// Copyright The Monogon Project Authors.
// SPDX-License-Identifier: Apache-2.0

4package reconciler
import (
	"context"
	"fmt"

	rbac "k8s.io/api/rbac/v1"
	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
)
// Names of the built-in RBAC objects owned by this reconciler. Every name is
// derived through builtinRBACName (defined elsewhere in the package); the
// declaration order below is kept as-is because package-level initializers
// run in declaration order.
var (
	// ClusterRoleBinding letting the apiserver reach the kubelet API.
	clusterRoleBindingAPIServerKubeletClient = builtinRBACName("apiserver-kubelet-client")
	// ClusterRoleBinding mapping the "owner" user onto cluster-admin.
	clusterRoleBindingOwnerAdmin = builtinRBACName("owner-admin")
	// ClusterRole and matching ClusterRoleBinding for CSI provisioners.
	// Both share the same base name; they are distinct resource kinds.
	clusterRoleCSIProvisioner         = builtinRBACName("csi-provisioner")
	clusterRoleBindingCSIProvisioners = builtinRBACName("csi-provisioner")
	// ClusterRole and matching ClusterRoleBinding for node network services.
	clusterRoleNetServices        = builtinRBACName("netservices")
	clusterRoleBindingNetServices = builtinRBACName("netservices")
)
// resourceClusterRoles reconciles the built-in ClusterRoles. It embeds a
// Kubernetes client so the List/Create/Update/Delete methods below can call
// RbacV1() directly on the receiver.
type resourceClusterRoles struct {
	kubernetes.Interface
}
// List returns the ClusterRoles currently in the cluster that match the
// listBuiltins selector, each exposed as a generic meta.Object.
func (r resourceClusterRoles) List(ctx context.Context) ([]meta.Object, error) {
	list, err := r.RbacV1().ClusterRoles().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	// Address each element in place (not a loop copy) so every entry
	// points at a distinct item of the returned list.
	out := make([]meta.Object, 0, len(list.Items))
	for i := range list.Items {
		out = append(out, &list.Items[i])
	}
	return out, nil
}
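// Create creates el, which must be a *rbac.ClusterRole, in the cluster.
//
// A value of any other type is reported as an error instead of panicking on
// an unchecked type assertion; the API server error, if any, is returned
// unchanged.
func (r resourceClusterRoles) Create(ctx context.Context, el meta.Object) error {
	role, ok := el.(*rbac.ClusterRole)
	if !ok {
		return fmt.Errorf("creating cluster role: expected *rbac.ClusterRole, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoles().Create(ctx, role, meta.CreateOptions{})
	return err
}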
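// Update replaces the cluster's copy of el, which must be a *rbac.ClusterRole.
//
// A value of any other type is reported as an error instead of panicking on
// an unchecked type assertion; the API server error, if any, is returned
// unchanged.
func (r resourceClusterRoles) Update(ctx context.Context, el meta.Object) error {
	role, ok := el.(*rbac.ClusterRole)
	if !ok {
		return fmt.Errorf("updating cluster role: expected *rbac.ClusterRole, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoles().Update(ctx, role, meta.UpdateOptions{})
	return err
}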
// Delete removes the ClusterRole called name, passing opts through to the
// API server untouched.
func (r resourceClusterRoles) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	client := r.RbacV1().ClusterRoles()
	return client.Delete(ctx, name, opts)
}
// Expected returns the built-in ClusterRoles the reconciler wants to exist:
// the CSI provisioner role first, then the network services role. Both are
// labelled with builtinLabels(nil) so that List can find them again.
func (r resourceClusterRoles) Expected() []meta.Object {
	csiProvisioner := &rbac.ClusterRole{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleCSIProvisioner,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role grants access to PersistentVolumes, PersistentVolumeClaims and StorageClassses, as used by the CSI provisioner running on nodes.",
			},
		},
		Rules: []rbac.PolicyRule{
			{
				APIGroups: []string{""},
				Resources: []string{"events"},
				Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
			},
			{
				APIGroups: []string{"storage.k8s.io"},
				Resources: []string{"storageclasses"},
				Verbs:     []string{"get", "list", "watch"},
			},
			{
				// Wildcard verbs on a ClusterRole: any subject bound to
				// this role can create, modify and delete PVs and PVCs
				// in every namespace, not just observe them.
				APIGroups: []string{""},
				Resources: []string{"persistentvolumes", "persistentvolumeclaims"},
				Verbs:     []string{"*"},
			},
		},
	}

	netServices := &rbac.ClusterRole{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleNetServices,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role grants access to the minimum set of resources that are needed to run networking services for a node.",
			},
		},
		// Read-only everywhere except events, which networking services
		// are allowed to emit.
		Rules: []rbac.PolicyRule{
			{
				APIGroups: []string{"discovery.k8s.io"},
				Resources: []string{"endpointslices"},
				Verbs:     []string{"get", "list", "watch"},
			},
			{
				APIGroups: []string{""},
				Resources: []string{"services", "nodes", "namespaces", "pods"},
				Verbs:     []string{"get", "list", "watch"},
			},
			{
				APIGroups: []string{""},
				Resources: []string{"events"},
				Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
			},
			{
				APIGroups: []string{"networking.k8s.io"},
				Resources: []string{"networkpolicies"},
				Verbs:     []string{"get", "list", "watch"},
			},
		},
	}

	return []meta.Object{csiProvisioner, netServices}
}
// resourceClusterRoleBindings reconciles the built-in ClusterRoleBindings.
// It embeds a Kubernetes client so the List/Create/Update/Delete methods
// below can call RbacV1() directly on the receiver.
type resourceClusterRoleBindings struct {
	kubernetes.Interface
}
// List returns the ClusterRoleBindings currently in the cluster that match
// the listBuiltins selector, each exposed as a generic meta.Object.
func (r resourceClusterRoleBindings) List(ctx context.Context) ([]meta.Object, error) {
	list, err := r.RbacV1().ClusterRoleBindings().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	// Address each element in place (not a loop copy) so every entry
	// points at a distinct item of the returned list.
	out := make([]meta.Object, 0, len(list.Items))
	for i := range list.Items {
		out = append(out, &list.Items[i])
	}
	return out, nil
}
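// Create creates el, which must be a *rbac.ClusterRoleBinding, in the
// cluster.
//
// A value of any other type is reported as an error instead of panicking on
// an unchecked type assertion; the API server error, if any, is returned
// unchanged.
func (r resourceClusterRoleBindings) Create(ctx context.Context, el meta.Object) error {
	binding, ok := el.(*rbac.ClusterRoleBinding)
	if !ok {
		return fmt.Errorf("creating cluster role binding: expected *rbac.ClusterRoleBinding, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoleBindings().Create(ctx, binding, meta.CreateOptions{})
	return err
}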
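// Update replaces the cluster's copy of el, which must be a
// *rbac.ClusterRoleBinding.
//
// A value of any other type is reported as an error instead of panicking on
// an unchecked type assertion; the API server error, if any, is returned
// unchanged.
func (r resourceClusterRoleBindings) Update(ctx context.Context, el meta.Object) error {
	binding, ok := el.(*rbac.ClusterRoleBinding)
	if !ok {
		return fmt.Errorf("updating cluster role binding: expected *rbac.ClusterRoleBinding, got %T", el)
	}
	_, err := r.RbacV1().ClusterRoleBindings().Update(ctx, binding, meta.UpdateOptions{})
	return err
}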
// Delete removes the ClusterRoleBinding called name, passing opts through to
// the API server untouched.
func (r resourceClusterRoleBindings) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	client := r.RbacV1().ClusterRoleBindings()
	return client.Delete(ctx, name, opts)
}
// Expected returns the built-in ClusterRoleBindings the reconciler wants to
// exist, in this order: apiserver→kubelet client, owner→cluster-admin,
// CSI provisioners, and node network services. All are labelled with
// builtinLabels(nil) so that List can find them again.
func (r resourceClusterRoleBindings) Expected() []meta.Object {
	// Binds a single User identity to the upstream system:kubelet-api-admin
	// ClusterRole so the apiserver can talk to kubelets.
	apiserverKubeletClient := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingAPIServerKubeletClient,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This binding grants the apiserver access to the kubelets. This enables " +
					"lots of built-in functionality like reading logs or forwarding ports via the API.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     "system:kubelet-api-admin",
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "User",
				// TODO(q3k): describe this name's contract, or unify with whatever creates this.
				Name: "metropolis:apiserver-kubelet-client",
			},
		},
	}

	// Grants the full upstream cluster-admin ClusterRole to the "owner" user;
	// this is the most privileged binding the reconciler manages. Where the
	// "owner" identity is issued is not visible here.
	ownerAdmin := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingOwnerAdmin,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This binding grants the Metropolis Cluster owner access to the " +
					"cluster-admin role on Kubernetes.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     "cluster-admin",
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "User",
				Name:     "owner",
			},
		},
	}

	// Binds a Group (not a single user) to the reconciler-managed CSI
	// provisioner ClusterRole.
	csiProvisioners := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingCSIProvisioners,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role binding grants CSI provisioners running on nodes access to the necessary resources.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRoleCSIProvisioner,
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "Group",
				Name:     "metropolis:csi-provisioner",
			},
		},
	}

	// Binds a Group to the reconciler-managed network services ClusterRole.
	netServices := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingNetServices,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role binding grants node network services access to necessary resources.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRoleNetServices,
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "Group",
				Name:     "metropolis:netservices",
			},
		},
	}

	return []meta.Object{apiserverKubeletClient, ownerAdmin, csiProvisioners, netServices}
}
235}