Reduce permission for cluster manager

Signed-off-by: Jian Qiu <[email protected]>
open-cluster-management-io · Dec 4, 2023 · c845106 · c845106
1 parent 7ceb9a2
commit c845106
Show file tree

Hide file tree

Showing 21 changed files with 279 additions and 158 deletions.
diff --git a/deploy/cluster-manager/config/kustomization.yaml b/deploy/cluster-manager/config/kustomization.yaml
@@ -3,9 +3,12 @@ kind: Kustomization
 
 resources:
 - crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml
+- operator/namespace.yaml
+- operator/hub_namespace.yaml
 - rbac/cluster_role.yaml
 - rbac/cluster_role_binding.yaml
-- operator/namespace.yaml
+- rbac/role.yaml
+- rbac/role_binding.yaml
 - operator/service_account.yaml
 - operator/operator.yaml
 

diff --git a/deploy/cluster-manager/config/operator/hub_namespace.yaml b/deploy/cluster-manager/config/operator/hub_namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: open-cluster-management-hub
diff --git a/deploy/cluster-manager/config/operator/kustomization.yaml b/deploy/cluster-manager/config/operator/kustomization.yaml
@@ -2,3 +2,4 @@ resources:
   - namespace.yaml
   - service_account.yaml
   - operator.yaml
+  - hub_namespace.yaml
diff --git a/deploy/cluster-manager/config/rbac/cluster_role.yaml b/deploy/cluster-manager/config/rbac/cluster_role.yaml
@@ -5,28 +5,8 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
-  verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "list", "watch", "update", "patch", "delete"]
-  resourceNames:
-    - "signer-secret"
-    - "registration-webhook-serving-cert"
-    - "work-webhook-serving-cert"
-    - "registration-controller-sa-kubeconfig"
-    - "registration-webhook-sa-kubeconfig"
-    - "work-webhook-sa-kubeconfig"
-    - "placement-controller-sa-kubeconfig"
-    - "work-controller-sa-kubeconfig"
-    - "addon-manager-controller-sa-kubeconfig"
-    - "external-hub-kubeconfig"
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
+  resources: ["configmaps", "namespaces"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
@@ -39,12 +19,6 @@ rules:
 - apiGroups: ["", "events.k8s.io"]
   resources: ["events"]
   verbs: ["get", "list", "watch", "create", "patch", "update", "delete", "deletecollection"]
-- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
-- apiGroups: ["apps"]
-  resources: ["replicasets"]
-  verbs: ["get"]  
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["clusterrolebindings", "rolebindings"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
@@ -54,15 +28,40 @@ rules:
 # Allow the registration-operator to create crds
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
-  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+  verbs: ["create"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list", "update", "watch", "patch", "delete"]
+  resourceNames:
+    - "addondeploymentconfigs.addon.open-cluster-management.io"
+    - "addonplacementscores.cluster.open-cluster-management.io"
+    - "addontemplates.addon.open-cluster-management.io"
+    - "clustermanagementaddons.addon.open-cluster-management.io"
+    - "managedclusteraddons.addon.open-cluster-management.io"
+    - "managedclusters.cluster.open-cluster-management.io"
+    - "managedclustersetbindings.cluster.open-cluster-management.io"
+    - "managedclustersets.cluster.open-cluster-management.io"
+    - "manifestworkreplicasets.work.open-cluster-management.io"
+    - "manifestworks.work.open-cluster-management.io"
+    - "placementdecisions.cluster.open-cluster-management.io"
+    - "placements.cluster.open-cluster-management.io"
 # Allow the registration-operator to update crds status
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions/status"]
   verbs: ["update", "patch"]
-# Allow the registration-operator to create apiservice
-- apiGroups: ["apiregistration.k8s.io"]
-  resources: ["apiservices"]
-  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+  resourceNames:
+    - "addondeploymentconfigs.addon.open-cluster-management.io"
+    - "addonplacementscores.cluster.open-cluster-management.io"
+    - "addontemplates.addon.open-cluster-management.io"
+    - "clustermanagementaddons.addon.open-cluster-management.io"
+    - "managedclusteraddons.addon.open-cluster-management.io"
+    - "managedclusters.cluster.open-cluster-management.io"
+    - "managedclustersetbindings.cluster.open-cluster-management.io"
+    - "managedclustersets.cluster.open-cluster-management.io"
+    - "manifestworkreplicasets.work.open-cluster-management.io"
+    - "manifestworks.work.open-cluster-management.io"
+    - "placementdecisions.cluster.open-cluster-management.io"
+    - "placements.cluster.open-cluster-management.io"
 # Allow the registration-operator to create validatingwebhookconfigurration
 - apiGroups: ["admissionregistration.k8s.io"]
   resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
@@ -86,10 +85,10 @@ rules:
   resources: ["managedclusteraddons/status", "clustermanagementaddons/status"]
   verbs: ["patch", "update"]
 - apiGroups: ["addon.open-cluster-management.io"]
-  resources: [managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"]
+  resources: ["managedclusteraddons/finalizers", "clustermanagementaddons/finalizers"]
   verbs: ["update"]
 - apiGroups: ["addon.open-cluster-management.io"]
-  resources: [addondeploymentconfigs, "addontemplates"]
+  resources: ["addondeploymentconfigs", "addontemplates"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]

diff --git a/deploy/cluster-manager/config/rbac/kustomization.yaml b/deploy/cluster-manager/config/rbac/kustomization.yaml
@@ -1,3 +1,5 @@
 resources:
   - cluster_role.yaml
   - cluster_role_binding.yaml
+  - role.yaml
+  - role_binding.yaml
diff --git a/deploy/cluster-manager/config/rbac/role.yaml b/deploy/cluster-manager/config/rbac/role.yaml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cluster-manager
+  namespace: open-cluster-management-hub
+rules:
+# Allow the registration-operator to create workload
+- apiGroups: [""]
+  resources: ["serviceaccounts", "services"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "update", "patch", "delete"]
+  resourceNames:
+    - "signer-secret"
+    - "registration-webhook-serving-cert"
+    - "work-webhook-serving-cert"
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["replicasets"]
+  verbs: ["get"]
diff --git a/deploy/cluster-manager/config/rbac/role_binding.yaml b/deploy/cluster-manager/config/rbac/role_binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cluster-manager
+  namespace: open-cluster-management-hub
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cluster-manager
+subjects:
+- kind: ServiceAccount
+  name: cluster-manager
+  namespace: open-cluster-management