From 4f936a8d561b8ba416d2c99818cd36172b35bc9b Mon Sep 17 00:00:00 2001 From: baba230896 Date: Thu, 21 Dec 2023 07:46:11 +0000 Subject: [PATCH] [PLAT-11716][yba] Synced the YBA SA RBAC with platform-global RBAC Summary: - Synchronized the YBA SA RBAC with the platform-global RBAC. - I haven't updated the multicluster-related permissions in YBA SA RBAC. - The following extra permissions have been deleted after synchronizing it with platform-global. ``` - apiGroups: - "" resources: - services verbs: ["watch", "update"] - apiGroups: - "" resources: - nodes verbs: ["create", "update", "patch", "delete"] - apiGroups: - "" resources: - nodes/proxy verbs: ["list", "watch", "create", "update", "patch", "delete"] - apiGroups: - "" resources: - endpoints verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: - "" resources: - pods verbs: ["watch", "create", "update", "patch"] - apiGroups: - "" resources: - pods/exec verbs: ["get", "list", "watch", "update", "patch", "delete"] - apiGroups: - extensions resources: - ingresses verbs: ["get", "list", "watch"] - nonResourceURLs: ["/metrics"] verbs: ["get"] - apiGroups: - "" resources: - namespaces verbs: ["watch"] - apiGroups: - "" resources: - secrets verbs: ["watch"] - apiGroups: - "" resources: - pods/portforward verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: - "apps" resources: - deployments verbs: ["create", "get", "list", "watch", "update", "delete"] ``` Test Plan: ## Test 1 - Created the K8s Cloud provider using the `autofill local cluster config` button. - Deployed the multizone universe. - Expand the storage size. Reviewers: sanketh, bgandhi, anijhawan Reviewed By: bgandhi, anijhawan Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D31163 --- stable/yugaware/templates/rbac.yaml | 210 +++++++++++++++++++++------- 1 file changed, 159 insertions(+), 51 deletions(-) 
diff --git a/stable/yugaware/templates/rbac.yaml b/stable/yugaware/templates/rbac.yaml
index 1160842d04..d61b3fc3e0 100644
--- a/stable/yugaware/templates/rbac.yaml
+++ b/stable/yugaware/templates/rbac.yaml
@@ -39,59 +39,167 @@ kind: ClusterRole metadata: name: {{ .Release.Name }} rules: +# Set of permissions required for operator - apiGroups: - operator.yugabyte.io - resources: ["*"] - verbs: ["get", "create", "delete", "patch", "list", "watch", "update"] -- apiGroups: ["policy"] - resources: - - poddisruptionbudgets - verbs: ["get", "create", "delete", "patch"] -- apiGroups: [""] - resources: - - services - verbs: ["get", "delete", "create", "patch", "list", "watch"] -- apiGroups: ["apps"] - resources: - - statefulsets - verbs: ["get", "delete", "create", "patch", "scale"] -- apiGroups: [""] - resources: - - secrets - verbs: ["create", "list", "get", "delete", "update", "patch"] -- apiGroups: ["cert-manager.io"] - resources: - - certificates - verbs: ["create", "delete", "get", "patch"] -- apiGroups: [""] - resources: - - nodes - - nodes/proxy - - services - - endpoints - - pods - - pods/exec - - configmaps # added configmaps resource - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # added all verbs for configmaps -- apiGroups: - - extensions - resources: - - ingresses - verbs: ["get", "list", "watch"] -- nonResourceURLs: ["/metrics"] - verbs: ["get"] -- apiGroups: [""] - resources: - - namespaces - - secrets - - pods/portforward - - events # added events resource - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # added all verbs for events -- apiGroups: ["", "extensions"] - resources: - - deployments - - services - verbs: ["create", "get", "list", "watch", "update", "delete"] + resources: + - "*" + verbs: + - "get" + - "create" + - "delete" + - "patch" + - "list" + - "watch" + - "update" +# Set of permissions required to install, upgrade, delete the yugabyte chart +- apiGroups: + - "policy" + resources: + - "poddisruptionbudgets" + verbs: + - "get" + - "create" + - "delete" + - "patch" +- apiGroups: + - "" + resources: + - "services" + verbs: + - "get" + - "delete" + - "create" + - "patch" +- apiGroups: + - "apps" + 
resources: + - "statefulsets" + verbs: + - "get" + - "list" + - "delete" + - "create" + - "patch" +- apiGroups: + - "" + resources: + - "secrets" + verbs: + - "create" + - "list" + - "get" + - "delete" + - "update" + - "patch" +- apiGroups: + - "cert-manager.io" + resources: + - "certificates" + verbs: + - "create" + - "delete" + - "get" + - "patch" +- apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "get" + - "create" + - "patch" + - "delete" +# Set of permissions required by YBA to manage YB DB universes +- apiGroups: + - "" + resources: + - "namespaces" + verbs: + - "delete" + - "create" + - "patch" + - "get" + - "list" +- apiGroups: + - "" + resources: + - "pods" + verbs: + - "get" + - "list" + - "delete" +- apiGroups: + - "" + resources: + - "services" + verbs: + - "get" + - "list" +- apiGroups: + - "" + resources: + - "persistentvolumeclaims" + verbs: + - "get" + - "patch" + - "list" + - "delete" +- apiGroups: + - "" + resources: + - "pods/exec" + verbs: + - "create" +- apiGroups: + - "apps" + resources: + - "statefulsets/scale" + verbs: + - "patch" +- apiGroups: + - "" + resources: + - "events" + verbs: + - "list" +# required to scrape resource metrics like CPU, memory, etc. +- apiGroups: + - "" + resources: + - "nodes" + verbs: + - "list" + - "get" + - "watch" +# required to scrape resource metrics like CPU, memory, etc. +- apiGroups: + - "" + resources: + - "nodes/proxy" + verbs: + - "get" +# Ref: https://github.com/yugabyte/charts/commit/4a5319972385666487a7bc2cd0c35052f2cfa4c5 +- apiGroups: + - "" + resources: + - "events" + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "patch" + - "delete" +- apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "list" + - "watch" + - "update" --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1
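Review bot: On the new side `events` and `configmaps` are each granted in two separate stanzas of the same ClusterRole — `events` gets only `list` under the "manage YB DB universes" comment and then every verb including `create`, `update`, `patch` and `delete` under the later `Ref:` comment, while `configmaps` is split into `get`/`create`/`patch`/`delete` and `list`/`watch`/`update` (and `services` into `get`/`delete`/`create`/`patch` and `get`/`list`). Kubernetes RBAC unions rules, so the effective grant is the superset and the narrower first stanza misleads a reader auditing what the service account can do; merging each resource into a single stanza makes the effective cluster-wide permission reviewable at a glance. Because this is a ClusterRole, the retained `list`/`get` on `secrets` and `create` on `pods/exec` apply in every namespace; a one-line comment on those rules stating why cluster scope is needed (as the `nodes` and `nodes/proxy` rules already have) would document the least-privilege decision. The hunk appears to cover the whole `rules:` block, from the `rules:` context line through the `---` separator, so no stanzas outside it seem to be affected.
```yaml
# … unchanged: operator, poddisruptionbudgets, statefulsets, secrets, certificates rules …
- apiGroups:
  - ""
  resources:
  - "services"
  verbs:
  - "get"
  - "list"
  - "create"
  - "patch"
  - "delete"
- apiGroups:
  - ""
  resources:
  - "configmaps"
  verbs:
  - "get"
  - "list"
  - "watch"
  - "create"
  - "update"
  - "patch"
  - "delete"
# … unchanged: namespaces, pods, persistentvolumeclaims, pods/exec, statefulsets/scale, nodes, nodes/proxy rules …
# Ref: https://github.com/yugabyte/charts/commit/4a5319972385666487a7bc2cd0c35052f2cfa4c5
- apiGroups:
  - ""
  resources:
  - "events"
  verbs:
  - "get"
  - "list"
  - "watch"
  - "create"
  - "update"
  - "patch"
  - "delete"
```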