


Merge pull request #228 from negz/drop
Run with fewer privileges
wonderflow committed Oct 7, 2020
2 parents 728b47e + 4cf6083 commit 2be3900
Showing 2 changed files with 73 additions and 9 deletions.
60 changes: 53 additions & 7 deletions charts/oam-kubernetes-runtime/templates/oam-controller.yaml
Expand Up @@ -5,18 +5,60 @@ kind: ServiceAccount
metadata:
name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
labels:
{{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
{{- end }}
{{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
{{- end }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "oam-kubernetes-runtime.fullname" . }}
labels:
{{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.oam.dev/aggregate-to-controller: "true"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "oam-kubernetes-runtime.fullname" . }}:system:aggregate-to-controller
labels:
{{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
rbac.oam.dev/aggregate-to-controller: "true"
rules:
- apiGroups:
- core.oam.dev
resources:
- "*"
verbs:
- "*"
- apiGroups:
- apps
resources:
- deployment
verbs:
- "*"
- apiGroups:
- ""
resources:
- service
verbs:
- "*"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
name: {{ include "oam-kubernetes-runtime.fullname" . }}
labels:
{{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "cluster-admin"
name: {{ include "oam-kubernetes-runtime.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
Expand All @@ -27,7 +69,9 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
labels:
{{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
Expand Down Expand Up @@ -60,11 +104,13 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
labels:
{{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
subjects:
- kind: ServiceAccount
name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
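Review bot: The aggregated rule block at `resources: - deployment` and `resources: - service` uses singular resource names, but RBAC matches on the plural REST resource names (`deployments`, `services`), so as written these rules grant nothing for those kinds and the controller loses Deployment/Service access the moment it stops running as cluster-admin. Change them to `- deployments` and `- services` (and consider narrowing `verbs: "*"` to the verbs the controller actually issues). A short comment on the aggregating ClusterRole would also help operators: `# Any ClusterRole labelled rbac.oam.dev/aggregate-to-controller: "true" is merged into the controller's permissions — treat that label as privileged.` The leader-election Role's rule list continues outside the hunk.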
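--- a/test/e2e-test/suite_test.go
+++ b/test/e2e-test/suite_test.go
@@ -49,6 +49,7 @@ var k8sClient client.Client
 var scheme = runtime.NewScheme()
 var manualscalertrait v1alpha2.TraitDefinition
 var extendedmanualscalertrait v1alpha2.TraitDefinition
+var roleName = "oam-example-com"
 var roleBindingName = "oam-role-binding"
 var crd crdv1.CustomResourceDefinition
 
@@ -160,6 +161,23 @@ var _ = BeforeSuite(func(done Done) {
 Expect(k8sClient.Create(context.Background(), &wd)).Should(SatisfyAny(BeNil(), &util.AlreadyExistMatcher{}))
 By("Created containerizedworkload.core.oam.dev")
 
+exampleClusterRole := rbac.ClusterRole{
+ObjectMeta: metav1.ObjectMeta{
+Name: roleName,
+Labels: map[string]string{
+"oam": "clusterrole",
+"rbac.oam.dev/aggregate-to-controller": "true",
+},
+},
+Rules: []rbac.PolicyRule{{
+APIGroups: []string{"example.com"},
+Resources: []string{rbac.ResourceAll},
+Verbs: []string{rbac.VerbAll},
+}},
+}
+Expect(k8sClient.Create(context.Background(), &exampleClusterRole)).Should(BeNil())
+By("Created example.com cluster role for the test service account")
+
 adminRoleBinding := rbac.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{
 Name: roleBindingName,
@@ -168,7 +186,7 @@ var _ = BeforeSuite(func(done Done) {
 Subjects: []rbac.Subject{
 {
 Kind: "User",
-Name: "system:serviceaccount:crossplane-system:crossplane",
+Name: "system:serviceaccount:oam-system:oam-kubernetes-runtime-e2e",
 },
 },
 RoleRef: rbac.RoleRef{
@@ -178,7 +196,7 @@ var _ = BeforeSuite(func(done Done) {
 },
 }
 Expect(k8sClient.Create(context.Background(), &adminRoleBinding)).Should(BeNil())
-By("Created cluster role bind for the test service account")
+By("Created cluster role binding for the test service account")
 // Create a crd for appconfig dependency test
 crd = crdv1.CustomResourceDefinition{
 ObjectMeta: metav1.ObjectMeta{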
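Review bot: `Expect(k8sClient.Create(context.Background(), &exampleClusterRole)).Should(BeNil())` aborts BeforeSuite when the `oam-example-com` ClusterRole already exists, whereas the creates just above it accept `&util.AlreadyExistMatcher{}`, and nothing in the hunk deletes the role afterwards, so a second run of the suite against the same cluster fails on setup. Use `.Should(SatisfyAny(BeNil(), &util.AlreadyExistMatcher{}))` to match the sibling creates. The subject of the renamed binding is still `Kind: "User"` with a `system:serviceaccount:...` name; that resolves, but `Kind: "ServiceAccount", Name: "oam-kubernetes-runtime-e2e", Namespace: "oam-system"` is the conventional form and is what the chart's own binding uses. The binding's RoleRef lies outside the hunk, so whether the e2e account remains bound to cluster-admin cannot be confirmed here. The enclosing BeforeSuite closure starts and ends outside the hunk.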

