From d67dde7cd2170d7e7064d57ea393020df91fa38d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Mon, 25 Nov 2024 16:50:39 +0100
Subject: [PATCH 1/8] limits gardenercluster rbacs annotations to kcp-system

---
 .../controller/kubeconfig/gardener_cluster_controller.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go
index c532e203..87cba31e 100644
--- a/internal/controller/kubeconfig/gardener_cluster_controller.go
+++ b/internal/controller/kubeconfig/gardener_cluster_controller.go
@@ -77,10 +77,10 @@ type KubeconfigProvider interface {
 	Fetch(ctx context.Context, shootName string) (string, error)
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
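Review bot: Adding `namespace=kcp-system` to these markers turns the generated grant into a namespaced Role, but nothing in this series narrows the manager's cache, so if the manager still lists and watches GardenerCluster and Secret objects cluster-wide those informers will be forbidden under a Role that only covers kcp-system — confirm the controller-runtime cache is restricted to kcp-system (it may already be; that file is not in the series). The same applies to the runtimes markers that the next commit namespaces in runtime_controller.go. A short comment above the marker block would make the coupling explicit, e.g. `// RBAC is scoped to kcp-system: the generated Role grants nothing outside it, so the manager must run in and watch only that namespace.`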
From 7a6a835b2edfe48ea5ffd4836a01e3dc146b9f28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Mon, 25 Nov 2024 16:53:18 +0100
Subject: [PATCH 2/8] limits runtime rbacs annotations to kcp-system

---
 config/rbac/role.yaml | 44 ++++++++++---------
 .../controller/runtime/runtime_controller.go | 6 +--
 2 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 7681c444..798e3f36 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,21 +4,10 @@ kind: ClusterRole
 metadata:
   name: infrastructure-manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters
+  - runtimes
   verbs:
   - create
   - delete
@@ -30,38 +19,51 @@ rules:
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters/finalizers
+  - runtimes/finalizers
   verbs:
   - update
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters/status
+  - runtimes/status
   verbs:
+  - get
+  - patch
   - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: infrastructure-manager-role
+  namespace: kcp-system
+rules:
 - apiGroups:
-  - infrastructuremanager.kyma-project.io
+  - ""
   resources:
-  - runtimes
+  - secrets
   verbs:
   - create
   - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - runtimes/finalizers
+  - gardenerclusters
   verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
   - update
+  - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - runtimes/status
+  - gardenerclusters/finalizers
+  - gardenerclusters/status
   verbs:
-  - get
-  - patch
   - update
diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
index 1f8eb574..5aa8f530 100644
--- a/internal/controller/runtime/runtime_controller.go
+++ b/internal/controller/runtime/runtime_controller.go
@@ -41,9 +41,9 @@ type RuntimeReconciler struct {
 	EventRecorder record.EventRecorder
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
 
 var requCounter = 0 // nolint:gochecknoglobals
 

From 3376e95ac90775e37beda42bc7c4d740aacf6863 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Mon, 25 Nov 2024 16:54:23 +0100
Subject: [PATCH 3/8] removes Delete verb from runtime rbac annotations

---
 internal/controller/runtime/runtime_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
index 5aa8f530..867cf9b9 100644
--- a/internal/controller/runtime/runtime_controller.go
+++ b/internal/controller/runtime/runtime_controller.go
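Review bot: The struct context above the markers shows `EventRecorder record.EventRecorder`, yet none of the rbac markers in this file cover the core `events` resource, so the namespaced Role generated from them will not carry that grant either. If the reconciler actually records events (not visible in the hunk), posting them needs `create` and `patch` on `events` in kcp-system; otherwise the recorder's writes are rejected and only surface as forbidden errors in the manager log. If that permission comes from a separate manifest, a comment saying so next to the markers would save the next reader the search; if not, add `//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch,namespace=kcp-system`.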
@@ -41,7 +41,7 @@ type RuntimeReconciler struct {
 	EventRecorder record.EventRecorder
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch,namespace=kcp-system
 //+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
 //+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
 

From 1d9c50a7ac7eb4ab314e1e005b0d8c9fea35e10a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Tue, 26 Nov 2024 07:38:19 +0100
Subject: [PATCH 4/8] aligns rbac annotations for gardenercluster status and finalizer

---
 internal/controller/kubeconfig/gardener_cluster_controller.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go
index 87cba31e..75554b43 100644
--- a/internal/controller/kubeconfig/gardener_cluster_controller.go
+++ b/internal/controller/kubeconfig/gardener_cluster_controller.go
@@ -79,8 +79,8 @@ type KubeconfigProvider interface {
 
 //+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=get;list;delete;create;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=get;list;delete;create;update;patch,namespace=kcp-system
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

From 32381e01e9243f1da9fa035a9619b21fab58be2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Tue, 26 Nov 2024 07:38:32 +0100
Subject: [PATCH 5/8] aligns rbac annotations for runtime status and finalizer

---
 internal/controller/runtime/runtime_controller.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
index 867cf9b9..d87f09a7 100644
--- a/internal/controller/runtime/runtime_controller.go
+++ b/internal/controller/runtime/runtime_controller.go
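Review bot: The new verb lists on the `gardenerclusters/finalizers` and `gardenerclusters/status` markers widen the grant rather than align it: a CRD status subresource only serves get, update and patch, and the finalizers entry exists for the OwnerReferencesPermissionEnforcement admission check, which needs `update` alone, so `create`, `delete` and `list` here are permissions the controller can never exercise but that will be emitted into the generated Role. The next commit makes the same change to the runtimes markers in runtime_controller.go, which also sits oddly beside the earlier commit that deliberately removed `delete` from the runtimes marker. The least-privilege form is `//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system` and `//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=get;update;patch,namespace=kcp-system`.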
@@ -42,8 +42,8 @@ type RuntimeReconciler struct {
 }
 
 //+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;list;delete;create;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=get;list;delete;create;update;patch,namespace=kcp-system
 
 var requCounter = 0 // nolint:gochecknoglobals
 

From fa2cc6b42175022f3a4edd03ab7af14b68c70381 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Tue, 26 Nov 2024 09:02:34 +0100
Subject: [PATCH 6/8] updates role.yaml

---
 config/rbac/role.yaml | 46 +++++++++++++++----------------------
 1 file changed, 16 insertions(+), 30 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 798e3f36..cec4423a 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -1,57 +1,40 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: infrastructure-manager-role
+  namespace: kcp-system
 rules:
 - apiGroups:
-  - infrastructuremanager.kyma-project.io
+  - ""
   resources:
-  - runtimes
+  - secrets
   verbs:
   - create
   - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - runtimes/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - infrastructuremanager.kyma-project.io
-  resources:
-  - runtimes/status
-  verbs:
-  - get
-  - patch
-  - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: infrastructure-manager-role
-  namespace: kcp-system
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
+  - gardenerclusters
   verbs:
   - create
   - delete
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters
+  - gardenerclusters/finalizers
+  - gardenerclusters/status
+  - runtimes/finalizers
+  - runtimes/status
   verbs:
   - create
   - delete
@@ -59,11 +42,14 @@ rules:
   - list
   - patch
   - update
-  - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters/finalizers
-  - gardenerclusters/status
+  - runtimes
   verbs:
+  - create
+  - get
+  - list
+  - patch
   - update
+  - watch

From a9cdbc662f334dad615b84c621a7e4c39282a586 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Wed, 27 Nov 2024 12:28:00 +0100
Subject: [PATCH 7/8] IM rolebinding is now namespaced instead of cluster scoped

---
 config/rbac/role_binding.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 60f28ad3..5b3b05c4 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
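Review bot: The manifest keeps the name `infrastructure-manager-role` while changing `kind: ClusterRole` to `kind: Role`, so an upgrade that applies the new manifests creates the namespaced Role but leaves the existing cluster-scoped ClusterRole — and, after the next commit, the ClusterRoleBinding that references it — in place unless they are pruned or deleted explicitly; until that happens whatever service account the old binding names keeps its cluster-wide access and the narrowing has no effect. Worth either a documented removal step for the old ClusterRole and ClusterRoleBinding in the upgrade notes or a distinct name for the namespaced Role so the leftover is visible. If this file is regenerated by controller-gen, the rule bundling the four finalizers/status subresources with create, delete and list is inherited from the widened markers in the two preceding commits rather than something to fix here.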
@@ -1,17 +1,18 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/name: rolebinding
     app.kubernetes.io/instance: infrastructure-manager-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: infrastructure-manager-rolebinding
+  namespace: kcp-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: infrastructure-manager-role
 subjects:
 - kind: ServiceAccount

From e9736f4fbfeaa03b2df28c33655eca596aa7b212 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Tue, 3 Dec 2024 07:58:19 +0100
Subject: [PATCH 8/8] service account is now created in kcp-system ns

---
 config/rbac/service_account.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 5c3330c2..3ddd25a9 100644
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -9,4 +9,4 @@ metadata:
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: infrastructure-manager
-  namespace: system
+  namespace: kcp-system
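Review bot: The subject's `name` and `namespace` lines fall just outside the hunk, and they must point at where the account actually lives, which the last commit moves to kcp-system; if the subject still reads `namespace: system`, the binding references an account that no longer exists there and grants nothing unless kustomize's namespace transformer rewrites it, which depends on a kustomization not shown in this series — confirm the rendered binding's subject namespace. The Deployment namespace is also untouched here; the manager pod has to run in kcp-system to mount this account at all. Setting `  namespace: kcp-system` on the subject alongside the metadata change would remove the dependency on the transformer.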