Skip to content

Commit

Permalink
chore(rbac): Consolidate the serviceaccounts in the chaos infrastruct…
Browse files Browse the repository at this point in the history
…ure (#4598)

* chore(rbac): Consolidate the serviceaccounts in the chaos infrastructure

Signed-off-by: Shubham Chaudhary <shubham.chaudhary@harness.io>

* add rbac for event tracker

Signed-off-by: Shubham Chaudhary <shubham.chaudhary@harness.io>

---------

Signed-off-by: Shubham Chaudhary <shubham.chaudhary@harness.io>
  • Loading branch information
ispeakc0de authored Apr 24, 2024
1 parent a102b66 commit 496ac7f
Show file tree
Hide file tree
Showing 15 changed files with 583 additions and 863 deletions.
69 changes: 34 additions & 35 deletions chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,54 +2,53 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: argo
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argo-cluster-role
name: chaos-cluster-role
rules:
- apiGroups: [""]
resources: ["pods", "pods/exec"]
verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "delete"]
- apiGroups: ["argoproj.io"]
resources: ["workflows", "workflows/finalizers"]
verbs: ["get", "list", "watch", "update", "patch", "delete", "create"]
- apiGroups: ["argoproj.io"]
resources: ["workflowtemplates","workflowtemplates/finalizers","clusterworkflowtemplates","clusterworkflowtemplates/finalizers","workflowtasksets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["argoproj.io"]
resources: ["workflowtaskresults"]
verbs: ["list", "watch", "deletecollection"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "list"]
- apiGroups: ["argoproj.io"]
resources: ["cronworkflows", "cronworkflows/finalizers"]
verbs: ["get", "list", "watch", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["create", "get", "delete"]
# for managing the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods', 'services']
verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list']
- apiGroups: ['']
resources: ['namespaces']
verbs: ['get', 'watch', 'patch', 'list']

# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: ['']
resources: ['pods/log', 'pods/exec']
verbs: ['get', 'watch', 'create', 'delete', 'patch']
- apiGroups: ['']
resources: ['secrets', 'configmaps']
verbs: ['get', 'watch', 'create', 'patch']

# for creation & deletion of application in predefined workflows
- apiGroups: ['apps']
resources: ['deployments']
verbs: ['delete']
- apiGroups: ['apps']
resources: ['deployments', 'statefulsets']
verbs: ['get', 'watch', 'patch' , 'create']

# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources:
["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
verbs: ["create", "list", "get", "patch", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argo-binding
name: chaos-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argo-cluster-role
name: chaos-cluster-role
subjects:
- kind: ServiceAccount
name: argo
name: argo-chaos
namespace: #{INFRA_NAMESPACE}
Original file line number Diff line number Diff line change
Expand Up @@ -67,4 +67,4 @@ spec:
memory: "500Mi"
cpu: "225m"
ephemeral-storage: "1Gi"
serviceAccountName: argo
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
123 changes: 123 additions & 0 deletions chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
labels:
name: litmus-admin
---
# Source: openebs/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: litmus-admin
labels:
name: litmus-admin
rules:
# ***************************************************************************************
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
# ***************************************************************************************

# The chaos operator watches the chaosengine resource and orchestrates the chaos experiment..
## .. by creating the chaos-runner

# for creating and monitoring the chaos-runner pods
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update", "deletecollection"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create","get","list","patch","update"]

# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["get", "list"]

# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]

# for configuring and monitor the experiment job by chaos-runner pod
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "list", "get", "delete", "deletecollection"]

# ********************************************************************
# Permissions needed for creation and discovery of chaos experiments
# ********************************************************************

# The helper pods are created by experiment to perform the actual chaos injection ...
# ... for a period of chaos duration

# for creating and managing to execute comands inside target container
- apiGroups: [""]
resources: ["pods/exec","pods/eviction","replicationcontrollers"]
verbs: ["get","list","create"]

# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]

# for creating and monitoring liveness services or monitoring target app services during chaos injection
- apiGroups: [""]
resources: ["services"]
verbs: ["create","get","list"]

# for checking the app parent resources as deployments or sts and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["list", "get", "patch", "update"]

# for checking the app parent resources as replicasets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get"]

# for checking the app parent resources as deamonsets and are eligible chaos candidates
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["list","get"]

# for checking (openshift) app parent resources if they are eligible chaos candidates
- apiGroups: ["apps.openshift.io"]
resources: ["deploymentconfigs"]
verbs: ["list", "get"]

# for checking (argo) app parent resources if they are eligible chaos candidates
- apiGroups: ["argoproj.io"]
resources: ["rollouts"]
verbs: ["list", "get"]

# performs CRUD operations on the network policies
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create","delete","list","get"]

# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines","chaosexperiments","chaosresults"]
verbs: ["create","list","get","patch","update","delete"]

# for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
- apiGroups: [""]
resources: ["nodes"]
verbs: ["patch", "get", "list", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: litmus-admin
labels:
name: litmus-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: litmus-admin
subjects:
- kind: ServiceAccount
name: litmus-admin
namespace: #{INFRA_NAMESPACE}
115 changes: 0 additions & 115 deletions chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ spec:
app.kubernetes.io/managed-by: kubectl
name: chaos-operator
spec:
serviceAccountName: litmus-cluster-scope
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
#{TOLERATIONS}
#{NODE_SELECTOR}
containers:
Expand Down Expand Up @@ -114,7 +114,7 @@ spec:
memory: "500Mi"
cpu: "225m"
ephemeral-storage: "1Gi"
serviceAccountName: litmus-cluster-scope
serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
---
apiVersion: v1
kind: Service
Expand Down
Loading

0 comments on commit 496ac7f

Please sign in to comment.