Serge Bazanskie6030f62020-06-03 17:52:59 +02001// Copyright 2020 The Monogon Project Authors.
2//
3// SPDX-License-Identifier: Apache-2.0
4//
5// Licensed under the Apache License, Version 2.0 (the "License");
6// you may not use this file except in compliance with the License.
7// You may obtain a copy of the License at
8//
9// http://www.apache.org/licenses/LICENSE-2.0
10//
11// Unless required by applicable law or agreed to in writing, software
12// distributed under the License is distributed on an "AS IS" BASIS,
13// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14// See the License for the specific language governing permissions and
15// limitations under the License.
16
17package reconciler
18
19import (
20 "context"
21
22 rbac "k8s.io/api/rbac/v1"
23 meta "k8s.io/apimachinery/pkg/apis/meta/v1"
24 "k8s.io/client-go/kubernetes"
25)
26
// Names of the built-in RBAC objects managed by this file, all run through
// builtinRBACName (defined elsewhere in this package). A ClusterRole and a
// ClusterRoleBinding may legitimately share a name (e.g. "csi-provisioner",
// "netservices"): they are distinct Kubernetes kinds and do not collide.
var (
	// ClusterRole granting "use" on the "default" PodSecurityPolicy.
	clusterRolePSPDefault = builtinRBACName("psp-default")
	// ClusterRoleBinding giving every service account the role above.
	clusterRoleBindingDefaultPSP = builtinRBACName("default-psp-for-sa")
	// ClusterRoleBinding giving the apiserver's kubelet-client identity
	// the upstream system:kubelet-api-admin role.
	clusterRoleBindingAPIServerKubeletClient = builtinRBACName("apiserver-kubelet-client")
	// ClusterRoleBinding giving the "owner" user cluster-admin.
	clusterRoleBindingOwnerAdmin = builtinRBACName("owner-admin")
	// ClusterRole/ClusterRoleBinding pair for the CSI provisioner group.
	clusterRoleCSIProvisioner         = builtinRBACName("csi-provisioner")
	clusterRoleBindingCSIProvisioners = builtinRBACName("csi-provisioner")
	// ClusterRole/ClusterRoleBinding pair for the node network services group.
	clusterRoleNetServices        = builtinRBACName("netservices")
	clusterRoleBindingNetServices = builtinRBACName("netservices")
)
37
// resourceClusterRoles provides the List/Create/Update/Delete/Expected
// methods for the built-in ClusterRoles, backed by the embedded client-go
// interface. The value receiver is fine here: the struct holds only an
// interface value.
type resourceClusterRoles struct {
	kubernetes.Interface
}
41
// List returns the ClusterRoles currently in the cluster that match the
// listBuiltins options (defined elsewhere in this package). Each element is
// a pointer into the fetched list, so the same object can be handed straight
// back to Update or Delete.
//
// Returns the API error unchanged when the list call fails.
func (r resourceClusterRoles) List(ctx context.Context) ([]meta.Object, error) {
	roles, err := r.RbacV1().ClusterRoles().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	out := make([]meta.Object, 0, len(roles.Items))
	for i := range roles.Items {
		// Address the slice element itself, not a per-iteration copy.
		out = append(out, &roles.Items[i])
	}
	return out, nil
}
53
// Create submits el to the API server as a new ClusterRole.
//
// el must be a *rbac.ClusterRole: the single-value type assertion panics on
// any other concrete type. Returns the API error unchanged on failure.
func (r resourceClusterRoles) Create(ctx context.Context, el meta.Object) error {
	role := el.(*rbac.ClusterRole)
	if _, err := r.RbacV1().ClusterRoles().Create(ctx, role, meta.CreateOptions{}); err != nil {
		return err
	}
	return nil
}
58
// Update replaces the existing ClusterRole named by el with el's contents.
//
// el must be a *rbac.ClusterRole: the single-value type assertion panics on
// any other concrete type. Returns the API error unchanged on failure.
func (r resourceClusterRoles) Update(ctx context.Context, el meta.Object) error {
	role := el.(*rbac.ClusterRole)
	if _, err := r.RbacV1().ClusterRoles().Update(ctx, role, meta.UpdateOptions{}); err != nil {
		return err
	}
	return nil
}
63
// Delete removes the ClusterRole called name, passing opts through to the
// API server untouched. Returns the API error unchanged on failure.
func (r resourceClusterRoles) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	client := r.RbacV1().ClusterRoles()
	return client.Delete(ctx, name, opts)
}
67
// Expected returns the built-in ClusterRoles this package keeps in the
// cluster, in a fixed order. Every role carries builtinLabels (defined
// elsewhere in this package) and a kubernetes.io/description annotation.
//
// The returned objects are freshly allocated on each call; callers may
// mutate them freely.
func (r resourceClusterRoles) Expected() []meta.Object {
	// psp-default: "use" on the PodSecurityPolicy named "default" only.
	// PodSecurityPolicy was removed from Kubernetes in v1.25; on such
	// clusters this rule grants nothing. Kept here unchanged.
	pspDefault := &rbac.ClusterRole{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRolePSPDefault,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role grants access to the \"default\" PSP.",
			},
		},
		Rules: []rbac.PolicyRule{
			{
				APIGroups:     []string{"policy"},
				Resources:     []string{"podsecuritypolicies"},
				ResourceNames: []string{"default"},
				Verbs:         []string{"use"},
			},
		},
	}

