Tim Windelschmidt6d33a432025-02-04 14:34:25 +01001// Copyright The Monogon Project Authors.
Serge Bazanskie6030f62020-06-03 17:52:59 +02002// SPDX-License-Identifier: Apache-2.0
Serge Bazanskie6030f62020-06-03 17:52:59 +02003
4package reconciler
5
import (
	"context"
	"fmt"

	rbac "k8s.io/api/rbac/v1"
	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
)
13
// Names of the built-in RBAC objects owned by this reconciler. Every name goes
// through builtinRBACName (defined elsewhere in the package) so that built-in
// objects are distinguishable from user-created ones. A ClusterRole and its
// ClusterRoleBinding may share the same bare name: they are different resource
// kinds and never collide.
var (
	// Binding that grants the apiserver's kubelet-client identity the
	// system:kubelet-api-admin role.
	clusterRoleBindingAPIServerKubeletClient = builtinRBACName("apiserver-kubelet-client")
	// Binding that grants the cluster owner identity cluster-admin.
	clusterRoleBindingOwnerAdmin             = builtinRBACName("owner-admin")
	// Role and binding for the CSI provisioners running on nodes.
	clusterRoleCSIProvisioner                = builtinRBACName("csi-provisioner")
	clusterRoleBindingCSIProvisioners        = builtinRBACName("csi-provisioner")
	// Role and binding for the node networking services.
	clusterRoleNetServices                   = builtinRBACName("netservices")
	clusterRoleBindingNetServices            = builtinRBACName("netservices")
)
22
// resourceClusterRoles exposes the ClusterRoles API of an embedded
// kubernetes.Interface through the List/Create/Update/Delete/Expected method
// set that the reconciler drives. It holds no state beyond the client.
type resourceClusterRoles struct {
	kubernetes.Interface
}
26
// List returns the ClusterRoles currently in the cluster that match the
// package-level listBuiltins options (presumably a selector for built-in
// objects; not visible here), as generic objects. Each element points into
// the API response's Items slice rather than at a copy.
func (r resourceClusterRoles) List(ctx context.Context) ([]meta.Object, error) {
	roles, err := r.RbacV1().ClusterRoles().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	out := make([]meta.Object, 0, len(roles.Items))
	for i := range roles.Items {
		out = append(out, &roles.Items[i])
	}
	return out, nil
}
38
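// Create creates el in the cluster. el must be a *rbac.ClusterRole (such as
// those returned by Expected); any other type is reported as an error instead
// of panicking, so a programming error elsewhere in the reconciler shows up
// as a failed reconcile of one object rather than a crash of the process
// that enforces the cluster's RBAC.
func (r resourceClusterRoles) Create(ctx context.Context, el meta.Object) error {
	role, ok := el.(*rbac.ClusterRole)
	if !ok {
		return fmt.Errorf("creating ClusterRole: unexpected object type %T", el)
	}
	_, err := r.RbacV1().ClusterRoles().Create(ctx, role, meta.CreateOptions{})
	return err
}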
43
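// Update replaces the cluster's copy of el with el's full content. el must be
// a *rbac.ClusterRole (such as those returned by Expected); any other type is
// reported as an error instead of panicking.
//
// NOTE(review): the objects built by Expected carry no resourceVersion, so
// this is an unconditional update if the API server permits that for RBAC
// objects (it does by default -- confirm for this deployment). That is what a
// reconciler wants, as any manual drift in the rules is overwritten, but it
// also means a concurrent writer of the same object loses silently.
func (r resourceClusterRoles) Update(ctx context.Context, el meta.Object) error {
	role, ok := el.(*rbac.ClusterRole)
	if !ok {
		return fmt.Errorf("updating ClusterRole: unexpected object type %T", el)
	}
	_, err := r.RbacV1().ClusterRoles().Update(ctx, role, meta.UpdateOptions{})
	return err
}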
48
// Delete removes the ClusterRole called name. opts is forwarded to the API
// server unchanged, so propagation policy and preconditions are the caller's
// choice.
func (r resourceClusterRoles) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	err := r.RbacV1().ClusterRoles().Delete(ctx, name, opts)
	return err
}
52
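// Expected returns the ClusterRoles this reconciler wants to exist: one for
// the CSI provisioners running on nodes and one for node networking services.
// Both carry the labels from builtinLabels and a kubernetes.io/description
// annotation so operators can see why the object exists.
//
// Security notes on the rules:
//   - The CSI provisioner role grants every verb ("*") on PersistentVolumes
//     and PersistentVolumeClaims in all namespaces. That includes delete,
//     deletecollection and patch, as well as any verb a future API version
//     adds. Whatever identity is bound to this role (see the matching
//     ClusterRoleBinding) can therefore destroy or rebind storage cluster-wide;
//     if the provisioner does not need all of those verbs, an explicit list is
//     the safer choice.
//   - The netservices role is read-only (get/list/watch) over Services, Nodes,
//     Namespaces and EndpointSlices.
func (r resourceClusterRoles) Expected() []meta.Object {
	return []meta.Object{
		&rbac.ClusterRole{
			ObjectMeta: meta.ObjectMeta{
				Name:   clusterRoleCSIProvisioner,
				Labels: builtinLabels(nil),
				Annotations: map[string]string{
					"kubernetes.io/description": "This role grants access to PersistentVolumes, PersistentVolumeClaims and StorageClasses, as used by the CSI provisioner running on nodes.",
				},
			},
			Rules: []rbac.PolicyRule{
				{
					// Read and write Events, but never delete them.
					APIGroups: []string{""},
					Resources: []string{"events"},
					Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
				},
				{
					// StorageClasses are read-only for this role.
					APIGroups: []string{"storage.k8s.io"},
					Resources: []string{"storageclasses"},
					Verbs:     []string{"get", "list", "watch"},
				},
				{
					// Full access to PVs and PVCs in every namespace; see the
					// doc comment above for what the wildcard implies.
					APIGroups: []string{""},
					Resources: []string{"persistentvolumes", "persistentvolumeclaims"},
					Verbs:     []string{"*"},
				},
			},
		},
		&rbac.ClusterRole{
			ObjectMeta: meta.ObjectMeta{
				Name:   clusterRoleNetServices,
				Labels: builtinLabels(nil),
				Annotations: map[string]string{
					"kubernetes.io/description": "This role grants access to the minimum set of resources that are needed to run networking services for a node.",
				},
			},
			Rules: []rbac.PolicyRule{
				{
					// Read-only view of EndpointSlices.
					APIGroups: []string{"discovery.k8s.io"},
					Resources: []string{"endpointslices"},
					Verbs:     []string{"get", "list", "watch"},
				},
				{
					// Read-only view of Services, Nodes and Namespaces.
					APIGroups: []string{""},
					Resources: []string{"services", "nodes", "namespaces"},
					Verbs:     []string{"get", "list", "watch"},
				},
			},
		},
	}
}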
104
// resourceClusterRoleBindings exposes the ClusterRoleBindings API of an
// embedded kubernetes.Interface through the List/Create/Update/Delete/Expected
// method set that the reconciler drives. It holds no state beyond the client.
type resourceClusterRoleBindings struct {
	kubernetes.Interface
}
108
// List returns the ClusterRoleBindings currently in the cluster that match the
// package-level listBuiltins options (presumably a selector for built-in
// objects; not visible here), as generic objects. Each element points into
// the API response's Items slice rather than at a copy.
func (r resourceClusterRoleBindings) List(ctx context.Context) ([]meta.Object, error) {
	bindings, err := r.RbacV1().ClusterRoleBindings().List(ctx, listBuiltins)
	if err != nil {
		return nil, err
	}
	out := make([]meta.Object, 0, len(bindings.Items))
	for i := range bindings.Items {
		out = append(out, &bindings.Items[i])
	}
	return out, nil
}
120
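// Create creates el in the cluster. el must be a *rbac.ClusterRoleBinding
// (such as those returned by Expected); any other type is reported as an
// error instead of panicking, so a programming error elsewhere in the
// reconciler shows up as a failed reconcile of one object rather than a crash
// of the process that enforces the cluster's RBAC.
func (r resourceClusterRoleBindings) Create(ctx context.Context, el meta.Object) error {
	binding, ok := el.(*rbac.ClusterRoleBinding)
	if !ok {
		return fmt.Errorf("creating ClusterRoleBinding: unexpected object type %T", el)
	}
	_, err := r.RbacV1().ClusterRoleBindings().Create(ctx, binding, meta.CreateOptions{})
	return err
}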
125
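// Update replaces the cluster's copy of el with el's full content. el must be
// a *rbac.ClusterRoleBinding (such as those returned by Expected); any other
// type is reported as an error instead of panicking.
//
// NOTE(review): the objects built by Expected carry no resourceVersion, so
// this is an unconditional update if the API server permits that for RBAC
// objects (it does by default -- confirm for this deployment). For a binding
// that is the desired property: an added or swapped subject is reverted on
// the next reconcile. It also means a concurrent writer loses silently.
func (r resourceClusterRoleBindings) Update(ctx context.Context, el meta.Object) error {
	binding, ok := el.(*rbac.ClusterRoleBinding)
	if !ok {
		return fmt.Errorf("updating ClusterRoleBinding: unexpected object type %T", el)
	}
	_, err := r.RbacV1().ClusterRoleBindings().Update(ctx, binding, meta.UpdateOptions{})
	return err
}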
130
// Delete removes the ClusterRoleBinding called name. opts is forwarded to the
// API server unchanged, so propagation policy and preconditions are the
// caller's choice.
func (r resourceClusterRoleBindings) Delete(ctx context.Context, name string, opts meta.DeleteOptions) error {
	err := r.RbacV1().ClusterRoleBindings().Delete(ctx, name, opts)
	return err
}
134
// Expected returns the ClusterRoleBindings this reconciler wants to exist.
// Every binding references a ClusterRole, carries the labels from
// builtinLabels and a kubernetes.io/description annotation, and has exactly
// one subject.
//
// Security notes on the subjects -- these names are the trust boundary, and
// whatever issues credentials that authenticate as them is not visible here:
//   - User "metropolis:apiserver-kubelet-client" gets system:kubelet-api-admin,
//     i.e. full kubelet API access (exec, logs, port-forward on every node).
//   - User "owner" gets cluster-admin, so any credential that authenticates
//     under that user name is unrestricted on the Kubernetes API.
//   - Group "metropolis:csi-provisioner" and group "metropolis:netservices"
//     get the matching built-in ClusterRoles; any credential carrying one of
//     those group names inherits the role.
func (r resourceClusterRoleBindings) Expected() []meta.Object {
	// bind builds one built-in ClusterRoleBinding that grants the ClusterRole
	// called role to a single subject.
	bind := func(name, description, role string, subject rbac.Subject) *rbac.ClusterRoleBinding {
		return &rbac.ClusterRoleBinding{
			ObjectMeta: meta.ObjectMeta{
				Name:   name,
				Labels: builtinLabels(nil),
				Annotations: map[string]string{
					"kubernetes.io/description": description,
				},
			},
			RoleRef: rbac.RoleRef{
				APIGroup: rbac.GroupName,
				Kind:     "ClusterRole",
				Name:     role,
			},
			Subjects: []rbac.Subject{subject},
		}
	}
	// user and group build subjects of the respective kind; both kinds live in
	// the RBAC API group.
	user := func(name string) rbac.Subject {
		return rbac.Subject{APIGroup: rbac.GroupName, Kind: "User", Name: name}
	}
	group := func(name string) rbac.Subject {
		return rbac.Subject{APIGroup: rbac.GroupName, Kind: "Group", Name: name}
	}

	return []meta.Object{
		bind(
			clusterRoleBindingAPIServerKubeletClient,
			"This binding grants the apiserver access to the kubelets. This enables "+
				"lots of built-in functionality like reading logs or forwarding ports via the API.",
			"system:kubelet-api-admin",
			// TODO(q3k): describe this name's contract, or unify with whatever creates this.
			user("metropolis:apiserver-kubelet-client"),
		),
		bind(
			clusterRoleBindingOwnerAdmin,
			"This binding grants the Metropolis Cluster owner access to the "+
				"cluster-admin role on Kubernetes.",
			"cluster-admin",
			user("owner"),
		),
		bind(
			clusterRoleBindingCSIProvisioners,
			"This role binding grants CSI provisioners running on nodes access to the necessary resources.",
			clusterRoleCSIProvisioner,
			group("metropolis:csi-provisioner"),
		),
		bind(
			clusterRoleBindingNetServices,
			"This role binding grants node network services access to necessary resources.",
			clusterRoleNetServices,
			group("metropolis:netservices"),
		),
	}
}
225}