chore: rbac permissions for odiglet (#2049)

remove unused permissions and make some of them role instead of clusterrole
odigos-io · Dec 23, 2024 · 2bd6672 · 2bd6672
1 parent ac6db53
commit 2bd6672
Show file tree

Hide file tree

Showing 6 changed files with 160 additions and 165 deletions.
diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/odigos-io/odigos/cli/pkg/autodetect"
 	cmdcontext "github.com/odigos-io/odigos/cli/pkg/cmd_context"
+	"github.com/odigos-io/odigos/common/consts"
 
 	"github.com/odigos-io/odigos/cli/cmd/resources/odigospro"
 	"github.com/odigos-io/odigos/cli/cmd/resources/resourcemanager"
@@ -24,12 +25,16 @@ import (
 )
 
 const (
-	OdigletServiceName         = "odiglet"
-	OdigletDaemonSetName       = "odiglet"
-	OdigletAppLabelValue       = "odiglet"
-	OdigletContainerName       = "odiglet"
-	OdigletImageName           = "keyval/odigos-odiglet"
-	OdigletEnterpriseImageName = "keyval/odigos-enterprise-odiglet"
+	OdigletDaemonSetName          = "odiglet"
+	OdigletAppLabelValue          = OdigletDaemonSetName
+	OdigletServiceAccountName     = OdigletDaemonSetName
+	OdigletRoleName               = OdigletDaemonSetName
+	OdigletRoleBindingName        = OdigletDaemonSetName
+	OdigletClusterRoleName        = OdigletDaemonSetName
+	OdigletClusterRoleBindingName = OdigletDaemonSetName
+	OdigletContainerName          = "odiglet"
+	OdigletImageName              = "keyval/odigos-odiglet"
+	OdigletEnterpriseImageName    = "keyval/odigos-enterprise-odiglet"
 )
 
 func NewOdigletServiceAccount(ns string) *corev1.ServiceAccount {
@@ -39,20 +44,21 @@ func NewOdigletServiceAccount(ns string) *corev1.ServiceAccount {
 			APIVersion: "v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "odiglet",
+			Name:      OdigletServiceAccountName,
 			Namespace: ns,
 		},
 	}
 }
 