	// csi-provisioner: events read/write, storageclasses read-only, and an
	// unrestricted verb set ("*") on all PersistentVolumes and
	// PersistentVolumeClaims cluster-wide. Anything bound to this role can
	// therefore delete or rewrite any PV/PVC, not just the ones it created.
	// NOTE(review): "StorageClassses" in the description below is a typo in
	// the live annotation; reproduced as-is so the reconciled object does
	// not change.
	csiProvisioner := &rbac.ClusterRole{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleCSIProvisioner,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role grants access to PersistentVolumes, PersistentVolumeClaims and StorageClassses, as used by the CSI provisioner running on nodes.",
			},
		},
		Rules: []rbac.PolicyRule{
			{
				APIGroups: []string{""},
				Resources: []string{"events"},
				Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
			},
			{
				APIGroups: []string{"storage.k8s.io"},
				Resources: []string{"storageclasses"},
				Verbs:     []string{"get", "list", "watch"},
			},
			{
				APIGroups: []string{""},
				Resources: []string{"persistentvolumes", "persistentvolumeclaims"},
				Verbs:     []string{"*"},
			},
		},
	}

	// netservices: read-only (get/list/watch) on endpointslices, services,
	// nodes and namespaces. No write verbs.
	netServices := &rbac.ClusterRole{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleNetServices,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role grants access to the minimum set of resources that are needed to run networking services for a node.",
			},
		},
		Rules: []rbac.PolicyRule{
			{
				APIGroups: []string{"discovery.k8s.io"},
				Resources: []string{"endpointslices"},
				Verbs:     []string{"get", "list", "watch"},
			},
			{
				APIGroups: []string{""},
				Resources: []string{"services", "nodes", "namespaces"},
				Verbs:     []string{"get", "list", "watch"},
			},
		},
	}

