diff --git a/deploy/manager-dev.yaml b/deploy/manager-dev.yaml
index aff4872561..35f2d1f7e7 100644
--- a/deploy/manager-dev.yaml
+++ b/deploy/manager-dev.yaml
@@ -132,6 +132,25 @@ data:
 hosts:
 - scylla-manager-cluster-manager-dc-manager-rack-0
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ namespace: scylla-manager
+ name: scylla-manager-to-scylla-pod
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/managed-by: scylla-operator
+ app.kubernetes.io/name: scylla
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: scylla-manager
+
 ---
 apiVersion: v1
 kind: Service
diff --git a/deploy/manager-prod.yaml b/deploy/manager-prod.yaml
index 3abaa0676a..67326857c6 100644
--- a/deploy/manager-prod.yaml
+++ b/deploy/manager-prod.yaml
@@ -132,6 +132,25 @@ data:
 hosts:
 - scylla-manager-cluster-manager-dc-manager-rack-0
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ namespace: scylla-manager
+ name: scylla-manager-to-scylla-pod
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/managed-by: scylla-operator
+ app.kubernetes.io/name: scylla
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: scylla-manager
+
 ---
 apiVersion: v1
 kind: Service
diff --git a/deploy/manager/dev/10_manager_networkpolicy.yaml b/deploy/manager/dev/10_manager_networkpolicy.yaml
new file mode 100644
index 0000000000..24f59f1e10
--- /dev/null
+++ b/deploy/manager/dev/10_manager_networkpolicy.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ namespace: scylla-manager
+ name: scylla-manager-to-scylla-pod
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/managed-by: scylla-operator
+ app.kubernetes.io/name: scylla
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: scylla-manager
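Review bot: Selecting the ScyllaDB pods with this policy makes them ingress-isolated, and the only peer allowed is a `namespaceSelector` with no `ports` list, so every pod in the `scylla-manager` namespace reaches every port of those pods while any client outside that namespace — a cross-namespace metrics scraper, or the operator if it connects to these pods directly — is dropped. The name `scylla-manager-to-scylla-pod` suggests the manager's own traffic is the intent; a header comment such as `# Allow ingress from any pod in the scylla-manager namespace to the manager's backing ScyllaDB pods; enforced only on a NetworkPolicy-capable CNI` would record that, and narrowing `from` to the manager's pod labels or adding a `ports` list would tighten it if that is all that is needed. The same policy is repeated in the manager-prod.yaml hunk and in the two new 10_manager_networkpolicy.yaml files.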
diff --git a/deploy/manager/prod/10_manager_networkpolicy.yaml b/deploy/manager/prod/10_manager_networkpolicy.yaml
new file mode 100644
index 0000000000..24f59f1e10
--- /dev/null
+++ b/deploy/manager/prod/10_manager_networkpolicy.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ namespace: scylla-manager
+ name: scylla-manager-to-scylla-pod
+spec:
+ policyTypes:
+ - Ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/managed-by: scylla-operator
+ app.kubernetes.io/name: scylla
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: scylla-manager
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index 582d22bddc..c2ba76cff5 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -297,6 +297,91 @@ rules:
 - patch
 - update
 - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/finalizers
+ - secrets/finalizers
+ - pods/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - scyllaclusters/finalizers
+ - scylladbdatacenters/finalizers
+ - scylladbmonitorings/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - nodeconfigs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/finalizers
+ - secrets/finalizers
+ - pods/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - scyllaclusters/finalizers
+ - scylladbdatacenters/finalizers
+ - scylladbmonitorings/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - nodeconfigs/finalizers
+ verbs:
+ - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:controller:aggregate-to-operator-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylla-operator: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
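Review bot: The five `*/finalizers` rules are added twice verbatim in this hunk (the run from `configmaps/finalizers` through `nodeconfigs/finalizers` repeats immediately after itself), which is harmless because RBAC is additive but doubles the diff and presumably comes from a duplicated generator marker, so it is worth deduplicating at the source; the same duplication is in the 00_operator.clusterrole_def.yaml hunk. The new `scylladb:controller:aggregate-to-operator-openshift` role grants `use` on the `privileged` SCC to every subject bound to the aggregated operator role, and on OpenShift that is the least restrictive SCC available. A comment on the rule naming which operator-managed workload requires it, e.g. `# privileged SCC: needed by <WORKLOAD — fill in>; a dedicated SCC listing only the required capabilities and host access would be narrower`, would make the grant reviewable. The same grant is added in the new 00_operator.clusterrole_def_openshift.yaml file.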
@@ -27904,6 +27989,57 @@ rules:
 - scyllaclusters
 verbs:
 - get
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/finalizers
+ - secrets/finalizers
+ verbs:
+ - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:aggregate-to-scyllacluster-member-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylla-member: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:monitoring:grafana
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:aggregate-to-scylladb-monitoring-grafana-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -27940,6 +28076,23 @@ rules:
 verbs:
 - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:aggregate-to-scylladb-monitoring-prometheus-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-prometheus: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
diff --git a/deploy/operator/00_operator.clusterrole_def.yaml b/deploy/operator/00_operator.clusterrole_def.yaml
index c857c2d55c..bfbc10a099 100644
--- a/deploy/operator/00_operator.clusterrole_def.yaml
+++ b/deploy/operator/00_operator.clusterrole_def.yaml
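Review bot: `scylladb:aggregate-to-scylladb-monitoring-grafana-openshift` here, and the prometheus counterpart in the next hunk, give the Grafana and Prometheus service accounts `use` on the `privileged` SCC, which is far more than a dashboard or scrape workload needs. If the only blocker is that those pods pin a UID or fsGroup that `restricted-v2` rejects, the built-in `anyuid` or `nonroot-v2` SCC covers that without granting host access, and whichever SCC is settled on should be named in a comment on the rule. The member role in this hunk also gets `privileged`; for ScyllaDB pods that plausibly reflects real capability needs, but a one-line comment saying which would help the next reviewer. The new files 00_scyllacluster_member_clusterrole_def_openshift.yaml, 00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml and 00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml carry the same rules.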
@@ -281,3 +281,71 @@ rules:
 - patch
 - update
 - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/finalizers
+ - secrets/finalizers
+ - pods/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - scyllaclusters/finalizers
+ - scylladbdatacenters/finalizers
+ - scylladbmonitorings/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - nodeconfigs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/finalizers
+ - secrets/finalizers
+ - pods/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - scyllaclusters/finalizers
+ - scylladbdatacenters/finalizers
+ - scylladbmonitorings/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - scylla.scylladb.com
+ resources:
+ - nodeconfigs/finalizers
+ verbs:
+ - update
diff --git a/deploy/operator/00_operator.clusterrole_def_openshift.yaml b/deploy/operator/00_operator.clusterrole_def_openshift.yaml
new file mode 100644
index 0000000000..88556786aa
--- /dev/null
+++ b/deploy/operator/00_operator.clusterrole_def_openshift.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:controller:aggregate-to-operator-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylla-operator: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
diff --git a/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml b/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml
index 11cb8ad0b3..d5af6d0c15 100644
--- a/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml
+++ b/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml
@@ -56,3 +56,10 @@ rules:
 - scyllaclusters
 verbs:
 - get
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/finalizers
+ - secrets/finalizers
+ verbs:
+ - update
diff --git a/deploy/operator/00_scyllacluster_member_clusterrole_def_openshift.yaml b/deploy/operator/00_scyllacluster_member_clusterrole_def_openshift.yaml
new file mode 100644
index 0000000000..7871d0307d
--- /dev/null
+++ b/deploy/operator/00_scyllacluster_member_clusterrole_def_openshift.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:aggregate-to-scyllacluster-member-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylla-member: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
diff --git a/deploy/operator/00_scylladbmonitoring_grafana_clusterrole.yaml b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole.yaml
new file mode 100644
index 0000000000..30d54f79fe
--- /dev/null
+++ b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:monitoring:grafana
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true"
diff --git a/deploy/operator/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml
new file mode 100644
index 0000000000..f1cf99ee14
--- /dev/null
+++ b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:aggregate-to-scylladb-monitoring-grafana-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
diff --git a/deploy/operator/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml b/deploy/operator/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml
new file mode 100644
index 0000000000..fb293dd814
--- /dev/null
+++ b/deploy/operator/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: scylladb:aggregate-to-scylladb-monitoring-prometheus-openshift
+ labels:
+ rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-prometheus: "true"
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
diff --git a/examples/third-party/haproxy-ingress.yaml b/examples/third-party/haproxy-ingress.yaml
index 041ef61fae..a0d996fe38 100644
--- a/examples/third-party/haproxy-ingress.yaml
+++ b/examples/third-party/haproxy-ingress.yaml
@@ -202,6 +202,21 @@ spec:
 fieldRef:
 fieldPath: metadata.namespace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: haproxy-ingress
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
 ---
 apiVersion: v1
 kind: ServiceAccount
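Review bot: The new `haproxy-ingress` Role in the haproxy-ingress.yaml hunk grants `use` on the `privileged` SCC to the ingress service account, yet the haproxy-ingress container added in the following hunk already runs as UID 1000 with every capability dropped except `NET_BIND_SERVICE`; a custom SCC that permits just that capability and the fixed UID would match what the pod declares, whereas `privileged` lets the same service account run fully privileged pods. A comment on the rule stating which `restricted` SCC check the pod fails would make the choice reviewable. The Role carries no `namespace` in its metadata, so it lands wherever the manifest is applied, while the RoleBinding later in the file names `haproxy-ingress` for its subject.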
@@ -405,3 +420,189 @@ spec:
 app.kubernetes.io/instance: prometheus
 ---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: haproxy-ingress
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: haproxy-ingress
+subjects:
+- kind: ServiceAccount
+ name: haproxy-ingress
+ namespace: haproxy-ingress
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: haproxy-ingress
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: haproxy-ingress
+subjects:
+- kind: ServiceAccount
+ name: haproxy-ingress
+ namespace: haproxy-ingress
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: prometheus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus
+subjects:
+- kind: ServiceAccount
+ name: prometheus
+ namespace: haproxy-ingress
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: haproxy-ingress
+spec:
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 50%
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: haproxy-ingress
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: haproxy-ingress
+ spec:
+ terminationGracePeriodSeconds: 70
+ serviceAccountName: haproxy-ingress
+ containers:
+ - name: haproxy-ingress
+ image: docker.io/haproxytech/kubernetes-ingress:1.10.1@sha256:39eb1a1443e42dc4dc9883bbc764b21f7c7d507af277656551af39ff3faf7635
+ args:
+ - --disable-ipv6
+ - --ipv4-bind-address=0.0.0.0
+ - --http-bind-port=8080
+ - --https-bind-port=8443
+ - --configmap=haproxy-ingress/haproxy-ingress
+ - --default-backend-service=haproxy-ingress/ingress-default-backend
+ - --default-ssl-certificate=haproxy-ingress/ingress-default-ssl-certificate
+ - --log=trace
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ resources:
+ requests:
+ cpu: 100m
+ memory: 50M
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 1042
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 1042
+ ports:
+ - name: http
+ containerPort: 8080
+ - name: https
+ containerPort: 8443
+ - name: stat
+ containerPort: 1024
+ env:
+ - name: TZ
+ value: "Etc/UTC"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ingress-default-backend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-default-backend
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ingress-default-backend
+ spec:
+ containers:
+ - name: ingress-default-backend
+ image: docker.io/scylladb/scylla-operator:thirdparty-google_containers-defaultbackend-1.4@sha256:710e7b3ab708ed0fbd3bb4005893bdadf893983441f46c6680ad2ed6f04c261e
+ ports:
+ - containerPort: 8080
+ resources:
+ requests:
+ cpu: 10m
+ memory: 50Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: prometheus
+spec:
+ revisionHistoryLimit: 5
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: prometheus
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: prometheus
+ name: prometheus
+ spec:
+ containers:
+ - name: prometheus
+ image: docker.io/prom/prometheus:v2.43.1@sha256:3760d0bcb02f439394aa172eaadafbb9e657baff6a995458a6e82fdb38c5b6b5
+ imagePullPolicy: IfNotPresent
+ args:
+ - --config.file=/etc/prometheus/config/prometheus.yml
+ readinessProbe:
+ failureThreshold: 1
+ httpGet:
+ path: /-/ready
+ port: 9090
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /etc/prometheus/config
+ name: prometheus-cfg
+ - name: prometheus
+ mountPath: /prometheus
+ serviceAccountName: prometheus
+ volumes:
+ - configMap:
+ name: prometheus-cfg
+ name: prometheus-cfg
+ - name: prometheus
+ emptyDir:
+ sizeLimit: 10Mi
+
+---
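Review bot: The `prometheus` container in this hunk has no `securityContext` at all, while the `haproxy-ingress` container a few resources above it drops every capability and pins a non-root UID; giving prometheus the same shape (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) keeps the example consistent and stops it depending on whatever SCC or Pod Security default the target cluster applies. The haproxy container is also started with `--log=trace`, which in an example that gets copied will emit request-level detail at volume; a less verbose level is the safer default outside active debugging, with a comment noting why `trace` was chosen if it stays.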
diff --git a/examples/third-party/prometheus-operator.yaml b/examples/third-party/prometheus-operator.yaml
index 55715c8926..43db708e71 100644
--- a/examples/third-party/prometheus-operator.yaml
+++ b/examples/third-party/prometheus-operator.yaml
@@ -65448,7 +65448,6 @@ spec:
 kubernetes.io/os: linux
 securityContext:
 runAsNonRoot: true
- runAsUser: 65534
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: prometheus-operator
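Review bot: Dropping `runAsUser: 65534` while keeping `runAsNonRoot: true` makes the pod depend on the image declaring a numeric non-root `USER`: presumably the removal is for OpenShift, where the restricted SCC assigns a UID from the namespace range and rejects a fixed one, but on plain Kubernetes the kubelet refuses to start a container under `runAsNonRoot` when the image has no numeric non-root user set. A comment next to `runAsNonRoot: true` such as `# no runAsUser on purpose: OpenShift assigns the UID; the image must declare a numeric non-root USER` would stop the next edit from re-adding the value.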