.go
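Review bot: The added `createManagementClusterRole` keeps an `else { return err }` after a branch that already ends in `return nil`, which is the shape Go style avoids; the neighbouring functions share it, but this hunk adds a fresh copy. Inverting the test, `if !errors.IsAlreadyExists(err) { return err }`, and then printing `already exists. Skipping` and returning nil keeps the happy path left-aligned. `createManagementClusterRoleBinding` continues outside the hunk.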
@@ -70,40 +70,18 @@ func (c *Cluster) CreateServiceAccount(domain, namespace string, name string) er
 return err
 }
-func (c *Cluster) CreateClusterRole(domain, name string) error {
- clusterRole := &rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- Labels: map[string]string{
- shipper.RBACDomainLabel: domain,
- },
- },
- Rules: []rbacv1.PolicyRule{
- rbacv1.PolicyRule{
- Verbs: []string{rbacv1.VerbAll},
- APIGroups: []string{shipper.SchemeGroupVersion.Group},
- Resources: []string{rbacv1.ResourceAll},
- },
- rbacv1.PolicyRule{
- Verbs: []string{"update", "get", "list", "watch"},
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- },
- rbacv1.PolicyRule{
- Verbs: []string{rbacv1.VerbAll},
- APIGroups: []string{""},
- Resources: []string{"events"},
- },
- rbacv1.PolicyRule{
- Verbs: []string{"get", "list", "watch"},
- APIGroups: []string{""},
- Resources: []string{"namespaces"},
- },
- },
- }
+func (c *Cluster) CreateApplicationClusterRole(name, domain string) error {
+ err := c.createClusterRole(getApplicationClusterRole(name, domain))
+ return err
+}
- _, err := c.KubeClient.RbacV1().ClusterRoles().Create(clusterRole)
+func (c *Cluster) CreateManagementClusterRole(name, domain string) error {
+ err := c.createClusterRole(getManagementClusterRole(name, domain))
+ return err
+}
+func (c *Cluster) createClusterRole(role *rbacv1.ClusterRole) error {
+ _, err := c.KubeClient.RbacV1().ClusterRoles().Create(role)
 return err
 }
diff --git a/cmd/shipperctl/configurator/roles.go b/cmd/shipperctl/configurator/roles.go
new file mode 100644
index 000000000..def180b57
--- /dev/null
+++ b/cmd/shipperctl/configurator/roles.go
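Review bot: `CreateApplicationClusterRole` and `CreateManagementClusterRole` accept a `domain`, but the only code that ever used it is removed here — the `Labels: map[string]string{shipper.RBACDomainLabel: domain}` entry on the ClusterRole's ObjectMeta is gone, and the constructors in the new roles.go hunk do not set it either, so both ClusterRoles are now created without the Shipper RBAC domain label. Anything that selects or cleans up Shipper-managed RBAC objects by that label would no longer see these roles; I cannot see such a consumer from here, so either restore the label inside `getApplicationClusterRole`/`getManagementClusterRole` or drop the parameter. Separately, the new methods take `(name, domain)` while `CreateServiceAccount(domain, namespace, name)` and `CreateClusterRoleBinding(domain, ...)` put the domain first; since both are plain strings, a consistent order is the only guard against a swapped call. The two wrappers can also simply `return c.createClusterRole(getApplicationClusterRole(name, domain))` instead of binding `err` first.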
@@ -0,0 +1,88 @@
+package configurator
+
+import (
+ shipper "github.com/bookingcom/shipper/pkg/apis/shipper/v1alpha1"
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func getManagementClusterRole(name, domain string) *rbacv1.ClusterRole {
+ return &rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ Verbs: []string{rbacv1.VerbAll},
+ APIGroups: []string{shipper.SchemeGroupVersion.Group},
+ Resources: []string{rbacv1.ResourceAll},
+ },
+ {
+ Verbs: []string{"update", "get", "list", "watch"},
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ },
+ {
+ Verbs: []string{rbacv1.VerbAll},
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ },
+ {
+ Verbs: []string{"get", "list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ },
+ }
+}
+
+func getApplicationClusterRole(name, domain string) *rbacv1.ClusterRole {
+ return &rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ Verbs: []string{
+ "get",
+ "list",
+ "watch",
+ "patch",
+ "delete",
+ "update",
+ "create",
+ "deletecollection",
+ },
+ APIGroups: []string{
+ "",
+ "extensions",
+ "apps",
+ "batch",
+ rbacv1.GroupName,
+ },
+ Resources: []string{
+ "pods",
+ "pods/log",
+ "services",
+ "deployments",
+ "replicasets",
+ "statefulsets",
+ "secrets",
+ "configmaps",
+ "jobs",
+ "cronjobs",
+ "persistentvolumeclaims",
+ "endpoints",
+ "rolebindings",
+ "roles",
+ "serviceaccounts",
+ },
+ },
+ {
+ Verbs: []string{"get", "list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ },
+ }
+}
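Review bot: `getManagementClusterRole` grants only `Verbs: []string{"get", "list"}` on `namespaces`, whereas the rules it replaces in cluster.go granted `"get", "list", "watch"`; the commit title describes only the application role, so if any Shipper component runs an informer on namespaces against the management cluster this will start failing with forbidden errors — confirm the narrowing is intended or restore `"watch"`. `getApplicationClusterRole` is a real improvement over `cluster-admin`, but the role is still cluster-scoped and grants every write verb on `secrets`, `serviceaccounts`, `roles` and `rolebindings` in all namespaces; Kubernetes' escalation check bounds role and rolebinding creation to permissions the subject already holds, yet cluster-wide write access to secrets is worth calling out explicitly. I would add a doc comment on the function stating its intent (the resource kinds Helm charts are expected to install), that the scope is cluster-wide, and that any addition to the lists should be reviewed against that intent; the same for `getManagementClusterRole`, which is otherwise an undocumented copy of the removed rules.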