	return []meta.Object{pspDefault, csiProvisioner, netServices}
}
136
// resourceClusterRoleBindings provides the List/Create/Update/Delete/Expected
// methods for the built-in ClusterRoleBindings, backed by the embedded
// client-go interface. The value receiver is fine here: the struct holds
// only an interface value.
type resourceClusterRoleBindings struct {
	kubernetes.Interface
}
140
// List returns the ClusterRoleBindings currently in the cluster that match
// the listBuiltins options (defined elsewhere in this package). Each element
// is a pointer into the fetched list, so the same object can be handed
// straight back to Update or Delete.
//
// Returns the API error unchanged when the list call fails.
func (r resourceClusterRoleBindings) List(ctx context.Context) ([]meta.Object, error) {
	bindings, err := r.RbacV1().ClusterRoleBindings().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	out := make([]meta.Object, 0, len(bindings.Items))
	for i := range bindings.Items {
		// Address the slice element itself, not a per-iteration copy.
		out = append(out, &bindings.Items[i])
	}
	return out, nil
}
152
// Create submits el to the API server as a new ClusterRoleBinding.
//
// el must be a *rbac.ClusterRoleBinding: the single-value type assertion
// panics on any other concrete type. Returns the API error unchanged on
// failure.
func (r resourceClusterRoleBindings) Create(ctx context.Context, el meta.Object) error {
	binding := el.(*rbac.ClusterRoleBinding)
	if _, err := r.RbacV1().ClusterRoleBindings().Create(ctx, binding, meta.CreateOptions{}); err != nil {
		return err
	}
	return nil
}
157
// Update replaces the existing ClusterRoleBinding named by el with el's
// contents.
//
// el must be a *rbac.ClusterRoleBinding: the single-value type assertion
// panics on any other concrete type. Returns the API error unchanged on
// failure.
func (r resourceClusterRoleBindings) Update(ctx context.Context, el meta.Object) error {
	binding := el.(*rbac.ClusterRoleBinding)
	if _, err := r.RbacV1().ClusterRoleBindings().Update(ctx, binding, meta.UpdateOptions{}); err != nil {
		return err
	}
	return nil
}
162
// Delete removes the ClusterRoleBinding called name, passing opts through to
// the API server untouched. Returns the API error unchanged on failure.
func (r resourceClusterRoleBindings) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	client := r.RbacV1().ClusterRoleBindings()
	return client.Delete(ctx, name, opts)
}
166
// Expected returns the built-in ClusterRoleBindings this package keeps in
// the cluster, in a fixed order. Every binding carries builtinLabels
// (defined elsewhere in this package) and a kubernetes.io/description
// annotation. All RoleRefs point at ClusterRoles.
//
// The subjects below are the cluster's trust anchors for the referenced
// roles: whoever can authenticate as one of these users or as a member of
// one of these groups receives the bound permissions.
//
// The returned objects are freshly allocated on each call; callers may
// mutate them freely.
func (r resourceClusterRoleBindings) Expected() []meta.Object {
	// default-psp-for-sa: the system:serviceaccounts group (every service
	// account, in every namespace) gets psp-default.
	defaultPSP := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingDefaultPSP,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This binding grants every service account access to the \"default\" PSP. " +
					"Creation of Pods is still restricted by other RBAC roles. Otherwise no pods (unprivileged or not) " +
					"can be created.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRolePSPDefault,
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "Group",
				Name:     "system:serviceaccounts",
			},
		},
	}

	// apiserver-kubelet-client: a single user identity gets the upstream
	// system:kubelet-api-admin ClusterRole, i.e. full access to the kubelet
	// API on every node (exec, logs, port-forward, ...). The user name is a
	// string contract with whatever issues that client credential.
	apiServerKubeletClient := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingAPIServerKubeletClient,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This binding grants the apiserver access to the kubelets. This enables " +
					"lots of built-in functionality like reading logs or forwarding ports via the API.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     "system:kubelet-api-admin",
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "User",
				// TODO(q3k): describe this name's contract, or unify with whatever creates this.
				Name: "metropolis:apiserver-kubelet-client",
			},
		},
	}

	// owner-admin: the "owner" user gets the upstream cluster-admin
	// ClusterRole, i.e. unrestricted access to the whole cluster.
	ownerAdmin := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingOwnerAdmin,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This binding grants the Metropolis Cluster owner access to the " +
					"cluster-admin role on Kubernetes.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     "cluster-admin",
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "User",
				Name:     "owner",
			},
		},
	}

	// csi-provisioner: members of the metropolis:csi-provisioner group get
	// the csi-provisioner ClusterRole (which includes "*" on all PVs/PVCs).
	csiProvisioners := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingCSIProvisioners,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role binding grants CSI provisioners running on nodes access to the necessary resources.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRoleCSIProvisioner,
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "Group",
				Name:     "metropolis:csi-provisioner",
			},
		},
	}

	// netservices: members of the metropolis:netservices group get the
	// read-only netservices ClusterRole.
	netServices := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingNetServices,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role binding grants node network services access to necessary resources.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRoleNetServices,
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "Group",
				Name:     "metropolis:netservices",
			},
		},
	}

	return []meta.Object{
		defaultPSP,
		apiServerKubeletClient,
		ownerAdmin,
		csiProvisioners,
		netServices,
	}
}