From b470ea55302fcb6dd29f8661f0e1a823de2c1b02 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Fri, 8 Mar 2019 15:58:48 +0000
Subject: [PATCH 1/7] WIP: explicit cluster roles for controller/webhook, not cluster-admin
---
 config/200-controller-clusterrole.yaml | 27 +++++++++++++++++++++++++
 config/200-serviceaccount.yaml | 6 ++++++
 config/200-webhook-clusterrole.yaml | 28 ++++++++++++++++++++++++++
 config/201-clusterrolebinding.yaml | 15 +++++++++++++-
 config/500-webhook.yaml | 2 +-
 5 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 config/200-controller-clusterrole.yaml
 create mode 100644 config/200-webhook-clusterrole.yaml
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
new file mode 100644
index 00000000000..b82869506ac
--- /dev/null
+++ b/config/200-controller-clusterrole.yaml
@@ -0,0 +1,27 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: knative-eventing-controller
+rules:
+ - apiGroups: [""]
+ resources: ["namespaces", "secrets", "configmaps", "services", "events", "serviceaccounts"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["serving.knative.dev"]
+ resources: ["routes", "services"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["serving.knative.dev"]
+ resources: ["routes/status", "services/status"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ resources: ["virtualservices"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ # Our own resources and statuses we care about
+ - apiGroups: ["eventing.knative.dev"]
+ resources: ["channels", "clusterchannelprovisioners", "subscriptions"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["eventing.knative.dev"]
+ resources: ["channels/status", "clusterchannelprovisioners/status", "subscriptions/status"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml
index 994c753bb0f..93870a968d4 100644
--- a/config/200-serviceaccount.yaml
+++ b/config/200-serviceaccount.yaml
@@ -16,3 +16,9 @@ kind: ServiceAccount
 metadata:
 name: eventing-controller
 namespace: knative-eventing
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eventing-webhook
+ namespace: knative-eventing
diff --git a/config/200-webhook-clusterrole.yaml b/config/200-webhook-clusterrole.yaml
new file mode 100644
index 00000000000..dcfd0e1ec3a
--- /dev/null
+++ b/config/200-webhook-clusterrole.yaml
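Review bot: The first rule grants every verb, including `delete`, on `namespaces`, `serviceaccounts` and `secrets` across the whole cluster, which leaves the controller not far from the cluster-admin binding this series sets out to retire. Nothing in the hunk indicates the controller creates or deletes namespaces or service accounts; if it only watches them, split the rule per resource and keep the mutating verbs for the resources it actually writes, e.g. `- apiGroups: [""]` / `resources: ["namespaces"]` / `verbs: ["get", "list", "watch"]`. A short comment above each rule naming the reconciler that needs it, as the webhook role in this series does, would make later trimming of this file safer. The later patches reorder and extend this file but leave this first rule as it is.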
@@ -0,0 +1,28 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: knative-eventing-webhook
+rules:
+ # For watching logging configuration and getting certs
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+ # For manipulating certs into secrets
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "create"]
+ # For getting our Deployment so we can decorate with ownerref
+ - apiGroups: ["extensions"]
+ resources: ["deployments"]
+ verbs: ["get"]
+ # For actually registering our webhook
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ # Our own resources and statuses we care about
+ - apiGroups: ["eventing.knative.dev"]
+ resources: ["channels", "clusterchannelprovisioners", "subscriptions"]
+ verbs: ["get", "list", "create", "watch"]
+ - apiGroups: ["eventing.knative.dev"]
+ resources: ["channels/status", "clusterchannelprovisioners/status", "subscriptions/status"]
+ verbs: ["get", "list", "create", "watch"]
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index 83b463aa412..68e96356cb0 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
@@ -21,5 +21,18 @@ subjects:
 namespace: knative-eventing
 roleRef:
 kind: ClusterRole
- name: cluster-admin
+ name: knative-eventing-controller
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eventing-webhook-admin
+subjects:
+ - kind: ServiceAccount
+ name: eventing-webhook
+ namespace: knative-eventing
+roleRef:
+ kind: ClusterRole
+ name: knative-eventing-webhook
 apiGroup: rbac.authorization.k8s.io
diff --git a/config/500-webhook.yaml b/config/500-webhook.yaml
index d1183aee24b..5452e0568cf 100644
--- a/config/500-webhook.yaml
+++ b/config/500-webhook.yaml
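Review bot: The `secrets` rule gives the webhook `get` on every Secret in the cluster, while its own comment says the grant exists only to read and create the serving cert; if that cert lives in the webhook's own namespace, a namespaced Role plus RoleBinding in `knative-eventing` would bound the grant to that namespace and leave only the genuinely cluster-scoped `mutatingwebhookconfigurations` rule in this ClusterRole. That rule in turn carries `update`, `patch` and `delete` on every MutatingWebhookConfiguration rather than just the webhook's own registration; if only its own object is written, a `resourceNames` restriction on the mutating verbs would narrow it. If the cluster-wide scope is intentional, a comment above the rule saying why would keep the next reader from trimming it.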
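Review bot: The new ClusterRoleBinding is named `eventing-webhook-admin` although the role it binds, `knative-eventing-webhook`, is deliberately not an admin role, so the name now misdescribes the grant; `eventing-webhook` or `knative-eventing-webhook` would read as what it is. The existing binding whose roleRef this hunk rewrites starts outside the hunk; if its name carries the same `-admin` suffix the same remark applies there.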
@@ -29,7 +29,7 @@ spec:
 sidecar.istio.io/inject: "false"
 labels: *labels
 spec:
- serviceAccountName: eventing-controller
+ serviceAccountName: eventing-webhook
 containers:
 - name: webhook
 terminationMessagePolicy: FallbackToLogsOnError
From 2bcf1c600a31631baf878f2b812ba56cd91296d4 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Tue, 26 Mar 2019 18:04:56 +0000
Subject: [PATCH 2/7] address PR feedback
---
 config/200-controller-clusterrole.yaml | 19 +++++++++++++++----
 config/200-serviceaccount.yaml | 1 +
 config/200-webhook-clusterrole.yaml | 23 +++++++++++++++++------
 3 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index b82869506ac..eb837f54824 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -1,14 +1,25 @@
-kind: ClusterRole
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 name: knative-eventing-controller
 rules:
 - apiGroups: [""]
 resources: ["namespaces", "secrets", "configmaps", "services", "events", "serviceaccounts"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["serving.knative.dev"]
 resources: ["routes", "services"]
 verbs: ["get", "list", "watch"]
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml
index 93870a968d4..7d4e642500b 100644
--- a/config/200-serviceaccount.yaml
+++ b/config/200-serviceaccount.yaml
@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/config/200-webhook-clusterrole.yaml b/config/200-webhook-clusterrole.yaml
index dcfd0e1ec3a..3b5d3947d1c 100644
--- a/config/200-webhook-clusterrole.yaml
+++ b/config/200-webhook-clusterrole.yaml
@@ -1,5 +1,19 @@
-kind: ClusterRole
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 name: knative-eventing-webhook
 rules:
@@ -12,7 +26,7 @@ rules:
 resources: ["secrets"]
 verbs: ["get", "create"]
 # For getting our Deployment so we can decorate with ownerref
- - apiGroups: ["extensions"]
+ - apiGroups: ["apps"]
 resources: ["deployments"]
 verbs: ["get"]
 # For actually registering our webhook
@@ -21,8 +35,5 @@ rules:
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 # Our own resources and statuses we care about
 - apiGroups: ["eventing.knative.dev"]
- resources: ["channels", "clusterchannelprovisioners", "subscriptions"]
- verbs: ["get", "list", "create", "watch"]
- - apiGroups: ["eventing.knative.dev"]
- resources: ["channels/status", "clusterchannelprovisioners/status", "subscriptions/status"]
+ resources: ["brokers", "brokers/status", "channels", "channels/status", "clusterchannelprovisioners", "clusterchannelprovisioners/status", "subscriptions", "subscriptions/status", "triggers", "triggers/status",]
 verbs: ["get", "list", "create", "watch"]
From 8e1359fed74d8f0f32c42822d4666966214c458e Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Tue, 26 Mar 2019 18:06:09 +0000
Subject: [PATCH 3/7] add broker / trigger roles
---
 config/200-controller-clusterrole.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
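Review bot: The merged rule in the last hunk keeps `create` on brokers, channels, subscriptions, triggers and all of their `/status` subresources for the webhook, and nothing in the hunk shows an admission webhook creating those objects; if it only validates and defaults them, `verbs: ["get", "list", "watch"]` is all it needs, and `create` on a `*/status` subresource has no corresponding API operation in any case. As a point of style, the single-line flow sequence ending in `"triggers/status",]` is valid YAML but runs far past 120 columns and hides which resource a future change touches; a block sequence with one resource per line would make the next addition a one-line diff. The same flow-sequence line is added to the controller role in PATCH 3/7, 4/7 and 6/7 of this series.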
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index eb837f54824..70fe05a9d4e 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -31,8 +31,5 @@ rules:
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 # Our own resources and statuses we care about
 - apiGroups: ["eventing.knative.dev"]
- resources: ["channels", "clusterchannelprovisioners", "subscriptions"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["eventing.knative.dev"]
- resources: ["channels/status", "clusterchannelprovisioners/status", "subscriptions/status"]
+ resources: ["brokers", "brokers/status", "channels", "channels/status", "clusterchannelprovisioners", "clusterchannelprovisioners/status", "subscriptions", "subscriptions/status", "triggers", "triggers/status",]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
From 1777c95b239eaf085bcd27c9830bd1a1439db89e Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Tue, 26 Mar 2019 20:41:49 +0000
Subject: [PATCH 4/7] apps / rolebindings to controller-clusterrole
---
 config/200-controller-clusterrole.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index 70fe05a9d4e..73761eb61ff 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -33,3 +33,9 @@ rules:
 - apiGroups: ["eventing.knative.dev"]
 resources: ["brokers", "brokers/status", "channels", "channels/status", "clusterchannelprovisioners", "clusterchannelprovisioners/status", "subscriptions", "subscriptions/status", "triggers", "triggers/status",]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["rolebindings"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
From 03e150d5e46b8fdc57e8e6580dc1521a97c57c46 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Tue, 26 Mar 2019 21:10:21 +0000
Subject: [PATCH 5/7] need to create deployments
---
 config/200-controller-clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index 73761eb61ff..e970dc2ee3e 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -35,7 +35,7 @@ rules:
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["apps"]
 resources: ["deployments"]
- verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["rbac.authorization.k8s.io"]
 resources: ["rolebindings"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
From 0f22d99aa5da14a045fb4b5bd18c82249aeb1e6f Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Tue, 26 Mar 2019 22:56:44 +0000
Subject: [PATCH 6/7] pr feedback round 239
---
 config/200-controller-clusterrole.yaml | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index e970dc2ee3e..8bc50d1a5da 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
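Review bot: The new `rolebindings` rule grants `create`, `update`, `delete` and `patch` on RoleBindings in every namespace, which turns the controller into a distributor of RBAC grants; the API server's escalation check only lets it bind permissions it already holds, but this role already holds broad core and `apps` permissions, so a bug in the reconciler that writes those bindings becomes a cross-namespace permissions issue rather than a local one. A comment above the rule naming the reconciler and the Role it binds (presumably the per-Broker service accounts, to be confirmed against the controller code), e.g. `# Broker reconciler creates RoleBindings for its ingress/filter service accounts`, would record why the grant exists and let a later reader check whether `delete` is still needed.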
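Review bot: Widening `deployments` to the full verb set in the second hunk lets the controller create or patch a Deployment in any namespace, and a Deployment runs its pods under any ServiceAccount of that namespace, so together with the cluster-wide `secrets` access in the core rule this is close to namespace-admin everywhere; the commit title says Deployments must be created but not where or by which reconciler. If they are only ever created alongside the Broker in the Broker's own namespace, a comment stating that above the rule, such as `# Broker ingress/filter Deployments — created in the Broker's namespace`, documents the reason, and a reviewer can then judge whether a narrower grant is possible once the reconciler settles.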
@@ -21,21 +21,18 @@ rules:
 resources: ["namespaces", "secrets", "configmaps", "services", "events", "serviceaccounts"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["serving.knative.dev"]
- resources: ["routes", "services"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["serving.knative.dev"]
- resources: ["routes/status", "services/status"]
+ resources: ["routes", "routes/status", "services", "services/status"]
 verbs: ["get", "list", "watch"]
 - apiGroups: ["networking.istio.io"]
 resources: ["virtualservices"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- # Our own resources and statuses we care about
- - apiGroups: ["eventing.knative.dev"]
- resources: ["brokers", "brokers/status", "channels", "channels/status", "clusterchannelprovisioners", "clusterchannelprovisioners/status", "subscriptions", "subscriptions/status", "triggers", "triggers/status",]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["apps"]
 resources: ["deployments"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["rbac.authorization.k8s.io"]
 resources: ["rolebindings"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ # Our own resources and statuses we care about
+ - apiGroups: ["eventing.knative.dev"]
+ resources: ["brokers", "brokers/status", "channels", "channels/status", "clusterchannelprovisioners", "clusterchannelprovisioners/status", "subscriptions", "subscriptions/status", "triggers", "triggers/status",]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
From 64f838fbf34ab237734bf66f95ebc271a660dfcd Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 27 Mar 2019 19:51:05 +0000
Subject: [PATCH 7/7] webhook uses extensions instead of apps
---
 config/200-webhook-clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/200-webhook-clusterrole.yaml b/config/200-webhook-clusterrole.yaml
index 3b5d3947d1c..ef424a6cc28 100644
--- a/config/200-webhook-clusterrole.yaml
+++ b/config/200-webhook-clusterrole.yaml
@@ -26,7 +26,7 @@ rules:
 resources: ["secrets"]
 verbs: ["get", "create"]
 # For getting our Deployment so we can decorate with ownerref
- - apiGroups: ["apps"]
+ - apiGroups: ["extensions"]
 resources: ["deployments"]
 verbs: ["get"]
 # For actually registering our webhook
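Review bot: Reverting the `deployments` rule from `apps` back to `extensions` matches whatever client the webhook uses today, but the `extensions` Deployment endpoint is a deprecated compatibility alias for `apps`, so this `get` will stop working for the ownerref lookup the comment describes as soon as the webhook code (outside this series) moves to `apps/v1`. Listing both groups, `- apiGroups: ["apps", "extensions"]`, keeps the lookup working through that migration at no additional privilege, since the verb stays `get` on the same resource. The reason for the choice currently lives only in the patch title; a comment such as `# webhook still reads its Deployment via the extensions group` above the rule would carry it into the file.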