bookingcom · nikoloup · Dec 7, 2021 · Nov 2, 2021
diff --git a/cmd/shipperctl/cmd/clusters/clusters.go b/cmd/shipperctl/cmd/clusters/clusters.go
@@ -67,7 +67,7 @@ const (
 
 	managementClusterRoleName         = "shipper:management-cluster"
 	managementClusterRoleBindingName  = "shipper:management-cluster"
-	applicationClusterRoleName        = "cluster-admin" // needs to be able to install any kind of Helm chart
+	applicationClusterRoleName        = "shipper:application-cluster"
 	applicationClusterRoleBindingName = "shipper:application-cluster"
 )
 
@@ -212,6 +212,10 @@ func setupApplicationCluster(cmd *cobra.Command, configurator *configurator.Clus
 		return err
 	}
 
+	if err := createApplicationClusterRole(cmd, configurator); err != nil {
+		return err
+	}
+
 	if err := createApplicationClusterRoleBinding(cmd, configurator); err != nil {
 		return err
 	}
@@ -465,9 +469,9 @@ func createApplicationServiceAccount(cmd *cobra.Command, configurator *configura
 	return nil
 }
 
-func createManagementClusterRole(cmd *cobra.Command, configurator *configurator.Cluster) error {
-	cmd.Printf("Creating a ClusterRole called %s... ", managementClusterRoleName)
-	if err := configurator.CreateClusterRole(shipper.RBACManagementDomain, managementClusterRoleName); err != nil {
+func createApplicationClusterRole(cmd *cobra.Command, configurator *configurator.Cluster) error {
+	cmd.Printf("Creating a ClusterRole called %s... ", applicationClusterRoleName)
+	if err := configurator.CreateApplicationClusterRole(applicationClusterRoleName, shipper.RBACManagementDomain); err != nil {
 		if errors.IsAlreadyExists(err) {
 			cmd.Println("already exists. Skipping")
 			return nil
@@ -480,13 +484,13 @@ func createManagementClusterRole(cmd *cobra.Command, configurator *configurator.
 	return nil
 }
 
-func createManagementClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
-	cmd.Printf("Creating a ClusterRoleBinding called %s... ", managementClusterRoleBindingName)
+func createApplicationClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
+	cmd.Printf("Creating a ClusterRoleBinding called %s... ", applicationClusterRoleBindingName)
 	err := configurator.CreateClusterRoleBinding(
-		shipper.RBACManagementDomain,
-		managementClusterRoleBindingName,
-		managementClusterRoleName,
-		managementClusterServiceAccount,
+		shipper.RBACApplicationDomain,
+		applicationClusterRoleBindingName,
+		applicationClusterRoleName,
+		applicationClusterServiceAccount,
 		shipperNamespace,
 	)
 
@@ -503,13 +507,28 @@ func createManagementClusterRoleBinding(cmd *cobra.Command, configurator *config
 	return nil
 }
 
-func createApplicationClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
-	cmd.Printf("Creating a ClusterRoleBinding called %s... ", applicationClusterRoleBindingName)
+func createManagementClusterRole(cmd *cobra.Command, configurator *configurator.Cluster) error {
+	cmd.Printf("Creating a ClusterRole called %s... ", managementClusterRoleName)
+	if err := configurator.CreateManagementClusterRole(managementClusterRoleName, shipper.RBACManagementDomain); err != nil {
+		if errors.IsAlreadyExists(err) {
+			cmd.Println("already exists. Skipping")
+			return nil
+		} else {
+			return err
+		}
+	}
+
+	cmd.Println("done")
+	return nil
+}
+
+func createManagementClusterRoleBinding(cmd *cobra.Command, configurator *configurator.Cluster) error {
+	cmd.Printf("Creating a ClusterRoleBinding called %s... ", managementClusterRoleBindingName)
 	err := configurator.CreateClusterRoleBinding(
-		shipper.RBACApplicationDomain,
-		applicationClusterRoleBindingName,
-		applicationClusterRoleName,
-		applicationClusterServiceAccount,
+		shipper.RBACManagementDomain,
+		managementClusterRoleBindingName,
+		managementClusterRoleName,
+		managementClusterServiceAccount,
 		shipperNamespace,
 	)
 

diff --git a/cmd/shipperctl/configurator/cluster.go b/cmd/shipperctl/configurator/cluster.go
@@ -70,40 +70,18 @@ func (c *Cluster) CreateServiceAccount(domain, namespace string, name string) er
 	return err
 }
 
