From a40bcab9cbf9f2de60e02d049e6b15b6adaf5d54 Mon Sep 17 00:00:00 2001
From: Tariq Ibrahim
Date: Tue, 11 Jun 2024 15:23:25 -0700
Subject: [PATCH] [RBAC] move namespace-scoped resource permissions to Roles
Signed-off-by: Tariq Ibrahim
---
 ...rator-certified.clusterserviceversion.yaml | 93 ++++++++++++++-----
 .../gpu-operator/templates/clusterrole.yaml | 89 +++--------------
 deployments/gpu-operator/templates/role.yaml | 72 ++++++++++++++
 .../gpu-operator/templates/rolebinding.yaml | 15 +++
 4 files changed, 172 insertions(+), 97 deletions(-)
 create mode 100644 deployments/gpu-operator/templates/role.yaml
 create mode 100644 deployments/gpu-operator/templates/rolebinding.yaml
diff --git a/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml b/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
index 0d1e4a2fd..575d62c38 100644
--- a/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
+++ b/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
@@ -601,6 +601,7 @@ spec: - patch - update - watch + - deletecollection - apiGroups: - config.openshift.io resources:
@@ -631,13 +632,31 @@ spec: - use resourceNames: - hostmount-anyuid + - apiGroups: + - image.openshift.io + resources: + - imagestreams + verbs: + - get + - list + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + - prometheusrules + verbs: + - get + - list + - create + - watch + - update + - delete - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles - clusterrolebindings - - roles - - rolebindings verbs: - create - get
@@ -653,14 +672,7 @@ spec: - pods/eviction - services - services/finalizers - - endpoints - - persistentvolumeclaims - events - - configmaps - - secrets - - nodes - - namespaces - - serviceaccounts verbs: - create - delete
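Review bot: The `deletecollection` verb added at @@ -601 lands in a cluster-scoped rule whose `resources:` list starts before the hunk, so this view does not show which resource it covers. Bulk deletion is a wider grant than `delete` on a named object, and a one-line comment above the rule (or a sentence in the commit message) naming the resource and the reconcile path that issues the collection delete would let the next reviewer confirm the scope without opening the file. The rule's start is outside the hunk.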
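Review bot: The `monitoring.coreos.com` rule for `servicemonitors` and `prometheusrules` added at @@ -631 sits under `clusterPermissions`, so in the bundle the operator keeps cluster-wide `create`, `update` and `delete` on PrometheusRules, whereas the chart's new `role.yaml` in this same patch scopes the identical rule to the release namespace. The `permissions:` list introduced at @@ -714 is cut off in this view, so I cannot confirm whether it also carries the rule; if it does not, move this rule under `permissions:` so bundle and chart grant the same scope, and if it does, this cluster-wide copy is redundant and should go. Cluster-wide write on PrometheusRules is worth keeping narrow because those objects drive alert evaluation in every namespace.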
@@ -670,17 +682,33 @@ spec: - update - watch - apiGroups: - - apps + - "" resources: - - deployments - - daemonsets + - namespaces verbs: - - create - - delete - get - list + - create + - watch + - update - patch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch - update + - patch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list - watch - apiGroups: - apps
@@ -714,29 +742,52 @@ spec: - patch - delete - apiGroups: - - monitoring.coreos.com + - apiextensions.k8s.io resources: - - servicemonitors - - prometheusrules + - customresourcedefinitions verbs: + - create - get - list + - watch + - update + - patch + - delete + permissions: + - serviceAccountName: gpu-operator + rules: + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: - create + - get + - list - watch - update + - patch - delete - apiGroups: - - image.openshift.io + - apps resources: - - imagestreams + - daemonsets verbs: + - create - get - list - watch + - update + - patch + - delete - apiGroups: - - apiextensions.k8s.io + - "" resources: - - customresourcedefinitions + - configmaps + - endpoints + - secrets + - serviceaccounts verbs: - create - get
diff --git a/deployments/gpu-operator/templates/clusterrole.yaml b/deployments/gpu-operator/templates/clusterrole.yaml
index ab5168ad8..1236e5019 100644
--- a/deployments/gpu-operator/templates/clusterrole.yaml
+++ b/deployments/gpu-operator/templates/clusterrole.yaml
@@ -9,14 +9,23 @@ rules: - apiGroups: - config.openshift.io resources: + - clusterversions - proxies verbs: - get + - list + - watch +- apiGroups: + - image.openshift.io + resources: + - imagestreams + verbs: + - get + - list + - watch - apiGroups: - rbac.authorization.k8s.io resources: - - roles - - rolebindings - clusterroles - clusterrolebindings verbs:
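Review bot: The new dedicated `namespaces` rule at @@ -670 grants `create`, `update` and `patch` on every namespace, which lets the service account set or remove labels on any namespace — including the `pod-security.kubernetes.io/*` labels that drive Pod Security Admission — so it is a considerably stronger grant than the commit title's namespace-scoping suggests. If the operator only labels its own namespace or a fixed set, constrain `update`/`patch` with a `resourceNames:` list in the chart and keep a comment here naming the reconcile path that needs the write. The old combined rule removed at @@ -653 already carried these verbs, so this is not a regression, but the new standalone rule is the right place to record the justification. Separately, the `nodes` rule here keeps `update`/`patch`, while the chart's `clusterrole.yaml` deletes its visible `nodes` rule at @@ -169; unless an unchanged rule elsewhere in that file keeps node write access, chart and bundle will diverge on a permission the operator presumably needs for node labelling — worth confirming.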
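Review bot: The namespaced core rule added under `permissions:` at @@ -714 lists `endpoints` alongside `configmaps`, `secrets` and `serviceaccounts`, but the chart's `role.yaml` added later in this patch grants only the latter three, so bundle and chart diverge on `endpoints`. Either add `- endpoints` to the matching `""` rule in `role.yaml` or drop it here; whichever the operator actually needs, the two manifests should be checked against the same source so the OLM and Helm installs end up with the same grants. The `permissions:` list continues past the end of the hunk, so any rules after the core rule are not visible here.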
@@ -30,12 +39,10 @@ rules: - apiGroups: - "" resources: + - events - pods + - pods/eviction - services - - events - - configmaps - - secrets - - serviceaccounts verbs: - create - get
@@ -68,16 +75,11 @@ rules: - apiGroups: - apps resources: - - deployments - daemonsets verbs: - - create - get - list - watch - - update - - patch - - delete - apiGroups: - apps resources:
@@ -86,18 +88,6 @@ rules: - get - list - watch -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - - prometheusrules - verbs: - - get - - list - - create - - watch - - update - - delete - apiGroups: - nvidia.com resources:
@@ -125,27 +115,6 @@ rules: - list - watch - create -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - create - - get - - list - - watch - - update - - patch - - delete - - use -- apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - get - - list - - watch - apiGroups: - coordination.k8s.io resources:
@@ -169,38 +138,6 @@ rules: - update - watch - delete -- apiGroups: - - image.openshift.io - resources: - - imagestreams - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - - pods/eviction - verbs: - - get - - list - - watch - - create - - delete - - update - - patch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - create - - update - - patch - apiGroups: - apiextensions.k8s.io resources:
diff --git a/deployments/gpu-operator/templates/role.yaml b/deployments/gpu-operator/templates/role.yaml
new file mode 100644
index 000000000..934e3acbe
--- /dev/null
+++ b/deployments/gpu-operator/templates/role.yaml
@@ -0,0 +1,72 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: gpu-operator
+ labels:
+ {{- include "gpu-operator.labels" . | nindent 4 }}
+ app.kubernetes.io/component: "gpu-operator"
+rules:
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - serviceaccounts
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ - prometheusrules
+ verbs:
+ - get
+ - list
+ - create
+ - watch
+ - update
+ - delete
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+ - use
diff --git a/deployments/gpu-operator/templates/rolebinding.yaml b/deployments/gpu-operator/templates/rolebinding.yaml
new file mode 100644
index 000000000..c915a4659
--- /dev/null
+++ b/deployments/gpu-operator/templates/rolebinding.yaml
@@ -0,0 +1,15 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: gpu-operator
+ labels:
+ {{- include "gpu-operator.labels" . | nindent 4 }}
+ app.kubernetes.io/component: "gpu-operator"
+subjects:
+- kind: ServiceAccount
+ name: gpu-operator
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ kind: Role
+ name: gpu-operator
+ apiGroup: rbac.authorization.k8s.io
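Review bot: The `security.openshift.io`/`securitycontextconstraints` rule in the new `role.yaml` is ineffective for most of its verbs: SecurityContextConstraints are cluster-scoped objects, and RBAC evaluates RoleBindings only for requests that carry a namespace, so `create`, `get`, `list`, `watch`, `update`, `patch` and `delete` on SCCs are granted here but will never match an API request. Only `use` is meaningful in a namespaced Role, because the SCC admission check is authorised against the pod's namespace. The `clusterrole.yaml` hunk at @@ -125 removes the same rule from the ClusterRole, so if the operator creates or updates SCCs on OpenShift that path now fails with the chart, while the bundle CSV still carries `use` on `hostmount-anyuid` under `clusterPermissions` at @@ -631 — so bundle and chart differ here too. Either restore the management verbs in `clusterrole.yaml`, or trim this rule to `verbs:` / `- use` with a `resourceNames:` list naming the SCCs the operator's workloads actually need.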
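Review bot: In the new `rolebinding.yaml`, `kind` precedes `apiVersion` while `role.yaml` in the same patch starts with `apiVersion`; both parse, but the chart's templates read more consistently with one order, so I would swap the first two lines to `apiVersion: rbac.authorization.k8s.io/v1` followed by `kind: RoleBinding`. Likewise `{{ $.Release.Namespace }}` uses the root-context form while the `include` a few lines above uses `.`; either works at top level, but one form is easier to grep across the chart.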