From d02dfe2dfe04cb698912c5f15658b8f94c5bbc35 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Tue, 11 Feb 2020 14:16:21 +0530
Subject: [PATCH] Remove unwanted RBAC rules from ceph-csi
There are currently unwanted RBAC permission is given for ceph-csi, This PR reduces removes such unwanted RBAC resources.
Signed-off-by: Madhu Rajanna
---
 .../templates/nodeplugin-clusterrole.yaml | 17 -------
 .../nodeplugin-clusterrolebinding.yaml | 20 --------
 .../nodeplugin-rules-clusterrole.yaml | 32 ------------
 .../templates/provisioner-role.yaml | 3 --
 .../provisioner-rules-clusterrole.yaml | 6 ---
 .../templates/nodeplugin-clusterrole.yaml | 17 -------
 .../nodeplugin-clusterrolebinding.yaml | 20 --------
 .../nodeplugin-rules-clusterrole.yaml | 29 -----------
 .../provisioner-rules-clusterrole.yaml | 6 ---
 .../kubernetes/csi-nodeplugin-rbac.yaml | 48 -----------------
 .../kubernetes/csi-provisioner-rbac.yaml | 10 +---
 .../rbd/kubernetes/csi-nodeplugin-rbac.yaml | 51 -------------------
 .../rbd/kubernetes/csi-provisioner-rbac.yaml | 9 ----
 13 files changed, 1 insertion(+), 267 deletions(-)
 delete mode 100644 charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
 delete mode 100644 charts/ceph-csi-cephfs/templates/nodeplugin-clusterrolebinding.yaml
 delete mode 100644 charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml
 delete mode 100644 charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
 delete mode 100644 charts/ceph-csi-rbd/templates/nodeplugin-clusterrolebinding.yaml
 delete mode 100644 charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
deleted file mode 100644
index 4ed09bf9e..000000000
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.rbac.create -}}
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
- labels:
- app: {{ include "ceph-csi-cephfs.name" . }}
- chart: {{ include "ceph-csi-cephfs.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}: "true"
-rules: []
-{{- end -}}
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrolebinding.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrolebinding.yaml
deleted file mode 100644
index 2fa8b38bf..000000000
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.rbac.create -}}
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
- labels:
- app: {{ include "ceph-csi-cephfs.name" . }}
- chart: {{ include "ceph-csi-cephfs.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
- apiGroup: rbac.authorization.k8s.io
-{{- end -}}
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml
deleted file mode 100644
index 8b90d9ed8..000000000
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.rbac.create -}}
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-rules
- labels:
- app: {{ include "ceph-csi-cephfs.name" . }}
- chart: {{ include "ceph-csi-cephfs.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}: "true"
-rules:
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "update"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
-{{- end -}}
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-role.yaml b/charts/ceph-csi-cephfs/templates/provisioner-role.yaml
index 786936a91..983bc60ee 100644
--- a/charts/ceph-csi-cephfs/templates/provisioner-role.yaml
+++ b/charts/ceph-csi-cephfs/templates/provisioner-role.yaml
@@ -11,9 +11,6 @@ metadata:
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch", "create", "delete"]
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml
index b19c8613a..629631fa8 100644
--- a/charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml
+++ b/charts/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml
@@ -11,9 +11,6 @@ metadata:
 heritage: {{ .Release.Service }}
 rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.provisioner.fullname" . }}: "true"
 rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get", "list"]
@@ -29,9 +26,6 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["list", "watch", "create", "update", "patch"]
- - apiGroups: ["csi.storage.k8s.io"]
- resources: ["csinodeinfos"]
- verbs: ["get", "list", "watch"]
 {{- if .Values.provisioner.attacher.enabled }}
 - apiGroups: ["storage.k8s.io"]
 resources: ["volumeattachments"]
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
deleted file mode 100644
index 091cc2201..000000000
--- a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.rbac.create -}}
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
- labels:
- app: {{ include "ceph-csi-rbd.name" . }}
- chart: {{ include "ceph-csi-rbd.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}: "true"
-rules: []
-{{- end -}}
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrolebinding.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrolebinding.yaml
deleted file mode 100644
index bf52865e1..000000000
--- a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.rbac.create -}}
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
- labels:
- app: {{ include "ceph-csi-rbd.name" . }}
- chart: {{ include "ceph-csi-rbd.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
- apiGroup: rbac.authorization.k8s.io
-{{- end -}}
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml
deleted file mode 100644
index d80ebaea0..000000000
--- a/charts/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if .Values.rbac.create -}}
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}-rules
- labels:
- app: {{ include "ceph-csi-rbd.name" . }}
- chart: {{ include "ceph-csi-rbd.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}: "true"
-rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "update"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
-{{- end -}}
diff --git a/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml b/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml
index f36e6dc45..025db945a 100644
--- a/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml
@@ -11,9 +11,6 @@ metadata:
 heritage: {{ .Release.Service }}
 rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.provisioner.fullname" . }}: "true"
 rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get", "list"]
@@ -46,9 +43,6 @@ rules:
 - apiGroups: ["snapshot.storage.k8s.io"]
 resources: ["volumesnapshotclasses"]
 verbs: ["get", "list", "watch"]
- - apiGroups: ["csi.storage.k8s.io"]
- resources: ["csinodeinfos"]
- verbs: ["get", "list", "watch"]
 - apiGroups: ["apiextensions.k8s.io"]
 resources: ["customresourcedefinitions"]
 verbs: ["create", "list", "watch", "delete", "get", "update"]
diff --git a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
index 4e4026bcc..a1ee7d1a0 100644
--- a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
+++ b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
@@ -3,51 +3,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: cephfs-csi-nodeplugin
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-nodeplugin
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-csi-nodeplugin: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-nodeplugin-rules
- labels:
- rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-csi-nodeplugin: "true"
-rules:
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "update"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: cephfs-csi-nodeplugin
- namespace: default
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
index 01cd65876..3eeeb8493 100644
--- a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
+++ b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
@@ -22,9 +22,6 @@ metadata:
 labels:
 rbac.cephfs.csi.ceph.com/aggregate-to-cephfs-external-provisioner-runner: "true"
 rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get", "list"]
@@ -40,9 +37,6 @@ rules:
 - apiGroups: ["storage.k8s.io"]
 resources: ["storageclasses"]
 verbs: ["get", "list", "watch"]
- - apiGroups: ["csi.storage.k8s.io"]
- resources: ["csinodeinfos"]
- verbs: ["get", "list", "watch"]
 - apiGroups: ["storage.k8s.io"]
 resources: ["volumeattachments"]
 verbs: ["get", "list", "watch", "update", "patch"]
@@ -72,9 +66,7 @@ metadata:
 namespace: default
 name: cephfs-external-provisioner-cfg
 rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
+ # remove this once we stop supporting v1.0.0
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "list", "create", "delete"]
diff --git a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
index 4479cfff9..c36d11510 100644
--- a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
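Review bot: The comment added in `@@ -72,9 +66,7 @@` of deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml, `# remove this once we stop supporting v1.0.0`, does not say what "this" is or why the permission is still needed; it sits above the configmaps rule, but a reader arriving via blame on the deleted endpoints rule can equally take it to cover the whole rules list (the Role document this rule belongs to begins above the hunk). Make it self-contained, e.g. `# configmaps access is kept only for compatibility with ceph-csi v1.0.0; drop this rule once v1.0.0 support ends`. The same endpoints rule is deleted from deploy/rbd/kubernetes/csi-provisioner-rbac.yaml (`@@ -87,9 +81,6 @@`) and from charts/ceph-csi-cephfs/templates/provisioner-role.yaml without any such marker, so the copies of this Role will drift; add the identical comment there. While touching them, note that this manifest grants configmaps `["get", "list", "create", "delete"]` whereas the rbd manifest and the cephfs chart also grant `watch`; if only one set is actually needed, aligning all three on the smaller one is in the spirit of this commit.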
@@ -3,54 +3,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: rbd-csi-nodeplugin
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-nodeplugin
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.rbd.csi.ceph.com/aggregate-to-rbd-csi-nodeplugin: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-nodeplugin-rules
- labels:
- rbac.rbd.csi.ceph.com/aggregate-to-rbd-csi-nodeplugin: "true"
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "update"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rbd-csi-nodeplugin
- namespace: default
-roleRef:
- kind: ClusterRole
- name: rbd-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
index 715d949cb..b37fedbff 100644
--- a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
@@ -22,9 +22,6 @@ metadata:
 labels:
 rbac.rbd.csi.ceph.com/aggregate-to-rbd-external-provisioner-runner: "true"
 rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get", "list"]
@@ -52,9 +49,6 @@ rules:
 - apiGroups: ["apiextensions.k8s.io"]
 resources: ["customresourcedefinitions"]
 verbs: ["create", "list", "watch", "delete", "get", "update"]
- - apiGroups: ["csi.storage.k8s.io"]
- resources: ["csinodeinfos"]
- verbs: ["get", "list", "watch"]
 - apiGroups: ["storage.k8s.io"]
 resources: ["volumeattachments"]
 verbs: ["get", "list", "watch", "update", "patch"]
@@ -87,9 +81,6 @@ metadata:
 namespace: default
 name: rbd-external-provisioner-cfg
 rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch", "create", "delete"]