From cc5625a11cf2ac806aaa4e8fc1ebd41573d80607 Mon Sep 17 00:00:00 2001 
From: Gaelle Fournier Date: Fri, 10 Nov 2023 14:35:32 +0100 Subject: [PATCH] feat(install): Separate namespaced and descoped rbacs Ref #3165 --- config/rbac/descoped/kustomization.yaml | 39 ++++ .../operator-cluster-role-binding-events.yaml | 31 +++ .../operator-cluster-role-binding-keda.yaml | 31 +++ ...operator-cluster-role-binding-knative.yaml | 31 +++ .../operator-cluster-role-binding-leases.yaml | 31 +++ ...r-cluster-role-binding-local-registry.yaml | 31 +++ ...ator-cluster-role-binding-podmonitors.yaml | 31 +++ ...operator-cluster-role-binding-strimzi.yaml | 31 +++ .../operator-cluster-role-binding.yaml | 31 +++ .../operator-cluster-role-events.yaml | 34 ++++ .../descoped/operator-cluster-role-keda.yaml | 38 ++++ .../operator-cluster-role-knative.yaml | 80 ++++++++ .../operator-cluster-role-leases.yaml | 37 ++++ .../operator-cluster-role-podmonitors.yaml | 37 ++++ .../operator-cluster-role-strimzi.yaml | 33 +++ .../rbac/descoped/operator-cluster-role.yaml | 188 ++++++++++++++++++ config/rbac/kustomization.yaml | 15 -- config/rbac/namespaced/kustomization.yaml | 51 +++++ .../operator-role-binding-events.yaml | 0 .../operator-role-binding-keda.yaml | 0 .../operator-role-binding-knative.yaml | 0 .../operator-role-binding-leases.yaml | 0 .../operator-role-binding-local-registry.yaml | 0 .../operator-role-binding-podmonitors.yaml | 0 .../operator-role-binding-strimzi.yaml | 0 .../operator-role-binding.yaml | 0 .../operator-role-events.yaml | 0 .../{ => namespaced}/operator-role-keda.yaml | 0 .../operator-role-knative.yaml | 0 .../operator-role-leases.yaml | 0 .../operator-role-podmonitors.yaml | 0 .../operator-role-strimzi.yaml | 0 .../rbac/{ => namespaced}/operator-role.yaml | 0 install/Makefile | 10 +- 34 files changed, 789 insertions(+), 21 deletions(-) create mode 100644 config/rbac/descoped/kustomization.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-events.yaml create mode 100644 
config/rbac/descoped/operator-cluster-role-binding-keda.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-knative.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-leases.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-local-registry.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-binding.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-events.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-keda.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-knative.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-leases.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-podmonitors.yaml create mode 100644 config/rbac/descoped/operator-cluster-role-strimzi.yaml create mode 100644 config/rbac/descoped/operator-cluster-role.yaml create mode 100644 config/rbac/namespaced/kustomization.yaml rename config/rbac/{ => namespaced}/operator-role-binding-events.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-keda.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-knative.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-leases.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-local-registry.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-podmonitors.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding-strimzi.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-binding.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-events.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-keda.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-knative.yaml (100%) rename config/rbac/{ => 
namespaced}/operator-role-leases.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-podmonitors.yaml (100%) rename config/rbac/{ => namespaced}/operator-role-strimzi.yaml (100%) rename config/rbac/{ => namespaced}/operator-role.yaml (100%)
diff --git a/config/rbac/descoped/kustomization.yaml b/config/rbac/descoped/kustomization.yaml
new file mode 100644
index 0000000000..fe6c546761
--- /dev/null
+++ b/config/rbac/descoped/kustomization.yaml
@@ -0,0 +1,39 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - global operator
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-cluster-role-events.yaml
+- operator-cluster-role-knative.yaml
+- operator-cluster-role.yaml
+- operator-cluster-role-keda.yaml
+- operator-cluster-role-leases.yaml
+- operator-cluster-role-podmonitors.yaml
+- operator-cluster-role-strimzi.yaml
+- operator-cluster-role-binding-events.yaml
+- operator-cluster-role-binding-keda.yaml
+- operator-cluster-role-binding-knative.yaml
+- operator-cluster-role-binding-leases.yaml
+- operator-cluster-role-binding-local-registry.yaml
+- operator-cluster-role-binding-podmonitors.yaml
+- operator-cluster-role-binding-strimzi.yaml
+- operator-cluster-role-binding.yaml
diff --git a/config/rbac/descoped/operator-cluster-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
new file mode 100644
index 0000000000..9dd5228d26
--- /dev/null
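Review bot: The resources list names `operator-cluster-role-binding-local-registry.yaml` but no `operator-cluster-role-local-registry.yaml`, and nothing in this commit's diffstat creates a `camel-k-operator-local-registry` ClusterRole, so the binding registered here (and created in the later local-registry hunk) references a role that may not exist after the kustomization is built. If that ClusterRole comes from a platform overlay, a comment on the entry saying so would help the next reader; if not, the binding applies cleanly yet grants nothing, which is easy to miss. The namespaced kustomization also carries a PatchTransformer moving its local-registry RoleBinding to `kube-public`, while this descoped variant has no counterpart — worth confirming that the cluster-scoped binding really needs none.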
+++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-events
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
new file mode 100644
index 0000000000..92e154e878
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
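Review bot: The ServiceAccount subject's `namespace: placeholder` is a template value that nothing in the hunk marks as such, and the identical line appears in every other descoped ClusterRoleBinding of this commit (keda, knative, leases, local-registry, podmonitors, strimzi and the main `camel-k-operator` binding). Applied unsubstituted, the binding refers to `system:serviceaccount:placeholder:camel-k-operator`, which matches nothing today but would hand the cluster-wide role to whoever later creates a namespace named `placeholder` with an account of that name. A one-line comment above the subject, `# "placeholder" is replaced with the operator namespace by the install tooling — never apply as-is`, would document the contract (presumably the install Makefile does the substitution; confirm).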
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-keda
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
new file mode 100644
index 0000000000..739b0dd06a
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-knative
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-knative
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
new file mode 100644
index 0000000000..35d667fd12
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-leases
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-local-registry.yaml b/config/rbac/descoped/operator-cluster-role-binding-local-registry.yaml
new file mode 100644
index 0000000000..daa8acae90
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-local-registry.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-local-registry
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-local-registry
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
new file mode 100644
index 0000000000..bef231b078
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-podmonitors
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
new file mode 100644
index 0000000000..fefd143525
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator-strimzi
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml
new file mode 100644
index 0000000000..83f227d628
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-operator
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: camel-k-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml
new file mode 100644
index 0000000000..1dfd24b01e
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-events.yaml
@@ -0,0 +1,34 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-events
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - get
+ - list
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml
new file mode 100644
index 0000000000..3b3f432ebb
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-keda
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "keda.sh"
+ resources:
+ - scaledobjects
+ - triggerauthentications
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml
new file mode 100644
index 0000000000..305d26b624
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -0,0 +1,80 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-knative
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - services
+ - routes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - triggers
+ - brokers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - messaging.knative.dev
+ resources:
+ - subscriptions
+ - channels
+ - inmemorychannels
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - sources.knative.dev
+ resources:
+ - sinkbindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - patch
diff --git a/config/rbac/descoped/operator-cluster-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml
new file mode 100644
index 0000000000..6ea671bd28
--- /dev/null
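Review bot: The final rule grants `patch` on `namespaces` with no `resourceNames`, and once this ClusterRole is bound cluster-wide that lets the operator rewrite the metadata of every namespace in the cluster, whereas the namespaced Role it was copied from only ever reached its own namespace; this is a genuine widening, not a mechanical translation. A comment on that rule naming what the operator actually patches (presumably a Knative eventing label on integration namespaces — confirm against the operator code) would record the intent, e.g. `# patch: the operator labels integration namespaces for Knative eventing`. If the managed namespaces are known at install time, narrowing the rule would be preferable to cluster-wide patch.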
+++ b/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-leases
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
new file mode 100644
index 0000000000..2578103c38
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-podmonitors
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - podmonitors
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
new file mode 100644
index 0000000000..9ccea139fd
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: camel-k-operator-strimzi
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - "kafka.strimzi.io"
+ resources:
+ - kafkatopics
+ - kafkas
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/rbac/descoped/operator-cluster-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml
new file mode 100644
index 0000000000..d7ee2fa399
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role.yaml
@@ -0,0 +1,188 @@ +# --------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# --------------------------------------------------------------------------- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camel-k-operator + labels: + app: "camel-k" +rules: +- apiGroups: + - camel.apache.org + resources: + - builds + - camelcatalogs + - integrationkits + - integrationplatforms + - integrations + - pipes + # Deprecated: kameletbindings CR + - kameletbindings + - kamelets + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - camel.apache.org + resources: + - builds + verbs: + - delete +- apiGroups: + - camel.apache.org + resources: + - builds/status + - camelcatalogs/status + - integrationkits/status + - integrationplatforms/status + - integrations/scale + - integrations/status + - pipes/status + - pipes/scale + # Deprecated: kameletbindings CR + - kameletbindings/status + - kameletbindings/scale + - kamelets/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - persistentvolumeclaims + - configmaps + - secrets + - serviceaccounts + verbs: + - 
create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: + - pods/proxy + - pods/log + verbs: + - get +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + - update + - list + - patch + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterrolebindings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index f2600f1626..6e02df9d5d 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
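Review bot: The `rbac.authorization.k8s.io` rule grants create/delete/patch/update on `roles`, `rolebindings` and `clusterrolebindings`, the core rule gives the same verbs on `secrets` and `serviceaccounts`, and a further rule allows `create` on `pods/exec` — all cluster-wide once this ClusterRole is bound through the descoped ClusterRoleBinding. In combination that is practically cluster-admin for the operator's ServiceAccount (read any secret, exec into any pod, rebind roles in any namespace), whereas the namespaced Role this file mirrors was bounded by its namespace. Each broad rule deserves a comment naming the feature that needs it — for instance `# RoleBindings are created for the integrations' own ServiceAccounts` (confirm against the operator code) — and `clusterrolebindings` in particular should be justified or dropped if the operator only ever creates namespaced bindings; where the object names are predictable, `resourceNames` or a narrower verb set would shrink the blast radius.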
@@ -23,21 +23,6 @@ kind: Kustomization resources: - user-cluster-role.yaml -- operator-role-events.yaml -- operator-role-knative.yaml -- operator-role.yaml -- operator-role-keda.yaml -- operator-role-leases.yaml -- operator-role-podmonitors.yaml -- operator-role-strimzi.yaml -- operator-role-binding-events.yaml -- operator-role-binding-keda.yaml -- operator-role-binding-knative.yaml -- operator-role-binding-leases.yaml -- operator-role-binding-local-registry.yaml -- operator-role-binding-podmonitors.yaml -- operator-role-binding-strimzi.yaml -- operator-role-binding.yaml - operator-cluster-role-custom-resource-definitions.yaml - operator-cluster-role-binding-custom-resource-definitions.yaml - operator-cluster-role-addressable-resolver.yaml diff --git a/config/rbac/namespaced/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml new file mode 100644 index 0000000000..48a678bfe2 --- /dev/null +++ b/config/rbac/namespaced/kustomization.yaml 
@@ -0,0 +1,51 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - namespaced operator
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-role-events.yaml
+- operator-role-knative.yaml
+- operator-role.yaml
+- operator-role-keda.yaml
+- operator-role-leases.yaml
+- operator-role-podmonitors.yaml
+- operator-role-strimzi.yaml
+- operator-role-binding-events.yaml
+- operator-role-binding-keda.yaml
+- operator-role-binding-knative.yaml
+- operator-role-binding-leases.yaml
+- operator-role-binding-local-registry.yaml
+- operator-role-binding-podmonitors.yaml
+- operator-role-binding-strimzi.yaml
+- operator-role-binding.yaml
+
+transformers:
+- |-
+ apiVersion: builtin
+ kind: PatchTransformer
+ metadata:
+ name: fix-local-registry-rbac-namespace
+ patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+ target:
+ group: rbac.authorization.k8s.io
+ kind: RoleBinding
+ name: camel-k-operator-local-registry
\ No newline at end of file
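Review bot: The `PatchTransformer` that rewrites the `camel-k-operator-local-registry` RoleBinding's namespace to `kube-public` has no explanation, and since this is the kustomization used for the namespaced install, a maintainer cannot tell from the file why exactly one binding is deliberately placed outside the operator namespace. Add a comment above the `transformers:` block such as `# The local-registry RoleBinding is pinned to kube-public: <reason — TODO fill in>` so the exception is reviewable. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the new descoped ClusterRole file in this commit; add one for consistency.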
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-events.yaml
rename to config/rbac/namespaced/operator-role-binding-events.yaml
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-keda.yaml
rename to config/rbac/namespaced/operator-role-binding-keda.yaml
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-knative.yaml
rename to config/rbac/namespaced/operator-role-binding-knative.yaml
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-leases.yaml
rename to config/rbac/namespaced/operator-role-binding-leases.yaml
diff --git a/config/rbac/operator-role-binding-local-registry.yaml b/config/rbac/namespaced/operator-role-binding-local-registry.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-local-registry.yaml
rename to config/rbac/namespaced/operator-role-binding-local-registry.yaml
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-strimzi.yaml
rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml
similarity index 100%
rename from config/rbac/operator-role-binding.yaml
rename to config/rbac/namespaced/operator-role-binding.yaml
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml
similarity index 100%
rename from config/rbac/operator-role-events.yaml
rename to config/rbac/namespaced/operator-role-events.yaml
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-keda.yaml
rename to config/rbac/namespaced/operator-role-keda.yaml
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-knative.yaml
rename to config/rbac/namespaced/operator-role-knative.yaml
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-leases.yaml
rename to config/rbac/namespaced/operator-role-leases.yaml
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-podmonitors.yaml
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-strimzi.yaml
rename to config/rbac/namespaced/operator-role-strimzi.yaml
diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml
similarity index 100%
rename from config/rbac/operator-role.yaml
rename to config/rbac/namespaced/operator-role.yaml
diff --git a/install/Makefile b/install/Makefile
index ce329c6d51..a80f5e3da9 100644
--- a/install/Makefile
+++ b/install/Makefile
@@ -241,13 +241,11 @@ endif
 setup: setup-cluster
 # Set the namespace in the setup kustomization yaml
 @$(call set-kustomize-namespace,$@)
-# If GLOBAL then add the conversion patches for all roles and rolebindings
-ifeq ($(GLOBAL),true)
- @$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
- @$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+# If GLOBAL then add the versions with clusterroles and clusterrolebindings
+ifeq ($(GLOBAL), true)
+ @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;
 else
- @$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
- @$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+ @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null;
 endif
 ifeq ($(PLATFORM), openshift)
 @for res in $(RBAC_OS)/operator-role*; do \
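Review bot: Both new recipe lines only add a resource, so a second `make setup` run with the opposite `GLOBAL` value leaves `../$(RBAC)/descoped` and `../$(RBAC)/namespaced` together in the setup kustomization, and an install meant to be namespaced would still carry the cluster-wide ClusterRole and its bindings; the replaced code's `else` branch explicitly removed the conversion patches, and the new lines should likewise remove the other variant first, e.g. `@cd $@ && $(KUSTOMIZE) edit remove resource ../$(RBAC)/namespaced && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped` in the `GLOBAL` branch and its mirror image in `else` (if `kustomize edit remove resource` fails on an absent entry, guard that call and say so in a comment). The trailing `cd - &> /dev/null;` can be dropped on both lines: each recipe line runs in its own shell, and `&>` is a bashism that `/bin/sh` parses as a background `&` unless this Makefile sets `SHELL` to bash, which is not visible here. The `setup` recipe continues past the end of the hunk.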