
Extend RBAC under kubernetesResources to support multi roles/clusterroles for each service account in k8s spec V3 #11293


@ycliuhw (Member) commented Mar 6, 2020

Please provide the following details to expedite Pull Request review:

Checklist

  • Checked if it requires a pylibjuju change?
  • Added integration tests for the PR?
  • Added or updated doc.go related to packages changed?
  • Do comments answer the question of why design decisions were made?

Description of change

Change the additional k8s RBAC resources under kubernetesResources to support multiple service accounts and multiple roles/clusterroles for each service account;

QA steps

Deploy a k8s charm with the k8s specs below:

# spec_template.yaml
version: 3
serviceAccount:
  automountServiceAccountToken: true
  roles:
    - global: true
      rules:
        - apiGroups: [""]
          resources: ["pods"]
          verbs: ["get", "watch", "list"]
        - nonResourceURLs: ["*"]
          verbs: ["*"]

# k8s_resources.yaml
kubernetesResources:
  serviceAccounts:
    - name: rbac-foo
      automountServiceAccountToken: true
      roles:
        - name: pod-role
          rules:
            - apiGroups: [""]
              resources: ["pods"]
              verbs: ["get", "watch", "list"]
        - name: pod-cluster-role
          global: true
          rules:
            - apiGroups: [""]
              resources: ["pods"]
              verbs: ["get", "watch", "list"]
    - name: rbac-bar
      automountServiceAccountToken: true
      roles:  # these roles do not have a name
        - rules:
            - apiGroups: [""]
              resources: ["pods"]
              verbs: ["get", "watch", "list"]
        - global: true
          rules:
            - apiGroups: [""]
              resources: ["pods"]
              verbs: ["get", "watch", "list"]

$ juju deploy /tmp/charm-builds/mariadb-k8s/ --debug  --resource mysql_image=mariadb

$ mkubectl get sa,role,rolebindings,clusterrole,clusterrolebinding -n t1
NAME                                  SECRETS   AGE
serviceaccount/mariadb-k8s            1         27s
serviceaccount/rbac-bar               1         27s
serviceaccount/rbac-foo               1         27s

NAME                                                  AGE
role.rbac.authorization.k8s.io/pod-role               27s
role.rbac.authorization.k8s.io/rbac-bar               27s

NAME                                                         AGE
rolebinding.rbac.authorization.k8s.io/rbac-bar               27s
rolebinding.rbac.authorization.k8s.io/rbac-foo-pod-role      27s

NAME                                                             AGE
clusterrole.rbac.authorization.k8s.io/t1-mariadb-k8s             27s
clusterrole.rbac.authorization.k8s.io/t1-pod-cluster-role        27s
clusterrole.rbac.authorization.k8s.io/t1-rbac-bar1               27s

NAME                                                                        AGE
clusterrolebinding.rbac.authorization.k8s.io/mariadb-k8s-t1-mariadb-k8s     27s
clusterrolebinding.rbac.authorization.k8s.io/rbac-bar-t1-rbac-bar1          26s
clusterrolebinding.rbac.authorization.k8s.io/rbac-foo-t1-pod-cluster-role   27s

Documentation changes

Yes

Bug reference

https://bugs.launchpad.net/juju/+bug/1861246
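The security-relevant part of the spec above is `global: true`: it turns a role into a ClusterRole plus a ClusterRoleBinding, so whatever the rules grant applies cluster-wide, and the spec_template's `nonResourceURLs: ["*"]` / `verbs: ["*"]` rule is exactly the kind of grant worth catching before it is deployed. The following Go program is an added example written for this page; it is not code from the PR or from Juju. It decodes the serviceAccounts list in JSON (a YAML subset, so it needs only encoding/json), expands it into the RBAC objects that the QA `kubectl get` listing shows, and lints the rules. The naming scheme in `Plan` is an assumption that merely reproduces the listing in the description (which predates the reviewer's request to fix name stuttering), the `has`, `Plan` and `Lint` helpers are this example's own, and both input documents are constructed from the YAML above, with the spec_template `serviceAccount` block carried as an entry named after the charm.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Go view of the serviceAccounts list under kubernetesResources in the PR's v3 spec, decoded
// from JSON (a YAML subset) with encoding/json alone; keys not listed here are ignored.
type (
	PolicyRule struct {
		APIGroups       []string `json:"apiGroups"`
		Resources       []string `json:"resources"`
		Verbs           []string `json:"verbs"`
		NonResourceURLs []string `json:"nonResourceURLs"`
	}
	RoleSpec struct {
		Name   string       `json:"name"`   // optional; unnamed roles get a derived name
		Global bool         `json:"global"` // true: ClusterRole + ClusterRoleBinding, cluster-wide
		Rules  []PolicyRule `json:"rules"`
	}
	ServiceAccountSpec struct {
		Name  string     `json:"name"`
		Roles []RoleSpec `json:"roles"`
	}
	Object struct{ Kind, Name, Namespace string } // Namespace is "" for cluster-scoped kinds
)

// Plan expands the list into the RBAC objects kubectl listed in the QA steps. The naming is an
// assumption reproducing that listing (before the reviewer's stuttering fix), not Juju's code.
func Plan(ns string, sas []ServiceAccountSpec) []Object {
	var out []Object
	for _, sa := range sas {
		for i, r := range sa.Roles {
			name := r.Name
			if name == "" { // unnamed roles: the SA name, indexed after the first (rbac-bar, rbac-bar1)
				name = sa.Name
				if i > 0 {
					name += fmt.Sprint(i)
				}
			}
			if r.Global { // cluster-scoped names carry the namespace to avoid clashes
				name = ns + "-" + name
				out = append(out, Object{"ClusterRole", name, ""}, Object{"ClusterRoleBinding", sa.Name + "-" + name, ""})
			} else if r.Name == "" { // binding reuses the derived name instead of repeating the SA name
				out = append(out, Object{"Role", name, ns}, Object{"RoleBinding", name, ns})
			} else {
				out = append(out, Object{"Role", name, ns}, Object{"RoleBinding", sa.Name + "-" + name, ns})
			}
		}
	}
	return out
}

func has(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// Lint flags grants a reviewer should question before deploying; findings name the SA and role index.
func Lint(sas []ServiceAccountSpec) (findings []string) {
	for _, sa := range sas {
		for i, r := range sa.Roles {
			where := fmt.Sprintf("%s/roles[%d]", sa.Name, i)
			for _, rule := range r.Rules {
				if has(rule.Verbs, "*") || has(rule.Resources, "*") || has(rule.NonResourceURLs, "*") {
					findings = append(findings, where+": wildcard verbs, resources or nonResourceURLs; enumerate what the charm needs")
				}
				if has(rule.Verbs, "escalate") || has(rule.Verbs, "bind") || has(rule.Verbs, "impersonate") {
					findings = append(findings, where+": escalate/bind/impersonate let the holder acquire further rights")
				}
				if len(rule.NonResourceURLs) > 0 && !r.Global { // the API server rejects such a Role
					findings = append(findings, where+": nonResourceURLs need global: true (ClusterRole)")
				}
			}
		}
	}
	return findings
}

// Constructed inputs: the PR's YAML as JSON; spec_template's serviceAccount block is named after the charm.
const podsRO = `{"apiGroups":[""],"resources":["pods"],"verbs":["get","watch","list"]}`
const k8sResourcesJSON = `[{"name":"rbac-foo","roles":[{"name":"pod-role","rules":[` + podsRO + `]},
   {"name":"pod-cluster-role","global":true,"rules":[` + podsRO + `]}]},
 {"name":"rbac-bar","roles":[{"rules":[` + podsRO + `]},{"global":true,"rules":[` + podsRO + `]}]}]`
const specTemplateJSON = `[{"name":"mariadb-k8s","roles":[{"global":true,"rules":[` + podsRO +
	`,{"nonResourceURLs":["*"],"verbs":["*"]}]}]}]`

func main() {
	var sas []ServiceAccountSpec
	if err := json.Unmarshal([]byte(specTemplateJSON), &sas); err != nil {
		panic(err)
	}
	fmt.Println(Plan("t1", sas), Lint(sas))
}
```

Run with `go run .`: for the spec_template service account it plans the `t1-mariadb-k8s` ClusterRole and its `mariadb-k8s-t1-mariadb-k8s` binding (the names in the QA listing) and reports one finding for the wildcard nonResourceURLs rule, while the k8sResources document, whose rules are all read-only on pods, lints clean. The namespaced-Role check matters because Kubernetes only accepts nonResourceURLs in a ClusterRole: a spec that puts them on a role without `global: true` will be rejected by the API server rather than silently narrowed.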

@ycliuhw ycliuhw force-pushed the ycliuhw:feature/less-restrict-rbac-under-kubernetesResources branch 2 times, most recently from 6e93768 to c131a0f Mar 10, 2020
@ycliuhw ycliuhw force-pushed the ycliuhw:feature/less-restrict-rbac-under-kubernetesResources branch from 3a8741a to 74dba0b Mar 10, 2020
@ycliuhw ycliuhw requested a review from wallyworld Mar 10, 2020
@ycliuhw ycliuhw marked this pull request as ready for review Mar 10, 2020
@ycliuhw ycliuhw force-pushed the ycliuhw:feature/less-restrict-rbac-under-kubernetesResources branch from 95e4a20 to 44315cc Mar 11, 2020
wallyworld (Member) left a comment

Looks good. But we need to fix the stuttering in the role name

Files with review comments (all resolved):
  • caas/kubernetes/provider/k8s_test.go (2 comments, outdated)
  • caas/kubernetes/provider/rbac.go (outdated)
  • caas/kubernetes/provider/specs/v3.go (outdated)
  • caas/specs/v3.go
@ycliuhw ycliuhw force-pushed the ycliuhw:feature/less-restrict-rbac-under-kubernetesResources branch from 707b6d9 to 0ae1e8d Mar 12, 2020
@ycliuhw (Member, Author) commented Mar 12, 2020 (comment minimized)

!!build!!
Temporary failure resolving 'archive.ubuntu.com'

@ycliuhw (Member, Author) commented Mar 12, 2020 (comment minimized)

$$merge$$

@jujubot jujubot merged commit 4e4cd48 into juju:develop Mar 12, 2020
4 of 5 checks passed: Client Tests (ubuntu-latest), Lint, Schema and check-multi-juju (build finished) passed; merge-multi-juju reported "Build started for merge commit."
@ycliuhw ycliuhw deleted the ycliuhw:feature/less-restrict-rbac-under-kubernetesResources branch Mar 12, 2020