From cc09450f79f41d823a7dff1ba69a06beb76d285a Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 18 Dec 2024 13:22:21 +0100 Subject: [PATCH] Refactor tenant RBAC rules Signed-off-by: Andrei Kvapil --- packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/templates/tenant.yaml | 205 +++++++++------------ packages/apps/versions_map | 3 +- 3 files changed, 95 insertions(+), 115 deletions(-) diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 585a0cd98..e5737ddab 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: /logos/tenant.svg type: application -version: 1.6.2 +version: 1.6.3 diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml index 748126e92..f6c6dfc11 100644 --- a/packages/apps/tenant/templates/tenant.yaml +++ b/packages/apps/tenant/templates/tenant.yaml @@ -14,6 +14,8 @@ metadata: kubernetes.io/service-account.name: {{ include "tenant.name" . }} type: kubernetes.io/service-account-token --- +# == default role == +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -62,18 +64,7 @@ roleRef: name: {{ include "tenant.name" . }} apiGroup: rbac.authorization.k8s.io --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "tenant.name" . }} - namespace: cozy-public -rules: -- apiGroups: ["source.toolkit.fluxcd.io"] - resources: ["helmrepositories"] - verbs: ["get", "list"] -- apiGroups: ["source.toolkit.fluxcd.io"] - resources: ["helmcharts"] - verbs: ["*"] +# == view role == --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 
@@ -119,22 +110,35 @@ rules: - get - list - watch - --- - kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "tenant.name" . }}-view namespace: {{ include "tenant.name" . }} subjects: - - kind: Group - name: {{ include "tenant.name" . }}-view - apiGroup: rbac.authorization.k8s.io +{{- if ne .Release.Namespace "tenant-root" }} +- kind: Group + name: tenant-root-view + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- if hasPrefix "tenant-" .Release.Namespace }} +{{- $parts := splitList "-" .Release.Namespace }} +{{- range $i, $v := $parts }} +{{- if ne $i 0 }} +- kind: Group + name: {{ join "-" (slice $parts 0 (add $i 1)) }}-view + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end }} +{{- end }} roleRef: kind: Role name: {{ include "tenant.name" . }}-view apiGroup: rbac.authorization.k8s.io + +--- +# == use role == --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 @@ -189,14 +193,28 @@ metadata: name: {{ include "tenant.name" . }}-use namespace: {{ include "tenant.name" . }} subjects: - - kind: Group - name: {{ include "tenant.name" . }}-use - apiGroup: rbac.authorization.k8s.io +{{- if ne .Release.Namespace "tenant-root" }} +- kind: Group + name: tenant-root-use + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- if hasPrefix "tenant-" .Release.Namespace }} +{{- $parts := splitList "-" .Release.Namespace }} +{{- range $i, $v := $parts }} +{{- if ne $i 0 }} +- kind: Group + name: {{ join "-" (slice $parts 0 (add $i 1)) }}-use + apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end }} +{{- end }} roleRef: kind: Role name: {{ include "tenant.name" . }}-use apiGroup: rbac.authorization.k8s.io --- +# == admin role == +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: 
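Review bot: In the `subjects:` block of the `-view` RoleBinding in the `@@ -119` hunk, parent tenant groups are derived by splitting `.Release.Namespace` on `-`, so a namespace whose own tenant segment contains a hyphen (constructed example: `tenant-my-team`) also yields a `tenant-my-view` subject, i.e. a group that belongs to an unrelated tenant or to nobody would be granted view on this namespace. Whether tenant names may contain `-` is enforced outside this file, so this is hedged; if it is not enforced, the hierarchy should come from something the tenant name cannot collide with (a label or annotation on the parent namespace) rather than from the namespace string. The same block is pasted with a different suffix in the `-use` binding in `@@ -189`, the `-admin` binding in `@@ -263` and the `-super-admin` binding in `@@ -416`; a single named template called as `{{ include "tenant.hierarchySubjects" (dict "ctx" . "suffix" "view") }}` under each `subjects:` would keep the four in step and give the hyphen handling one place to live. Sketch of the helper (whitespace trimming to be checked against rendered output):
```yaml
{{- define "tenant.hierarchySubjects" -}}
{{- $ns := .ctx.Release.Namespace -}}
{{- if ne $ns "tenant-root" }}
- kind: Group
  name: tenant-root-{{ .suffix }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- if hasPrefix "tenant-" $ns }}
{{- $parts := splitList "-" $ns }}
{{- range $i, $v := $parts }}
{{- if ne $i 0 }}
- kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-{{ $.suffix }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}
{{- end }}
{{- end }}
```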
@@ -263,79 +281,35 @@ rules: - update - patch - delete - - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "tenant.name" . }}-admin - namespace: cozy-public -rules: - - apiGroups: ["source.toolkit.fluxcd.io"] - resources: ["helmrepositories"] - verbs: - - get - - list - - apiGroups: - - source.toolkit.fluxcd.io - resources: - - helmcharts - verbs: - - get - - list - - apiGroups: ["source.toolkit.fluxcd.io"] - resources: - - helmcharts - verbs: ["*"] - resourceNames: - - bucket - - clickhouse - - ferretdb - - foo - - httpcache - - kafka - - kubernetes - - mysql - - nats - - postgres - - rabbitmq - - redis - - seaweedfs - - tcpbalancer - - virtualmachine - - vmdisk - - vminstance - --- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "tenant.name" . }}-admin - namespace: cozy-public + namespace: {{ include "tenant.name" . }} subjects: +{{- if ne .Release.Namespace "tenant-root" }} - kind: Group - name: {{ include "tenant.name" . }}-admin + name: tenant-root-admin apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: {{ include "tenant.name" . }}-admin +{{- end }} +{{- if hasPrefix "tenant-" .Release.Namespace }} +{{- $parts := splitList "-" .Release.Namespace }} +{{- range $i, $v := $parts }} +{{- if ne $i 0 }} +- kind: Group + name: {{ join "-" (slice $parts 0 (add $i 1)) }}-admin apiGroup: rbac.authorization.k8s.io ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "tenant.name" . }}-admin - namespace: {{ include "tenant.name" . }} -subjects: - - kind: Group - name: {{ include "tenant.name" . }}-admin - apiGroup: rbac.authorization.k8s.io +{{- end }} +{{- end }} +{{- end }} roleRef: kind: Role name: {{ include "tenant.name" . }}-admin apiGroup: rbac.authorization.k8s.io --- +# == super admin role == +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: 
@@ -377,38 +351,6 @@ rules: - '*' verbs: - '*' - - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "tenant.name" . }}-super-admin - namespace: cozy-public -rules: - - apiGroups: ["source.toolkit.fluxcd.io"] - resources: ["helmrepositories"] - verbs: - - get - - list - - apiGroups: ["source.toolkit.fluxcd.io"] - resources: - - helmcharts - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "tenant.name" . }}-super-admin - namespace: cozy-public -subjects: -- kind: Group - name: {{ include "tenant.name" . }}-super-admin - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: {{ include "tenant.name" . }}-super-admin - apiGroup: rbac.authorization.k8s.io --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -416,6 +358,11 @@ metadata: name: {{ include "tenant.name" . }}-super-admin namespace: {{ include "tenant.name" . }} subjects: +{{- if ne .Release.Namespace "tenant-root" }} +- kind: Group + name: tenant-root-super-admin + apiGroup: rbac.authorization.k8s.io +{{- end }} {{- if hasPrefix "tenant-" .Release.Namespace }} {{- $parts := splitList "-" .Release.Namespace }} {{- range $i, $v := $parts }} 
@@ -426,10 +373,42 @@ subjects: {{- end }} {{- end }} {{- end }} +roleRef: + kind: Role + name: {{ include "tenant.name" . }}-super-admin + apiGroup: rbac.authorization.k8s.io +--- +# == dashboard role == +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "tenant.name" . }} + namespace: cozy-public +rules: +- apiGroups: ["source.toolkit.fluxcd.io"] + resources: ["helmrepositories"] + verbs: ["get", "list"] +- apiGroups: ["source.toolkit.fluxcd.io"] + resources: ["helmcharts"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "tenant.name" . }} + namespace: cozy-public +subjects: - kind: Group name: {{ include "tenant.name" . }}-super-admin apiGroup: rbac.authorization.k8s.io +- kind: Group + name: {{ include "tenant.name" . }}-admin + apiGroup: rbac.authorization.k8s.io +- kind: ServiceAccount + name: {{ include "tenant.name" . }} + namespace: {{ include "tenant.name" . }} roleRef: kind: Role - name: {{ include "tenant.name" . }}-super-admin + name: {{ include "tenant.name" . }} apiGroup: rbac.authorization.k8s.io diff --git a/packages/apps/versions_map b/packages/apps/versions_map index a506edbd2..1b303afd2 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -91,7 +91,8 @@ tenant 1.4.0 94c688f7 tenant 1.5.0 48128743 tenant 1.6.0 df448b99 tenant 1.6.1 edbbb9be -tenant 1.6.2 HEAD +tenant 1.6.2 ccedc5fe +tenant 1.6.3 HEAD virtual-machine 0.1.4 f2015d6 virtual-machine 0.1.5 7cd7de7 virtual-machine 0.2.0 5ca8823
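Review bot: The new cozy-public Role named `{{ include "tenant.name" . }}` in the `@@ -426` hunk grants only `get`/`list` on helmrepositories and helmcharts, whereas the Roles it replaces (the default one removed in `@@ -62` with `verbs: ["*"]` on helmcharts, and the admin one removed in `@@ -263` with `verbs: ["*"]` on named helmcharts) allowed writes; the commit is titled as a refactor, but this is a permission narrowing and deserves a comment on the Role, e.g. `# Read-only catalog access for the dashboard; HelmChart writes in cozy-public are intentionally no longer granted`. Whether `watch` is also needed depends on how the dashboard consumes these resources (informer-based clients require it); confirm against the consumer before merging. The binding's subjects are the tenant's `-admin` and `-super-admin` groups and its ServiceAccount, so `-view` and `-use` members get no catalog access — if that is deliberate, a one-line comment saying so prevents a later "fix" that widens it. The `---` / `# == dashboard role ==` / `---` sequence emits an empty YAML document between the two separators; Helm and kubectl tolerate it, but putting the header comment directly above `apiVersion:` inside the document avoids it (same for the other section headers in this patch).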