[issue#306] Add missing ClusterRoles #465

Merged
merged 8 commits into from
Sep 21, 2023
3 changes: 2 additions & 1 deletion deploy/role.yaml
Expand Up @@ -22,6 +22,7 @@ rules:
- watch
- update
- patch
- delete
Collaborator
Noting that this should be transitional only and could be removed in a later version.

@leifmadsen leifmadsen (Member) Sep 21, 2023

I was going to file an issue about this, but then I realized that if someone was somehow running STF 1.5.2 and moved to STF 1.5.4 they would need this.

Additionally, the latest changes I landed in 5d0210d will continually require the delete RBAC.

We could refine this though and break out the clusterroles and clusterrolebindings to have the delete resource only on the clusterrolebindings. I'm also curious if we could further lock this down to just resources we manage and not all ClusterRoles and ClusterRoleBindings.

I am not going to do any of this at this point though, but I'm certainly interested in doing another RBAC focused review, and in whether we can make the scope even more restrictive and controlled for only objects we actually need to adjust and own.

- apiGroups:
- authorization.k8s.io
resources:
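Review bot: the `delete` verb added to the rule at line 22 of deploy/role.yaml is, per the thread, only needed so the operator can remove the old prometheus-k8s ClusterRoleBinding during an upgrade, yet the rule's resource list sits outside the visible context, so it is worth confirming the verb lands only on clusterrolebindings rather than on every resource in that rule. As the thread itself proposes, splitting clusterroles and clusterrolebindings into separate rules with `delete` only on the latter would keep the operator from being able to remove ClusterRoles, and a short comment next to `- delete` marking it as transitional would make sure it is revisited in the RBAC review mentioned above instead of becoming a permanent grant.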
Expand Down Expand Up @@ -185,4 +186,4 @@ rules:
verbs:
- get
- list
- watch
- watch
119 changes: 109 additions & 10 deletions roles/servicetelemetry/tasks/component_alertmanager.yml
Expand Up @@ -66,7 +66,7 @@
kind: Route
name: '{{ ansible_operator_meta.name }}-alertmanager-proxy'

- name: Add a service account to used by Alertmanager
- name: Create ServiceAccount/alertmanager-stf with oauth redirect annotation
k8s:
definition:
apiVersion: v1
Expand All @@ -77,22 +77,121 @@
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.alertmanager: '{{ alertmanager_oauth_redir_ref | to_json }}'

- name: Bind role
- name: Create ClusterRole/alertmanager-stf
k8s:
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: ClusterRole
metadata:
name: alertmanager-stf
namespace: '{{ ansible_operator_meta.namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: alertmanager-main
subjects:
- kind: ServiceAccount
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create

- name: Setup ClusterRoleBinding for Alertmanager
block:
- name: Define ClusterRoleBinding/alertmanager-stf
set_fact:
def_alertmanager_stf_crb: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: alertmanager-stf
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: alertmanager-stf
subjects:
- kind: ServiceAccount
name: alertmanager-stf
namespace: '{{ ansible_operator_meta.namespace }}'

- name: Create ClusterRoleBinding/alertmanager-stf
k8s:
definition:
"{{ def_alertmanager_stf_crb }}"
rescue:
- name: Remove ClusterRoleBinding/alertmanager-stf when fail to update
k8s:
state: absent
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: alertmanager-stf

- name: Create ClusterRoleBinding/alertmanager-stf
k8s:
definition:
"{{ def_alertmanager_stf_crb }}"

- name: Create Role/alertmanager-stf
k8s:
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: alertmanager-stf
namespace: '{{ ansible_operator_meta.namespace }}'
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- nonroot
resources:
- securitycontextconstraints
verbs:
- use

- name: Setup RoleBinding for Alertmanager
block:
- name: Define RoleBinding/alertmanager-stf
set_fact:
def_alertmanager_stf_rb: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: alertmanager-stf
namespace: '{{ ansible_operator_meta.namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: alertmanager-stf
namespace: '{{ ansible_operator_meta.namespace }}'
subjects:
- kind: ServiceAccount
name: alertmanager-stf
namespace: '{{ ansible_operator_meta.namespace }}'

- name: Create RoleBinding/alertmanager-stf
k8s:
definition:
"{{ def_alertmanager_stf_rb }}"
rescue:
- name: Remove RoleBinding/alertmanager-stf when fail to update
k8s:
state: absent
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: alertmanager-stf
namespace: '{{ ansible_operator_meta.namespace }}'

- name: Create RoleBinding/alertmanager-stf
k8s:
definition:
"{{ def_alertmanager_stf_rb }}"

- name: Set default alertmanager service template
set_fact:
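Review bot: the ClusterRole/alertmanager-stf definition keeps `namespace: '{{ ansible_operator_meta.namespace }}'` under metadata (carried over from the ClusterRoleBinding it replaces), but ClusterRole is cluster-scoped and the API server clears that field, so drop it to avoid implying the object is namespaced; the ClusterRoleBinding fact defined just below it correctly omits the namespace. In the same way, the `roleRef` of RoleBinding/alertmanager-stf carries a `namespace` key, which is not a RoleRef field (RoleRef has only apiGroup, kind and name) and will be dropped with a warning or rejected depending on the server's field validation; remove it so the binding matches the prometheus RoleBinding in the next file, whose roleRef has no namespace. One consistency point: the Role here grants `use` on SCC `nonroot` only, while the prometheus Role in the next file grants both `nonroot` and `nonroot-v2`; if Alertmanager is expected to run on the same OpenShift versions, the same pair is probably wanted.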
200 changes: 140 additions & 60 deletions roles/servicetelemetry/tasks/component_prometheus.yml
Expand Up @@ -7,91 +7,171 @@
kind: Route
name: '{{ ansible_operator_meta.name }}-prometheus-proxy'

- name: Add oauth redirect annotation to prometheus-k8s service account
- name: Create ServiceAccount/prometheus-stf with oauth redirect annotation
k8s:
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus-k8s
name: prometheus-stf
namespace: '{{ ansible_operator_meta.namespace }}'
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.prometheus: '{{ prom_oauth_redir_ref | to_json }}'

- block:
- name: Install RBAC Role for prometheus operations
- name: Create ClusterRole/prometheus-stf for non-resource URL /metrics access
k8s:
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus-stf
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get

- name: Setup ClusterRoleBinding for Prometheus
block:
- name: Define ClusterRoleBinding/prometheus-stf
set_fact:
def_prometheus_stf_crb: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus-stf
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-stf
subjects:
- kind: ServiceAccount
name: prometheus-stf
namespace: '{{ ansible_operator_meta.namespace }}'

- name: Create ClusterRoleBinding/prometheus-stf
k8s:
definition:
"{{ def_prometheus_stf_crb }}"
rescue:
- name: Remove ClusterRoleBinding/prometheus-stf when fail to update
k8s:
state: absent
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus-stf

- name: Create ClusterRoleBinding/prometheus-stf
k8s:
definition:
"{{ def_prometheus_stf_crb }}"

- name: Create Role/prometheus-stf for Prometheus operations
k8s:
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: prometheus-stf
namespace: '{{ ansible_operator_meta.namespace }}'
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- security.openshift.io
resourceNames:
- nonroot
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use

- name: Setup RoleBinding for Prometheus
block:
- name: Define RoleBinding/prometheus-stf
set_fact:
def_prometheus_stf_rb: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: prometheus-stf
namespace: '{{ ansible_operator_meta.namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: prometheus-stf
subjects:
- kind: ServiceAccount
name: prometheus-stf
namespace: '{{ ansible_operator_meta.namespace }}'

- name: Create RoleBinding/prometheus-stf
k8s:
definition:
"{{ def_prometheus_stf_rb }}"
rescue:
- name: Remove RoleBinding/prometheus-stf on failure to update
k8s:
state: absent
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
kind: RoleBinding
metadata:
name: prometheus-stf
namespace: '{{ ansible_operator_meta.namespace }}'
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- pods
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- security.openshift.io
resourceNames:
- nonroot
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use

- name: Bind the local prometheus SA to our new role

- name: Create RoleBinding/prometheus-stf
k8s:
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: prometheus-k8s-stf
namespace: '{{ ansible_operator_meta.namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: prometheus-stf
subjects:
- kind: ServiceAccount
name: prometheus-k8s
namespace: '{{ ansible_operator_meta.namespace }}'
when:
- observability_strategy in ['use_redhat', 'use_hybrid']
"{{ def_prometheus_stf_rb }}"

- name: Bind the local prometheus SA to prometheus cluster role (for oauth perms)
- name: Remove old ClusterRoleBinding for prometheus-k8s using CMO roleRef
k8s:
state: absent
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus-k8s-{{ ansible_operator_meta.namespace }}
namespace: '{{ ansible_operator_meta.namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-k8s
subjects:
- kind: ServiceAccount
name: prometheus-k8s
namespace: '{{ ansible_operator_meta.namespace }}'

- name: Check for existing prometheus htpasswd user secret
k8s_info:
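Review bot: the old RoleBinding `prometheus-k8s-stf` (which bound ServiceAccount prometheus-k8s to Role prometheus-stf, in the removed lines) is not cleaned up, whereas the old ClusterRoleBinding gets a dedicated `state: absent` task; add a matching removal task for `prometheus-k8s-stf` so that upgraded clusters do not keep the retired prometheus-k8s ServiceAccount bound to the Role, and consider whether the prometheus-k8s ServiceAccount that the old task annotated should also be removed, since nothing in this hunk touches it. Separately, the removed `- block:` was gated by `when: observability_strategy in ['use_redhat', 'use_hybrid']` and the new ClusterRole, Role and bindings are created unconditionally; confirm that creating them for every observability strategy is intended, or restore the guard on the new tasks. Minor: the `Remove old ClusterRoleBinding` task passes `namespace`, `roleRef` and `subjects` for a cluster-scoped kind that is being deleted; apiVersion, kind and metadata.name are sufficient for `state: absent` and the extra fields only invite confusion about scope.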