Make admin privileges configurable #89

Merged
merged 1 commit into from
Sep 28, 2023
3 changes: 3 additions & 0 deletions Makefile
@@ -10,6 +10,9 @@ SUDO = sudo
SHELL = /bin/bash
.SHELLFLAGS = -e -o pipefail -c

PATH := $(shell aqua root-dir)/bin:$(PATH)"
export PATH

CRD_OPTIONS = "crd:crdVersions=v1,maxDescLen=220"

# for Go
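Review bot: the new `PATH := $(shell aqua root-dir)/bin:$(PATH)"` line ends with a stray double quote; make does not strip it, so the last PATH entry gets a literal `"` appended and binaries in that directory stop resolving. Drop the quote: `PATH := $(shell aqua root-dir)/bin:$(PATH)`. Also worth noting that `$(shell aqua root-dir)` runs at parse time on every make invocation: if aqua is not installed the result is empty and the prefix becomes plain `/bin`, so a one-line check (or a comment pointing at README step 3) would make that failure mode explicit.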
6 changes: 5 additions & 1 deletion README.md
@@ -49,7 +49,11 @@ Run and try Accurate on a [kind (Kubernetes-In-Docker)][kind] cluster as follows

3. Install [aqua][].

https://aquaproj.github.io/docs/tutorial-basics/quick-start
Member Author

This page no longer exists.

```console
$ go install github.com/aquaproj/aqua/v2/cmd/aqua@latest
```

cf. https://aquaproj.github.io/docs/install

4. Go to `e2e` directory, setup shell variables, and execute `make start`.
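Review bot: `go install github.com/aquaproj/aqua/v2/cmd/aqua@latest` in the new step 3 installs whatever version is current on the day someone runs it, so the e2e setup is not reproducible and an unreviewed upstream release can land in a developer's PATH (which the Makefile now prepends). Prefer pinning the version (`@v2.X.Y`, placeholder for whichever release the e2e was tested with) or pointing at a pinned command on the linked install page.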

27 changes: 14 additions & 13 deletions charts/accurate/README.md
@@ -39,19 +39,20 @@ $ helm install --create-namespace --namespace accurate accurate -f values.yaml a

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
| controller.extraArgs | list | `[]` | Optional additional arguments. |
| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |
| Key | Type | Default | Description |
| ---------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
| controller.additionalRBAC.clusterRoles | list | `[]` | Specify additional ClusterRoles to be granted to the accurate controller. "admin" is recommended to allow the controller to manage common namespace-scoped resources. |
| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
| controller.extraArgs | list | `[]` | Optional additional arguments. |
| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |

## Generate Manifests
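Review bot: the `controller.additionalRBAC.clusterRoles` description says "admin" is recommended but not that each listed role is bound through a ClusterRoleBinding (templates/additional-rbac.yaml), i.e. the controller receives that role in every namespace, nor that this list now supplies the read access on the default watched kinds (Role, RoleBinding, Secret) that the removed wildcard get/list/watch rule used to provide. Suggest adding both facts so that someone setting the list to `[]` for least privilege knows what to replace, e.g. "Bound cluster-wide; the roles must cover at least the kinds in controller.config.watches."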

22 changes: 20 additions & 2 deletions charts/accurate/templates/additional-rbac.yaml
@@ -1,4 +1,4 @@
{{ if .Values.controller.additionalRBAC.rules }}
{{- if .Values.controller.additionalRBAC.rules }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -19,4 +19,22 @@ subjects:
name: {{ template "accurate.fullname" . }}-controller-manager
namespace: {{ .Release.Namespace }}
---
{{ end }}
{{- end }}
{{- if .Values.controller.additionalRBAC.clusterRoles }}
{{- $root := . }}
{{- range .Values.controller.additionalRBAC.clusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "accurate.fullname" $root }}-manager-{{ . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ . }}
subjects:
- kind: ServiceAccount
name: {{ template "accurate.fullname" $root }}-controller-manager
namespace: {{ $root.Release.Namespace }}
---
{{- end }}
{{- end }}
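Review bot: the ClusterRoleBinding emitted by the new `range` loop has only `name:` under `metadata:`, while the hard-wired `-manager-admin` binding it replaces (removed from charts/accurate/templates/generated/generated.yaml in this PR) carried the standard `app.kubernetes.io/*` and `helm.sh/chart` labels. Add the same labels block so the new bindings stay selectable alongside the chart's other RBAC objects. Keeping the name `{{ template "accurate.fullname" $root }}-manager-{{ . }}` is right: for `admin` it matches the old object, so an upgrade adopts it instead of creating a duplicate.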
26 changes: 0 additions & 26 deletions charts/accurate/templates/generated/generated.yaml
@@ -74,14 +74,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- accurate.cybozu.com
resources:
@@ -187,24 +179,6 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
app.kubernetes.io/name: '{{ include "accurate.name" . }}'
app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
helm.sh/chart: '{{ include "accurate.chart" . }}'
name: '{{ template "accurate.fullname" . }}-manager-admin'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: '{{ template "accurate.fullname" . }}-controller-manager'
namespace: '{{ .Release.Namespace }}'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/managed-by: '{{ .Release.Service }}'
5 changes: 5 additions & 0 deletions charts/accurate/values.yaml
@@ -102,3 +102,8 @@ controller:
- update
- patch
- delete
# controller.additionalRBAC.clusterRoles -- Specify additional ClusterRoles to be granted
# to the accurate controller. "admin" is recommended to allow the controller to manage
# common namespace-scoped resources.
clusterRoles:
- admin
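Review bot: the comment on `clusterRoles` recommends `admin` and the default is also `admin`, so every install grants the controller admin in all namespaces unless the operator opts out, and nothing here states what the minimum is. Suggest the comment say that the list is bound cluster-wide and that a narrower ClusterRole, or the `rules` key directly above, can replace `admin` when only specific kinds are propagated.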
8 changes: 0 additions & 8 deletions config/rbac/role.yaml
@@ -16,14 +16,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- accurate.cybozu.com
resources:
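Review bot: this file is controller-gen output from the `//+kubebuilder:rbac` marker removed in controllers/propagate.go, as is charts/accurate/templates/generated/generated.yaml; please confirm both hunks were produced by the generator rather than edited by hand, so the next regeneration does not reintroduce or reorder the rule.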
13 changes: 0 additions & 13 deletions config/rbac/role_binding.yaml
@@ -10,16 +10,3 @@ subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: controller-manager
namespace: system
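Review bot: the kustomize manifests lose the `manager-admin` ClusterRoleBinding here but, unlike the Helm chart, get no replacement: the chart's templates/additional-rbac.yaml binds whatever `clusterRoles` lists, whereas config/rbac now binds nothing beyond the manager role, and the wildcard read rule is gone from config/rbac/role.yaml too. Anyone deploying from config/ would end up with a controller that cannot read the kinds it propagates. Either keep an optional admin binding under config/rbac or state in the README that config/ is no longer a complete deployment.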
2 changes: 0 additions & 2 deletions controllers/propagate.go
@@ -54,8 +54,6 @@ func cloneResource(res *unstructured.Unstructured, ns string) *unstructured.Unst
return c
}

//+kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch

// PropagateController propagates objects of a namespace-scoped resource.
type PropagateController struct {
client.Client
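Review bot: removing the `//+kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch` marker means the generated ClusterRole no longer guarantees that PropagateController can watch the namespace-scoped kinds configured in `controller.config.watches`; that permission now comes only from the externally bound ClusterRoles (`controller.additionalRBAC.clusterRoles`, default `admin`). A short comment above `PropagateController` stating this dependency, and a clear log line when a watch fails with Forbidden, would make a misconfigured deployment obvious instead of silently not propagating.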
2 changes: 2 additions & 0 deletions e2e/values.yaml
@@ -56,3 +56,5 @@ controller:
- update
- patch
- delete
clusterRoles:
- admin
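Review bot: `clusterRoles: [admin]` here matches the chart default, so the e2e run only exercises the privileged path. Consider a second e2e configuration with `clusterRoles: []` plus explicit `rules` covering the watched kinds, so the least-privilege route this PR makes possible is actually tested.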