From 5e98c295333ccf711b0fa488c3e9fd7868ca57dd Mon Sep 17 00:00:00 2001 
From: Gaelle Fournier Date: Fri, 10 Nov 2023 14:35:32 +0100 Subject: [PATCH] feat(install): Separate namespaced and descoped rbacs Ref #3165 --- config/manifests/kustomization.yaml | 1 + config/rbac/descoped/kustomization.yaml | 38 ++++ .../operator-cluster-role-binding-events.yaml | 31 +++ .../operator-cluster-role-binding-keda.yaml | 31 +++ ...operator-cluster-role-binding-knative.yaml | 31 +++ .../operator-cluster-role-binding-leases.yaml | 31 +++ ...ator-cluster-role-binding-podmonitors.yaml | 31 +++ ...operator-cluster-role-binding-strimzi.yaml | 31 +++ .../operator-cluster-role-binding.yaml | 31 +++ .../operator-cluster-role-events.yaml | 34 ++++ .../descoped/operator-cluster-role-keda.yaml | 38 ++++ .../operator-cluster-role-knative.yaml | 80 ++++++++ .../operator-cluster-role-leases.yaml | 37 ++++ .../operator-cluster-role-podmonitors.yaml | 37 ++++ .../operator-cluster-role-strimzi.yaml | 33 +++ .../rbac/descoped/operator-cluster-role.yaml | 188 ++++++++++++++++++ config/rbac/kustomization.yaml | 29 ++- config/rbac/namespaced/kustomization.yaml | 38 ++++ .../operator-role-binding-events.yaml | 0 .../operator-role-binding-keda.yaml | 0 .../operator-role-binding-knative.yaml | 0 .../operator-role-binding-leases.yaml | 0 .../operator-role-binding-podmonitors.yaml | 0 .../operator-role-binding-strimzi.yaml | 0 .../operator-role-binding.yaml | 0 .../operator-role-events.yaml | 0 .../{ => namespaced}/operator-role-keda.yaml | 0 .../operator-role-knative.yaml | 0 .../operator-role-leases.yaml | 0 .../operator-role-podmonitors.yaml | 0 .../operator-role-strimzi.yaml | 0 .../rbac/{ => namespaced}/operator-role.yaml | 0 install/Makefile | 10 +- install/setup/kustomization.yaml | 12 -- pkg/install/operator.go | 136 +++++++++---- 35 files changed, 852 insertions(+), 76 deletions(-) create mode 100644 config/rbac/descoped/kustomization.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-events.yaml create mode 100644 
config/rbac/descoped/operator-cluster-role-binding-keda.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-knative.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-leases.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-events.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-keda.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-knative.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-leases.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-podmonitors.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-strimzi.yaml create mode 100644 config/rbac/descoped/operator-cluster-role.yaml create mode 100644 config/rbac/namespaced/kustomization.yaml rename config/rbac/{ => namespaced}/operator-role-binding-events.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-keda.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-knative.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-leases.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-podmonitors.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-strimzi.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-events.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-keda.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-knative.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-leases.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-podmonitors.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-strimzi.yaml 
(100%) rename config/rbac/{ => namespaced}/operator-role.yaml (100%)
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 94f8a27f8b..9a926be1b0 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -27,6 +27,7 @@ resources:
- ../samples
- ../scorecard
- ../rbac
+- ../rbac/namespaced
- ../rbac/openshift
patchesStrategicMerge:
diff --git a/config/rbac/descoped/kustomization.yaml b/config/rbac/descoped/kustomization.yaml
new file mode 100644
index 0000000000..ade2d46ba8
--- /dev/null
+++ b/config/rbac/descoped/kustomization.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - global operator
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-cluster-role-events.yaml
+- operator-cluster-role-knative.yaml
+- operator-cluster-role.yaml
+- operator-cluster-role-keda.yaml
+- operator-cluster-role-leases.yaml
+- operator-cluster-role-podmonitors.yaml
+- operator-cluster-role-strimzi.yaml
+- operator-cluster-role-binding-events.yaml
+- operator-cluster-role-binding-keda.yaml
+- operator-cluster-role-binding-knative.yaml
+- operator-cluster-role-binding-leases.yaml
+- operator-cluster-role-binding-podmonitors.yaml
+- operator-cluster-role-binding-strimzi.yaml
+- operator-cluster-role-binding.yaml
diff --git a/config/rbac/descoped/operator-cluster-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
new file mode 100644
index 0000000000..9dd5228d26
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-events
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
new file mode 100644
index 0000000000..92e154e878
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
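Review bot: The subject's `namespace: placeholder` line only works if the installer rewrites it before this ClusterRoleBinding is applied; applied as-is, the binding points at a namespace that does not exist and the `camel-k-operator` ServiceAccount silently receives none of the ClusterRole's permissions, because the API server accepts bindings to unknown subjects without error. The same placeholder subject is in the other six ClusterRoleBindings added by this commit (keda, knative, leases, podmonitors, strimzi and the main `camel-k-operator` binding), so one explicit contract would cover all of them. A comment on that line would make it reviewable, e.g. `namespace: placeholder  # presumably replaced by the installer with the operator namespace — confirm against pkg/install/operator.go`. The Go side of that substitution (pkg/install/operator.go) is in the diffstat but not visible here.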
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-keda
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
new file mode 100644
index 0000000000..739b0dd06a
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-knative
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-knative
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
new file mode 100644
index 0000000000..35d667fd12
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-leases
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
new file mode 100644
index 0000000000..bef231b078
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-podmonitors
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
new file mode 100644
index 0000000000..fefd143525
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-strimzi
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml
new file mode 100644
index 0000000000..83f227d628
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml
new file mode 100644
index 0000000000..1dfd24b01e
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-events.yaml
@@ -0,0 +1,34 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - get
+ - list
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml
new file mode 100644
index 0000000000..3b3f432ebb
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "keda.sh"
+ resources:
+ - scaledobjects
+ - triggerauthentications
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml
new file mode 100644
index 0000000000..305d26b624
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -0,0 +1,80 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-knative
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - services
+ - routes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - triggers
+ - brokers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - messaging.knative.dev
+ resources:
+ - subscriptions
+ - channels
+ - inmemorychannels
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - sources.knative.dev
+ resources:
+ - sinkbindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - patch
diff --git a/config/rbac/descoped/operator-cluster-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml
new file mode 100644
index 0000000000..6ea671bd28
--- /dev/null
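Review bot: The last rule grants `patch` on `namespaces` cluster-wide, which in a ClusterRole means the operator can modify the metadata (labels, annotations, finalizers) of every namespace in the cluster, not only the ones it manages; nothing in this file says why that breadth is needed. If the patch is only required for a known set of namespaces (presumably to label them for Knative — confirm), a `resourceNames` list would narrow it, and otherwise a comment on that rule explaining the cluster-wide need would make the grant reviewable, e.g. `# patch is required on every namespace the operator may reconcile into; not narrowable with resourceNames`. Separately, the `serving.knative.dev` rule lists `watch` while the eventing, messaging and sources rules do not; if that mirrors the namespaced Role it is fine, but it reads as an inconsistency worth a one-line comment.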
+++ b/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
new file mode 100644
index 0000000000..2578103c38
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - podmonitors
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
new file mode 100644
index 0000000000..9ccea139fd
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "kafka.strimzi.io"
+ resources:
+ - kafkatopics
+ - kafkas
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml
new file mode 100644
index 0000000000..d7ee2fa399
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role.yaml
@@ -0,0 +1,188 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds
+ - camelcatalogs
+ - integrationkits
+ - integrationplatforms
+ - integrations
+ - pipes
+ # Deprecated: kameletbindings CR
+ - kameletbindings
+ - kamelets
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds
+ verbs:
+ - delete
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - builds/status
+ - camelcatalogs/status
+ - integrationkits/status
+ - integrationplatforms/status
+ - integrations/scale
+ - integrations/status
+ - pipes/status
+ - pipes/scale
+ # Deprecated: kameletbindings CR
+ - kameletbindings/status
+ - kameletbindings/scale
+ - kamelets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - configmaps
+ - secrets
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - pods/proxy
+ - pods/log
+ verbs:
+ - get
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - delete
+ - get
+ - update
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterrolebindings
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index f2600f1626..5b3e03f558 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
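Review bot: Taken together, the core rule (create/delete/list on `secrets` and `serviceaccounts` in every namespace), the `pods/exec` create rule and the `rbac.authorization.k8s.io` rule (create/delete on `roles`, `rolebindings` and `clusterrolebindings`) give the `camel-k-operator` ServiceAccount cluster-admin-equivalent reach, so the descoped install is a much larger trust boundary than the namespaced one and the file header does not say so. That breadth may be inherent to a global operator, but a short comment under `rules:` such as `# Descoped (global) mode: every rule below applies to all namespaces; see namespaced/operator-role.yaml for the per-namespace equivalent` would tell installers what they are applying. Where a rule is only exercised on objects the operator itself creates — the `clusterrolebindings` create/delete looks like a candidate, if it is used only for the operator's own bindings (confirm in pkg/install) — a `resourceNames` list would narrow it without changing behaviour. Noting also that the same cluster-wide `get`/`list` on `namespaces` is granted again by operator-cluster-role-knative.yaml, with `patch` added there.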
@@ -23,23 +23,22 @@ kind: Kustomization
resources:
- user-cluster-role.yaml
-- operator-role-events.yaml
-- operator-role-knative.yaml
-- operator-role.yaml
-- operator-role-keda.yaml
-- operator-role-leases.yaml
-- operator-role-podmonitors.yaml
-- operator-role-strimzi.yaml
-- operator-role-binding-events.yaml
-- operator-role-binding-keda.yaml
-- operator-role-binding-knative.yaml
-- operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
-- operator-role-binding-podmonitors.yaml
-- operator-role-binding-strimzi.yaml
-- operator-role-binding.yaml
- operator-cluster-role-custom-resource-definitions.yaml
- operator-cluster-role-binding-custom-resource-definitions.yaml
- operator-cluster-role-addressable-resolver.yaml
- operator-cluster-role-binding-addressable-resolver.yaml
- operator-cluster-role-local-registry.yaml
+- operator-role-binding-local-registry.yaml
+
+
+transformers:
+- |-
+ apiVersion: builtin
+ kind: PatchTransformer
+ metadata:
+ name: fix-local-registry-rbac-namespace
+ patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+ target:
+ group: rbac.authorization.k8s.io
+ kind: RoleBinding
+ name: camel-k-operator-local-registry
\ No newline at end of file
diff --git a/config/rbac/namespaced/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml
new file mode 100644
index 0000000000..510beb4d57
--- /dev/null
+++ b/config/rbac/namespaced/kustomization.yaml
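Review bot: The new `transformers:` entry forces the `camel-k-operator-local-registry` RoleBinding's namespace to `kube-public` without a word on why a RoleBinding in this kustomization must live outside the operator namespace, and the file now ends without a trailing newline (`\ No newline at end of file`). A comment above the transformer would make the intent reviewable, e.g. `# the local-registry RoleBinding is pinned to kube-public — presumably where the registry resources it grants access to live; confirm`, and the trailing newline should be restored. The two blank lines before `transformers:` could be reduced to one to match the rest of the file.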
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - namespaced operator
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-role-events.yaml
+- operator-role-knative.yaml
+- operator-role.yaml
+- operator-role-keda.yaml
+- operator-role-leases.yaml
+- operator-role-podmonitors.yaml
+- operator-role-strimzi.yaml
+- operator-role-binding-events.yaml
+- operator-role-binding-keda.yaml
+- operator-role-binding-knative.yaml
+- operator-role-binding-leases.yaml
+- operator-role-binding-podmonitors.yaml
+- operator-role-binding-strimzi.yaml
+- operator-role-binding.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-events.yaml
rename to config/rbac/namespaced/operator-role-binding-events.yaml
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-keda.yaml
rename to config/rbac/namespaced/operator-role-binding-keda.yaml
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-knative.yaml
rename to config/rbac/namespaced/operator-role-binding-knative.yaml
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-leases.yaml
rename to config/rbac/namespaced/operator-role-binding-leases.yaml
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-strimzi.yaml
rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml
similarity index 100%
rename from config/rbac/operator-role-binding.yaml
rename to config/rbac/namespaced/operator-role-binding.yaml
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml
similarity index 100%
rename from config/rbac/operator-role-events.yaml
rename to config/rbac/namespaced/operator-role-events.yaml
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-keda.yaml
rename to config/rbac/namespaced/operator-role-keda.yaml
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-knative.yaml
rename to config/rbac/namespaced/operator-role-knative.yaml
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-leases.yaml
rename to config/rbac/namespaced/operator-role-leases.yaml
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-podmonitors.yaml
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-strimzi.yaml
rename to config/rbac/namespaced/operator-role-strimzi.yaml
diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml
similarity index 100%
rename from config/rbac/operator-role.yaml
rename to config/rbac/namespaced/operator-role.yaml
diff --git a/install/Makefile b/install/Makefile
index ce329c6d51..a80f5e3da9 100644
--- a/install/Makefile
+++ b/install/Makefile
@@ -241,13 +241,11 @@ endif
 setup: setup-cluster
 # Set the namespace in the setup kustomization yaml
 @$(call set-kustomize-namespace,$@)
-# If GLOBAL then add the conversion patches for all roles and rolebindings
-ifeq ($(GLOBAL),true)
- @$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
- @$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+# If GLOBAL then add the versions with clusterroles and clusterrolebindings
+ifeq ($(GLOBAL), true)
+ @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;
 else
- @$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
- @$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+ @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null;
 endif
 ifeq ($(PLATFORM), openshift)
 @for res in $(RBAC_OS)/operator-role*; do \
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index 9598726cae..c10dfd6538 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,15 +19,3 @@ kind: Kustomization
 resources:
 - ../config/rbac
-
-transformers:
-- |-
- apiVersion: builtin
- kind: PatchTransformer
- metadata:
- name: fix-local-registry-rbac-namespace
- patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
- target:
- group: rbac.authorization.k8s.io
- kind: RoleBinding
- name: camel-k-operator-local-registry
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index 9daf61ee0c..2db3fde3d6 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
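Review bot: The two new `kustomize edit add resource` lines only ever add, so `make setup GLOBAL=true` followed later by `make setup` leaves both `../$(RBAC)/descoped` and `../$(RBAC)/namespaced` in the setup kustomization, and a build meant to be namespaced then also ships the operator ClusterRole and ClusterRoleBinding; the replaced add-remove-kind-patch calls kept the two modes symmetric. Removing the counterpart before adding restores that: `@cd $@ || exit 1 && ($(KUSTOMIZE) edit remove resource ../$(RBAC)/namespaced || true) && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;` in the GLOBAL branch, and the mirror image with the two directories swapped in the else branch (the `|| true` covers a first run where the entry is not present yet, in case `edit remove resource` reports that as an error). `&> /dev/null` is a bash-ism that a POSIX `SHELL` parses as a background `&`; `> /dev/null 2>&1` is portable unless the Makefile already sets SHELL to bash outside this view. The setup target continues past the end of the hunk.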
@@ -260,7 +260,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 }
 // Install Kubernetes RBAC resources (roles and bindings)
- if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 return err
 }
@@ -289,7 +289,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 return err
 }
 if isKnative {
- if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 return err
 }
 if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-bind-addressable-resolver", "/rbac/operator-cluster-role-binding-addressable-resolver.yaml"); err != nil {
@@ -301,35 +301,35 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 }
 }
- if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 if k8serrors.IsAlreadyExists(err) {
 return err
 }
 fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.")
 }
- if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 if k8serrors.IsAlreadyExists(err) {
 return err
 }
 fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create KEDA resources. Try installing as cluster-admin.")
 }
- if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 if k8serrors.IsAlreadyExists(err) {
 return err
 }
 fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create PodMonitor resources. Try installing as cluster-admin.")
 }
- if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 if k8serrors.IsAlreadyExists(err) {
 return err
 }
 fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to lookup strimzi kafka resources. 
Try installing as cluster-admin to allow the lookup of strimzi kafka resources.")
 }
- if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 if k8serrors.IsAlreadyExists(err) {
 return err
 }
@@ -491,12 +491,20 @@ func installOpenShiftRoles(ctx context.Context, c client.Client, namespace strin
 )
 }
-func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/manager/operator-service-account.yaml",
- "/rbac/operator-role.yaml",
- "/rbac/operator-role-binding.yaml",
- )
+func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/manager/operator-service-account.yaml",
+ "/rbac/descoped/operator-cluster-role.yaml",
+ "/rbac/descoped/operator-cluster-role-binding.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/manager/operator-service-account.yaml",
+ "/rbac/namespaced/operator-role.yaml",
+ "/rbac/namespaced/operator-role-binding.yaml",
+ )
+ }
 }
 func installOperator(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
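Review bot: installKubernetesRoles and the six sibling installers in the hunks at 505 and 547 (installKedaBindings, installKnative, installEvents, installPodMonitors, installStrimziBindings, installLeaseBindings) each carry an identical `if global { … } else { … }` that differs only in the `descoped/operator-cluster-role` versus `namespaced/operator-role` path stem and the component suffix, and each has an `else` after a terminating `return`. Since `global` is the one switch between a namespaced Role and a cluster-wide ClusterRole for the operator service account, keeping that path selection in a single helper makes the privilege decision reviewable in one place instead of seven; the sketch below assumes ResourcesOrCollect's trailing parameter is variadic, as the existing calls suggest. The new `global` parameter is also undocumented on every installer; a doc comment such as `// installKubernetesRoles installs the operator service account with a ClusterRole/ClusterRoleBinding when global is true, otherwise a namespaced Role/RoleBinding.` (and the equivalent on each sibling) would make the scope difference explicit at the call sites in OperatorOrCollect.
```go
// operatorRBACPaths returns the role and binding manifests for one RBAC component:
// the descoped ClusterRole pair when global is true, the namespaced Role pair otherwise.
// suffix is "" for the core operator role and "-<component>" (for example "-keda") for the rest.
func operatorRBACPaths(global bool, suffix string) []string {
	if global {
		return []string{
			"/rbac/descoped/operator-cluster-role" + suffix + ".yaml",
			"/rbac/descoped/operator-cluster-role-binding" + suffix + ".yaml",
		}
	}
	return []string{
		"/rbac/namespaced/operator-role" + suffix + ".yaml",
		"/rbac/namespaced/operator-role-binding" + suffix + ".yaml",
	}
}

// installKubernetesRoles installs the operator service account and its RBAC;
// global selects the cluster-wide ClusterRole variant over the namespaced Role.
func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
	paths := append([]string{"/manager/operator-service-account.yaml"}, operatorRBACPaths(global, "")...)
	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, paths...)
}
// … unchanged: the six sibling installers reduce to a single
//     return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, operatorRBACPaths(global, "-keda")...)
//     with their respective suffix …
```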
@@ -505,39 +513,74 @@ func installOperator(ctx context.Context, c client.Client, namespace string, cus
 )
 }
-func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-keda.yaml",
- "/rbac/operator-role-binding-keda.yaml",
- )
+func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-keda.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-keda.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-keda.yaml",
+ "/rbac/namespaced/operator-role-binding-keda.yaml",
+ )
+ }
 }
-func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-knative.yaml",
- "/rbac/operator-role-binding-knative.yaml",
- )
+func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-knative.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-knative.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-knative.yaml",
+ "/rbac/namespaced/operator-role-binding-knative.yaml",
+ )
+ }
 }
-func installEvents(ctx context.Context, c 
client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-events.yaml",
- "/rbac/operator-role-binding-events.yaml",
- )
+func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-events.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-events.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-events.yaml",
+ "/rbac/namespaced/operator-role-binding-events.yaml",
+ )
+ }
 }
-func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-podmonitors.yaml",
- "/rbac/operator-role-binding-podmonitors.yaml",
- )
+func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-podmonitors.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-podmonitors.yaml",
+ "/rbac/namespaced/operator-role-binding-podmonitors.yaml",
+ )
+ }
 }
-func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-strimzi.yaml",
- "/rbac/operator-role-binding-strimzi.yaml",
- )
+func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-strimzi.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-strimzi.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-strimzi.yaml",
+ "/rbac/namespaced/operator-role-binding-strimzi.yaml",
+ )
+ }
 }
 func installMonitoringResources(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
@@ -547,11 +590,18 @@ func installMonitoringResources(ctx context.Context, c client.Client, namespace
 )
 }
-func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-leases.yaml",
- "/rbac/operator-role-binding-leases.yaml",
- )
+func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-leases.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-leases.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-leases.yaml",
+ "/rbac/namespaced/operator-role-binding-leases.yaml",
+ )
+ }
 }
 // NewPlatform creates a new IntegrationPlatform instance.