fix permissions

liqotech · Sep 17, 2021 · e59dc17 · e59dc17
1 parent fbe4a7b
commit e59dc17
Show file tree

Hide file tree

Showing 19 changed files with 375 additions and 93 deletions.
diff --git a/apis/sharing/v1alpha1/groupversion_info.go b/apis/sharing/v1alpha1/groupversion_info.go
@@ -26,8 +26,6 @@ var (
 	// GroupVersion is group version used to register these objects.
 	GroupVersion = schema.GroupVersion{Group: "sharing.liqo.io", Version: "v1alpha1"}
 
-	GroupResource = schema.GroupResource{Group: GroupVersion.Group, Resource: "advertisements"}
-
 	// ResourceOfferGroupResource is group resource used by resourceOffer objects.
 	ResourceOfferGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resource: "resourceoffers"}
 

diff --git a/cmd/discovery/main.go b/cmd/discovery/main.go
@@ -63,6 +63,9 @@ func main() {
 	authServicePortOverride := flag.String(consts.AuthServicePortOverrideParameter, "",
 		"The port the authentication service is reachable from foreign clusters (automatically retrieved if not set")
 	autoJoin := flag.Bool("auto-join-discovered-clusters", true, "Whether to automatically peer with discovered clusters")
+	ownerReferencesPermissionEnforcement := flag.Bool("owner-references-permission-enforcement", false,
+		"Enable support for the OwnerReferencesPermissionEnforcement admission controller "+
+			"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement")
 
 	var mdnsConfig discovery.MDNSConfig
 	flag.BoolVar(&mdnsConfig.EnableAdvertisement, "mdns-enable-advertisement", false, "Enable the mDNS advertisement on LANs")
@@ -144,7 +147,7 @@ func main() {
 	klog.Info("Starting ForeignCluster operator")
 	foreignclusteroperator.StartOperator(mgr, namespacedClient, clientset, *namespace,
 		*requeueAfter, localClusterID, *clusterName, *authServiceAddressOverride,
-		*authServicePortOverride, *autoJoin)
+		*authServicePortOverride, *autoJoin, *ownerReferencesPermissionEnforcement)
 
 	if err := mgr.Add(auxmgr); err != nil {
 		klog.Errorf("Unable to add the auxiliary manager to the main one: %w", err)

diff --git a/deployments/liqo/files/liqo-controller-manager-ClusterRole.yaml b/deployments/liqo/files/liqo-controller-manager-ClusterRole.yaml
@@ -36,6 +36,19 @@ rules:
   verbs:
   - create
   - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes/finalizers
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:
@@ -210,8 +223,6 @@ rules:
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ""
@@ -245,6 +256,7 @@ rules:
 - apiGroups:
   - discovery.liqo.io
   resources:
+  - foreignclusters/finalizers
   - foreignclusters/status
   verbs:
   - get
@@ -265,6 +277,15 @@ rules:
 - apiGroups:
   - discovery.liqo.io
   resources:
+  - resourcerequests/finalizers
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - discovery.liqo.io
+  resources:
+  - resourcerequests/finalizers
   - resourcerequests/status
   verbs:
   - get
@@ -331,6 +352,8 @@ rules:
   resources:
   - resourceoffers/finalizers
   verbs:
+  - get
+  - patch
   - update
 - apiGroups:
   - sharing.liqo.io
@@ -352,4 +375,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - virtualkubelet.liqo.io
+  resources:
+  - namespacemaps/finalizers
+  verbs:
+  - get
+  - patch
+  - update
 
diff --git a/deployments/liqo/files/liqo-discovery-ClusterRole.yaml b/deployments/liqo/files/liqo-discovery-ClusterRole.yaml
@@ -1,4 +1,12 @@
 rules:
+- apiGroups:
+  - capsule.clastix.io
+  resources:
+  - tenants/finalizers
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:
@@ -41,22 +49,22 @@ rules:
 - apiGroups:
   - discovery.liqo.io
   resources:
-  - foreignclusters/status
+  - foreignclusters/finalizers
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
   - discovery.liqo.io
   resources:
-  - peeringrequests
+  - foreignclusters/status
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - discovery.liqo.io
@@ -83,6 +91,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - discovery.liqo.io
+  resources:
+  - searchdomains/finalizers
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - net.liqo.io
   resources:
@@ -117,12 +133,15 @@ rules:
   - clusterrolebindings
   verbs:
   - create
+  - delete
   - get
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
   - clusterroles
   verbs:
+  - create
+  - delete
   - get
   - list
   - watch
@@ -135,26 +154,4 @@ rules:
   - delete
   - deletecollection
   - get
-- apiGroups:
-  - sharing.liqo.io
-  resources:
-  - advertisements
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
-- apiGroups:
-  - sharing.liqo.io
-  resources:
-  - advertisements/status
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
 
