Virtual kubelet: reduce local privileges
giorio94 authored and adamjensenbot committed Jun 8, 2022
1 parent 50e3573 commit bb75318
Showing 3 changed files with 48 additions and 58 deletions.
80 changes: 35 additions & 45 deletions deployments/liqo/files/liqo-virtual-kubelet-local-ClusterRole.yaml
@@ -1,16 +1,40 @@
rules:
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- create
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- update
- apiGroups:
- ""
resources:
- configmaps
- secrets
- services
- services/status
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
Expand All @@ -23,6 +47,7 @@ rules:
- ""
resources:
- nodes
- nodes/status
verbs:
- create
- delete
Expand All @@ -34,9 +59,8 @@ rules:
- apiGroups:
- ""
resources:
- nodes/status
- pods/status
- services/status
- persistentvolumeclaims
- persistentvolumes
verbs:
- create
- delete
Expand All @@ -50,11 +74,11 @@ rules:
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
Expand All @@ -65,62 +89,28 @@ rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- update
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- create
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
- pods/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- events
- secrets
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
- persistentvolumes
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- create
- get
- list
- watch
24 changes: 12 additions & 12 deletions pkg/virtualKubelet/roles/local/role.go
Expand Up @@ -15,25 +15,25 @@
// Package local defines the ClusterRole containing the permissions required by the virtual kubelet in the local cluster.
package local

// +kubebuilder:rbac:groups="",resources=configmaps;services;secrets,verbs=get;list;watch;delete;create
// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;create;update
// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
// +kubebuilder:rbac:groups="",resources=nodes,verbs=get;update;patch;list;watch;delete;create
// +kubebuilder:rbac:groups="",resources=pods,verbs=get;patch;list;watch;delete;create
// +kubebuilder:rbac:groups="",resources=pods/status;services/status;nodes/status,verbs=get;update;patch;list;watch;delete;create
// +kubebuilder:rbac:groups="",resources=pods/eviction,verbs=create
// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims;persistentvolumes,verbs=get;list;watch;create;delete;update
// +kubebuilder:rbac:groups=core,resources=configmaps;services;services/status;secrets,verbs=get;list;watch
// +kubebuilder:rbac:groups=core,resources=nodes;nodes/status,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;delete;update;patch
// +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get;list;watch;create;delete;update;patch
// +kubebuilder:rbac:groups=core,resources=pods/eviction,verbs=create
// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims;persistentvolumes,verbs=get;list;watch;create;delete;update;patch
// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch
// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch

// +kubebuilder:rbac:groups=apps,resources=replicasets,verbs=get;list;watch
// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=create;get;list;watch

// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch
// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;list;watch

// +kubebuilder:rbac:groups=virtualkubelet.liqo.io,resources=namespacemaps,verbs=get;list;watch;
// +kubebuilder:rbac:groups=net.liqo.io,resources=tunnelendpoints,verbs=get;list;watch
// +kubebuilder:rbac:groups=sharing.liqo.io,resources=resourceoffers,verbs=get;list;watch;update;patch;delete

// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;create;update;delete

// Additional permissions necessary for the virtual kubelet initialization process.
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=create;update;patch
// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch
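Review bot: The header comment on the last group ("Additional permissions necessary for the virtual kubelet initialization process") reads as if the secrets `create;update;patch` and certificatesigningrequests grants were temporary, but a ClusterRole cannot be scoped in time, so these verbs stay available to the virtual kubelet for its whole lifetime; consider rewording it to `// Permissions used only during virtual kubelet initialization (certificate bootstrap); they remain granted afterwards.` Two of the rewritten markers also widen rather than narrow a verb set, which the commit title does not suggest: `patch` appears on persistentvolumeclaims;persistentvolumes and on secrets, whereas the markers they replace (presumably the old side at the top of the hunk) had no `patch` on either. If a specific code path requires it, a short comment naming that path on each marker would make the next privilege review easier. Note also that `get;list;watch` on secrets in a ClusterRole is cluster-wide; if the kubelet only reflects secrets from offloaded namespaces, binding this rule per namespace, or documenting why cluster scope is needed, would keep the reduction consistent.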
2 changes: 1 addition & 1 deletion pkg/virtualKubelet/roles/remote/role.go
Expand Up @@ -15,7 +15,7 @@
// Package remote defines the ClusterRole containing the permissions required by the virtual kubelet in the remote cluster.
package remote

// +kubebuilder:rbac:groups=core,resources=configmaps;services;secrets,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=core,resources=configmaps;services;secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
// +kubebuilder:rbac:groups=core,resources=pods/log,verbs=get;list
// +kubebuilder:rbac:groups=core,resources=pods/exec,verbs=create

0 comments on commit bb75318
