rke/templates/authz.go

package templates

const (
	KubeAPIClusterRole = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: proxy-clusterrole-kubeapiserver
rules:
- apiGroups: [""]
  resources:
  - nodes/metrics
  - nodes/proxy
  - nodes/stats
  - nodes/log
  - nodes/spec
  verbs: ["get", "list", "watch", "create"]`
	KubeAPIClusterRoleBinding = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: proxy-role-binding-kubernetes-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxy-clusterrole-kubeapiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver`
	SystemNodeClusterRoleBinding = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io`

	JobDeployerServiceAccount = `
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rke-job-deployer
  namespace: kube-system`

	JobDeployerClusterRoleBinding = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: job-deployer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  namespace: kube-system
  name: rke-job-deployer`

	DefaultPodSecurityRole = `
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: default-psp-role
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - default-psp`

	DefaultPodSecurityRoleBinding = `
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-psp-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-psp-role
subjects:
# Authorize all service accounts in a namespace:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
# Or equivalently, all authenticated users in a namespace:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated

`
)
Use go templates for addons, network plugins and other manifests 2017-12-16 03:37:45 +00:00			`package templates`
Enable RBAC and needed addons/network plugin configuration 2017-12-14 21:56:19 +00:00
			`const (`
Add kubeapi proxy cluster role and role binding 2019-07-25 20:07:38 +00:00			KubeAPIClusterRole = `
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: proxy-clusterrole-kubeapiserver`
			`rules:`
			`- apiGroups: [""]`
			`resources:`
			`- nodes/metrics`
			`- nodes/proxy`
Add node subresources to api server cluster role 2019-08-08 23:33:47 +00:00			`- nodes/stats`
			`- nodes/log`
			`- nodes/spec`
Add kubeapi proxy cluster role and role binding 2019-07-25 20:07:38 +00:00			verbs: ["get", "list", "watch", "create"]`
			KubeAPIClusterRoleBinding = `
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: proxy-role-binding-kubernetes-master`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: proxy-clusterrole-kubeapiserver`
			`subjects:`
			`- apiGroup: rbac.authorization.k8s.io`
			`kind: User`
			name: kube-apiserver`
Use go templates for addons, network plugins and other manifests 2017-12-16 03:37:45 +00:00			SystemNodeClusterRoleBinding = `
Enable RBAC and needed addons/network plugin configuration 2017-12-14 21:56:19 +00:00			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`annotations:`
			`rbac.authorization.kubernetes.io/autoupdate: "false"`
			`labels:`
			`kubernetes.io/bootstrapping: rbac-defaults`
			`name: system:node`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: system:node`
			`subjects:`
			`- kind: Group`
			`name: system:nodes`
			apiGroup: rbac.authorization.k8s.io`

Use go templates for addons, network plugins and other manifests 2017-12-16 03:37:45 +00:00			JobDeployerServiceAccount = `
Enable RBAC and needed addons/network plugin configuration 2017-12-14 21:56:19 +00:00			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: rke-job-deployer`
			namespace: kube-system`

Use go templates for addons, network plugins and other manifests 2017-12-16 03:37:45 +00:00			JobDeployerClusterRoleBinding = `
Enable RBAC and needed addons/network plugin configuration 2017-12-14 21:56:19 +00:00			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: job-deployer`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: cluster-admin`
			`subjects:`
			`- kind: ServiceAccount`
			`namespace: kube-system`
			name: rke-job-deployer`
Enable PodSecurityPolicy support 2017-12-20 01:51:07 +00:00
			DefaultPodSecurityRole = `
			`kind: Role`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: default-psp-role`
			`rules:`
			`- apiGroups: ['extensions']`
			`resources: ['podsecuritypolicies']`
			`verbs: ['use']`
			`resourceNames:`
			- default-psp`

			DefaultPodSecurityRoleBinding = `
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: default-psp-rolebinding`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: default-psp-role`
			`subjects:`
			`# Authorize all service accounts in a namespace:`
			`- kind: Group`
			`apiGroup: rbac.authorization.k8s.io`
			`name: system:serviceaccounts`
			`# Or equivalently, all authenticated users in a namespace:`
			`- kind: Group`
			`apiGroup: rbac.authorization.k8s.io`
			`name: system:authenticated`

			`
Enable RBAC and needed addons/network plugin configuration 2017-12-14 21:56:19 +00:00			`)`