From b15949a7641c2552e825b673c3faf97b638352cc Mon Sep 17 00:00:00 2001
From: Ilyes Ben Dlala
Date: Fri, 14 Jul 2023 15:21:51 +0200
Subject: [PATCH 1/3] Updated the templates/rbac of the operator

rbac definitiotions are generated to config/rbac which is not part of the helm deployment This fixes that by including any auto-generated changes

Signed-off-by: Ilyes Ben Dlala
---
 .../rbac/cascadingrule_editor_role.yaml | 28 +++++++++++++++++++
 .../rbac/cascadingrule_viewer_role.yaml | 24 ++++++++++++++++
 operator/templates/rbac/kustomization.yaml | 22 +++++++++++++++
 operator/templates/rbac/role.yaml | 13 +++++----
 .../rbac/scancompletionhook_editor_role.yaml | 28 +++++++++++++++++++
 .../rbac/scancompletionhook_viewer_role.yaml | 24 ++++++++++++++++
 operator/templates/rbac/service_account.yaml | 9 ++++++
 7 files changed, 143 insertions(+), 5 deletions(-)
 create mode 100644 operator/templates/rbac/cascadingrule_editor_role.yaml
 create mode 100644 operator/templates/rbac/cascadingrule_viewer_role.yaml
 create mode 100644 operator/templates/rbac/kustomization.yaml
 create mode 100644 operator/templates/rbac/scancompletionhook_editor_role.yaml
 create mode 100644 operator/templates/rbac/scancompletionhook_viewer_role.yaml
 create mode 100644 operator/templates/rbac/service_account.yaml

diff --git a/operator/templates/rbac/cascadingrule_editor_role.yaml b/operator/templates/rbac/cascadingrule_editor_role.yaml
new file mode 100644
index 0000000000..487dcdb21e
--- /dev/null
+++ b/operator/templates/rbac/cascadingrule_editor_role.yaml
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# permissions for end users to edit cascadingrules.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cascadingrule-editor-role
+rules:
+ - apiGroups:
+ - cascading.securecodebox.io
+ resources:
+ - cascadingrules
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cascading.securecodebox.io
+ resources:
+ - cascadingrules/status
+ verbs:
+ - get
diff --git a/operator/templates/rbac/cascadingrule_viewer_role.yaml b/operator/templates/rbac/cascadingrule_viewer_role.yaml
new file mode 100644
index 0000000000..7723fd6513
--- /dev/null
+++ b/operator/templates/rbac/cascadingrule_viewer_role.yaml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# permissions for end users to view cascadingrules.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cascadingrule-viewer-role
+rules:
+ - apiGroups:
+ - cascading.securecodebox.io
+ resources:
+ - cascadingrules
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - cascading.securecodebox.io
+ resources:
+ - cascadingrules/status
+ verbs:
+ - get
diff --git a/operator/templates/rbac/kustomization.yaml b/operator/templates/rbac/kustomization.yaml
new file mode 100644
index 0000000000..ce0e1a4157
--- /dev/null
+++ b/operator/templates/rbac/kustomization.yaml
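Review bot: The `cascadingrule-editor-role` ClusterRole added here is the kubebuilder end-user scaffold from config/rbac, and nothing in this series binds it, so the chart now installs unbound cluster-scoped roles with fixed names (this file, the `cascadingrule-viewer-role` hunk below it, and the two scancompletionhook editor/viewer hunks in the third patch file) rather than anything the operator itself needs. The editor variant carries create/delete/patch/update on cascadingrules cluster-wide, and if the chart's other RBAC objects scope their names to the release (not visible in this hunk) these fixed names will collide on a second install into the same cluster. Patch 3 removes kustomization.yaml and service_account.yaml as unnecessary scaffold output, so the same decision should be made explicitly for these four roles: drop them, or keep them behind a values toggle (using whatever key the chart's values file already provides) and state the intent in the header comment, e.g. `# Optional convenience ClusterRole for cluster admins; not bound or used by the operator itself.`.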
@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+resources:
+ # All RBAC will be applied under this service account in
+ # the deployment namespace. You may comment out this resource
+ # if your manager will use a service account that exists at
+ # runtime. Be sure to update RoleBinding and ClusterRoleBinding
+ # subjects if changing service account names.
+ - service_account.yaml
+ - role.yaml
+ - role_binding.yaml
+ - leader_election_role.yaml
+ - leader_election_role_binding.yaml
+ # Comment the following 4 lines if you want to disable
+ # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+ # which protects your /metrics endpoint.
+ - auth_proxy_service.yaml
+ - auth_proxy_role.yaml
+ - auth_proxy_role_binding.yaml
+ - auth_proxy_client_clusterrole.yaml
diff --git a/operator/templates/rbac/role.yaml b/operator/templates/rbac/role.yaml
index ac5d0c8aa8..661d011ab0 100644
--- a/operator/templates/rbac/role.yaml
+++ b/operator/templates/rbac/role.yaml
@@ -1,7 +1,3 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole
@@ -100,6 +96,14 @@ rules: - get - patch - update +- apiGroups: + - execution.securecodebox.io/status + resources: + - scheduledscans + verbs: + - get + - patch + - update - apiGroups: - rbac.authorization.k8s.io resources:
@@ -116,6 +120,5 @@ rules: verbs: - create - get - - update - list - watch
diff --git a/operator/templates/rbac/scancompletionhook_editor_role.yaml b/operator/templates/rbac/scancompletionhook_editor_role.yaml
new file mode 100644
index 0000000000..f24ca2b342
--- /dev/null
+++ b/operator/templates/rbac/scancompletionhook_editor_role.yaml
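Review bot: The rule added in the second role.yaml hunk (`@@ -100,6 +96,14 @@`) puts the subresource suffix on the API group, `execution.securecodebox.io/status`, with resource `scheduledscans`; no such API group exists, so this rule matches nothing and the controller's status writes on scheduledscans are only authorized if another rule outside this hunk already names `scheduledscans/status`. The two lines should read `- execution.securecodebox.io` and `- scheduledscans/status`. Since this file is generated output, the corresponding RBAC marker in the controller source (not part of this diff) is the place to correct, otherwise the next regeneration reintroduces the broken rule; the enclosing `rules:` list starts and ends outside the hunk. The third hunk (`@@ -116,6 +120,5 @@`) drops the `update` verb from a rule whose resource is outside the hunk, which is a privilege reduction and is worth stating in the commit message so it is not mistaken for a regeneration artefact.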
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# permissions for end users to edit scancompletionhooks.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scancompletionhook-editor-role
+rules:
+ - apiGroups:
+ - execution.securecodebox.io
+ resources:
+ - scancompletionhooks
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - execution.securecodebox.io
+ resources:
+ - scancompletionhooks/status
+ verbs:
+ - get
diff --git a/operator/templates/rbac/scancompletionhook_viewer_role.yaml b/operator/templates/rbac/scancompletionhook_viewer_role.yaml
new file mode 100644
index 0000000000..5d33eb6c85
--- /dev/null
+++ b/operator/templates/rbac/scancompletionhook_viewer_role.yaml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# permissions for end users to view scancompletionhooks.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scancompletionhook-viewer-role
+rules:
+ - apiGroups:
+ - execution.securecodebox.io
+ resources:
+ - scancompletionhooks
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - execution.securecodebox.io
+ resources:
+ - scancompletionhooks/status
+ verbs:
+ - get
diff --git a/operator/templates/rbac/service_account.yaml b/operator/templates/rbac/service_account.yaml
new file mode 100644
index 0000000000..87eeb115e3
--- /dev/null
+++ b/operator/templates/rbac/service_account.yaml
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller-manager
+ namespace: system

From c74c94cfeb3d417a90884610c205baa38c9e1b51 Mon Sep 17 00:00:00 2001
From: Ilyes Ben Dlala
Date: Fri, 14 Jul 2023 15:27:42 +0200
Subject: [PATCH 2/3] Add missing SPDX header to templates/rbac/role.yaml
Signed-off-by: Ilyes Ben Dlala
---
 operator/templates/rbac/role.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/operator/templates/rbac/role.yaml b/operator/templates/rbac/role.yaml
index 661d011ab0..c80f66fb95 100644
--- a/operator/templates/rbac/role.yaml
+++ b/operator/templates/rbac/role.yaml
@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+ --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole

From aad55ba522dae1124c91ffafbc531433c06d1e51 Mon Sep 17 00:00:00 2001
From: Ilyes Ben Dlala
Date: Fri, 14 Jul 2023 16:16:40 +0200
Subject: [PATCH 3/3] removed duplicate/unnecessary auto-generated rbac files

Signed-off-by: Ilyes Ben Dlala
---
 operator/templates/rbac/kustomization.yaml | 22 --------------------
 operator/templates/rbac/service_account.yaml | 9 --------
 2 files changed, 31 deletions(-)
 delete mode 100644 operator/templates/rbac/kustomization.yaml
 delete mode 100644 operator/templates/rbac/service_account.yaml

diff --git a/operator/templates/rbac/kustomization.yaml b/operator/templates/rbac/kustomization.yaml
deleted file mode 100644
index ce0e1a4157..0000000000
--- a/operator/templates/rbac/kustomization.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-resources:
- # All RBAC will be applied under this service account in
- # the deployment namespace. You may comment out this resource
- # if your manager will use a service account that exists at
- # runtime. Be sure to update RoleBinding and ClusterRoleBinding
- # subjects if changing service account names.
- - service_account.yaml
- - role.yaml
- - role_binding.yaml
- - leader_election_role.yaml
- - leader_election_role_binding.yaml
- # Comment the following 4 lines if you want to disable
- # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
- # which protects your /metrics endpoint.
- - auth_proxy_service.yaml
- - auth_proxy_role.yaml
- - auth_proxy_role_binding.yaml
- - auth_proxy_client_clusterrole.yaml
diff --git a/operator/templates/rbac/service_account.yaml b/operator/templates/rbac/service_account.yaml
deleted file mode 100644
index 87eeb115e3..0000000000
--- a/operator/templates/rbac/service_account.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: controller-manager
- namespace: system