// Copyright The Monogon Project Authors.
// SPDX-License-Identifier: Apache-2.0

4package reconciler
import (
	"context"
	"fmt"

	rbac "k8s.io/api/rbac/v1"
	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
)
// Names of the built-in RBAC objects managed by this reconciler, all derived
// through builtinRBACName (defined elsewhere in this package).
//
// A ClusterRole and its ClusterRoleBinding intentionally share the same base
// name ("csi-provisioner", "netservices"): they are distinct API kinds, so the
// names do not collide.
var (
	clusterRoleBindingAPIServerKubeletClient = builtinRBACName("apiserver-kubelet-client")
	clusterRoleBindingOwnerAdmin             = builtinRBACName("owner-admin")
	clusterRoleCSIProvisioner                = builtinRBACName("csi-provisioner")
	clusterRoleBindingCSIProvisioners        = builtinRBACName("csi-provisioner")
	clusterRoleNetServices                   = builtinRBACName("netservices")
	clusterRoleBindingNetServices            = builtinRBACName("netservices")
)
// resourceClusterRoles reconciles the built-in ClusterRoles. It embeds the
// Kubernetes client it uses to list, create, update and delete them.
type resourceClusterRoles struct {
	kubernetes.Interface
}
// List returns the ClusterRoles currently in the cluster that match the
// listBuiltins options (defined elsewhere in this package), as generic
// meta.Objects for the reconciler to compare against Expected.
func (r resourceClusterRoles) List(ctx context.Context) ([]meta.Object, error) {
	roles, err := r.RbacV1().ClusterRoles().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	// Address each element of the response slice directly rather than a range
	// copy, so the returned objects alias the items in the list response.
	out := make([]meta.Object, 0, len(roles.Items))
	for i := range roles.Items {
		out = append(out, &roles.Items[i])
	}
	return out, nil
}
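// Create creates the given ClusterRole in the cluster.
//
// el must be a *rbac.ClusterRole (as produced by Expected); any other type is
// reported as an error rather than panicking inside the reconciler.
func (r resourceClusterRoles) Create(ctx context.Context, el meta.Object) error {
	role, ok := el.(*rbac.ClusterRole)
	if !ok {
		return fmt.Errorf("expected *rbac.ClusterRole, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoles().Create(ctx, role, meta.CreateOptions{})
	return err
}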
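// Update replaces the existing ClusterRole with the given one.
//
// el must be a *rbac.ClusterRole (as produced by Expected); any other type is
// reported as an error rather than panicking inside the reconciler.
func (r resourceClusterRoles) Update(ctx context.Context, el meta.Object) error {
	role, ok := el.(*rbac.ClusterRole)
	if !ok {
		return fmt.Errorf("expected *rbac.ClusterRole, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoles().Update(ctx, role, meta.UpdateOptions{})
	return err
}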
// Delete removes the ClusterRole called name, honouring the given delete
// options.
func (r resourceClusterRoles) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	roles := r.RbacV1().ClusterRoles()
	return roles.Delete(ctx, name, opts)
}
// Expected returns the built-in ClusterRoles this reconciler keeps in the
// cluster: one for the CSI provisioner and one for node networking services.
//
// Both roles are cluster-scoped, so every verb below applies across all
// namespaces; the rule sets should stay as small as their consumers need.
func (r resourceClusterRoles) Expected() []meta.Object {
	// rule builds a PolicyRule for a single API group.
	rule := func(group string, resources []string, verbs ...string) rbac.PolicyRule {
		return rbac.PolicyRule{
			APIGroups: []string{group},
			Resources: resources,
			Verbs:     verbs,
		}
	}
	// role wraps rules in a ClusterRole carrying the built-in labels and a
	// human-readable description annotation.
	role := func(name, description string, rules ...rbac.PolicyRule) *rbac.ClusterRole {
		return &rbac.ClusterRole{
			ObjectMeta: meta.ObjectMeta{
				Name:   name,
				Labels: builtinLabels(nil),
				Annotations: map[string]string{
					"kubernetes.io/description": description,
				},
			},
			Rules: rules,
		}
	}

	// NOTE: "StorageClassses" is misspelled in the description below. It is
	// kept verbatim because changing the annotation changes the object written
	// to the cluster.
	csiProvisioner := role(clusterRoleCSIProvisioner,
		"This role grants access to PersistentVolumes, PersistentVolumeClaims and StorageClassses, as used by the CSI provisioner running on nodes.",
		rule("", []string{"events"}, "get", "list", "watch", "create", "update", "patch"),
		rule("storage.k8s.io", []string{"storageclasses"}, "get", "list", "watch"),
		// Creating and deleting PersistentVolumes is the most privileged grant
		// in this role.
		rule("", []string{"persistentvolumes"}, "get", "list", "watch", "create", "patch", "delete"),
		rule("", []string{"persistentvolumeclaims"}, "get", "list", "watch"),
		rule("", []string{"persistentvolumeclaims/status"}, "patch"),
	)

	// Read-only access to cluster topology plus event reporting.
	netServices := role(clusterRoleNetServices,
		"This role grants access to the minimum set of resources that are needed to run networking services for a node.",
		rule("discovery.k8s.io", []string{"endpointslices"}, "get", "list", "watch"),
		rule("", []string{"services", "nodes", "namespaces", "pods"}, "get", "list", "watch"),
		rule("", []string{"events"}, "get", "list", "watch", "create", "update", "patch"),
		rule("networking.k8s.io", []string{"networkpolicies"}, "get", "list", "watch"),
	)

	return []meta.Object{csiProvisioner, netServices}
}
// resourceClusterRoleBindings reconciles the built-in ClusterRoleBindings. It
// embeds the Kubernetes client it uses to list, create, update and delete them.
type resourceClusterRoleBindings struct {
	kubernetes.Interface
}
// List returns the ClusterRoleBindings currently in the cluster that match
// the listBuiltins options (defined elsewhere in this package), as generic
// meta.Objects for the reconciler to compare against Expected.
func (r resourceClusterRoleBindings) List(ctx context.Context) ([]meta.Object, error) {
	bindings, err := r.RbacV1().ClusterRoleBindings().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	// Address each element of the response slice directly rather than a range
	// copy, so the returned objects alias the items in the list response.
	out := make([]meta.Object, 0, len(bindings.Items))
	for i := range bindings.Items {
		out = append(out, &bindings.Items[i])
	}
	return out, nil
}
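// Create creates the given ClusterRoleBinding in the cluster.
//
// el must be a *rbac.ClusterRoleBinding (as produced by Expected); any other
// type is reported as an error rather than panicking inside the reconciler.
func (r resourceClusterRoleBindings) Create(ctx context.Context, el meta.Object) error {
	binding, ok := el.(*rbac.ClusterRoleBinding)
	if !ok {
		return fmt.Errorf("expected *rbac.ClusterRoleBinding, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoleBindings().Create(ctx, binding, meta.CreateOptions{})
	return err
}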
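// Update replaces the existing ClusterRoleBinding with the given one.
//
// el must be a *rbac.ClusterRoleBinding (as produced by Expected); any other
// type is reported as an error rather than panicking inside the reconciler.
func (r resourceClusterRoleBindings) Update(ctx context.Context, el meta.Object) error {
	binding, ok := el.(*rbac.ClusterRoleBinding)
	if !ok {
		return fmt.Errorf("expected *rbac.ClusterRoleBinding, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoleBindings().Update(ctx, binding, meta.UpdateOptions{})
	return err
}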
// Delete removes the ClusterRoleBinding called name, honouring the given
// delete options.
func (r resourceClusterRoleBindings) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	bindings := r.RbacV1().ClusterRoleBindings()
	return bindings.Delete(ctx, name, opts)
}
// Expected returns the built-in ClusterRoleBindings this reconciler keeps in
// the cluster. Every binding refers to a ClusterRole and has exactly one
// subject, so they are all produced by the same local constructor.
func (r resourceClusterRoleBindings) Expected() []meta.Object {
	// binding builds a built-in ClusterRoleBinding granting the named
	// ClusterRole to a single subject, with the built-in labels and a
	// description annotation attached.
	binding := func(name, description, role string, subject rbac.Subject) *rbac.ClusterRoleBinding {
		return &rbac.ClusterRoleBinding{
			ObjectMeta: meta.ObjectMeta{
				Name:   name,
				Labels: builtinLabels(nil),
				Annotations: map[string]string{
					"kubernetes.io/description": description,
				},
			},
			RoleRef: rbac.RoleRef{
				APIGroup: rbac.GroupName,
				Kind:     "ClusterRole",
				Name:     role,
			},
			Subjects: []rbac.Subject{subject},
		}
	}

	// Grants the apiserver's kubelet client identity the upstream
	// system:kubelet-api-admin ClusterRole (full kubelet API access).
	apiserverKubeletClient := binding(
		clusterRoleBindingAPIServerKubeletClient,
		"This binding grants the apiserver access to the kubelets. This enables "+
			"lots of built-in functionality like reading logs or forwarding ports via the API.",
		"system:kubelet-api-admin",
		rbac.Subject{
			APIGroup: rbac.GroupName,
			Kind:     "User",
			// TODO(q3k): describe this name's contract, or unify with whatever creates this.
			// NOTE(review): presumably this must match the identity the apiserver
			// presents to kubelets; confirm against the component that issues it.
			Name: "metropolis:apiserver-kubelet-client",
		},
	)

	// The cluster owner gets the upstream cluster-admin ClusterRole, i.e. full
	// control of the Kubernetes API; this is the most privileged binding here.
	ownerAdmin := binding(
		clusterRoleBindingOwnerAdmin,
		"This binding grants the Metropolis Cluster owner access to the "+
			"cluster-admin role on Kubernetes.",
		"cluster-admin",
		rbac.Subject{
			APIGroup: rbac.GroupName,
			Kind:     "User",
			Name:     "owner",
		},
	)

	// Node-local CSI provisioners authenticate as members of a group and get
	// the matching built-in ClusterRole.
	csiProvisioners := binding(
		clusterRoleBindingCSIProvisioners,
		"This role binding grants CSI provisioners running on nodes access to the necessary resources.",
		clusterRoleCSIProvisioner,
		rbac.Subject{
			APIGroup: rbac.GroupName,
			Kind:     "Group",
			Name:     "metropolis:csi-provisioner",
		},
	)

	// Node networking services likewise bind as a group to their ClusterRole.
	netServices := binding(
		clusterRoleBindingNetServices,
		"This role binding grants node network services access to necessary resources.",
		clusterRoleNetServices,
		rbac.Subject{
			APIGroup: rbac.GroupName,
			Kind:     "Group",
			Name:     "metropolis:netservices",
		},
	)

	return []meta.Object{apiserverKubeletClient, ownerAdmin, csiProvisioners, netServices}
}