Skip to content

Commit

Permalink
fix roles for dashboard
Browse files Browse the repository at this point in the history
  • Loading branch information
@klinch0
klinch0 committed Nov 29, 2024
1 parent 5692617 commit 59d4c5c
Show file tree
Hide file tree
Showing 2 changed files with 68 additions and 41 deletions.
105 changes: 65 additions & 40 deletions packages/apps/tenant/templates/tenant.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@ subjects:
- kind: ServiceAccount
name: tenant-root
namespace: tenant-root
- kind: Group
name: tenant-root-super-admin
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- if hasPrefix "tenant-" .Release.Namespace }}
{{- $parts := splitList "-" .Release.Namespace }}
Expand All @@ -51,12 +54,18 @@ subjects:
- kind: ServiceAccount
name: {{ join "-" (slice $parts 0 (add $i 1)) }}
namespace: {{ join "-" (slice $parts 0 (add $i 1)) }}
- kind: Group
name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}
{{- end }}
- kind: ServiceAccount
name: {{ include "tenant.name" . }}
namespace: {{ include "tenant.name" . }}
- kind: Group
name: {{ include "tenant.name" . }}-super-admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: {{ include "tenant.name" . }}
Expand Down Expand Up @@ -84,6 +93,9 @@ subjects:
- kind: ServiceAccount
name: {{ include "tenant.name" . }}
namespace: {{ include "tenant.name" . }}
- kind: Group
name: {{ include "tenant.name" . }}-super-admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: {{ include "tenant.name" . }}
Expand All @@ -95,15 +107,23 @@ metadata:
name: {{ include "tenant.name" . }}-view
namespace: {{ include "tenant.name" . }}
rules:
- apiGroups: [rbac.authorization.k8s.io]
resources: [roles]
verbs: [get]
- apiGroups: ["apps.cozystack.io"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: ["helmreleases"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods", "pods/log"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]


---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
Expand All @@ -125,18 +145,21 @@ metadata:
name: {{ include "tenant.name" . }}-use
namespace: {{ include "tenant.name" . }}
rules:
- apiGroups: [rbac.authorization.k8s.io]
resources: [roles]
verbs: [get]
- apiGroups: ["apps.cozystack.io"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: ["helmreleases"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods", "pods/log"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["kubevirt.io"]
resources: ["virtualmachines"]
verbs: ["get", "list"]
- apiGroups: ["subresources.kubevirt.io"]
resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
verbs: ["get", "list"]
Expand All @@ -161,12 +184,15 @@ metadata:
name: {{ include "tenant.name" . }}-admin
namespace: {{ include "tenant.name" . }}
rules:
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: ["helmreleases"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [rbac.authorization.k8s.io]
resources: [roles]
verbs: [get]
- apiGroups: [""]
resources: ["pods/log", "pods"]
resources: ["*"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: ["helmreleases"]
verbs: ["get", "list", "watch"]
- apiGroups: ["kubevirt.io"]
resources: ["virtualmachines"]
verbs: ["get", "list"]
Expand All @@ -178,53 +204,52 @@ rules:
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "tenant.name" . }}-admin
namespace: {{ include "tenant.name" . }}
namespace: cozy-public
rules:
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: ["helmrepositories"]
verbs: ["get", "list"]
- apiGroups:
- source.toolkit.fluxcd.io
resources:
- helmcharts
verbs:
- get
- list
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: ["helmcharts"]
verbs: ["*"]
resourceNames: ["bucket", "clickhouse", "ferretdb", "foo", "httpcache", "kafka", "kubernetes", "mysql", "nats", "postgres", "rabbitmq", "redis", "seaweedfs", "tcpbalancer", "virtualmachine", "vmdisk", "vminstance"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "tenant.name" . }}-admin
namespace: cozy-public
subjects:
- kind: Group
name: {{ include "tenant.name" . }}-admin
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: {{ include "tenant.name" . }}-admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: {{ include "tenant.name" . }}-admin
apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "tenant.name" . }}-super-admin
namespace: {{ include "tenant.name" . }}
rules:
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: ["helmreleases"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods/log", "pods"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["kubevirt.io"]
resources: ["virtualmachines"]
verbs: ["get", "list"]
- apiGroups: ["subresources.kubevirt.io"]
resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
verbs: ["get", "list"]
- apiGroups: ["apps.cozystack.io"]
resources: ["*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "tenant.name" . }}-super-admin
name: {{ include "tenant.name" . }}-admin
namespace: {{ include "tenant.name" . }}
subjects:
- kind: Group
name: {{ include "tenant.name" . }}-super-admin
name: {{ include "tenant.name" . }}-admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: {{ include "tenant.name" . }}-super-admin
name: {{ include "tenant.name" . }}-admin
apiGroup: rbac.authorization.k8s.io
4 changes: 3 additions & 1 deletion packages/system/keycloak-configure/templates/configure-kk.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -237,5 +237,7 @@ stringData:
- get-token
- --oidc-issuer-url=https://keycloak.{{ $host }}/realms/cozy
- --oidc-client-id=kubernetes
- --oidc-client-secret={{ $k8sClient | quote }}
- --oidc-client-secret={{ $k8sClient }}
- --skip-open-browser
- --grant-type=password
command: kubectl

0 comments on commit 59d4c5c

Please sign in to comment.