-func (c *Cluster) CreateClusterRole(domain, name string) error {
-	clusterRole := &rbacv1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
-			Labels: map[string]string{
-				shipper.RBACDomainLabel: domain,
-			},
-		},
-		Rules: []rbacv1.PolicyRule{
-			rbacv1.PolicyRule{
-				Verbs:     []string{rbacv1.VerbAll},
-				APIGroups: []string{shipper.SchemeGroupVersion.Group},
-				Resources: []string{rbacv1.ResourceAll},
-			},
-			rbacv1.PolicyRule{
-				Verbs:     []string{"update", "get", "list", "watch"},
-				APIGroups: []string{""},
-				Resources: []string{"secrets"},
-			},
-			rbacv1.PolicyRule{
-				Verbs:     []string{rbacv1.VerbAll},
-				APIGroups: []string{""},
-				Resources: []string{"events"},
-			},
-			rbacv1.PolicyRule{
-				Verbs:     []string{"get", "list", "watch"},
-				APIGroups: []string{""},
-				Resources: []string{"namespaces"},
-			},
-		},
-	}
+func (c *Cluster) CreateApplicationClusterRole(name, domain string) error {
+	err := c.createClusterRole(getApplicationClusterRole(name, domain))
+	return err
+}
 
-	_, err := c.KubeClient.RbacV1().ClusterRoles().Create(clusterRole)
+func (c *Cluster) CreateManagementClusterRole(name, domain string) error {
+	err := c.createClusterRole(getManagementClusterRole(name, domain))
+	return err
+}
 
+func (c *Cluster) createClusterRole(role *rbacv1.ClusterRole) error {
+	_, err := c.KubeClient.RbacV1().ClusterRoles().Create(role)
 	return err
 }
 

diff --git a/cmd/shipperctl/configurator/roles.go b/cmd/shipperctl/configurator/roles.go
@@ -0,0 +1,88 @@
+package configurator
+
+import (
+	shipper "github.com/bookingcom/shipper/pkg/apis/shipper/v1alpha1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func getManagementClusterRole(name, domain string) *rbacv1.ClusterRole {
+	return &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				Verbs:     []string{rbacv1.VerbAll},
+				APIGroups: []string{shipper.SchemeGroupVersion.Group},
+				Resources: []string{rbacv1.ResourceAll},
+			},
+			{
+				Verbs:     []string{"update", "get", "list", "watch"},
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+			},
+			{
+				Verbs:     []string{rbacv1.VerbAll},
+				APIGroups: []string{""},
+				Resources: []string{"events"},
+			},
+			{
+				Verbs:     []string{"get", "list"},
+				APIGroups: []string{""},
+				Resources: []string{"namespaces"},
+			},
+		},
+	}
+}
+
+func getApplicationClusterRole(name, domain string) *rbacv1.ClusterRole {
+	return &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				Verbs: []string{
+					"get",
+					"list",
+					"watch",
+					"patch",
+					"delete",
+					"update",
+					"create",
+					"deletecollection",
+				},
+				APIGroups: []string{
+					"",
+					"extensions",
+					"apps",
+					"batch",
+					rbacv1.GroupName,
+				},
+				Resources: []string{
+					"pods",
+					"pods/log",
+					"services",
+					"deployments",
+					"replicasets",
+					"statefulsets",
+					"secrets",
+					"configmaps",
+					"jobs",
+					"cronjobs",
+					"persistentvolumeclaims",
+					"endpoints",
+					"rolebindings",
+					"roles",
+					"serviceaccounts",
+				},
+			},
+			{
+				Verbs:     []string{"get", "list"},
+				APIGroups: []string{""},
+				Resources: []string{"namespaces"},
+			},
+		},
+	}
+}