From 41f7454a890bfc4adf2d96ba61dafdd0d83f3839 Mon Sep 17 00:00:00 2001 From: Bipul Adhikari Date: Wed, 15 Jan 2025 15:05:20 +0545 Subject: [PATCH] Add TokenReview RBAC to support CSI addons security enhancements Signed-off-by: Bipul Adhikari --- .../cephfs_ctrlplugin_cluster_role.yaml | 3 ++ config/csi-rbac/cephfs_ctrlplugin_role.yaml | 3 ++ .../cephfs_nodeplugin_cluster_role.yaml | 3 ++ .../csi-rbac/nfs_ctrlplugin_cluster_role.yaml | 3 ++ .../csi-rbac/nfs_nodeplugin_cluster_role.yaml | 3 ++ .../csi-rbac/rbd_ctrlplugin_cluster_role.yaml | 3 ++ config/csi-rbac/rbd_ctrlplugin_role.yaml | 3 ++ .../csi-rbac/rbd_nodeplugin_cluster_role.yaml | 3 ++ config/csi-rbac/rbd_nodeplugin_role.yaml | 3 ++ deploy/all-in-one/install.yaml | 54 +++++++++++++++++++ deploy/multifile/csi-rbac.yaml | 54 +++++++++++++++++++ 11 files changed, 135 insertions(+)
diff --git a/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml b/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml
index 9c3850b7..4043efba 100644
--- a/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml
+++ b/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml
@@ -63,3 +63,6 @@ rules:
 - apiGroups: [""]
 resources: ["serviceaccounts/token"]
 verbs: ["create"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/cephfs_ctrlplugin_role.yaml b/config/csi-rbac/cephfs_ctrlplugin_role.yaml
index 123d5d96..1d2d7dd4 100644
--- a/config/csi-rbac/cephfs_ctrlplugin_role.yaml
+++ b/config/csi-rbac/cephfs_ctrlplugin_role.yaml
@@ -18,3 +18,6 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml b/config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml
index 48be70bd..678b3e26 100644
--- a/config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml
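Review bot: The new `tokenreviews` rule in cephfs_ctrlplugin_cluster_role.yaml carries no explanation of why a CSI driver needs to create TokenReviews; the commit subject is the only place that ties it to csi-addons, and that is invisible to anyone reading the rendered RBAC. Add a comment above the added `- apiGroups: ["authentication.k8s.io"]` line, for example `# TokenReview create is used by csi-addons to validate bearer tokens; see commit "Add TokenReview RBAC to support CSI addons security enhancements"`. It is also worth confirming that the identical grant is needed by both the controller and the node plugin of all three drivers, since this commit adds it to every cluster role; if only the components that actually validate tokens need it, the grant could be limited to their service accounts, because TokenReview lets the holder check the validity and identity of any token it obtains.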
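Review bot: The three lines added to cephfs_ctrlplugin_role.yaml grant nothing, because a Role only authorizes requests scoped to its namespace and `tokenreviews` in authentication.k8s.io is a cluster-scoped resource; the effective permission comes from the matching rule in cephfs_ctrlplugin_cluster_role.yaml. The same inert rule is added to rbd_ctrlplugin_role.yaml and rbd_nodeplugin_role.yaml, and apparently to the Role documents of deploy/all-in-one/install.yaml and deploy/multifile/csi-rbac.yaml (their `daemonsets/finalizers` / `update` context matches these Role files, though those hunks do not show their own document's kind). I would drop the rule from the Roles so that someone auditing RBAC does not conclude the grant is namespace-bound, or, if the generator needs it present, annotate it with `# no-op: TokenReview is cluster-scoped; the grant comes from the ClusterRole`.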
+++ b/config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml
@@ -19,3 +19,6 @@ rules:
 - apiGroups: [""]
 resources: ["serviceaccounts/token"]
 verbs: ["create"]
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml b/config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml
index 46c9ba06..139ab8b4 100644
--- a/config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml
+++ b/config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml
@@ -49,3 +49,6 @@ rules:
 - apiGroups: ["storage.k8s.io"]
 resources: ["volumeattachments/status"]
 verbs: ["patch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
\ No newline at end of file
diff --git a/config/csi-rbac/nfs_nodeplugin_cluster_role.yaml b/config/csi-rbac/nfs_nodeplugin_cluster_role.yaml
index 674dccfb..413bc0c9 100644
--- a/config/csi-rbac/nfs_nodeplugin_cluster_role.yaml
+++ b/config/csi-rbac/nfs_nodeplugin_cluster_role.yaml
@@ -9,3 +9,6 @@ rules:
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml b/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml
index deba2ba5..3793417e 100644
--- a/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml
+++ b/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml
@@ -63,3 +63,6 @@ rules:
 - apiGroups: ["groupsnapshot.storage.k8s.io"]
 resources: ["volumegroupsnapshotcontents/status"]
 verbs: ["update", "patch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/rbd_ctrlplugin_role.yaml b/config/csi-rbac/rbd_ctrlplugin_role.yaml
index d04f983d..2b76c00e 100644
--- a/config/csi-rbac/rbd_ctrlplugin_role.yaml
+++ b/config/csi-rbac/rbd_ctrlplugin_role.yaml
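Review bot: The new last line `+ verbs: ["create"]` in nfs_ctrlplugin_cluster_role.yaml is written without a terminating newline, as the `\ No newline at end of file` marker shows; the previous last line is plain context, so the file had one before this change. The same applies to rbd_ctrlplugin_role.yaml and rbd_nodeplugin_role.yaml. Add the trailing newline so yamllint's new-line-at-end-of-file check passes and the next change to these files does not show a spurious rewrite of this line.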
@@ -18,3 +18,6 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
\ No newline at end of file
diff --git a/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml b/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml
index 559adacf..0864a7e5 100644
--- a/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml
+++ b/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml
@@ -24,3 +24,6 @@ rules:
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/rbd_nodeplugin_role.yaml b/config/csi-rbac/rbd_nodeplugin_role.yaml
index 1e9353a9..80ced831 100644
--- a/config/csi-rbac/rbd_nodeplugin_role.yaml
+++ b/config/csi-rbac/rbd_nodeplugin_role.yaml
@@ -15,3 +15,6 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
\ No newline at end of file
diff --git a/deploy/all-in-one/install.yaml b/deploy/all-in-one/install.yaml
index 567a9d04..b8259f23 100644
--- a/deploy/all-in-one/install.yaml
+++ b/deploy/all-in-one/install.yaml
@@ -14120,6 +14120,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14207,6 +14213,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14242,6 +14254,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14457,6 +14475,12 @@ rules:
 - serviceaccounts/token
 verbs:
 - create
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14493,6 +14517,12 @@ rules:
 - serviceaccounts/token
 verbs:
 - create
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14951,6 +14981,12 @@ rules:
 - volumeattachments/status
 verbs:
 - patch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14963,6 +14999,12 @@ rules:
 - nodes
 verbs:
 - get
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15200,6 +15242,12 @@ rules:
 verbs:
 - update
 - patch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15251,6 +15299,12 @@ rules:
 - nodes
 verbs:
 - get
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/deploy/multifile/csi-rbac.yaml b/deploy/multifile/csi-rbac.yaml
index 84941e59..11f490b8 100644
--- a/deploy/multifile/csi-rbac.yaml
+++ b/deploy/multifile/csi-rbac.yaml
@@ -79,6 +79,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -125,6 +131,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -160,6 +172,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -325,6 +343,12 @@ rules:
 - serviceaccounts/token
 verbs:
 - create
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -361,6 +385,12 @@ rules:
 - serviceaccounts/token
 verbs:
 - create
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -494,6 +524,12 @@ rules:
 - volumeattachments/status
 verbs:
 - patch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -506,6 +542,12 @@ rules:
 - nodes
 verbs:
 - get
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -672,6 +714,12 @@ rules:
 verbs:
 - update
 - patch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -723,6 +771,12 @@ rules:
 - nodes
 verbs:
 - get
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding