Serge Bazanskie6030f62020-06-03 17:52:59 +02001// Copyright 2020 The Monogon Project Authors.
2//
3// SPDX-License-Identifier: Apache-2.0
4//
5// Licensed under the Apache License, Version 2.0 (the "License");
6// you may not use this file except in compliance with the License.
7// You may obtain a copy of the License at
8//
9// http://www.apache.org/licenses/LICENSE-2.0
10//
11// Unless required by applicable law or agreed to in writing, software
12// distributed under the License is distributed on an "AS IS" BASIS,
13// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14// See the License for the specific language governing permissions and
15// limitations under the License.
16
17package reconciler
18
19import (
20 "context"
21
22 rbac "k8s.io/api/rbac/v1"
23 meta "k8s.io/apimachinery/pkg/apis/meta/v1"
24 "k8s.io/client-go/kubernetes"
25)
26
27var (
Serge Bazanskie6030f62020-06-03 17:52:59 +020028 clusterRoleBindingAPIServerKubeletClient = builtinRBACName("apiserver-kubelet-client")
Lorenz Bruncc078df2021-12-23 11:51:55 +010029 clusterRoleBindingOwnerAdmin = builtinRBACName("owner-admin")
Serge Bazanski2cfafc92023-03-21 16:42:47 +010030 clusterRoleCSIProvisioner = builtinRBACName("csi-provisioner")
31 clusterRoleBindingCSIProvisioners = builtinRBACName("csi-provisioner")
32 clusterRoleNetServices = builtinRBACName("netservices")
33 clusterRoleBindingNetServices = builtinRBACName("netservices")
Serge Bazanskie6030f62020-06-03 17:52:59 +020034)
35
// resourceClusterRoles reconciles the built-in ClusterRoles. It wraps the
// Kubernetes client it talks to; List passes listBuiltins as the list
// options, so only the objects selected by those options (presumably the
// ones carrying the built-in labels) are ever seen or touched.
type resourceClusterRoles struct {
	kubernetes.Interface
}
39
// List returns the ClusterRoles currently present in the cluster that are
// selected by listBuiltins, as generic objects for the reconciler to compare
// against Expected. The result is never nil on success: a cluster without
// matching roles yields an empty, non-nil slice.
func (r resourceClusterRoles) List(ctx context.Context) ([]meta.Object, error) {
	roles, err := r.RbacV1().ClusterRoles().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	out := make([]meta.Object, 0, len(roles.Items))
	for i := range roles.Items {
		// Address the slice element itself rather than a range copy, so the
		// returned object aliases the listed item.
		out = append(out, &roles.Items[i])
	}
	return out, nil
}
51
// Create submits el to the API server as a new ClusterRole. el must be a
// *rbac.ClusterRole (as produced by Expected); the type assertion is
// unchecked, so any other meta.Object is a programming error and panics.
func (r resourceClusterRoles) Create(ctx context.Context, el meta.Object) error {
	role := el.(*rbac.ClusterRole)
	_, err := r.RbacV1().ClusterRoles().Create(ctx, role, meta.CreateOptions{})
	return err
}
56
// Update replaces the existing ClusterRole with el. el must be a
// *rbac.ClusterRole (as produced by Expected); the type assertion is
// unchecked, so any other meta.Object is a programming error and panics.
// Default UpdateOptions are used, so no resourceVersion precondition is
// enforced beyond what el itself carries.
func (r resourceClusterRoles) Update(ctx context.Context, el meta.Object) error {
	role := el.(*rbac.ClusterRole)
	_, err := r.RbacV1().ClusterRoles().Update(ctx, role, meta.UpdateOptions{})
	return err
}
61
// Delete removes the ClusterRole called name. opts is forwarded unchanged,
// so the caller decides on preconditions and propagation policy.
func (r resourceClusterRoles) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	roles := r.RbacV1().ClusterRoles()
	return roles.Delete(ctx, name, opts)
}
65
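// Expected returns the ClusterRoles this reconciler wants to exist, labelled
// as built-in so that List can find them again.
//
// Both roles are granted through ClusterRoleBindings (see
// resourceClusterRoleBindings.Expected), so every verb listed here applies
// to every object of that kind in the whole cluster, not only to objects a
// particular node created.
//
// The only change from the previous revision is the spelling of
// "StorageClasses" in the CSI provisioner's description annotation; this
// will cause one Update of that role on clusters that already have it.
func (r resourceClusterRoles) Expected() []meta.Object {
	csiProvisioner := &rbac.ClusterRole{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleCSIProvisioner,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role grants access to PersistentVolumes, PersistentVolumeClaims and StorageClasses, as used by the CSI provisioner running on nodes.",
			},
		},
		Rules: []rbac.PolicyRule{
			{
				// Events: read plus create/update/patch, the usual set a
				// controller needs to report on the objects it handles.
				APIGroups: []string{""},
				Resources: []string{"events"},
				Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
			},
			{
				// StorageClasses are read-only for the provisioner.
				APIGroups: []string{"storage.k8s.io"},
				Resources: []string{"storageclasses"},
				Verbs:     []string{"get", "list", "watch"},
			},
			{
				// NOTE(review): "*" is every verb, including delete and
				// deletecollection, on every PersistentVolume and
				// PersistentVolumeClaim in the cluster. If the set of verbs
				// the provisioner actually issues is known, enumerating it
				// here instead of the wildcard tightens this role
				// considerably.
				APIGroups: []string{""},
				Resources: []string{"persistentvolumes", "persistentvolumeclaims"},
				Verbs:     []string{"*"},
			},
		},
	}

	netServices := &rbac.ClusterRole{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleNetServices,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role grants access to the minimum set of resources that are needed to run networking services for a node.",
			},
		},
		// Read-only throughout: node networking only needs to observe
		// service topology, never to mutate it.
		Rules: []rbac.PolicyRule{
			{
				APIGroups: []string{"discovery.k8s.io"},
				Resources: []string{"endpointslices"},
				Verbs:     []string{"get", "list", "watch"},
			},
			{
				APIGroups: []string{""},
				Resources: []string{"services", "nodes", "namespaces"},
				Verbs:     []string{"get", "list", "watch"},
			},
		},
	}

	return []meta.Object{csiProvisioner, netServices}
}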
117
// resourceClusterRoleBindings reconciles the built-in ClusterRoleBindings.
// It wraps the Kubernetes client it talks to; List passes listBuiltins as
// the list options, so only the objects selected by those options
// (presumably the ones carrying the built-in labels) are ever seen or
// touched.
type resourceClusterRoleBindings struct {
	kubernetes.Interface
}
121
// List returns the ClusterRoleBindings currently present in the cluster that
// are selected by listBuiltins, as generic objects for the reconciler to
// compare against Expected. The result is never nil on success: a cluster
// without matching bindings yields an empty, non-nil slice.
func (r resourceClusterRoleBindings) List(ctx context.Context) ([]meta.Object, error) {
	bindings, err := r.RbacV1().ClusterRoleBindings().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	out := make([]meta.Object, 0, len(bindings.Items))
	for i := range bindings.Items {
		// Address the slice element itself rather than a range copy, so the
		// returned object aliases the listed item.
		out = append(out, &bindings.Items[i])
	}
	return out, nil
}
133
// Create submits el to the API server as a new ClusterRoleBinding. el must
// be a *rbac.ClusterRoleBinding (as produced by Expected); the type
// assertion is unchecked, so any other meta.Object is a programming error
// and panics.
func (r resourceClusterRoleBindings) Create(ctx context.Context, el meta.Object) error {
	binding := el.(*rbac.ClusterRoleBinding)
	_, err := r.RbacV1().ClusterRoleBindings().Create(ctx, binding, meta.CreateOptions{})
	return err
}
138
// Update replaces the existing ClusterRoleBinding with el. el must be a
// *rbac.ClusterRoleBinding (as produced by Expected); the type assertion is
// unchecked, so any other meta.Object is a programming error and panics.
// Note that the API server rejects updates that change roleRef; such a
// change has to be done as delete plus create.
func (r resourceClusterRoleBindings) Update(ctx context.Context, el meta.Object) error {
	binding := el.(*rbac.ClusterRoleBinding)
	_, err := r.RbacV1().ClusterRoleBindings().Update(ctx, binding, meta.UpdateOptions{})
	return err
}
143
// Delete removes the ClusterRoleBinding called name. opts is forwarded
// unchanged, so the caller decides on preconditions and propagation policy.
func (r resourceClusterRoleBindings) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	bindings := r.RbacV1().ClusterRoleBindings()
	return bindings.Delete(ctx, name, opts)
}
147
// Expected returns the ClusterRoleBindings this reconciler wants to exist,
// labelled as built-in so that List can find them again.
//
// These bindings are the trust anchors between the identities Metropolis
// hands out (user names and group names visible in the subjects below) and
// Kubernetes authorization. How a client comes to be authenticated as one
// of those subjects is decided elsewhere; from this file's point of view,
// anything that presents the subject's identity receives the bound role.
func (r resourceClusterRoleBindings) Expected() []meta.Object {
	// The API server's client identity towards kubelets gets the kubelet
	// API admin role, which is what lets the API server serve logs, exec
	// and port-forward.
	apiserverKubeletClient := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingAPIServerKubeletClient,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This binding grants the apiserver access to the kubelets. This enables " +
					"lots of built-in functionality like reading logs or forwarding ports via the API.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     "system:kubelet-api-admin",
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "User",
				// TODO(q3k): describe this name's contract, or unify with whatever creates this.
				Name: "metropolis:apiserver-kubelet-client",
			},
		},
	}

	// The cluster owner is unrestricted: cluster-admin is the built-in
	// superuser role. Whatever credential authenticates as user "owner"
	// therefore has full control of the Kubernetes API.
	ownerAdmin := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingOwnerAdmin,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This binding grants the Metropolis Cluster owner access to the " +
					"cluster-admin role on Kubernetes.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     "cluster-admin",
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "User",
				Name:     "owner",
			},
		},
	}

	// Group-based bindings: every principal that the authenticator places
	// in the named group gets the role, so group membership is the thing
	// to protect here.
	csiProvisioners := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingCSIProvisioners,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role binding grants CSI provisioners running on nodes access to the necessary resources.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRoleCSIProvisioner,
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "Group",
				Name:     "metropolis:csi-provisioner",
			},
		},
	}

	netServices := &rbac.ClusterRoleBinding{
		ObjectMeta: meta.ObjectMeta{
			Name:   clusterRoleBindingNetServices,
			Labels: builtinLabels(nil),
			Annotations: map[string]string{
				"kubernetes.io/description": "This role binding grants node network services access to necessary resources.",
			},
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     clusterRoleNetServices,
		},
		Subjects: []rbac.Subject{
			{
				APIGroup: rbac.GroupName,
				Kind:     "Group",
				Name:     "metropolis:netservices",
			},
		},
	}

	return []meta.Object{
		apiserverKubeletClient,
		ownerAdmin,
		csiProvisioners,
		netServices,
	}
}