Merge pull request karmada-io#5586 from B1F030/karmada-operator-rbac

minimize the rbac permissions for karmada-operator
wulemao · Oct 22, 2024 · 13df63f · 13df63f
2 parents be571fb + 8b6d4c4
commit 13df63f
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 17 deletions.
diff --git a/charts/karmada-operator/templates/karmada-operator-clusterrole.yaml b/charts/karmada-operator/templates/karmada-operator-clusterrole.yaml
@@ -4,8 +4,29 @@ metadata:
   name: {{ include "common.names.fullname" . }}
   labels: {{- include "common.labels.standard" . | nindent 4 }}
 rules:
-  - apiGroups: ['*']
-    resources: ['*']
-    verbs: ["*"]
-  - nonResourceURLs: ['*']
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"] # karmada-operator requires access to the Lease resource for leader election
+    verbs: ["get", "create", "update"]
+  - apiGroups: ["operator.karmada.io"]
+    resources: ["karmadas"] # to manage karmada instances
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["operator.karmada.io"]
+    resources: ["karmadas/status"] # to update the status subresource of karmada instances
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["events"] # allows karmada-operator to record events in the kubernetes api-server
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["nodes", "pods"] # list cluster nodes and pods to get node information and for health checks
+    verbs: ["list"]
+  - apiGroups: [""]
+    resources: ["namespaces"] # to get information about namespaces, and deploy resources into specific namespaces
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["secrets", "services"] # to manage secrets which might contain sensitive data like credentials and services to expose applications within the cluster
+    verbs: ["get", "create", "update", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["statefulsets", "deployments"] # to manage statefulsets, e.g. etcd, and deployments, e.g. karmada-operator
+    verbs: ["get", "create", "update", "delete"]
+  - nonResourceURLs: ["/healthz"] # used to check whether the karmada apiserver is health
     verbs: ["get"]
diff --git a/operator/README.md b/operator/README.md
@@ -33,18 +33,20 @@ helm install karmada-operator -n karmada-system --create-namespace --dependency-
 
 #### Using YAML resource
 
-The `karmada-operator` workload requires a kubeconfig of the local cluster to establish a connection with the cluster and watch CR resources.
-In preparation for this, create a secret containing the kubeconfig for the karmada-operator.
+The `karmada-operator` workload requires ClusterRole to watch and manage CR resources.
+In preparation for this, create a ClusterRole (with a ClusterRoleBinding and a ServiceAccount) containing the required privileges for the karmada-operator.
 
 ```shell
 kubectl create namespace karmada-system
-kubectl create secret generic my-kubeconfig --from-file=$HOME/.kube/config -n karmada-system
+kubectl apply -f operator/config/deploy/karmada-operator-clusterrole.yaml
+kubectl apply -f operator/config/deploy/karmada-operator-clusterrolebinding.yaml
+kubectl apply -f operator/config/deploy/karmada-operator-serviceaccount.yaml
 ```
 
 Deploy the `karmada-operator` workload.
 
 ```shell
-kubectl apply -f operator/config/deploy/karmada-operator.yaml
+kubectl apply -f operator/config/deploy/karmada-operator-deployment.yaml
 ```
 
 The pod of `karmada-operator` in the `karmada-system` namespace will be running.

diff --git a/operator/config/deploy/karmada-operator-clusterrole.yaml b/operator/config/deploy/karmada-operator-clusterrole.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: karmada-operator
+  labels:
+    karmada-app: karmada-operator
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"] # karmada-operator requires access to the Lease resource for leader election
+    verbs: ["get", "create", "update"]
+  - apiGroups: ["operator.karmada.io"]
+    resources: ["karmadas"] # to manage karmada instances
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["operator.karmada.io"]
+    resources: ["karmadas/status"] # to update the status subresource of karmada instances
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["events"] # allows karmada-operator to record events in the kubernetes api-server
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["nodes", "pods"] # list cluster nodes and pods to get node information and for health checks
+    verbs: ["list"]
+  - apiGroups: [""]
+    resources: ["namespaces"] # to get information about namespaces, and deploy resources into specific namespaces
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["secrets", "services"] # to manage secrets which might contain sensitive data like credentials and services to expose applications within the cluster
+    verbs: ["get", "create", "update", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["statefulsets", "deployments"] # to manage statefulsets, e.g. etcd, and deployments, e.g. karmada-operator
+    verbs: ["get", "create", "update", "delete"]
+  - nonResourceURLs: ["/healthz"] # used to check whether the karmada apiserver is health
+    verbs: ["get"]
diff --git a/operator/config/deploy/karmada-operator-clusterrolebinding.yaml b/operator/config/deploy/karmada-operator-clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: karmada-operator
+  labels:
+    karmada-app: karmada-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: karmada-operator
+subjects:
+  - kind: ServiceAccount
+    name: karmada-operator
+    namespace: karmada-system
diff --git a/operator/config/deploy/karmada-operator.yaml → ...g/deploy/karmada-operator-deployment.yaml b/operator/config/deploy/karmada-operator.yaml → ...g/deploy/karmada-operator-deployment.yaml
@@ -21,13 +21,10 @@ spec:
         imagePullPolicy: IfNotPresent
         command:
         - /bin/karmada-operator
-        - --kubeconfig=/etc/config
+        - --leader-elect-resource-namespace=karmada-system
         - --v=4
-        volumeMounts:
-        - name: kubeconfig
-          mountPath: /etc/config
-          subPath: config
-      volumes:
-      - name: kubeconfig
-        secret:
-          secretName: my-kubeconfig
+        ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP
+      serviceAccountName: karmada-operator
diff --git a/operator/config/deploy/karmada-operator-serviceaccount.yaml b/operator/config/deploy/karmada-operator-serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: karmada-operator
+  namespace: karmada-system
+  labels:
+    karmada-app: karmada-operator