-func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
-	clusterrole := &rbacv1.ClusterRole{
+func NewOdigletRole(ns string) *rbacv1.Role {
+	return &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
-			Kind:       "ClusterRole",
+			Kind:       "Role",
 			APIVersion: "rbac.authorization.k8s.io/v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "odiglet",
+			Name:      OdigletRoleName,
+			Namespace: ns,
 		},
 		Rules: []rbacv1.PolicyRule{
 			{
@@ -62,37 +68,57 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 					"watch",
 				},
 				APIGroups: []string{"odigos.io"},
-				Resources: []string{"odigosconfigurations", "collectorsgroups", "collectorsgroups/status"},
-			},
-			{
-				Verbs: []string{
-					"get",
-					"list",
-					"watch",
-				},
-				APIGroups: []string{""},
-				Resources: []string{"configmaps"},
+				Resources: []string{"collectorsgroups", "collectorsgroups/status"},
 			},
 			{
 				Verbs: []string{
 					"get",
 					"list",
 					"watch",
 				},
-				APIGroups: []string{""},
-				Resources: []string{
-					"pods",
-				},
+				APIGroups:     []string{""},
+				Resources:     []string{"configmaps"},
+				ResourceNames: []string{consts.OdigosConfigurationName},
 			},
+		},
+	}
+}
+
+func NewOdigletRoleBinding(ns string) *rbacv1.RoleBinding {
+	return &rbacv1.RoleBinding{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "RoleBinding",
+			APIVersion: "rbac.authorization.k8s.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      OdigletRoleBindingName,
+			Namespace: ns,
+		},
+		Subjects: []rbacv1.Subject{
 			{
-				Verbs: []string{
-					"get",
-				},
-				APIGroups: []string{""},
-				Resources: []string{
-					"pods/status",
-				},
+				Kind:      "ServiceAccount",
+				Name:      OdigletServiceAccountName,
+				Namespace: ns,
 			},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "Role",
+			Name:     OdigletRoleName,
+		},
+	}
+}
+
+func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
+	clusterrole := &rbacv1.ClusterRole{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ClusterRole",
+			APIVersion: "rbac.authorization.k8s.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: OdigletClusterRoleName,
+		},
+		Rules: []rbacv1.PolicyRule{
 			{
 				Verbs: []string{
 					"get",
@@ -101,34 +127,7 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 				},
 				APIGroups: []string{""},
 				Resources: []string{
-					"nodes",
-				},
-			},
-			{
-				Verbs: []string{
-					"get",
-					"list",
-					"watch",
-				},
-				APIGroups: []string{"apps"},
-				Resources: []string{"deployments"},
-			},
-			{
-				Verbs: []string{
-					"get",
-				},
-				APIGroups: []string{"apps"},
-				Resources: []string{
-					"deployments/status",
-				},
-			},
-			{
-				Verbs: []string{
-					"get",
-				},
-				APIGroups: []string{"apps"},
-				Resources: []string{
-					"deployments/finalizers",
+					"pods", "pods/status",
 				},
 			},
 			{
@@ -137,25 +136,9 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 					"list",
 					"watch",
 				},
-				APIGroups: []string{"apps"},
-				Resources: []string{"statefulsets"},
-			},
-			{
-				Verbs: []string{
-					"get",
-				},
-				APIGroups: []string{"apps"},
-				Resources: []string{
-					"statefulsets/status",
-				},
-			},
-			{
-				Verbs: []string{
-					"get",
-				},
-				APIGroups: []string{"apps"},
+				APIGroups: []string{""},
 				Resources: []string{
-					"statefulsets/finalizers",
+					"nodes",
 				},
 			},
 			{
@@ -165,24 +148,15 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 					"watch",
 				},
 				APIGroups: []string{"apps"},
-				Resources: []string{"daemonsets"},
-			},
-			{
-				Verbs: []string{
-					"get",
-				},
-				APIGroups: []string{"apps"},
-				Resources: []string{
-					"daemonsets/status",
-				},
+				Resources: []string{"deployments", "daemonsets", "statefulsets"},
 			},
 			{
 				Verbs: []string{
 					"get",
 				},
 				APIGroups: []string{"apps"},
 				Resources: []string{
-					"daemonsets/finalizers",
+					"deployments/status", "daemonsets/status", "statefulsets/status",
 				},
 			},
 			{
@@ -253,17 +227,6 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 					"instrumentationinstances/status",
 				},
 			},
-			{
-				Verbs: []string{
-					"get",
-					"list",
-					"watch",
-				},
-				APIGroups: []string{""},
-				Resources: []string{
-					"namespaces",
-				},
-			},
 			{
 				Verbs: []string{
 					"get",
@@ -319,19 +282,19 @@ func NewOdigletClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
 			APIVersion: "rbac.authorization.k8s.io/v1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "odiglet",
+			Name: OdigletClusterRoleBindingName,
 		},
 		Subjects: []rbacv1.Subject{
 			{
 				Kind:      "ServiceAccount",
-				Name:      "odiglet",
+				Name:      OdigletServiceAccountName,
 				Namespace: ns,
 			},
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     "odiglet",
+			Name:     OdigletClusterRoleName,
 		},
 	}
 }
@@ -349,7 +312,7 @@ func NewSCCRoleBinding(ns string) *rbacv1.RoleBinding {
 		Subjects: []rbacv1.Subject{
 			{
 				Kind:      "ServiceAccount",
-				Name:      "odiglet",
+				Name:      OdigletServiceAccountName,
 				Namespace: ns,
 			},
 			{
@@ -641,7 +604,7 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam
 						},
 					},
 					DNSPolicy:          "ClusterFirstWithHostNet",
-					ServiceAccountName: "odiglet",
+					ServiceAccountName: OdigletServiceAccountName,
 					HostNetwork:        true,
 					HostPID:            true,
 					PriorityClassName:  "system-node-critical",
@@ -723,6 +686,8 @@ func (a *odigletResourceManager) InstallFromScratch(ctx context.Context) error {
 
 	resources := []kube.Object{
 		NewOdigletServiceAccount(a.ns),
+		NewOdigletRole(a.ns),
+		NewOdigletRoleBinding(a.ns),
 		NewOdigletClusterRole(a.config.Psp),
 		NewOdigletClusterRoleBinding(a.ns),
 	}