From 63d00afb286a9dcc249e389860a210ec5073d9ff Mon Sep 17 00:00:00 2001 From: Kaushal M Date: Tue, 16 Apr 2019 13:19:59 +0530 Subject: [PATCH] deploy: Use aggregated ClusterRoles The kubernetes manifests and Helm templates have been updated to use aggregated ClusterRoles. The same change has been done in Rook as well. Refer rook/rook#2634 and rook/rook#2975 Signed-off-by: Kaushal M --- deploy/cephfs/helm/Chart.yaml | 2 +- .../templates/nodeplugin-clusterrole.yaml | 24 ++------ .../nodeplugin-rules-clusterrole.yaml | 32 +++++++++++ .../templates/provisioner-clusterrole.yaml | 32 ++--------- .../provisioner-rules-clusterrole.yaml | 40 ++++++++++++++ .../kubernetes/csi-nodeplugin-rbac.yaml | 12 ++++ .../kubernetes/csi-provisioner-rbac.yaml | 12 ++++ deploy/rbd/helm/Chart.yaml | 2 +- .../templates/nodeplugin-clusterrole.yaml | 21 ++----- .../nodeplugin-rules-clusterrole.yaml | 29 ++++++++++ .../templates/provisioner-clusterrole.yaml | 47 ++-------------- .../provisioner-rules-clusterrole.yaml | 55 +++++++++++++++++++ .../rbd/kubernetes/csi-nodeplugin-rbac.yaml | 12 ++++ .../rbd/kubernetes/csi-provisioner-rbac.yaml | 12 ++++ 14 files changed, 226 insertions(+), 106 deletions(-) create mode 100644 deploy/cephfs/helm/templates/nodeplugin-rules-clusterrole.yaml create mode 100644 deploy/cephfs/helm/templates/provisioner-rules-clusterrole.yaml create mode 100644 deploy/rbd/helm/templates/nodeplugin-rules-clusterrole.yaml create mode 100644 deploy/rbd/helm/templates/provisioner-rules-clusterrole.yaml diff --git a/deploy/cephfs/helm/Chart.yaml b/deploy/cephfs/helm/Chart.yaml index 293abe9bf..f3eb6458f 100644 --- a/deploy/cephfs/helm/Chart.yaml +++ b/deploy/cephfs/helm/Chart.yaml @@ -4,7 +4,7 @@ appVersion: "1.0.0" description: "Container Storage Interface (CSI) driver, provisioner, and attacher for Ceph cephfs" name: ceph-csi-cephfs -version: 0.5.2 +version: 0.5.3 keywords: - ceph - cephfs diff --git a/deploy/cephfs/helm/templates/nodeplugin-clusterrole.yaml b/deploy/cephfs/helm/templates/nodeplugin-clusterrole.yaml index de4aaeaaa..4ed09bf9e 100644 --- a/deploy/cephfs/helm/templates/nodeplugin-clusterrole.yaml +++ b/deploy/cephfs/helm/templates/nodeplugin-clusterrole.yaml @@ -9,23 +9,9 @@ metadata: component: {{ .Values.nodeplugin.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "update"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list"] +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}: "true" +rules: [] {{- end -}} diff --git a/deploy/cephfs/helm/templates/nodeplugin-rules-clusterrole.yaml b/deploy/cephfs/helm/templates/nodeplugin-rules-clusterrole.yaml new file mode 100644 index 000000000..8b90d9ed8 --- /dev/null +++ b/deploy/cephfs/helm/templates/nodeplugin-rules-clusterrole.yaml @@ -0,0 +1,32 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-rules + labels: + app: {{ include "ceph-csi-cephfs.name" . }} + chart: {{ include "ceph-csi-cephfs.chart" . }} + component: {{ .Values.nodeplugin.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}: "true" +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list"] +{{- end -}} diff --git a/deploy/cephfs/helm/templates/provisioner-clusterrole.yaml b/deploy/cephfs/helm/templates/provisioner-clusterrole.yaml index e4b6be4b3..c656b139a 100644 --- a/deploy/cephfs/helm/templates/provisioner-clusterrole.yaml +++ b/deploy/cephfs/helm/templates/provisioner-clusterrole.yaml @@ -9,31 +9,9 @@ metadata: component: {{ .Values.provisioner.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - {{ if .Values.attacher.enabled }} - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - {{ end }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.provisioner.fullname" . }}: "true" +rules: [] {{- end -}} diff --git a/deploy/cephfs/helm/templates/provisioner-rules-clusterrole.yaml b/deploy/cephfs/helm/templates/provisioner-rules-clusterrole.yaml new file mode 100644 index 000000000..2308b60cf --- /dev/null +++ b/deploy/cephfs/helm/templates/provisioner-rules-clusterrole.yaml @@ -0,0 +1,40 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}-rules + labels: + app: {{ include "ceph-csi-cephfs.name" . }} + chart: {{ include "ceph-csi-cephfs.chart" . }} + component: {{ .Values.provisioner.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.provisioner.fullname" . }}: "true" +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + {{ if .Values.attacher.enabled }} + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + {{ end }} +{{- end -}} diff --git a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml index 918bdc983..4e4026bcc 100644 --- a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml +++ b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml @@ -9,6 +9,18 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cephfs-csi-nodeplugin +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-csi-nodeplugin: "true" +rules: [] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: cephfs-csi-nodeplugin-rules + labels: + rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-csi-nodeplugin: "true" rules: - apiGroups: [""] resources: ["configmaps"] diff --git