From 718ed7d0b5821f516dbbb8132007000432235e18 Mon Sep 17 00:00:00 2001
From: Rita Zhang
Date: Tue, 11 Mar 2025 14:07:26 -0700
Subject: [PATCH] dra: add user rbac

Signed-off-by: Rita Zhang
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 134 ++++++++++--------
 1 file changed, 72 insertions(+), 62 deletions(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 87a60e37efe..1460676cbe7 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -108,6 +108,76 @@ func addClusterRoleBindingLabel(rolebindings []rbacv1.ClusterRoleBinding) {
 return
 }
 
+func viewRules() []rbacv1.PolicyRule {
+ rules := []rbacv1.PolicyRule{
+ rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
+ "services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
+ rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
+ "pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
+ // read access to namespaces at the namespace scope means you can read *this* namespace. This can be used as an
+ // indicator of which namespaces you have access to.
+ rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Read...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
+ "controllerrevisions",
+ "statefulsets", "statefulsets/status", "statefulsets/scale",
+ "daemonsets", "daemonsets/status",
+ "deployments", "deployments/status", "deployments/scale",
+ "replicasets", "replicasets/status", "replicasets/scale").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "cronjobs/status", "jobs/status").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status",
+ "ingresses", "ingresses/status", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale",
+ "networkpolicies").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses", "ingresses/status").RuleOrDie(),
+ }
+ return rules
+}
+
+func editRules() []rbacv1.PolicyRule {
+ rules := []rbacv1.PolicyRule{
+ // Allow read on escalating resources
+ rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods/attach", "pods/proxy", "pods/exec", "pods/portforward", "secrets", "services/proxy").RuleOrDie(),
+ rbacv1helpers.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
+ rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),
+ rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
+ "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
+ rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
+ "statefulsets", "statefulsets/scale",
+ "daemonsets",
+ "deployments", "deployments/scale", "deployments/rollback",
+ "replicasets", "replicasets/scale").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Write...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Write...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Write...).Groups(extensionsGroup).Resources("daemonsets",
+ "deployments", "deployments/scale", "deployments/rollback", "ingresses",
+ "replicasets", "replicasets/scale", "replicationcontrollers/scale",
+ "networkpolicies").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Write...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
+
+ rbacv1helpers.NewRule(Write...).Groups(networkingGroup).Resources("networkpolicies", "ingresses").RuleOrDie(),
+
+ rbacv1helpers.NewRule(ReadWrite...).Groups(coordinationGroup).Resources("leases").RuleOrDie(),
+ }
+ return rules
+}
+
 // NodeRules returns node policy rules, it is slice of rbacv1.PolicyRule.
 func NodeRules() []rbacv1.PolicyRule {
 nodePolicyRules := []rbacv1.PolicyRule{
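Review bot: viewRules and editRules are introduced without a doc comment, while NodeRules a few lines below in the same hunk has one; add `// viewRules returns the namespace-scoped read-only rules backing the system:aggregate-to-view role.` and `// editRules returns the namespace-scoped write rules backing the system:aggregate-to-edit role; it also grants read on escalating resources (secrets, pods/exec, pods/proxy, services/proxy) and impersonate on serviceaccounts, so every consumer inherits that scope.` Making these rule sets callable from elsewhere is the substantive effect of the change, so the escalation caveat belongs at the definition rather than only in the `// Allow read on escalating resources` line inside the literal. Each call builds a fresh slice literal and returns it, so callers may append to the result without aliasing the aggregated roles' rules; that is worth one more sentence in the comment. Nothing in this hunk references a resource.k8s.io group, so the DRA consumer named in the subject is presumably in a separate commit.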
@@ -313,73 +383,13 @@ func ClusterRoles() []rbacv1.ClusterRole {
 // It does not grant powers for "privileged" resources which are domain of the system: `/status`
 // subresources or `quota`/`limits` which are used to control namespaces
 ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-edit", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
- Rules: []rbacv1.PolicyRule{
- // Allow read on escalating resources
- rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods/attach", "pods/proxy", "pods/exec", "pods/portforward", "secrets", "services/proxy").RuleOrDie(),
- rbacv1helpers.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
- rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),
- rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
- "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
- rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
- "statefulsets", "statefulsets/scale",
- "daemonsets",
- "deployments", "deployments/scale", "deployments/rollback",
- "replicasets", "replicasets/scale").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(extensionsGroup).Resources("daemonsets",
- "deployments", "deployments/scale", "deployments/rollback", "ingresses",
- "replicasets", "replicasets/scale", "replicationcontrollers/scale",
- "networkpolicies").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(networkingGroup).Resources("networkpolicies", "ingresses").RuleOrDie(),
-
- rbacv1helpers.NewRule(ReadWrite...).Groups(coordinationGroup).Resources("leases").RuleOrDie(),
- },
+ Rules: editRules(),
 },
 {
 // a role for namespace level viewing. It grants Read-only access to non-escalating resources in
 // a namespace.
 ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-view", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
- Rules: []rbacv1.PolicyRule{
- rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
- "services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
- rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
- "pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
- // read access to namespaces at the namespace scope means you can read *this* namespace. This can be used as an
- // indicator of which namespaces you have access to.
- rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
-
- rbacv1helpers.NewRule(Read...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
-
- rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
- "controllerrevisions",
- "statefulsets", "statefulsets/status", "statefulsets/scale",
- "daemonsets", "daemonsets/status",
- "deployments", "deployments/status", "deployments/scale",
- "replicasets", "replicasets/status", "replicasets/scale").RuleOrDie(),
-
- rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),
-
- rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "cronjobs/status", "jobs/status").RuleOrDie(),
-
- rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status",
- "ingresses", "ingresses/status", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale",
- "networkpolicies").RuleOrDie(),
-
- rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(),
-
- rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses", "ingresses/status").RuleOrDie(),
- },
+ Rules: viewRules(),
 },
 {
 // a role to use for heapster's connections back to the API server