From 1e2288b9a8c9d4c53c3ca0663c916c5cb0615072 Mon Sep 17 00:00:00 2001 
From: Nimrod Gilboa Markevich <59927337+nimrod-up9@users.noreply.github.com> Date: Sun, 20 Feb 2022 13:16:15 +0200 Subject: [PATCH] Update permission examples (#824) Reorganize permissions example. Permissions for optional features are separated from those that are mandatory. Revised the list of permissions. Added and removed features to make it fit what Mizu currently requires. --- docs/PERMISSIONS.md | 328 +----------------- .../permissions-all-namespaces-daemon.yaml | 67 ---- ...issions-all-namespaces-debug-optional.yaml | 26 ++ .../permissions-all-namespaces-install.yaml | 49 +++ ...all-namespaces-ip-resolution-optional.yaml | 38 ++ ...s-all-namespaces-persistency-optional.yaml | 26 ++ ...ml => permissions-all-namespaces-tap.yaml} | 18 +- .../roles/permissions-all-namespaces.yaml | 64 ---- examples/roles/permissions-ns-daemon.yaml | 60 ---- .../roles/permissions-ns-debug-optional.yaml | 28 ++ ...permissions-ns-ip-resolution-optional.yaml | 40 +++ ...esolution.yaml => permissions-ns-tap.yaml} | 13 +- .../roles/permissions-ns-with-validation.yaml | 57 --- examples/roles/permissions-ns.yaml | 57 --- 14 files changed, 224 insertions(+), 647 deletions(-) delete mode 100644 examples/roles/permissions-all-namespaces-daemon.yaml create mode 100644 examples/roles/permissions-all-namespaces-debug-optional.yaml create mode 100644 examples/roles/permissions-all-namespaces-install.yaml create mode 100644 examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml create mode 100644 examples/roles/permissions-all-namespaces-persistency-optional.yaml rename examples/roles/{permissions-all-namespaces-without-ip-resolution.yaml => permissions-all-namespaces-tap.yaml} (60%) delete mode 100644 examples/roles/permissions-all-namespaces.yaml delete mode 100644 examples/roles/permissions-ns-daemon.yaml create mode 100644 examples/roles/permissions-ns-debug-optional.yaml create mode 100644 examples/roles/permissions-ns-ip-resolution-optional.yaml rename 
examples/roles/{permissions-ns-without-ip-resolution.yaml => permissions-ns-tap.yaml} (68%) delete mode 100644 examples/roles/permissions-ns-with-validation.yaml delete mode 100644 examples/roles/permissions-ns.yaml diff --git a/docs/PERMISSIONS.md b/docs/PERMISSIONS.md index 7e184eac6..1bd072b67 100644 --- a/docs/PERMISSIONS.md +++ b/docs/PERMISSIONS.md 
@@ -80,327 +80,9 @@ Notes: ## List of permissions -We broke down this list into few categories: +The permissions that are required to run Mizu depend on the command (`mizu tap` or `mizu-install`) and on the configuration. +By default Mizu requires cluster-wide permissions. +If these are not available to the user, it is possible to run Mizu in namespace-restricted mode which has a reduced set of requirements. +This is done by by setting the `mizu-resources-namespace` config option. See [configuration](CONFIGURATION.md) for instructions. -- Required - what is needed for `mizu` to run properly on your k8s cluster -- Optional - permissions needed for proper name resolving for service & pod IPs - - addition required for policy validation - -### Required permissions - -Mizu needs following permissions on your Kubernetes cluster to run properly - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - create - - patch - - delete -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -``` - -#### Permissions required running with install command or (optional) for service / pod name resolving - -Mandatory permissions for running with install command. 
- -Optional for service/pod name resolving in non install standalone - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - create - - patch - - delete -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - get - - create - - delete -- apiGroups: - - apps - - extensions - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - apps - - extensions - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - - apps - - extensions - resources: - - endpoints - verbs: - - get - - list - - watch -``` - -#### Permissions for Policy rules validation feature (opt) - -Optionally, in order to use the policy rules validation feature, Mizu requires the following additional permissions: - -```yaml -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - create - - delete -``` - -- - - - -#### Namespace-Restricted mode - -Alternatively, in order to restrict Mizu to one namespace only (by setting `agent.namespace` in the config file), Mizu needs the following permissions in that namespace: - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - 
watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - create - - patch - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -``` - -##### Name resolving in Namespace-Restricted mode (opt) - -To restrict Mizu to one namespace while also resolving IPs, Mizu needs the following permissions in that namespace: - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - create - - patch - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - get - - create - - delete -- apiGroups: - - apps - - extensions - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - apps - - extensions - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - - apps - - extensions - resources: - - endpoints - verbs: - - get - - list - - watch -``` +The different requirements are listed in [the example roles dir](../examples/roles) diff --git a/examples/roles/permissions-all-namespaces-daemon.yaml b/examples/roles/permissions-all-namespaces-daemon.yaml deleted file mode 100644 index 99d36110e..000000000 --- a/examples/roles/permissions-all-namespaces-daemon.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -# This example shows the roles required for a user to be able to use Mizu in all namespaces. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-clusterrole -rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "delete"] - - apiGroups: [ "apps" ] - resources: [ "deployments" ] - verbs: [ "get", "create", "delete" ] - - apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["get", "create", "patch", "delete", "list"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["services/proxy"] - verbs: ["get"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "create", "delete"] - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "create", "delete"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles"] - verbs: ["get", "create", "delete"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterrolebindings"] - verbs: ["get", "create", "delete"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles"] - verbs: ["get", "create", "delete"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["get", "create", "delete"] - - apiGroups: ["apps", "extensions"] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps", "extensions"] - resources: ["services"] - verbs: ["get", "list", "watch"] - - apiGroups: ["", "apps", "extensions"] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-clusterrolebindings -subjects: - - kind: User - name: user1 - apiGroup: rbac.authorization.k8s.io -roleRef: - 
kind: ClusterRole - name: mizu-runner-clusterrole - apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-all-namespaces-debug-optional.yaml b/examples/roles/permissions-all-namespaces-debug-optional.yaml new file mode 100644 index 000000000..8ed2c0881 --- /dev/null +++ b/examples/roles/permissions-all-namespaces-debug-optional.yaml @@ -0,0 +1,26 @@ +# This example shows permissions that enrich the logs with additional info +# Optional with `mizu tap` or `mizu-install` +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-debug-clusterrole +rules: +- apiGroups: ["events.k8s.io"] + resources: ["events"] + verbs: ["watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-debug-clusterrolebindings +subjects: +- kind: User + name: user1 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: mizu-runner-debug-clusterrole + apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-all-namespaces-install.yaml b/examples/roles/permissions-all-namespaces-install.yaml new file mode 100644 index 000000000..69573e95d --- /dev/null +++ b/examples/roles/permissions-all-namespaces-install.yaml 
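Review bot: The `events` rule grants only `watch`, while every role this patch deletes granted `list` and `watch` together, and the new `mizu tap` example grants no `events` verb at all — if the agent consumes events through a client-go informer/ListWatch, the initial list is denied and the watch never starts, so this likely needs `verbs: ["list", "watch"]` unless Mizu calls `Watch()` directly; worth confirming against the agent code. The header comment spells the command `mizu-install` while the install example itself says `mizu install`; `# Optional with `mizu tap` or `mizu install`` keeps them consistent. Note also that `get` on `pods` in a ClusterRole reads any pod spec in the cluster, including inline `env` values, so the role is less harmless than the "debug" name suggests — a one-line caveat in the header would help users decide whether to grant it.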
@@ -0,0 +1,49 @@ +# This example shows the permissions that are required in order to run the `mizu install` command +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-clusterrole +rules: +- apiGroups: [""] + resources: ["services"] + verbs: ["create"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["create"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch", "create", "delete"] +- apiGroups: ["apps", "extensions"] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["services/proxy"] + verbs: ["get", "create"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles"] + verbs: ["create"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["rolebindings"] + verbs: ["create"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["get", "list", "create", "patch", "delete"] +- apiGroups: ["events.k8s.io"] + resources: ["events"] + verbs: ["list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-clusterrolebindings +subjects: +- kind: User + name: user1 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: mizu-runner-clusterrole + apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml b/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml new file mode 100644 index 000000000..6d6d658d9 --- /dev/null +++ b/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml 
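Review bot: The rule `apiGroups: ["apps", "extensions"], resources: ["namespaces"]` grants nothing — `namespaces` exists only in the core (`""`) group, which the preceding rule already covers with the same verbs — so it should be dropped rather than left to suggest a permission that does not exist. More importantly, `delete` on `namespaces` without `resourceNames` lets the holder delete any namespace in the cluster; `create`/`list`/`watch` cannot be name-scoped but `delete` can, so splitting the rule keeps the install flow working while bounding the blast radius (the namespace name is not visible here; `mizu` below is a placeholder to confirm). The ClusterRole and binding reuse the names `mizu-runner-clusterrole`/`mizu-runner-clusterrolebindings` that the deleted all-namespaces example used; if the renamed tap example keeps those names, applying both examples replaces the rules instead of merging them, so a distinct name such as `mizu-installer-clusterrole` would avoid that.
```yaml
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create"]
- apiGroups: [""]
  resources: ["namespaces"]
  resourceNames: ["mizu"]  # TODO confirm: the namespace `mizu install` creates
  verbs: ["delete"]
# … unchanged: services/proxy, configmaps, roles, rolebindings, daemonsets, events rules …
```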
@@ -0,0 +1,38 @@ +# This example shows permissions that are required for Mizu to resolve IPs to service names +# Optional with `mizu tap` or `mizu-install` +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-resolver-clusterrole +rules: +- apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "create"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["get", "list", "create", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterrolebindings"] + verbs: ["get", "list", "create", "delete"] +- apiGroups: ["", "apps", "extensions"] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: ["", "apps", "extensions"] + resources: ["services"] + verbs: ["get", "list", "watch"] +- apiGroups: ["", "apps", "extensions"] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-resolver-clusterrolebindings +subjects: +- kind: User + name: user1 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: mizu-resolver-clusterrole + apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-all-namespaces-persistency-optional.yaml b/examples/roles/permissions-all-namespaces-persistency-optional.yaml new file mode 100644 index 000000000..358432726 --- /dev/null +++ b/examples/roles/permissions-all-namespaces-persistency-optional.yaml 
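Review bot: `serviceaccounts` here has `get` and `create` but no `delete`, whereas the namespace-restricted resolver role in this same patch grants `delete` too; one of the two is wrong, and if it is this one, the service account presumably created for the resolver is left behind after cleanup in cluster-wide mode. The `create` verbs on `clusterroles` and `clusterrolebindings` are the most sensitive grants in the whole example set — the holder can bind cluster-scoped permissions to any ServiceAccount, bounded only by the API server's RBAC escalation check — so the header should say so rather than just "optional", e.g. `# NOTE: create on clusterroles/clusterrolebindings lets this user grant cluster-wide RBAC; prefer a pre-created resolver ServiceAccount where possible`. The `apps`/`extensions` entries on the `pods`, `services` and `endpoints` rules are no-ops (those resources live only in the core group) and can be trimmed to `apiGroups: [""]`.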
@@ -0,0 +1,26 @@ +# This example shows permissions that are required for persistency with `mizu install` command +# Optional with `mizu-install` +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-persistency-clusterrole +rules: +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["list"] +- apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-persistent-clusterrolebindings +subjects: +- kind: User + name: user1 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: mizu-runner-persistency-clusterrole + apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-all-namespaces-without-ip-resolution.yaml b/examples/roles/permissions-all-namespaces-tap.yaml similarity index 60% rename from examples/roles/permissions-all-namespaces-without-ip-resolution.yaml rename to examples/roles/permissions-all-namespaces-tap.yaml index 0a743e776..3f038e179 100644 --- a/examples/roles/permissions-all-namespaces-without-ip-resolution.yaml +++ b/examples/roles/permissions-all-namespaces-tap.yaml @@ -1,5 +1,4 @@ -# This example shows the roles required for a user to be able to use Mizu in all namespaces with IP resolution disabled. -# (Traffic will be recorded, but Mizu will not translate IP addresses to names) +# This example shows the permissions that are required in order to run the `mizu tap` command kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: 
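Review bot: The binding's `roleRef.name` matches the role (`mizu-runner-persistency-clusterrole`) but the binding itself is named `mizu-runner-persistent-clusterrolebindings`, mixing "persistent" and "persistency"; `name: mizu-runner-persistency-clusterrolebindings` keeps the pair consistent with the other examples. `persistentvolumeclaims` gets `create` only, so the identity that installs Mizu cannot remove the claim (or, depending on the reclaim policy, its bound volume) unless cleanup relies on deleting the whole namespace — worth stating in the header so operators know where the data ends up. The comment also says `mizu-install` on one line and `mizu install` on the other; pick the real command name.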
@@ -7,25 +6,22 @@ metadata: rules: - apiGroups: [""] resources: ["pods"] - verbs: ["list", "watch", "create", "delete"] + verbs: ["list", "watch", "create"] - apiGroups: [""] resources: ["services"] - verbs: ["create", "delete"] + verbs: ["get", "create"] - apiGroups: ["apps"] resources: ["daemonsets"] - verbs: ["create", "patch", "delete"] + verbs: ["create", "patch"] - apiGroups: [""] resources: ["namespaces"] - verbs: ["get", "list", "watch", "create", "delete"] + verbs: ["list", "watch", "create", "delete"] - apiGroups: [""] resources: ["services/proxy"] - verbs: ["get"] + verbs: ["get", "create"] - apiGroups: [""] resources: ["configmaps"] - verbs: ["get", "create", "delete"] - - apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["list", "watch"] + verbs: ["create"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/examples/roles/permissions-all-namespaces.yaml b/examples/roles/permissions-all-namespaces.yaml deleted file mode 100644 index 7b8b065ee..000000000 --- a/examples/roles/permissions-all-namespaces.yaml +++ /dev/null 
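Review bot: The `namespaces` rule keeps `create` and `delete` cluster-wide while dropping `get`, and with no `resourceNames` the `delete` verb lets a `mizu tap` user delete any namespace in the cluster, not just the one Mizu creates for itself; `delete` (unlike `create`/`list`/`watch`) can be name-scoped, so the rule should be split. Removing `delete` from `pods`, `services` and `daemonsets` is consistent with cleanup happening by deleting the Mizu namespace, but that makes this one verb the only cluster-wide destructive capability left in the role, which is exactly why it deserves scoping. The namespace name is not visible in this patch; `mizu` below is a placeholder to confirm. The role's metadata lines are outside the hunk.
```yaml
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "watch", "create"]
- apiGroups: [""]
  resources: ["namespaces"]
  resourceNames: ["mizu"]  # TODO confirm: the namespace `mizu tap` creates
  verbs: ["delete"]
# … unchanged: services/proxy and configmaps rules …
```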
@@ -1,64 +0,0 @@ -# This example shows the roles required for a user to be able to use Mizu in all namespaces. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-clusterrole -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["create", "patch", "delete"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: [""] - resources: ["services/proxy"] - verbs: ["get"] -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "create", "delete"] -- apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterrolebindings"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["get", "create", "delete"] -- apiGroups: ["apps", "extensions"] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apps", "extensions"] - resources: ["services"] - verbs: ["get", "list", "watch"] -- apiGroups: ["", "apps", "extensions"] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] -- apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-clusterrolebindings -subjects: -- kind: User - name: user1 - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: mizu-runner-clusterrole - apiGroup: rbac.authorization.k8s.io 
diff --git a/examples/roles/permissions-ns-daemon.yaml b/examples/roles/permissions-ns-daemon.yaml deleted file mode 100644 index 0ab880f11..000000000 --- a/examples/roles/permissions-ns-daemon.yaml +++ /dev/null @@ -1,60 +0,0 @@ -# This example shows the roles required for a user to be able to use Mizu in a single namespace. -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-role - namespace: user1 -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "delete"] -- apiGroups: [ "apps" ] - resources: [ "deployments" ] - verbs: [ "get", "create", "delete" ] -- apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["get", "create", "patch", "delete", "list"] -- apiGroups: [""] - resources: ["services/proxy"] - verbs: ["get"] -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "create", "delete"] -- apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["get", "create", "delete"] -- apiGroups: ["apps", "extensions", ""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apps", "extensions"] - resources: ["services"] - verbs: ["get", "list", "watch"] -- apiGroups: ["", "apps", "extensions"] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] -- apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["list", "watch"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-rolebindings - namespace: user1 -subjects: -- kind: User - name: user1 - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: mizu-runner-role - apiGroup: rbac.authorization.k8s.io 
diff --git a/examples/roles/permissions-ns-debug-optional.yaml b/examples/roles/permissions-ns-debug-optional.yaml new file mode 100644 index 000000000..fafe1e4d5 --- /dev/null +++ b/examples/roles/permissions-ns-debug-optional.yaml @@ -0,0 +1,28 @@ +# This example shows permissions that enrich the logs with additional info in namespace-restricted mode +# Optional with `mizu-tap` +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-debug-role + namespace: user1 +rules: +- apiGroups: ["events.k8s.io"] + resources: ["events"] + verbs: ["watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-runner-debug-rolebindings + namespace: user1 +subjects: +- kind: User + name: user1 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: mizu-runner-debug-role + apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-ns-ip-resolution-optional.yaml b/examples/roles/permissions-ns-ip-resolution-optional.yaml new file mode 100644 index 000000000..8c11e501d --- /dev/null +++ b/examples/roles/permissions-ns-ip-resolution-optional.yaml 
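Review bot: The header comment says `Optional with `mizu-tap``, which is neither the command name (`mizu tap`) nor the spelling used by the cluster-wide counterpart in this patch; `# Optional with `mizu tap`` fixes it. As with the cluster-wide variant, `events` gets `watch` without `list`, while the roles this patch deletes granted both — if the events are read through an informer the initial list call is denied, so this is worth confirming against the agent rather than assuming `watch` alone suffices. A short note on why `get` on `pods` is needed for log enrichment would also help, since the mandatory `mizu tap` role deliberately omits that verb.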
@@ -0,0 +1,40 @@ +# This example shows permissions that are required for Mizu to resolve IPs to service names in namespace-restricted mode +# Optional with `mizu-tap` +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-resolver-role + namespace: user1 +rules: +- apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "list", "create", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles"] + verbs: ["get", "list", "create", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["rolebindings"] + verbs: ["get", "list", "create", "delete"] +- apiGroups: ["", "apps", "extensions"] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: ["", "apps", "extensions"] + resources: ["services"] + verbs: ["get", "list", "watch"] +- apiGroups: ["", "apps", "extensions"] + resources: ["endpoints"] + verbs: ["get", "list", "watch"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: mizu-resolver-rolebindings + namespace: user1 +subjects: +- kind: User + name: user1 + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: mizu-resolver-role + apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-ns-without-ip-resolution.yaml b/examples/roles/permissions-ns-tap.yaml similarity index 68% rename from examples/roles/permissions-ns-without-ip-resolution.yaml rename to examples/roles/permissions-ns-tap.yaml index 24bc0d822..462e6d5bc 100644 --- a/examples/roles/permissions-ns-without-ip-resolution.yaml +++ b/examples/roles/permissions-ns-tap.yaml @@ -1,4 +1,4 @@ -# This example shows the roles required for a user to be able to use Mizu in a single namespace with IP resolution disabled. +# This example shows the permissions that are required in order to run the `mizu tap` command in namespace-restricted mode kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: 
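Review bot: `serviceaccounts`, `roles` and `rolebindings` are granted `list` and `delete` here, while the cluster-wide resolver role in the same patch gives `serviceaccounts` only `get` and `create`; the two variants should grant the same lifecycle verbs for the same resource, so one of them needs correcting (and `list` is not obviously needed to create or delete a resource by a known name). `create` on `rolebindings` lets the holder bind any Role in the namespace to any subject, bounded only by the RBAC escalation check, which the header could state: `# NOTE: create on roles/rolebindings lets this user grant RBAC within the namespace`. The `apps`/`extensions` groups on the `pods`, `services` and `endpoints` rules grant nothing (core-group resources) and can be dropped to `apiGroups: [""]`.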
@@ -7,22 +7,19 @@ metadata: rules: - apiGroups: [""] resources: ["pods"] - verbs: ["get", "list", "watch", "create", "delete"] + verbs: ["list", "watch", "create"] - apiGroups: [""] resources: ["services"] verbs: ["get", "create", "delete"] - apiGroups: ["apps"] resources: ["daemonsets"] - verbs: ["get", "create", "patch", "delete"] + verbs: ["create", "patch", "delete"] - apiGroups: [""] resources: ["services/proxy"] - verbs: ["get"] + verbs: ["get", "create", "delete"] - apiGroups: [""] resources: ["configmaps"] - verbs: ["get", "create", "delete"] -- apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["list", "watch"] + verbs: ["create", "delete"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/examples/roles/permissions-ns-with-validation.yaml b/examples/roles/permissions-ns-with-validation.yaml deleted file mode 100644 index a3e3eceb2..000000000 --- a/examples/roles/permissions-ns-with-validation.yaml +++ /dev/null 
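Review bot: `services/proxy` gains `create` and `delete`, which map to POST and DELETE requests forwarded through the API server to any Service in the namespace, not only Mizu's; adding `resourceNames` with Mizu's API-server Service name would confine the proxy verbs to that one backend (the name is not visible in this hunk, so it needs confirming). `configmaps` is now `create`/`delete` without `get`, which is fine only if the config map is written and removed by a known name and never read back through this identity; a header comment stating that assumption would keep the next edit from silently breaking it. The role's metadata lines are outside the hunk.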
@@ -1,57 +0,0 @@ -# This example shows the roles required for a user to be able to use Mizu in a single namespace. -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-role - namespace: user1 -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["get", "create", "patch", "delete"] -- apiGroups: [""] - resources: ["services/proxy"] - verbs: ["get"] -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "create", "delete"] -- apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["get", "create", "delete"] -- apiGroups: ["apps", "extensions"] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apps", "extensions"] - resources: ["services"] - verbs: ["get", "list", "watch"] -- apiGroups: ["", "apps", "extensions"] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] -- apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["list", "watch"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-rolebindings - namespace: user1 -subjects: -- kind: User - name: user1 - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: mizu-runner-role - apiGroup: rbac.authorization.k8s.io diff --git a/examples/roles/permissions-ns.yaml b/examples/roles/permissions-ns.yaml deleted file mode 100644 index 6974ab50f..000000000 --- a/examples/roles/permissions-ns.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -# This example shows the roles required for a user to be able to use Mizu in a single namespace. -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-role - namespace: user1 -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["get", "create", "patch", "delete"] -- apiGroups: [""] - resources: ["services/proxy"] - verbs: ["get"] -- apiGroups: [ "" ] - resources: [ "configmaps" ] - verbs: [ "get", "create", "delete" ] -- apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["roles"] - verbs: ["get", "create", "delete"] -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings"] - verbs: ["get", "create", "delete"] -- apiGroups: ["apps", "extensions"] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apps", "extensions"] - resources: ["services"] - verbs: ["get", "list", "watch"] -- apiGroups: ["", "apps", "extensions"] - resources: ["endpoints"] - verbs: ["get", "list", "watch"] -- apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["list", "watch"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mizu-runner-rolebindings - namespace: user1 -subjects: -- kind: User - name: user1 - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: mizu-runner-role - apiGroup: rbac.authorization.k8s.io