further reduce the permissions of karmada-agent
Signed-off-by: zhzhuang-zju <m17799853869@163.com>
zhzhuang-zju committed Nov 26, 2024
1 parent 34685bd commit 697929c
Showing 2 changed files with 120 additions and 52 deletions.
86 changes: 60 additions & 26 deletions docs/administrator/security/component-permission.md
@@ -1,39 +1,73 @@
---
title: RBAC Permissions for Karmada Components
title: Component Permissions
---

# RBAC Permissions for Karmada Components
# Permissions for Karmada Components

This document provides a detailed explanation of the Role-Based Access Control (RBAC) permissions required for key components of Karmada. It aims to ensure secure management and compliant access to resources within the system. As a multi-cluster management framework, controlling permissions between Karmada components is essential for maintaining the security and stability of the entire system. This guide will help administrators understand and configure the RBAC permissions needed for Karmada components effectively.

For more detailed information about RBAC permissions, please refer to the [official RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

*Note: The resources in this document are all Karmada control plane resources.*

## karmada-operator

| API Group | Resource | Verbs | Description |
|-----------|----------|-------|-------------|
| coordination.k8s.io | leases | get, create, update | Required for leader election. |
| operator.karmada.io | karmadas | get, list, watch, update | To manage Karmada instances. |
| operator.karmada.io | karmadas/status | update | To update the status subresource of Karmada instances. |
| "" (core) | events | create | Allows karmada-operator to record events in the Kubernetes API server. |
| "" (core) | nodes, pods | list | List cluster nodes and pods to get node information and for health checks. |
| "" (core) | namespaces | get | To get information about namespaces, and deploy resources into specific namespaces. |
| "" (core) | secrets, services | get, create, update, delete | To manage secrets which might contain sensitive data like credentials and services to expose applications within the cluster. |
| apps | statefulsets, deployments | get, create, update, delete | To manage StatefulSets, e.g., etcd, and Deployments, e.g., karmada-operator. |
### Component Description:

The Karmada operator is a method for installing, upgrading, and deleting Karmada instances. It builds upon the basic Karmada resource and controller concepts, provides convenience to centrally manage entire lifecycle of Karmada instances in a global cluster.

### Component Permissions:

#### Cluster-Scope:

| Resource | API Group | Resource Names | Verbs | Description |
| --------------- | ------------------- | -------------- | --------------------------- | ------------------------------------------------------------ |
| leases | coordination.k8s.io | / | get, create, update | Required for leader election |
| karmadas | operator.karmada.io | / | get, list, watch, update | To manage Karmada instances |
| karmadas/status | operator.karmada.io | / | update | To update the status subresource of Karmada instances |
| events | "" | / | create | Allows karmada-operator to record events in the Kubernetes API server |
| nodes | "" | / | list | To get Node IP |
| pods | "" | / | list | For pod health checks |
| namespaces | "" | / | get | To get information about namespaces, and deploy resources into specific namespaces |
| secrets | "" | / | get, create, update, delete | To manage secrets which might contain sensitive data like credentials |
| services | "" | / | get, create, update, delete | To manage services to expose applications within the cluster |
| statefulsets | "" | / | get, create, update, delete | To manage StatefulSets, e.g., etcd |
| deployments | apps | / | get, create, update, delete | To manage Deployments, e.g., karmada-operator |

| Non-Resource URLs | Verbs | Description |
|-------------|-------|-------------|
| /healthz | get | Used to check whether the Karmada API server is healthy. |


## karmada-agent

| API Group | Resource | Verbs | Description |
|-----------|----------|-------|-------------|
| cluster.karmada.io | clusters | list, watch | To manage and monitor clusters. |
| cluster.karmada.io | clusters | get, create, delete | resourceNames: {{clustername}} |
| cluster.karmada.io | clusters/status | update | resourceNames: {{clustername}} |
| config.karmada.io | resourceinterpreterwebhookconfigurations, resourceinterpretercustomizations | get, list, watch | To list and watch resource interpreter configurations. |
| "" (core) | namespaces | get | To get information about namespaces. |
| coordination.k8s.io | leases | get, create, update | Required for leader election. |
| certificates.k8s.io | certificatesigningrequests | get, create | To get and create CSR. |
| "" (core) | events | create, patch, update | Allows karmada-agent to record events in the Karmada API server. |
| "" (core) | secrets | get, create, patch | To manage secrets which might contain sensitive data like credentials. |
| work.karmada.io | works | get, list, watch, create, update, delete | To manage work resources. |
| work.karmada.io | works/status | patch, update | To update the status of work resources. |
### Component Description:

karmada-agent can register a specific cluster to the Karmada control plane and sync manifests from the Karmada control plane to the member cluster. In addition, it also syncs the status of member cluster and manifests to the Karmada control plane.

### Component Permissions:

In the following table, `{{cluster_name}}` represents the name of the member cluster that has been registered by the karmada-agent, and `{{cluster_namespace}}` indicates the namespace where the secrets resource of the member cluster is deployed, which is `karmada-cluster` by default.

#### Cluster-Scope:

| Resource | API Group | Resource Names | Verbs | Description |
| ---------------------------------------- | ------------------- | ------------------ | --------------------- | ------------------------------------------------------------ |
| clusters | cluster.karmada.io | / | list, watch,create | Used to create cluster and listen for cluster status |
| clusters | cluster.karmada.io | `{{cluster_name}}` | get, delete | To manager specific clusters |
| clusters/status | cluster.karmada.io | `{{cluster_name}}` | update | Used to update the status of a specific cluster |
| resourceinterpreterwebhookconfigurations | config.karmada.io | / | get, list, watch | Used to get the resourceinterpreterwebhookconfigurations resource |
| resourceinterpretercustomizations | config.karmada.io | / | get, list, watch | Used to get the resourceinterpretercustomizations resource |
| namespaces | "" | / | get | Used to get namespaces |
| leases | coordination.k8s.io | / | get, create, update | Required for leader election |
| certificatesigningrequests | certificates.k8s.io | / | get, create | Obtaining and creating CSRs for Karmada-agent's certificate rotation |
| services | "" | / | list, watch | Used to build the ClusterIPServiceResolver resource interpreter. |
| events | "" | / | create, patch, update | Allow karmada-agent to log events in Karmada API Server |

#### Namespaced-Scope:

| Resource | API Group | Resource Names | Namespace | Verbs | Description |
| ------------ | --------------- | ------------------ | ----------------------------- | ---------------------------------------- | ------------------------------------------------------------ |
| secrets | "" | `{{cluster_name}}` | `{{cluster_namespace}}` | get, patch | For accessing and modifying specific secret resources |
| secrets | "" | / | `{{cluster_namespace}}` | create | Used to create secret resources |
| works | work.karmada.io | / | karmada-es-`{{cluster_name}}` | get, create, list, watch, update, delete | Used to create and manage work resources in a specific namespace |
| works/status | work.karmada.io | / | karmada-es-`{{cluster_name}}` | patch, update | Used to update the status of work in a specific namespace |
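Review bot: the `statefulsets` row of the karmada-operator cluster-scope table puts the resource in API Group `""` (core), but StatefulSets belong to the `apps` group, as the table this hunk replaces had it (`| apps | statefulsets, deployments | get, create, update, delete | ...`); a ClusterRole written from the new row would not grant the operator access to the etcd StatefulSet it manages. Change the row to `| statefulsets | apps | / | get, create, update, delete | To manage StatefulSets, e.g., etcd |`. The `deployments` row says "e.g., karmada-operator" while the Chinese version of this page in the same commit says karmada-apiserver; since the Component Description above says the operator installs and upgrades Karmada instances, the karmada-apiserver example fits better, and in any case the two files should agree. Smaller points: "list, watch,create" in the agent's `clusters` row is missing a space; "To manager specific clusters" should read "To manage specific clusters"; "provides convenience to centrally manage entire lifecycle" reads better as "and provides a convenient way to centrally manage the entire lifecycle"; and the `/` placeholder in the Resource Names column is never explained, so one sentence in the intro stating that `/` means the rule carries no resourceNames restriction would help readers who turn these tables into RBAC rules. Finally, the karmada-agent table gains `services` list/watch (for ClusterIPServiceResolver) that the removed table did not list, while the commit message only speaks of reducing permissions; the description should say whether that rule documents what the agent already requests rather than a new grant.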
@@ -1,39 +1,73 @@
---
title: Karmada 组件的 RBAC 权限
title: 组件权限
---

# Karmada 组件的 RBAC 权限
# Karmada 组件权限

本文档旨在详细说明 Karmada 关键组件所需的角色基访问控制(RBAC)权限,以确保资源的安全管理和合规访问。Karmada作为一个多集群管理框架,其组件之间的权限控制对于维护整个系统的安全性和稳定性至关重要。本文档将为管理员提供一个全面的指南,以理解和配置 Karmada 组件的 RBAC权限。

更多 RBAC 权限的含义和配置信息可以参考[rbac 官方文档](https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/)

*注意:本文档涉及的资源均为 Karmada 控制面的资源*

## karmada-operator

| API Group | Resource | Verbs | Description |
|-----------|----------|-------|-------------|
| coordination.k8s.io | leases | get, create, update | 用于 leader 选举。 |
| operator.karmada.io | karmadas | get, list, watch, update | 用于管理 Karmada 实例。 |
| operator.karmada.io | karmadas/status | update | 用于更新 Karmada 实例的状态。 |
| "" (core) | events | create | 允许 karmada-operator 在 Kubernetes API Server 中记录 events。 |
| "" (core) | nodes, pods | list | 列出集群节点与 Pod,用于获取节点信息和 Pod 健康检查。 |
| "" (core) | namespaces | get | 用于获取命名空间信息,并将资源部署到特定命名空间中。 |
| "" (core) | secrets, services | get, create, update, delete | 用于管理 Secret(可能包含敏感数据,如认证信息)和 Service(为集群内应用提供服务发现)。 |
| apps | statefulsets, deployments | get, create, update, delete | 用于管理 StatefulSet(如 etcd)和 Deployment(如 karmada-operator)。 |
### 组件简介:

Karmada-operator 是一种用于安装、升级和删除 Karmada 实例的组件。它基于 Karmada 资源和控制器的基本概念,提供了方便的方式来集中管理 Karmada 实例的整个生命周期。

### 组件权限:

#### 集群级别:

| Resource | API Group | Resource Names | Verbs | Description |
| --------------- | ------------------- | -------------- | --------------------------- | ------------------------------------------------------------ |
| leases | coordination.k8s.io | / | get, create, update | 用于 leader 选举 |
| karmadas | operator.karmada.io | / | get, list, watch, update | 用于管理 Karmada 实例 |
| karmadas/status | operator.karmada.io | / | update | 用于更新 Karmada 实例的状态 |
| events | "" | / | create | 允许 karmada-operator 在 Kubernetes API Server 中记录 events。 |
| nodes | "" | / | list | 用于获取 Node IP |
| pods | "" | / | list | 用于 pod 的健康检查 |
| namespaces | "" | / | get | 用于获取命名空间信息,并将资源部署到特定命名空间中 |
| secrets | "" | / | get, create, update, delete | 用于管理 Secret(可能包含敏感数据,如认证信息) |
| services | "" | / | get, create, update, delete | 用于管理Service,为集群内应用提供服务发现 |
| statefulsets | "" | / | get, create, update, delete | 用于管理 StatefulSet(如 etcd) |
| deployments | apps | / | get, create, update, delete | 用于管理Deployment(如 karmada-apiserver) |

| Non-Resource URLs | Verbs | Description |
|-------------|-------|-------------|
| /healthz | get | 用于检查 Karmada API Server 的健康状态。 |


## karmada-agent

| API Group | Resource | Verbs | Description |
|-----------|----------|-------|-------------|
| cluster.karmada.io | clusters | list, watch | 用于管理和查看集群。 |
| cluster.karmada.io | clusters | get, create, delete | resourceNames: {{clustername}} |
| cluster.karmada.io | clusters/status | update | 用于更新集群状态。resourceNames: {{clustername}} |
| config.karmada.io | resourceinterpreterwebhookconfigurations, resourceinterpretercustomizations | get, list, watch | 用于获取 ResourceInterpreterCustomizations 和 ResourceInterpreterWebhookConfigurations。 |
| "" (core) | namespaces | get | 用于获取命名空间。 |
| coordination.k8s.io | leases | get, create, update | 用于 leader 选举。 |
| certificates.k8s.io | certificatesigningrequests | get, create | 用于获取和创建 CSR 资源。 |
| "" (core) | events | create, patch, update | 允许 karmada-agent 在 Karmada API Server 中记录 events。 |
| "" (core) | secrets | get, create, patch | 用于管理 Secret(可能包含敏感数据,如认证信息)。 |
| work.karmada.io | works | get, list, watch, create, update, delete | 用于管理 Work 自定义资源。 |
| work.karmada.io | works/status | patch, update | 用于更新 Work 自定义资源状态。 |
### 组件简介:

Karmada-agent 将特定集群注册到 Karmada 控制平面,并将工作负载清单从 Karmada 控制平面同步到成员集群。 此外,它也负责将成员集群及其资源的状态同步到 Karmada 控制平面。

### 组件权限:

下表中,`{{cluster_name}}` 为 karmada-agent 注册的成员集群的集群名,`{{cluster_namespace}}` 为部署成员集群 secrets 资源的命名空间,默认为 `karmada-cluster`

#### 集群级别:

| Resource | API Group | Resource Names | Verbs | Description |
| ---------------------------------------- | ------------------- | ------------------ | --------------------- | ------------------------------------------------------ |
| clusters | cluster.karmada.io | / | list, watch,create | 用于创建集群并监听集群状态 |
| clusters | cluster.karmada.io | `{{cluster_name}}` | get, delete | 删查特定的集群 |
| clusters/status | cluster.karmada.io | `{{cluster_name}}` | update | 用于更新特定集群的状态 |
| resourceinterpreterwebhookconfigurations | config.karmada.io | / | get, list, watch | 用于获取 resourceinterpreterwebhookconfigurations资源 |
| resourceinterpretercustomizations | config.karmada.io | / | get, list, watch | 用于获取 resourceinterpretercustomizations 资源 |
| namespaces | "" | / | get | 用于获取命名空间 |
| leases | coordination.k8s.io | / | get, create, update | 用于 leader 选举 |
| certificatesigningrequests | certificates.k8s.io | / | get, create | 获取和创建 CSR 资源,用于 Karmada-agent 的证书轮转 |
| services | "" | / | list, watch | 用于构建 ClusterIPServiceResolver 资源解释器 |
| events | "" | / | create, patch, update | 允许 karmada-agent 在 Karmada API Server 中记录 events |

#### 命名空间级别:

| Resource | API Group | Resource Names | Namespace | Verbs | Description |
| ------------ | --------------- | ------------------ | ----------------------------- | ---------------------------------------- | ----------------------------------------- |
| secrets | "" | `{{cluster_name}}` | `{{cluster_namespace}}` | get, patch | 用于获取和修改特定 secret资源 |
| secrets | "" | / | `{{cluster_namespace}}` | create | 用于创建 secret资源 |
| works | work.karmada.io | / | karmada-es-`{{cluster_name}}` | get, create, list, watch, update, delete | 用于创建和管理特定命名空间下 的 work 资源 |
| works/status | work.karmada.io | / | karmada-es-`{{cluster_name}}` | patch, update | 用于更新特定命名空间下 work 的状态 |
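Review bot: the Chinese file repeats the API-group mistake of the English one: `statefulsets` is listed under `""` but belongs to `apps` (the removed table had `| apps | statefulsets, deployments |`); change the cell to `apps`. The `deployments` row gives karmada-apiserver as the example where the English file says karmada-operator; pick one and use it in both files. Also: `list, watch,create` lacks a space after the comma; `删查特定的集群` is terse for the verbs `get, delete` and the English "To manage specific clusters" (suggest `用于获取和删除特定集群`); and spacing is inconsistent with the neighbouring rows in `resourceinterpreterwebhookconfigurations资源`, `secret资源` and `特定命名空间下 的 work 资源` (the last has a stray space inside the phrase).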

0 comments on commit 697929c