From 1e438939c4c15f62165e9cfd5202a5f41afc8716 Mon Sep 17 00:00:00 2001
From: Zhiwei Yin
Date: Mon, 6 Jan 2025 13:50:06 +0800
Subject: [PATCH] update rbac for capi

Signed-off-by: Zhiwei Yin
---
 .../cluster-manager/templates/cluster_role.yaml | 5 +++++
 .../cluster-manager/config/rbac/cluster_role.yaml | 5 +++++
 .../cluster-manager.clusterserviceversion.yaml | 11 ++++++++++-
 .../clusterrole_binding.yaml | 14 ++++++++++++++
 .../registration-capi-rbac/kustomization.yaml | 2 ++
 .../cluster-manager-registration-clusterrole.yaml | 8 +++++---
 6 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 deploy/cluster-manager/registration-capi-rbac/clusterrole_binding.yaml
 create mode 100644 deploy/cluster-manager/registration-capi-rbac/kustomization.yaml

diff --git a/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml b/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml
index e1a2fc149..4f6dab7bf 100644
--- a/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml
+++ b/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml
@@ -7,6 +7,11 @@ rules:
 - apiGroups: [""]
   resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  resourceNames:
+  - "cluster-bootstrap"
+  verbs: ["get", "create"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
diff --git a/deploy/cluster-manager/config/rbac/cluster_role.yaml b/deploy/cluster-manager/config/rbac/cluster_role.yaml
index e1ba32d76..65e79d67f 100644
--- a/deploy/cluster-manager/config/rbac/cluster_role.yaml
+++ b/deploy/cluster-manager/config/rbac/cluster_role.yaml
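Review bot: The new `serviceaccounts/token` rule lists `get` next to `create`, but the token subresource is served only by the TokenRequest API (a POST), so `get` grants nothing usable and the rule should be trimmed to `verbs: ["create"]` to keep the grant minimal. Because this is a ClusterRole, `resourceNames: ["cluster-bootstrap"]` matches a ServiceAccount of that name in every namespace, not just the hub namespace; if the bootstrap SA lives in one known namespace, a namespaced Role/RoleBinding would bound the token-minting capability to that namespace. Presumably the operator itself holds this so it can grant the same rule to the registration controller without tripping RBAC escalation prevention — worth stating in a comment such as `# TokenRequest for the cluster-bootstrap SA; also required so the operator may grant it to the registration role`. The identical rule is added in config/rbac/cluster_role.yaml, the CSV clusterPermissions, and cluster-manager-registration-clusterrole.yaml in this patch, so the same trimming applies there.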
@@ -9,6 +9,11 @@ rules:
 - apiGroups: [""]
   resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  resourceNames:
+  - "cluster-bootstrap"
+  verbs: ["get", "create"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
diff --git a/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml b/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml
index cf294c12a..dcdc472af 100644
--- a/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml
+++ b/deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml
@@ -59,7 +59,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2024-12-24T03:03:39Z"
+    createdAt: "2025-01-06T02:51:43Z"
     description: Manages the installation and upgrade of the ClusterManager.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -127,6 +127,15 @@ spec:
         - patch
         - delete
         - deletecollection
+      - apiGroups:
+        - ""
+        resourceNames:
+        - cluster-bootstrap
+        resources:
+        - serviceaccounts/token
+        verbs:
+        - get
+        - create
       - apiGroups:
         - ""
         resources:
diff --git a/deploy/cluster-manager/registration-capi-rbac/clusterrole_binding.yaml b/deploy/cluster-manager/registration-capi-rbac/clusterrole_binding.yaml
new file mode 100644
index 000000000..601804361
--- /dev/null
+++ b/deploy/cluster-manager/registration-capi-rbac/clusterrole_binding.yaml
@@ -0,0 +1,14 @@
+---
+# need to bind capi manager cluster role to registration controller sa if enable capi cluster auto-import.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: open-cluster-management:cluster-manager-registration:capi
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: capi-manager-role
+subjects:
+  - kind: ServiceAccount
+    namespace: open-cluster-management-hub
+    name: registration-controller-sa
diff --git a/deploy/cluster-manager/registration-capi-rbac/kustomization.yaml b/deploy/cluster-manager/registration-capi-rbac/kustomization.yaml
new file mode 100644
index 000000000..28e055e41
--- /dev/null
+++ b/deploy/cluster-manager/registration-capi-rbac/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - clusterrole_binding.yaml
diff --git a/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
index 5c3e930fb..21a143c96 100644
--- a/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
+++ b/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
@@ -14,6 +14,11 @@ rules:
 - apiGroups: [""]
   resources: ["namespaces", "serviceaccounts", "configmaps"]
   verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  resourceNames:
+  - "cluster-bootstrap"
+  verbs: ["get", "create"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
@@ -104,9 +109,6 @@ rules:
 - apiGroups: ["cluster.x-k8s.io"]
   resources: ["clusters"]
   verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get"]
 {{end}}
 {{if .ClusterProfileEnabled}}
 # Allow hub to manage clusterprofile
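Review bot: The binding hands the whole `capi-manager-role` to `registration-controller-sa`, while the registration ClusterRole in this same patch already reads `cluster.x-k8s.io/clusters` and the hunk at `-104` drops the cluster-wide `secrets get` rule — so presumably the only new need is access to CAPI-owned kubeconfig secrets, and a dedicated ClusterRole listing just those verbs would be tighter than a role defined outside this repo whose rules can grow with CAPI releases. A ClusterRoleBinding whose `roleRef` names a ClusterRole that is not installed applies without error and grants nothing, so the prerequisite should be stated for whoever applies this kustomization. Reword the header comment to `# Binds the CAPI manager ClusterRole to the registration controller SA. Apply only when CAPI cluster auto-import is enabled; requires capi-manager-role to exist (installed by Cluster API).`.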
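Review bot: The new kustomization.yaml omits the resource header, which current kustomize versions warn about and some tooling rejects; add `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` above `resources:` so the file is self-describing and matches the other kustomizations under deploy/.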