From d098368f41122e64f638e88a727acfe62666a2ab Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Fri, 6 Dec 2024 11:58:28 +0300 Subject: [PATCH 1/3] fix super admin roles --- packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/templates/tenant.yaml | 130 ++++++++++++++++----- packages/apps/versions_map | 3 +- 3 files changed, 107 insertions(+), 28 deletions(-) diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 1dca128de..585a0cd98 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: /logos/tenant.svg type: application -version: 1.6.1 +version: 1.6.2 diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml index 646969e40..c7628dc82 100644 --- a/packages/apps/tenant/templates/tenant.yaml +++ b/packages/apps/tenant/templates/tenant.yaml @@ -43,9 +43,6 @@ subjects: - kind: ServiceAccount name: tenant-root namespace: tenant-root -- kind: Group - name: tenant-root-super-admin - apiGroup: rbac.authorization.k8s.io {{- end }} {{- if hasPrefix "tenant-" .Release.Namespace }} {{- $parts := splitList "-" .Release.Namespace }} @@ -54,18 +51,12 @@ subjects: - kind: ServiceAccount name: {{ join "-" (slice $parts 0 (add $i 1)) }} namespace: {{ join "-" (slice $parts 0 (add $i 1)) }} -- kind: Group - name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin - apiGroup: rbac.authorization.k8s.io {{- end }} {{- end }} {{- end }} - kind: ServiceAccount name: {{ include "tenant.name" . }} namespace: {{ include "tenant.name" . }} -- kind: Group - name: {{ include "tenant.name" . }}-super-admin - apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: {{ include "tenant.name" . }} 
@@ -84,23 +75,6 @@ rules: resources: ["helmcharts"] verbs: ["*"] --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "tenant.name" . }} - namespace: cozy-public -subjects: -- kind: ServiceAccount - name: {{ include "tenant.name" . }} - namespace: {{ include "tenant.name" . }} -- kind: Group - name: {{ include "tenant.name" . }}-super-admin - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: {{ include "tenant.name" . }} - apiGroup: rbac.authorization.k8s.io ---- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: 
@@ -361,3 +335,107 @@ roleRef: kind: Role name: {{ include "tenant.name" . }}-admin apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-super-admin + namespace: {{ include "tenant.name" . }} +rules: + - apiGroups: [rbac.authorization.k8s.io] + resources: + - roles + verbs: + - get + - apiGroups: [""] + resources: + - "*" + verbs: + - get + - list + - watch + - delete + - apiGroups: ["helm.toolkit.fluxcd.io"] + resources: + - helmreleases + verbs: + - get + - list + - watch + - apiGroups: ["kubevirt.io"] + resources: + - virtualmachines + verbs: + - get + - list + - apiGroups: ["subresources.kubevirt.io"] + resources: + - virtualmachineinstances/console + - virtualmachineinstances/vnc + verbs: + - get + - list + - apiGroups: ["apps.cozystack.io"] + resources: + - '*' + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "tenant.name" . }}-super-admin + namespace: cozy-public +rules: + - apiGroups: ["source.toolkit.fluxcd.io"] + resources: ["helmrepositories"] + verbs: + - get + - list + - apiGroups: + - source.toolkit.fluxcd.io + resources: + - helmcharts + verbs: + - get + - list + - apiGroups: ["source.toolkit.fluxcd.io"] + resources: + - helmcharts + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "tenant.name" . }}-super-admin + namespace: cozy-public +subjects: +- kind: Group + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "tenant.name" . }}-super-admin + namespace: {{ include "tenant.name" . 
}} +subjects: + - kind: Group + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 6ad48e5e5..0af234926 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -88,7 +88,8 @@ tenant 1.3.1 c56e5769 tenant 1.4.0 94c688f7 tenant 1.5.0 48128743 tenant 1.6.0 df448b99 -tenant 1.6.1 HEAD +tenant 1.6.1 edbbb9be +tenant 1.6.2 HEAD virtual-machine 0.1.4 f2015d6 virtual-machine 0.1.5 7cd7de7 virtual-machine 0.2.0 5ca8823 From e79479dbfc46772340c8220202f9f9bdce39b423 Mon Sep 17 00:00:00 2001 From: Floppy Disk Date: Fri, 6 Dec 2024 14:43:16 +0300 Subject: [PATCH 2/3] fix roles --- packages/apps/tenant/templates/tenant.yaml | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml index c7628dc82..fb4ad40f5 100644 --- a/packages/apps/tenant/templates/tenant.yaml +++ b/packages/apps/tenant/templates/tenant.yaml @@ -359,15 +359,12 @@ rules: resources: - helmreleases verbs: - - get - - list - - watch + - '*' - apiGroups: ["kubevirt.io"] resources: - virtualmachines verbs: - - get - - list + - '*' - apiGroups: ["subresources.kubevirt.io"] resources: - virtualmachineinstances/console @@ -379,13 +376,7 @@ rules: resources: - '*' verbs: - - get - - list - - watch - - create - - update - - patch - - delete + - '*' --- @@ -400,13 +391,6 @@ rules: verbs: - get - list - - apiGroups: - - source.toolkit.fluxcd.io - resources: - - helmcharts - verbs: - - get - - list - apiGroups: ["source.toolkit.fluxcd.io"] resources: - helmcharts From b63d721e9f4c864525dbde1e06d3d4f5e05e81e2 Mon Sep 17 00:00:00 2001 
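Review bot: In the new `{{ include "tenant.name" . }}-super-admin` Role for the tenant namespace, the core-group rule `apiGroups: [""]` / `resources: - "*"` with `get`, `list`, `watch`, `delete` covers every core resource in the namespace, Secrets and ServiceAccounts included, and `delete` without `create`/`update` reads as accidental rather than designed. Enumerating the resources the super-admin actually needs keeps the grant reviewable; if reading and deleting Secrets is intentional, a comment above the rule such as `# super-admin may read and delete any core object in the tenant namespace, Secrets included` should say so. The cozy-public Role keeps `verbs: ["*"]` on `helmcharts` in what appears to be a namespace shared across tenants, so a tenant super-admin could change charts other tenants consume; confirm that is the intended trust boundary and record it in a comment. Style: the two RoleBindings indent their `subjects` sequences differently (flush `- kind: Group` in cozy-public, indented in the tenant namespace), the `kind`/`apiVersion` order flips between documents, `'*'` and `"*"` are mixed, and two blank lines precede the second `---`.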
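Review bot: Replacing the enumerated verbs with `'*'` for `helmreleases` and `virtualmachines` here, and for `apps.cozystack.io` in hunk `@@ -379,13 +376,7 @@`, also grants `deletecollection` and any verb a future API version adds, which is broader than the lists the removed lines spelled out. If full control is the intent, the rules still read more clearly with the verbs listed, or with a comment above the first wildcard such as `# super-admin: full control over tenant workloads (all verbs)`. The `subresources.kubevirt.io` rule between the two hunks keeps `get`/`list` only; a comment saying whether that narrower grant is deliberate would stop the next edit from widening it by reflex. `'*'` is single-quoted here while the cozy-public Role uses `["*"]`; pick one form.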
From: Floppy Disk Date: Mon, 9 Dec 2024 16:39:35 +0300 Subject: [PATCH 3/3] add rolebinding for suptenants --- packages/apps/tenant/templates/tenant.yaml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml index fb4ad40f5..748126e92 100644 --- a/packages/apps/tenant/templates/tenant.yaml +++ b/packages/apps/tenant/templates/tenant.yaml @@ -416,9 +416,19 @@ metadata: name: {{ include "tenant.name" . }}-super-admin namespace: {{ include "tenant.name" . }} subjects: - - kind: Group - name: {{ include "tenant.name" . }}-super-admin - apiGroup: rbac.authorization.k8s.io +{{- if hasPrefix "tenant-" .Release.Namespace }} +{{- $parts := splitList "-" .Release.Namespace }} +{{- range $i, $v := $parts }} +{{- if ne $i 0 }} +- kind: Group + name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end }} +{{- end }} +- kind: Group + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: {{ include "tenant.name" . }}-super-admin
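Review bot: The ancestor-tenant `-super-admin` groups are added here only to the RoleBinding in the tenant namespace; the `{{ include "tenant.name" . }}-super-admin` RoleBinding in `cozy-public` (added in the first patch of this series) still binds the tenant's own group alone, so a parent tenant's super-admins would get the in-namespace role but not the cozy-public one — presumably unintended if parents are meant to inherit the full set. The `hasPrefix`/`splitList`/`range` block is now a near-verbatim copy of the ServiceAccount loop in the tenant RoleBinding's `subjects` (hunk `@@ -54,18 +51,12 @@` of the first patch); a named Helm template (`define`/`include`) for the ancestor list would keep the two from drifting. A comment above the loop, `# every ancestor tenant's super-admin group is bound here as well`, would document the inheritance for whoever reads the rendered RBAC later.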