[PLAT-11716][yba] Synced the YBA SA RBAC with platform-global RBAC

Summary: - Synchronized the YBA SA RBAC with the platform-global RBAC. - I haven't updated the multicluster-related permissions in YBA SA RBAC. - The following extra permissions have been deleted after synchronizing it with platform-global. ``` - apiGroups: - "" resources: - services verbs: ["watch", "update"] - apiGroups: - "" resources: - nodes verbs: ["create", "update", "patch", "delete"] - apiGroups: - "" resources: - nodes/proxy verbs: ["list", "watch", "create", "update", "patch", "delete"] - apiGroups: - "" resources: - endpoints verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: - "" resources: - pods verbs: ["watch", "create", "update", "patch"] - apiGroups: - "" resources: - pods/exec verbs: ["get", "list", "watch", "update", "patch", "delete"] - apiGroups: - extensions resources: - ingresses verbs: ["get", "list", "watch"] - nonResourceURLs: ["/metrics"] verbs: ["get"] - apiGroups: - "" resources: - namespaces verbs: ["watch"] - apiGroups: - "" resources: - secrets verbs: ["watch"] - apiGroups: - "" resources: - pods/portforward verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: - "apps" resources: - deployments verbs: ["create", "get", "list", "watch", "update", "delete"] ``` Test Plan: ## Test 1 - Created the K8s Cloud provider using the `autofill local cluster config` button. - Deployed the multizone universe. - Expand the storage size. Reviewers: sanketh, bgandhi, anijhawan Reviewed By: bgandhi, anijhawan Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D31163
yugabyte · Dec 21, 2023 · 4f936a8 · 4f936a8
1 parent 0934652
commit 4f936a8
Showing 1 changed file with 159 additions and 51 deletions.
diff --git a/stable/yugaware/templates/rbac.yaml b/stable/yugaware/templates/rbac.yaml
@@ -39,59 +39,167 @@ kind: ClusterRole
 metadata:
   name: {{ .Release.Name }}
 rules:
+# Set of permissions required for operator
 - apiGroups:
   - operator.yugabyte.io
-  resources: ["*"]
-  verbs: ["get", "create", "delete", "patch", "list", "watch", "update"]
-- apiGroups: ["policy"]
-  resources:
-  - poddisruptionbudgets
-  verbs: ["get", "create", "delete", "patch"]
-- apiGroups: [""]
-  resources:
-  - services
-  verbs: ["get", "delete", "create", "patch", "list", "watch"]
-- apiGroups: ["apps"]
-  resources:
-  - statefulsets
-  verbs: ["get", "delete", "create", "patch", "scale"]
-- apiGroups: [""]
-  resources:
-  - secrets
-  verbs: ["create", "list", "get", "delete", "update", "patch"]
-- apiGroups: ["cert-manager.io"]
-  resources:
-  - certificates
-  verbs: ["create", "delete", "get", "patch"]
-- apiGroups: [""]
-  resources:
-  - nodes
-  - nodes/proxy
-  - services
-  - endpoints
-  - pods
-  - pods/exec
-  - configmaps      # added configmaps resource
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]   # added all verbs for configmaps
-- apiGroups:
-  - extensions
-  resources:
-  - ingresses
-  verbs: ["get", "list", "watch"]
-- nonResourceURLs: ["/metrics"]
-  verbs: ["get"]
-- apiGroups: [""]
-  resources:
-  - namespaces
-  - secrets
-  - pods/portforward
-  - events          # added events resource
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  # added all verbs for events
-- apiGroups: ["", "extensions"]
-  resources:
-  - deployments
-  - services
-  verbs: ["create", "get", "list", "watch", "update", "delete"]
+  resources:
+  - "*"
+  verbs:
+  - "get"
+  - "create"
+  - "delete"
+  - "patch"
+  - "list"
+  - "watch"
+  - "update"
+# Set of permissions required to install, upgrade, delete the yugabyte chart
+- apiGroups:
+  - "policy"
+  resources:
+  - "poddisruptionbudgets"
+  verbs:
+  - "get"
+  - "create"
+  - "delete"
+  - "patch"
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  verbs:
+  - "get"
+  - "delete"
+  - "create"
+  - "patch"
+- apiGroups:
+  - "apps"
+  resources:
+  - "statefulsets"
+  verbs:
+  - "get"
+  - "list"
+  - "delete"
+  - "create"
+  - "patch"
+- apiGroups:
+  - ""
+  resources:
+  - "secrets"
+  verbs:
+  - "create"
+  - "list"
+  - "get"
+  - "delete"
+  - "update"
+  - "patch"
+- apiGroups:
+  - "cert-manager.io"
+  resources:
+  - "certificates"
+  verbs:
+  - "create"
+  - "delete"
+  - "get"
+  - "patch"
+- apiGroups:
+  - ""
+  resources:
+  - "configmaps"
+  verbs:
+  - "get"
+  - "create"
+  - "patch"
+  - "delete"
+# Set of permissions required by YBA to manage YB DB universes
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  verbs:
+  - "delete"
+  - "create"
+  - "patch"
+  - "get"
+  - "list"
+- apiGroups:
+  - ""
+  resources:
+  - "pods"
+  verbs:
+  - "get"
+  - "list"
+  - "delete"
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+  - ""
+  resources:
+  - "persistentvolumeclaims"
+  verbs:
+  - "get"
+  - "patch"
+  - "list"
+  - "delete"
+- apiGroups:
+  - ""
+  resources:
+  - "pods/exec"
+  verbs:
+  - "create"
+- apiGroups:
+  - "apps"
+  resources:
+  - "statefulsets/scale"
+  verbs:
+  - "patch"
+- apiGroups:
+  - ""
+  resources:
+  - "events"
+  verbs:
+  - "list"
+# required to scrape resource metrics like CPU, memory, etc.
+- apiGroups:
+  - ""
+  resources:
+  - "nodes"
+  verbs:
+  - "list"
+  - "get"
+  - "watch"
+# required to scrape resource metrics like CPU, memory, etc.
+- apiGroups:
+  - ""
+  resources:
+  - "nodes/proxy"
+  verbs:
+  - "get"
+# Ref: https://github.com/yugabyte/charts/commit/4a5319972385666487a7bc2cd0c35052f2cfa4c5
+- apiGroups:
+  - ""
+  resources:
+  - "events"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "create"
+  - "update"
+  - "patch"
+  - "delete"
+- apiGroups:
+  - ""
+  resources:
+  - "configmaps"
+  verbs:
+  - "list"
+  - "watch"
+  - "update"
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1