Automated backport of #3040: Reduce submariner-operator RBAC permissions #3045

22 changes: 18 additions & 4 deletions config/rbac/lighthouse-agent/cluster_role.yaml
Expand Up @@ -15,7 +15,6 @@ rules:
- get
- list
- watch
- update
- apiGroups:
- discovery.k8s.io
resources:
Expand All @@ -32,20 +31,35 @@ rules:
- apiGroups:
- submariner.io
resources:
- "gateways"
- "globalingressips"
- gateways
- globalingressips
verbs:
- get
- list
- watch
- apiGroups:
- multicluster.x-k8s.io
resources:
- "*"
- serviceimports
- serviceimports/status
verbs:
- create
- get
- list
- watch
- update
- delete
- apiGroups:
- multicluster.x-k8s.io
resources:
- serviceexports
verbs:
- get
- list
- watch
- apiGroups:
- multicluster.x-k8s.io
resources:
- serviceexports/status
verbs:
- update
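Review bot: The `serviceimports/status` entry at L39 shares the verb list of its parent rule, so the new rule grants `create`, `delete`, `list` and `watch` on a status subresource that only accepts `get`, `update` and `patch`; those extra verbs are inert but widen the grant this commit is meant to narrow. Move `serviceimports/status` into its own rule with `verbs: [update]`, mirroring the `serviceexports/status` rule that closes the hunk at L55-L60. If the agent writes status with a patch rather than a full update, that rule needs `patch` as well — worth confirming against the client code. A `# Needed for …` comment on each remaining rule, as this same change adds in config/rbac/submariner-operator/cluster_role.yaml, would make the grants reviewable without reading the controllers.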
24 changes: 3 additions & 21 deletions config/rbac/lighthouse-coredns/cluster_role.yaml
Expand Up @@ -5,46 +5,28 @@ metadata:
creationTimestamp: null
name: submariner-lighthouse-coredns
rules:
- apiGroups:
- ""
resources:
- services
- namespaces
- endpoints
verbs:
- get
- list
- watch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- create
- get
- list
- watch
- update
- delete
- deletecollection
- apiGroups:
- submariner.io
resources:
- "gateways"
- "submariners"
- gateways
- submariners
verbs:
- get
- list
- watch
- apiGroups:
- multicluster.x-k8s.io
resources:
- "*"
- serviceimports
verbs:
- create
- get
- list
- watch
- update
- delete
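Review bot: The multicluster.x-k8s.io rule that now names `serviceimports` (L105) still carries `create`, `update` and `delete` at L107, L111 and L112, a write grant on a component that, by name, serves DNS from those objects. If the CoreDNS plugin only reads ServiceImports, trim the verbs to `get`, `list` and `watch`, as the `submariner.io` rule just above already does; if it does write them, a one-line comment on the rule saying why would keep the grant reviewable. The rendered diff does not show which of the core-group and discovery.k8s.io lines earlier in the hunk survive, so the same check applies to any `update`, `delete` or `deletecollection` verb that remains there.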
40 changes: 0 additions & 40 deletions config/rbac/submariner-gateway/cluster_role.yaml
Expand Up @@ -10,21 +10,7 @@ rules:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- create
- update
- delete
- apiGroups: # pods and services are looked up to figure out network settings
- ""
resources:
- pods
Expand All @@ -34,29 +20,3 @@ rules:
- get
- list
- watch
- apiGroups:
- operator.openshift.io
resources:
- dnses
verbs:
- get
- list
- watch
- update
- apiGroups:
- config.openshift.io
resources:
- networks
verbs:
- get
- list
- apiGroups:
- submariner.io
resources:
- endpoints
- gateways
- clusters
verbs:
- get
- list
- watch
52 changes: 10 additions & 42 deletions config/rbac/submariner-gateway/role.yaml
Expand Up @@ -9,55 +9,23 @@ rules:
- ""
resources:
- pods
- services
- services/finalizers
- endpoints
- events
- configmaps
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- apps
resourceNames:
- submariner-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- patch
- apiGroups:
- submariner.io
resources:
- '*'
- clusters
- endpoints
- gateways
verbs:
- '*'
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- coordination.k8s.io
resources:
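Review bot: The `submariner.io` rule now enumerates `clusters`, `endpoints` and `gateways` (L221-L223) but keeps `create`, `update` and `delete` at L229-L231 with no comment on why a namespaced gateway Role needs write access to each of the three kinds; the same change adds `# Needed for …` comments to config/rbac/submariner-operator/cluster_role.yaml, and this rule would benefit from one, e.g. `# Gateway publishes its own Endpoint and Gateway objects — TODO confirm whether Cluster objects are also written`. From the rendered view I cannot tell whether the `'*'` verb at L179 survives on the core-group rule; if it does, that rule still grants every verb on `pods` in the namespace and deserves the same scrutiny. The `coordination.k8s.io` rule that starts at L232 continues past the end of the hunk, so its verbs are not visible here.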
14 changes: 10 additions & 4 deletions config/rbac/submariner-globalnet/cluster_role.yaml
Expand Up @@ -8,14 +8,20 @@ rules:
- apiGroups:
- ""
resources:
- pods
- namespaces
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
Expand All @@ -31,8 +37,8 @@ rules:
- apiGroups:
- submariner.io
resources:
- endpoints
- clusters
- endpoints
verbs:
- get
- list
Expand All @@ -57,7 +63,7 @@ rules:
- apiGroups:
- multicluster.x-k8s.io
resources:
- "serviceexports"
- serviceexports
verbs:
- get
- list
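Review bot: In the first hunk the `pods` rule added at L250-L257 carries the same `get`/`list`/`watch` verbs as the `namespaces`/`nodes` rule above it, so the split only pays off if `- update` at L249 stays on the new side for namespaces and nodes, and the rendered diff does not show which side that line is on. If `update` survives, globalnet keeps cluster-wide write access to Node and Namespace objects and the rule should say what it is for, e.g. `# update: globalnet writes annotations on nodes/namespaces — TODO confirm`; if it was removed, the two rules have identical verbs and can be merged back into one. Either way the justification belongs on the rule itself, as the operator ClusterRole in this same change does with its `# Needed for …` comments.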
55 changes: 0 additions & 55 deletions config/rbac/submariner-globalnet/role.yaml
Expand Up @@ -5,61 +5,6 @@ metadata:
creationTimestamp: null
name: submariner-globalnet
rules:
- apiGroups:
- ""
resources:
- pods
- services
- services/finalizers
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- apps
resourceNames:
- submariner-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- apiGroups:
- submariner.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
23 changes: 11 additions & 12 deletions config/rbac/submariner-operator/cluster_role.yaml
Expand Up @@ -28,9 +28,10 @@ rules:
- update
- delete
- watch
- apiGroups: # pods, services and nodes are looked up to figure out network settings
- apiGroups:
- ""
resources:
# Needed for network settings discovery
- pods
- services
- nodes
Expand All @@ -44,41 +45,39 @@ rules:
- dnses
verbs:
- get
- list
- watch
- update
- apiGroups:
- config.openshift.io
resources:
# Needed for network settings discovery
- networks
resourceNames:
- cluster
verbs:
- get
- list
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- monitoring.coreos.com
resources:
# Needed for openshift monitoring
- servicemonitors
verbs:
- get
- create
- apiGroups:
- apps
resources:
# Needed for Flannel CNI discovery
- daemonsets
verbs:
- list
- apiGroups:
- rbac.authorization.k8s.io
resources:
# Temporarily needed for network-plugin syncer removal
- clusterroles
- clusterrolebindings
resourceNames:
- ocp-submariner-networkplugin-syncer
- submariner-networkplugin-syncer
verbs:
- delete
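Review bot: The `config.openshift.io` rule now pins `resourceNames: [cluster]` (L372-L373) while keeping `list` at L376; Kubernetes RBAC authorises a `list` under a resourceNames restriction only when the client sends a `metadata.name` field selector matching that name, so a plain list of `networks` will be denied. If the operator only does a `get` of the `cluster` object, drop `- list`; if it genuinely lists, either remove the resourceNames restriction or confirm the client filters by name. The `dnses` rule at the top of the hunk begins before the hunk starts, so its apiGroup and any resourceNames restriction are not visible here and the same check should be repeated on it. The `# Temporarily needed for network-plugin syncer removal` comment at L403 would be more useful with an explicit removal point, e.g. `# Temporarily needed for network-plugin syncer removal; drop after <RELEASE — placeholder>`.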