Merge pull request #315 from enxebre/role
scope down permissions to namespace
openshift-merge-robot authored Jun 11, 2019
2 parents 3f7474e + d086fac commit c6eb133
Showing 4 changed files with 143 additions and 47 deletions.
2 changes: 1 addition & 1 deletion config/machine-api-operator-patch.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: machine-api-manager
name: machine-api-controllers
rules:
- apiGroups:
- cluster.k8s.io
Expand Down
178 changes: 134 additions & 44 deletions install/0000_30_machine-api-operator_09_rbac.yaml
Expand Up @@ -4,19 +4,20 @@ metadata:
name: machine-api-operator
namespace: openshift-machine-api

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: machine-api-controllers
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: Role
metadata:
creationTimestamp: null
name: machine-api-manager
name: machine-api-controllers
namespace: openshift-machine-api
rules:
- apiGroups:
- cluster.k8s.io
resources:
- '*'
verbs:
- '*'

- apiGroups:
- machine.openshift.io
Expand All @@ -33,32 +34,37 @@ rules:
- '*'

- apiGroups:
- config.openshift.io
- ""
resources:
- clusteroperators
- clusteroperators/status
- configmaps
verbs:
- create
- get
- list
- watch
- create
- update
- patch
- delete

- apiGroups:
- config.openshift.io
- ""
resources:
- infrastructures
- infrastructures/status
- secrets
verbs:
- get
- list
- watch
- create

- apiGroups:
- config.openshift.io
- ""
resources:
- featuregates
- featuregates/status
- events
verbs:
- get
- list
- create
- watch
- list
- patch

- apiGroups:
- metalkube.org
Expand All @@ -82,10 +88,17 @@ rules:
- update
- patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: machine-api-controllers
rules:

- apiGroups:
- apps
- ""
resources:
- deployments
- nodes
verbs:
- get
- list
Expand All @@ -98,25 +111,35 @@ rules:
- apiGroups:
- ""
resources:
- nodes
- pods
verbs:
- get
- list
- watch
- create
- update
- patch
- delete

- apiGroups:
- ""
resources:
- events
- pods/eviction
verbs:
- create
- watch

- apiGroups:
- extensions
resources:
- daemonsets
verbs:
- get
- list
- patch
- watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: machine-api-operator
namespace: openshift-machine-api
rules:

- apiGroups:
- ""
Expand All @@ -132,49 +155,116 @@ rules:
- delete

- apiGroups:
- ""
- apps
resources:
- secrets
- deployments
verbs:
- get
- list
- watch
- create
- update
- patch
- delete

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: machine-api-operator
rules:

- apiGroups:
- ""
- config.openshift.io
resources:
- pods
- clusteroperators
- clusteroperators/status
verbs:
- create
- get
- list
- watch
- update

- apiGroups:
- ""
- config.openshift.io
resources:
- pods/eviction
- infrastructures
- infrastructures/status
verbs:
- create
- get

- apiGroups:
- extensions
- config.openshift.io
resources:
- daemonsets
- featuregates
- featuregates/status
verbs:
- get
- list
- watch

- apiGroups:
- ""
resources:
- events
verbs:
- create
- watch
- list
- patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: machine-api-manager-rolebinding
name: machine-api-controllers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: machine-api-manager
name: machine-api-controllers
subjects:
- kind: ServiceAccount
name: machine-api-controllers
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: machine-api-controllers
namespace: openshift-machine-api
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: machine-api-controllers
subjects:
- kind: ServiceAccount
name: machine-api-controllers
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: machine-api-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: machine-api-operator
subjects:
- kind: ServiceAccount
name: machine-api-operator
namespace: openshift-machine-api

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: machine-api-operator
namespace: openshift-machine-api
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: machine-api-operator
subjects:
- kind: ServiceAccount
name: machine-api-operator
Expand Down
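Review bot: The cluster-scoped `ClusterRole` named `machine-api-controllers` (second document of this section) still grants write verbs across every namespace — `pods` with `create`, `update`, `patch` and `delete`, and `nodes` with a verb list that continues past the fold — so the scope-down only partially applies to the controllers service account. Node drain typically needs `get`/`list` on `pods`, `create` on `pods/eviction` and at most `delete` on `pods` as a fallback, so `create`/`update`/`patch` on `pods` cluster-wide look wider than needed, and if the controllers read DaemonSets through `apps/v1` the `extensions` group in the `daemonsets` rule will not cover that call — confirm both against the controllers' actual API usage before trimming. The namespaced `Role` of the same name keeps `resources: '*'` / `verbs: '*'` on `cluster.k8s.io` and `machine.openshift.io`; enumerating the resources and verbs actually used (including subresources such as a `/status`) keeps the grant from growing silently as those groups gain types. `config/machine-api-operator-patch.yaml` in this same commit still declares a `ClusterRole` named `machine-api-controllers` with `'*'` on `cluster.k8s.io`, so if that patch is applied over the installed manifests it re-introduces a cluster-wide wildcard under the new name. The old/new side of several lines is not recoverable from this rendering, so the verb lists above are read as the new side and the last rule of the operator `RoleBinding` continues past the fold.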
2 changes: 2 additions & 0 deletions install/0000_30_machine-api-operator_10_deployment.yaml
Expand Up @@ -25,6 +25,8 @@ spec:
args:
- "start"
- "--images-json=/etc/machine-api-operator-config/images/images.json"
- "--alsologtostderr"
- "--v=3"
env:
- name: RELEASE_VERSION
value: "0.0.1-snapshot"
Expand Down
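Review bot: `--alsologtostderr` on the operator container differs from the `--logtostderr=true` the controllers receive in `pkg/operator/sync.go` in this same commit; with glog/klog-style flags, `alsologtostderr` keeps writing log files to the temp directory in addition to stderr, which inside a container only fills the writable layer. If the binary uses those flags, `- "--logtostderr=true"` is the consistent choice. The two logging flags are also unrelated to the permission scope-down in the title and would read better as a separate commit.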
8 changes: 6 additions & 2 deletions pkg/operator/sync.go
Expand Up @@ -170,7 +170,7 @@ func newPodTemplateSpec(config *OperatorConfig, features map[string]bool) *corev
RunAsNonRoot: pointer.BoolPtr(true),
RunAsUser: pointer.Int64Ptr(65534),
},
ServiceAccountName: "machine-api-operator",
ServiceAccountName: "machine-api-controllers",
Tolerations: tolerations,
},
}
Expand All @@ -183,7 +183,11 @@ func newContainers(config *OperatorConfig, features map[string]bool) []corev1.Co
corev1.ResourceCPU: resource.MustParse("10m"),
},
}
args := []string{"--logtostderr=true", "--v=3"}
args := []string{
"--logtostderr=true",
"--v=3",
fmt.Sprintf("--namespace=%s", config.TargetNamespace),
}

containers := []corev1.Container{
{
Expand Down
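Review bot: `config.TargetNamespace` is passed through unchecked in `fmt.Sprintf("--namespace=%s", config.TargetNamespace)`; if it can be empty, the controllers are started with `--namespace=` and, depending on how they treat an empty value, may fall back to a cluster-wide watch that the new namespaced `Role` will not authorize, so the failure would surface only as forbidden errors at runtime. Validating it where `OperatorConfig` is built, or failing fast here, keeps the scope-down explicit. The first hunk switches the pod to the `machine-api-controllers` service account, which matches the new `RoleBinding`/`ClusterRoleBinding` pair for that name; only the first container's args are visible, so any other container built in `newContainers` that watches machine resources should receive the same flag. `newContainers` continues outside the hunk.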