diff --git a/deployments/liqo/files/liqo-network-manager-ClusterRole.yaml b/deployments/liqo/files/liqo-network-manager-ClusterRole.yaml
@@ -34,6 +34,7 @@ rules:
 - apiGroups:
   - discovery.liqo.io
   resources:
+  - foreignclusters/finalizers
   - foreignclusters/status
   verbs:
   - get

diff --git a/deployments/liqo/files/liqo-virtual-kubelet-local-ClusterRole.yaml b/deployments/liqo/files/liqo-virtual-kubelet-local-ClusterRole.yaml
@@ -116,7 +116,6 @@ rules:
 - apiGroups:
   - sharing.liqo.io
   resources:
-  - advertisements
   - resourceoffers
   verbs:
   - delete

diff --git a/internal/discovery/foreign-cluster-operator/foreign-cluster-controller.go b/internal/discovery/foreign-cluster-operator/foreign-cluster-controller.go
@@ -91,12 +91,13 @@ type ForeignClusterReconciler struct {
 	LiqoNamespacedClient client.Client
 	liqoNamespace        string
 
-	requeueAfter               time.Duration
-	clusterID                  clusterid.ClusterID
-	clusterName                string
-	authServiceAddressOverride string
-	authServicePortOverride    string
-	autoJoin                   bool
+	requeueAfter                         time.Duration
+	clusterID                            clusterid.ClusterID
+	clusterName                          string
+	authServiceAddressOverride           string
+	authServicePortOverride              string
+	autoJoin                             bool
+	ownerReferencesPermissionEnforcement bool
 
 	namespaceManager tenantnamespace.Manager
 	identityManager  identitymanager.IdentityManager
@@ -107,22 +108,24 @@ type ForeignClusterReconciler struct {
 // clusterRole
 // +kubebuilder:rbac:groups=discovery.liqo.io,resources=foreignclusters,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=discovery.liqo.io,resources=foreignclusters/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=discovery.liqo.io,resources=foreignclusters/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=discovery.liqo.io,resources=searchdomains,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=discovery.liqo.io,resources=peeringrequests,verbs=get;list;watch
+// +kubebuilder:rbac:groups=discovery.liqo.io,resources=searchdomains/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=discovery.liqo.io,resources=resourcerequests,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=net.liqo.io,resources=networkconfigs,verbs=*
 // +kubebuilder:rbac:groups=net.liqo.io,resources=networkconfigs/status,verbs=*
 // +kubebuilder:rbac:groups=net.liqo.io,resources=tunnelendpoints,verbs=get;list;watch
 // +kubebuilder:rbac:groups=net.liqo.io,resources=tunnelendpoints/status,verbs=get;watch;update
-// +kubebuilder:rbac:groups=sharing.liqo.io,resources=advertisements,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=sharing.liqo.io,resources=advertisements/status,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=core,resources=nodes,verbs=list;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;create
 // tenant namespace management
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;delete;update
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;create;deletecollection;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;create;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;create;delete
+// +kubebuilder:rbac:groups=capsule.clastix.io,resources=tenants/finalizers,verbs=get;patch;update
 // role
 // +kubebuilder:rbac:groups=core,namespace="liqo",resources=services,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,namespace="liqo",resources=configmaps,verbs=get;list;watch;create;update;delete
@@ -270,7 +273,7 @@ func (r *ForeignClusterReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	// ------ (6) garbage collection ------
 
 	// check if this ForeignCluster needs to be deleted. It could happen, for example, if it has been discovered
-	// thanks to incoming peeringRequest and it has no active connections
+	// thanks to incoming resourceRequest and it has no active connections
 	if foreignclusterutils.HasToBeRemoved(&foreignCluster) {
 		klog.Infof("[%v] Delete ForeignCluster %v with discovery type %v",
 			foreignCluster.Spec.ClusterIdentity.ClusterID,