add virtual-kubelet local ClusterRole

liqotech · May 21, 2021 · 266e69b · 266e69b
1 parent 8476758
commit 266e69b
Show file tree

Hide file tree

Showing 5 changed files with 139 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -65,6 +65,7 @@ rbacs: controller-gen
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./pkg/peering-roles/basic" rbac:roleName=liqo-remote-peering-basic output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-remote-peering-basic-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' &&  sed -i -n '/rules/,$$p' deployments/liqo/files/liqo-remote-peering-basic-ClusterRole.yaml
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./pkg/peering-roles/incoming" rbac:roleName=liqo-remote-peering-incoming output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-remote-peering-incoming-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' &&  sed -i -n '/rules/,$$p' deployments/liqo/files/liqo-remote-peering-incoming-ClusterRole.yaml
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./pkg/peering-roles/outgoing" rbac:roleName=liqo-remote-peering-outgoing output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-remote-peering-outgoing-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' &&  sed -i -n '/rules/,$$p' deployments/liqo/files/liqo-remote-peering-outgoing-ClusterRole.yaml
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./pkg/virtualKubelet/roles" rbac:roleName=liqo-virtual-kubelet-local output:rbac:stdout | awk -v RS="---\n" 'NR>1{f="./deployments/liqo/files/liqo-virtual-kubelet-local-" $$4 ".yaml";printf "%s",$$0 > f; close(f)}' &&  sed -i -n '/rules/,$$p' deployments/liqo/files/liqo-virtual-kubelet-local-ClusterRole.yaml
 
 # Run go fmt against code
 fmt:

diff --git a/deployments/liqo/files/liqo-virtual-kubelet-local-ClusterRole.yaml b/deployments/liqo/files/liqo-virtual-kubelet-local-ClusterRole.yaml
@@ -0,0 +1,114 @@
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - namespaces
+  - nodes
+  - pods
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces/status
+  - nodes/status
+  - pods/status
+  - services/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - replicasets/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/approval
+  verbs:
+  - update
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - net.liqo.io
+  resources:
+  - tunnelendpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - sharing.liqo.io
+  resources:
+  - advertisements
+  verbs:
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - virtualkubelet.liqo.io
+  resources:
+  - namespacenattingtables
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/deployments/liqo/templates/liqo-virtual-kubelet-local.yaml b/deployments/liqo/templates/liqo-virtual-kubelet-local.yaml
@@ -0,0 +1,9 @@
+{{- $virtualKubeletConfig := (merge (dict "name" "virtual-kubelet-local" "module" "virtualkubelet") .) -}}
+
+# to be enabled with the creation of the Tenant Control Namespace,
+# this ClusterRole has the basic permissions to give to a remote cluster
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "liqo.prefixedName" $virtualKubeletConfig }}
+{{ .Files.Get (include "liqo.cluster-role-filename" (dict "prefix" ( include "liqo.prefixedName" $virtualKubeletConfig))) }}
diff --git a/pkg/virtualKubelet/roles/role.go b/pkg/virtualKubelet/roles/role.go
@@ -0,0 +1,14 @@
+// Package roles defines the ClusterRole containing the permissions required by the virtual kubelet in the local cluster.
+package roles
+
+// +kubebuilder:rbac:groups="",resources=configmaps;pods;services;namespaces;secrets;nodes,verbs=get;update;patch;list;watch;delete;create
+// +kubebuilder:rbac:groups="",resources=pods/status;services/status;namespaces/status;nodes/status,verbs=get;update;patch;list;watch;delete;create
+// +kubebuilder:rbac:groups=apps,resources=replicasets,verbs=get;update;patch;list;watch;delete;create
+// +kubebuilder:rbac:groups=apps,resources=replicasets/status,verbs=get;update;patch;list;watch;delete;create
+// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;update;patch;list;watch;delete;create
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/approval,verbs=update
+
+// +kubebuilder:rbac:groups=virtualkubelet.liqo.io,resources=namespacenattingtables,verbs=get;update;patch;list;watch;delete;create
+// +kubebuilder:rbac:groups=net.liqo.io,resources=tunnelendpoints,verbs=get;list;watch
+// +kubebuilder:rbac:groups=sharing.liqo.io,resources=advertisements,verbs=get;list;watch;update;delete
diff --git a/pkg/vkMachinery/forge/creation.go b/pkg/vkMachinery/forge/creation.go
@@ -59,7 +59,7 @@ func ForgeVKClusterRoleBinding(name string, kubeletNamespace string) *rbacv1.Clu
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     "cluster-admin",
+			Name:     "liqo-virtual-kubelet-local",
 		},
 	}
 }