From 1cd1a26d35d0ee89a65d0047ea66963c3dc83973 Mon Sep 17 00:00:00 2001
From: Stano Bocinec <stano@redpanda.com>
Date: Thu, 4 May 2023 16:18:07 +0200
Subject: [PATCH] Add RBAC role, constrain pods write ops to namespace
Signed-off-by: Stano Bocinec <stano@redpanda.com>
---
 .../templates/clusterrole.yaml | 27 +++++++++-------
 .../templates/role.yaml | 13 ++++++++
 .../templates/rolebinding.yaml | 17 ++++++++++
 deploy/local-path-storage.yaml | 31 ++++++++++++++++++-
 examples/quota/local-path-storage.yaml | 31 ++++++++++++++++++-
 5 files changed, 105 insertions(+), 14 deletions(-)
 create mode 100644 deploy/chart/local-path-provisioner/templates/role.yaml
 create mode 100644 deploy/chart/local-path-provisioner/templates/rolebinding.yaml
diff --git a/deploy/chart/local-path-provisioner/templates/clusterrole.yaml b/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
index a9fd1c67..7f58506a 100644
--- a/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
+++ b/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
@@ -6,16 +6,19 @@ metadata:
 labels:
 {{ include "local-path-provisioner.labels" . | indent 4 }}
 rules:
-- apiGroups: [""]
- resources: ["nodes", "persistentvolumeclaims", "configmaps"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["endpoints", "persistentvolumes", "pods"]
- verbs: ["*"]
-- apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes", "persistentvolumeclaims", "configmaps"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources: ["endpoints", "persistentvolumes"]
+ verbs: ["*"]
+ - apiGroups: [ "" ]
+ resources: [ "events" ]
+ verbs: [ "create", "patch" ]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
 {{- end -}}
diff --git a/deploy/chart/local-path-provisioner/templates/role.yaml b/deploy/chart/local-path-provisioner/templates/role.yaml
new file mode 100644
index 00000000..9562816b
--- /dev/null
+++ b/deploy/chart/local-path-provisioner/templates/role.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "local-path-provisioner.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+{{- end -}}
diff --git a/deploy/chart/local-path-provisioner/templates/rolebinding.yaml b/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
new file mode 100644
index 00000000..53295c31
--- /dev/null
+++ b/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
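Review bot: The `endpoints`/`persistentvolumes` rule keeps `verbs: ["*"]` at cluster scope, so the narrowing this commit applies to `pods` stops short of the one wildcard left in the ClusterRole. `*` matches every verb the API server has now or grows later (`deletecollection` included), which makes the grant hard to audit against what the controller actually calls; an explicit list in the style of the other rules — presumably something like `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, to be confirmed against the controller's client code — would close that gap. The same wildcard survives as a context line in the `@@ -20,7 +31,10 @@` hunks of deploy/local-path-storage.yaml and examples/quota/local-path-storage.yaml. On style, adjacent rules now alternate between `[""]` and `[ "" ]` flow spacing; one form (the `[""]` of the first rule) for the whole list reads cleaner.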
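Review bot: The Role's `get`, `list` and `watch` on `pods` duplicate what clusterrole.yaml grants cluster-wide in the same commit, so only `create`, `patch`, `update` and `delete` do new work here (assuming the chart's ClusterRoleBinding targets the same service account), and a reader comparing the two templates has to work that split out. A comment above `rules:` would spell it out: `# Pod writes the provisioner performs are confined to the release namespace; pod reads stay cluster-wide via the ClusterRole.` The rule also mixes `[ "" ]`/`[ "pods" ]` with `["get", ...]` spacing inside one mapping; the clusterrole template's `[""]` form would keep the chart consistent.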
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "local-path-provisioner.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "local-path-provisioner.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "local-path-provisioner.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/deploy/local-path-storage.yaml b/deploy/local-path-storage.yaml
index 2130dfea..81864f05 100644
--- a/deploy/local-path-storage.yaml
+++ b/deploy/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
 name: local-path-provisioner-service-account
 namespace: local-path-storage

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: local-path-provisioner-role
+ namespace: local-path-storage
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -20,7 +31,10 @@ rules:
 resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
 verbs: [ "get", "list", "watch" ]
 - apiGroups: [ "" ]
- resources: [ "endpoints", "persistentvolumes", "pods" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch" ]
+- apiGroups: [ "" ]
+ resources: [ "endpoints", "persistentvolumes" ]
 verbs: [ "*" ]
 - apiGroups: [ "" ]
 resources: [ "events" ]
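Review bot: `roleRef.name` and the ServiceAccount `name` under `subjects` are rendered with `{{ template ... }}`, while `metadata.name` a few lines above and role.yaml in the same commit use `{{ include ... }}` for the very same helper. Both render identically here, but `include` is the form clusterrole.yaml and role.yaml already use and it can be piped through `indent`/`nindent`, so the two lines would read `name: {{ include "local-path-provisioner.fullname" . }}` and `name: {{ include "local-path-provisioner.serviceAccountName" . }}`.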
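Review bot: In the `@@ -10,6 +10,17 @@` hunk of deploy/local-path-storage.yaml the new Role's `verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]` drops the inner spacing that every other flow list visible in this manifest uses (`[ "" ]`, `[ "pods" ]`, `[ "get", "list", "watch" ]` in the ClusterRole just below), so the file now mixes the two forms; `verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]` matches its surroundings. The same Role is added verbatim to examples/quota/local-path-storage.yaml, so the two manifests are kept in lockstep by hand; a one-line comment above the example's `kind: Role`, e.g. `# Mirrors the RBAC in deploy/local-path-storage.yaml; keep the two in sync.`, would flag that for the next change. The Role's `get`/`list`/`watch` on `pods` also overlap the cluster-wide read grant the ClusterRole hunk below keeps, which is harmless but worth a comment so the overlap is understood as intentional.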
@@ -29,6 +43,21 @@ rules:
 resources: [ "storageclasses" ]
 verbs: [ "get", "list", "watch" ]

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: local-path-provisioner-bind
+ namespace: local-path-storage
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: local-path-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/examples/quota/local-path-storage.yaml b/examples/quota/local-path-storage.yaml
index 9edb948e..e489eca7 100644
--- a/examples/quota/local-path-storage.yaml
+++ b/examples/quota/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
 name: local-path-provisioner-service-account
 namespace: local-path-storage

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: local-path-provisioner-role
+ namespace: local-path-storage
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -20,7 +31,10 @@ rules:
 resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
 verbs: [ "get", "list", "watch" ]
 - apiGroups: [ "" ]
- resources: [ "endpoints", "persistentvolumes", "pods" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch" ]
+- apiGroups: [ "" ]
+ resources: [ "endpoints", "persistentvolumes" ]
 verbs: [ "*" ]
 - apiGroups: [ "" ]
 resources: [ "events" ]
@@ -29,6 +43,21 @@ rules:
 resources: [ "storageclasses" ]
 verbs: [ "get", "list", "watch" ]

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: local-path-provisioner-bind
+ namespace: local-path-storage
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: local-path-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-- 
GitLab