a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml index b8d3ad8da..dc67c1b39 100644 --- a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml +++ b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml @@ -9,6 +9,18 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cephfs-external-provisioner-runner +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-external-provisioner-runner: "true" +rules: [] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: cephfs-external-provisioner-runner-rules + labels: + rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-external-provisioner-runner: "true" rules: - apiGroups: [""] resources: ["nodes"] diff --git a/deploy/rbd/helm/Chart.yaml b/deploy/rbd/helm/Chart.yaml index dd46766a3..a69ba7e38 100644 --- a/deploy/rbd/helm/Chart.yaml +++ b/deploy/rbd/helm/Chart.yaml @@ -4,7 +4,7 @@ appVersion: "1.0.0" description: "Container Storage Interface (CSI) driver, provisioner, snapshotter, and attacher for Ceph RBD" name: ceph-csi-rbd -version: 0.5.2 +version: 0.5.3 keywords: - ceph - rbd diff --git a/deploy/rbd/helm/templates/nodeplugin-clusterrole.yaml b/deploy/rbd/helm/templates/nodeplugin-clusterrole.yaml index 111073ca4..091cc2201 100644 --- a/deploy/rbd/helm/templates/nodeplugin-clusterrole.yaml +++ b/deploy/rbd/helm/templates/nodeplugin-clusterrole.yaml @@ -9,20 +9,9 @@ metadata: component: {{ .Values.nodeplugin.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "update"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list"] +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}: "true" +rules: [] {{- end -}} diff --git a/deploy/rbd/helm/templates/nodeplugin-rules-clusterrole.yaml b/deploy/rbd/helm/templates/nodeplugin-rules-clusterrole.yaml new file mode 100644 index 000000000..d80ebaea0 --- /dev/null +++ b/deploy/rbd/helm/templates/nodeplugin-rules-clusterrole.yaml @@ -0,0 +1,29 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}-rules + labels: + app: {{ include "ceph-csi-rbd.name" . }} + chart: {{ include "ceph-csi-rbd.chart" . }} + component: {{ .Values.nodeplugin.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}: "true" +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list"] +{{- end -}} diff --git a/deploy/rbd/helm/templates/provisioner-clusterrole.yaml b/deploy/rbd/helm/templates/provisioner-clusterrole.yaml index b630c7c19..21745ed49 100644 --- a/deploy/rbd/helm/templates/provisioner-clusterrole.yaml +++ b/deploy/rbd/helm/templates/provisioner-clusterrole.yaml @@ -9,46 +9,9 @@ metadata: component: {{ .Values.provisioner.name }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "create", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - {{ if .Values.attacher.enabled }} - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] - {{ end }} - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["create"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.provisioner.fullname" . }}: "true" +rules: [] {{- end -}} diff --git a/deploy/rbd/helm/templates/provisioner-rules-clusterrole.yaml b/deploy/rbd/helm/templates/provisioner-rules-clusterrole.yaml new file mode 100644 index 000000000..545b6671d --- /dev/null +++ b/deploy/rbd/helm/templates/provisioner-rules-clusterrole.yaml @@ -0,0 +1,55 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}-rules + labels: + app: {{ include "ceph-csi-rbd.name" . }} + chart: {{ include "ceph-csi-rbd.chart" . }} + component: {{ .Values.provisioner.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.provisioner.fullname" . }}: "true" +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "create", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update"] + {{ if .Values.attacher.enabled }} + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + {{ end }} + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] +{{- end -}} diff --git a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml index 9a5ffed1b..4479cfff9 100644 --- a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml +++ b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml @@ -9,6 +9,18 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rbd-csi-nodeplugin +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.rbd.csi.ceph.com/aggregate-to-rbd-csi-nodeplugin: "true" +rules: [] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rbd-csi-nodeplugin-rules + labels: + rbac.rbd.csi.ceph.com/aggregate-to-rbd-csi-nodeplugin: "true" rules: - apiGroups: [""] resources: ["secrets"] diff --git a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml index 9431cbc63..5fad126c9 100644 --- a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml +++ b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml @@ -9,6 +9,18 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rbd-external-provisioner-runner +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.rbd.csi.ceph.com/aggregate-to-rbd-external-provisioner-runner: "true" +rules: [] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rbd-external-provisioner-runner-rules + labels: + rbac.rbd.csi.ceph.com/aggregate-to-rbd-external-provisioner-runner: "true" rules: - apiGroups: [""] resources: ["nodes"]