diff --git a/.gitignore b/.gitignore
index 75a59e3a..512c31af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,7 @@ trusted-cluster-gen
 /bin
 /config/crd
 /config/deploy
-/config/rbac/role.yaml
+/config/rbac/base/role.yaml
 /lib/src/kopium
 /target
 bundle/manifests/
diff --git a/Makefile b/Makefile
index 85d8c009..f1ba8b44 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@
 .PHONY: all build build-tools crds-rs generate manifests cluster-up cluster-down image push install-trustee install clean fmt-check clippy lint test test-release release-tarball
 NAMESPACE ?= trusted-execution-clusters
+PLATFORM ?= kind
 KUBECTL=kubectl
@@ -41,10 +42,12 @@ reg-server: crds-rs
 	cargo build -p register-server
 CRD_YAML_PATH = config/crd
+RBAC_YAML_PATH = config/rbac/base
 API_PATH = api/v1alpha1
 generate: $(CONTROLLER_GEN)
 	$(CONTROLLER_GEN) rbac:roleName=trusted-cluster-operator-role crd webhook paths="./..." \
-		output:crd:artifacts:config=$(CRD_YAML_PATH)
+		output:crd:artifacts:config=$(CRD_YAML_PATH) \
+		output:rbac:artifacts:config=$(RBAC_YAML_PATH)
 RS_LIB_PATH = lib/src
 CRD_RS_PATH = $(RS_LIB_PATH)/kopium
@@ -132,10 +135,15 @@ endif
 	scripts/clean-cluster-kind.sh $(OPERATOR_IMAGE) $(COMPUTE_PCRS_IMAGE) $(REG_SERVER_IMAGE)
 	$(YQ) '.spec.publicTrusteeAddr = "$(TRUSTEE_ADDR):8080"' \
 		-i $(DEPLOY_PATH)/trusted_execution_cluster_cr.yaml
-	$(YQ) '.namespace = "$(NAMESPACE)"' -i config/rbac/kustomization.yaml
+	$(YQ) '.namespace = "$(NAMESPACE)"' -i config/rbac/base/kustomization.yaml
+	$(YQ) '.patches[0].patch = "- op: replace\n path: /metadata/name\n value: $(NAMESPACE)-manager-rolebinding"' -i config/rbac/base/kustomization.yaml
+	$(YQ) '.patches[1].patch = "- op: replace\n path: /metadata/name\n value: $(NAMESPACE)-metrics-auth-rolebinding"' -i config/rbac/base/kustomization.yaml
+	@if [ "$(PLATFORM)" = "openshift" ]; then \
+		$(YQ) '.patches[0].patch = "- op: replace\n path: /metadata/name\n value: $(NAMESPACE)-trusted-cluster-scc\n- op: replace\n path: /users/0\n value: system:serviceaccount:$(NAMESPACE):trusted-cluster-operator"' -i config/rbac/overlays/openshift/kustomization.yaml; \
+	fi
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/operator.yaml
 	$(KUBECTL) apply -f config/crd
-	$(KUBECTL) apply -k config/rbac
+	$(KUBECTL) apply -k config/rbac/overlays/$(PLATFORM)
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/trusted_execution_cluster_cr.yaml
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/approved_image_cr.yaml
 	$(KUBECTL) apply -f kind/register-forward.yaml
@@ -147,7 +155,7 @@ install-kubevirt:
 clean:
 	cargo clean
 	rm -rf bin manifests $(CRD_YAML_PATH) $(CRD_RS_PATH)
-	rm -f trusted-cluster-gen config/rbac/role.yaml .crates.toml .crates2.json
+	rm -f trusted-cluster-gen config/rbac/base/role.yaml .crates.toml .crates2.json
 fmt-check:
 	cargo fmt -- --check
diff --git a/api/v1alpha1/crds.go b/api/v1alpha1/crds.go
index 3aa20dcb..3d9a32b1 100644
--- a/api/v1alpha1/crds.go
+++ b/api/v1alpha1/crds.go
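Review bot: `$(KUBECTL) apply -k config/rbac/overlays/$(PLATFORM)` accepts any value, so a misspelled PLATFORM (constructed example: `PLATFORM=openshfit`) fails only at the kustomize step, after operator.yaml and the CRDs have already been applied and with the SCC patch inside the `@if` above silently skipped. Validate it once at parse time next to `PLATFORM ?= kind`: `$(if $(filter kind openshift,$(PLATFORM)),,$(error PLATFORM must be kind or openshift))`. The added `yq -i` lines extend the existing pattern of baking `$(NAMESPACE)` into tracked files, and they address the base patches by index, so reordering `patches:` in config/rbac/base/kustomization.yaml would rename the wrong ClusterRoleBinding; a comment on the `.patches[0]` line, `# index-based: must match the patches order in config/rbac/base/kustomization.yaml`, makes that coupling visible. The recipe's target header is above the hunk.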
@@ -25,16 +25,13 @@ var (
 	AddToScheme = SchemeBuilder.AddToScheme
 )
-// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;create;patch;update
-// +kubebuilder:rbac:groups="",resources=services,verbs=create
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=create
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;create;update
-// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;list;watch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters,verbs=list;watch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status,verbs=patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=machines,verbs=create;list;delete;watch;patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=approvedimages,verbs=get;list;watch;patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=approvedimages/status,verbs=patch
+// +kubebuilder:rbac:groups="",resources=configmaps;services;secrets,verbs=create;get;list;watch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters;machines;approvedimages,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/finalizers,verbs=update
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=machines/finalizers,verbs=update
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status;machines/status;approvedimages/status,verbs=get;patch;update
 // TrustedExecutionClusterSpec defines the desired state of TrustedExecutionCluster
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.publicTrusteeAddr) || has(self.publicTrusteeAddr)", message="Value is required once set"
diff --git a/config/rbac/approvedimage_admin_role.yaml b/config/rbac/base/approvedimage_admin_role.yaml
similarity index 100%
rename from config/rbac/approvedimage_admin_role.yaml
rename to config/rbac/base/approvedimage_admin_role.yaml
diff --git a/config/rbac/approvedimage_viewer_role.yaml b/config/rbac/base/approvedimage_viewer_role.yaml
similarity index 100%
rename from config/rbac/approvedimage_viewer_role.yaml
rename to config/rbac/base/approvedimage_viewer_role.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/base/kustomization.yaml
similarity index 80%
rename from config/rbac/kustomization.yaml
rename to config/rbac/base/kustomization.yaml
index caf9d9a8..0087df1a 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/base/kustomization.yaml
@@ -3,6 +3,21 @@
 # SPDX-License-Identifier: CC0-1.0
 namespace: trusted-execution-clusters
+patches:
+  - target:
+      kind: ClusterRoleBinding
+      name: manager-rolebinding
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-manager-rolebinding
+  - target:
+      kind: ClusterRoleBinding
+      name: metrics-auth-rolebinding
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-metrics-auth-rolebinding
 resources:
 # All RBAC will be applied under this service account in
 # the deployment namespace. You may comment out this resource
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/base/leader_election_role.yaml
similarity index 100%
rename from config/rbac/leader_election_role.yaml
rename to config/rbac/base/leader_election_role.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/base/leader_election_role_binding.yaml
similarity index 100%
rename from config/rbac/leader_election_role_binding.yaml
rename to config/rbac/base/leader_election_role_binding.yaml
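Review bot: The new configmaps marker drops `patch` and `update`, which the removed line granted (`get;create;patch;update`); if any reconciler still patches or updates a ConfigMap it will now be denied at runtime, and because this commit gitignores the generated `config/rbac/base/role.yaml` these markers are the only place the effective ClusterRole can be reviewed. In the other direction the merged lines grant far more than before: secrets go from `create` to `create;get;list;watch`, services gain `get;list;watch`, deployments and jobs gain `delete` and `patch`, and the three CRDs get the full verb set including `delete`. Since `roleName=trusted-cluster-operator-role` is bound through the `manager-rolebinding` ClusterRoleBinding (see the kustomization hunk below), `list;watch` on `secrets` is read access to every Secret in the cluster, which is the grant most worth keeping minimal. Unless the controllers now actually read Secrets, keep them on their own marker, `// +kubebuilder:rbac:groups="",resources=secrets,verbs=create`, restore the ConfigMap verbs the code uses, and pare the remaining lines back to the verbs the reconcilers call; a one-line comment above the block, `// RBAC markers: this role is cluster-scoped, grant only the verbs the reconcilers use`, would help keep it that way.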
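Review bot: `NAMESPACE-manager-rolebinding` and `NAMESPACE-metrics-auth-rolebinding` are literal placeholders that the Makefile's install recipe rewrites with `yq`, not something kustomize substitutes, so `kubectl apply -k` run directly on this directory (or on `config/rbac/overlays/kind`, which only references it) creates ClusterRoleBindings literally named `NAMESPACE-…`. Nothing in the file says so; a comment above `patches:`, `# NAMESPACE is a placeholder rewritten by the Makefile install target; do not apply this directory directly`, would prevent that. The same applies to the `NAMESPACE-trusted-cluster-scc` and `system:serviceaccount:NAMESPACE:trusted-cluster-operator` values in the new config/rbac/overlays/openshift/kustomization.yaml.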
diff --git a/config/rbac/machine_admin_role.yaml b/config/rbac/base/machine_admin_role.yaml
similarity index 100%
rename from config/rbac/machine_admin_role.yaml
rename to config/rbac/base/machine_admin_role.yaml
diff --git a/config/rbac/machine_viewer_role.yaml b/config/rbac/base/machine_viewer_role.yaml
similarity index 100%
rename from config/rbac/machine_viewer_role.yaml
rename to config/rbac/base/machine_viewer_role.yaml
diff --git a/config/rbac/metrics_auth_role.yaml b/config/rbac/base/metrics_auth_role.yaml
similarity index 100%
rename from config/rbac/metrics_auth_role.yaml
rename to config/rbac/base/metrics_auth_role.yaml
diff --git a/config/rbac/metrics_auth_role_binding.yaml b/config/rbac/base/metrics_auth_role_binding.yaml
similarity index 100%
rename from config/rbac/metrics_auth_role_binding.yaml
rename to config/rbac/base/metrics_auth_role_binding.yaml
diff --git a/config/rbac/metrics_reader_role.yaml b/config/rbac/base/metrics_reader_role.yaml
similarity index 100%
rename from config/rbac/metrics_reader_role.yaml
rename to config/rbac/base/metrics_reader_role.yaml
diff --git a/config/rbac/role_binding.yaml b/config/rbac/base/role_binding.yaml
similarity index 100%
rename from config/rbac/role_binding.yaml
rename to config/rbac/base/role_binding.yaml
diff --git a/config/rbac/service_account.yaml b/config/rbac/base/service_account.yaml
similarity index 100%
rename from config/rbac/service_account.yaml
rename to config/rbac/base/service_account.yaml
diff --git a/config/rbac/trustedexecutioncluster_admin_role.yaml b/config/rbac/base/trustedexecutioncluster_admin_role.yaml
similarity index 100%
rename from config/rbac/trustedexecutioncluster_admin_role.yaml
rename to config/rbac/base/trustedexecutioncluster_admin_role.yaml
diff --git a/config/rbac/trustedexecutioncluster_editor_role.yaml b/config/rbac/base/trustedexecutioncluster_editor_role.yaml
similarity index 100%
rename from config/rbac/trustedexecutioncluster_editor_role.yaml
rename to config/rbac/base/trustedexecutioncluster_editor_role.yaml
diff --git a/config/rbac/trustedexecutioncluster_viewer_role.yaml b/config/rbac/base/trustedexecutioncluster_viewer_role.yaml
similarity index 100%
rename from config/rbac/trustedexecutioncluster_viewer_role.yaml
rename to config/rbac/base/trustedexecutioncluster_viewer_role.yaml
diff --git a/config/rbac/overlays/kind/kustomization.yaml b/config/rbac/overlays/kind/kustomization.yaml
new file mode 100644
index 00000000..5a3fc92a
--- /dev/null
+++ b/config/rbac/overlays/kind/kustomization.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: Yalan Zhang
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Kustomize overlay for Kind clusters
+# This uses the base RBAC configuration without OpenShift-specific resources
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
diff --git a/config/rbac/overlays/openshift/kustomization.yaml b/config/rbac/overlays/openshift/kustomization.yaml
new file mode 100644
index 00000000..080ddfb5
--- /dev/null
+++ b/config/rbac/overlays/openshift/kustomization.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: Yalan Zhang
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Kustomize overlay for OpenShift clusters
+# This extends the base RBAC configuration with OpenShift-specific resources
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+  - scc.yaml
+
+patches:
+  - target:
+      kind: SecurityContextConstraints
+      name: trusted-cluster-scc
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-trusted-cluster-scc
+      - op: replace
+        path: /users/0
+        value: system:serviceaccount:NAMESPACE:trusted-cluster-operator
diff --git a/config/rbac/overlays/openshift/scc.yaml b/config/rbac/overlays/openshift/scc.yaml
new file mode 100644
index 00000000..20e27b88
--- /dev/null
+++ b/config/rbac/overlays/openshift/scc.yaml
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: Yalan Zhang
+#
+# SPDX-License-Identifier: CC0-1.0
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: trusted-cluster-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowPrivilegeEscalation: false
+allowedCapabilities: []
+defaultAddCapabilities: []
+fsGroup:
+  type: RunAsAny
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- image
+- projected
+- secret
+users:
+- system:serviceaccount:trusted-execution-clusters:trusted-cluster-operator
diff --git a/test_utils/src/lib.rs b/test_utils/src/lib.rs
index 9aca4b19..a00459fa 100644
--- a/test_utils/src/lib.rs
+++ b/test_utils/src/lib.rs
@@ -353,7 +353,7 @@ impl TestContext {
         test_info!(&self.test_name, "Preparing RBAC manifests");
-        let sa_src = workspace_root.join("config/rbac/service_account.yaml");
+        let sa_src = workspace_root.join("config/rbac/base/service_account.yaml");
         let sa_content = std::fs::read_to_string(&sa_src)?
             .replace("namespace: system", &format!("namespace: {}", ns));
         let sa_dst = rbac_temp_dir.join("service_account.yaml");
@@ -366,7 +366,7 @@ impl TestContext {
         );
         std::fs::write(&role_path, role_content)?;
-        let rb_src = workspace_root.join("config/rbac/role_binding.yaml");
+        let rb_src = workspace_root.join("config/rbac/base/role_binding.yaml");
         let rb_content = std::fs::read_to_string(&rb_src)?
             .replace(
                 "name: manager-rolebinding",
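Review bot: `runAsUser: type: RunAsAny` (together with `RunAsAny` for `fsGroup` and `supplementalGroups`) lets pods admitted under this SCC run as UID 0, which is the main guarantee OpenShift's default restricted SCCs provide and this one gives up; `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]` limit what a root process can do but do not restore it. If the operator's pods do not need a fixed UID, `type: MustRunAsRange` (or `MustRunAsNonRoot`) keeps the namespace-assigned UID; if they do, `MustRunAs` with that specific `uid` is still narrower than `RunAsAny`. `priority: 10` also makes this SCC preferred over the defaults for the listed service account, so whatever it permits is what the operator pods actually get — worth a one-line comment such as `# priority 10: preferred over the default SCCs for the service account under users`. The `users` entry is rewritten by index (`/users/0`) in the openshift overlay, so a comment on `users:` saying the operator service account must stay first would keep the two files in step.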
@@ -380,13 +380,13 @@ impl TestContext {
         let rb_dst = rbac_temp_dir.join("role_binding.yaml");
         std::fs::write(&rb_dst, rb_content)?;
-        let le_role_src = workspace_root.join("config/rbac/leader_election_role.yaml");
+        let le_role_src = workspace_root.join("config/rbac/base/leader_election_role.yaml");
         let le_role_content = std::fs::read_to_string(&le_role_src)?
             .replace("namespace: system", &format!("namespace: {}", ns));
         let le_role_dst = rbac_temp_dir.join("leader_election_role.yaml");
         std::fs::write(&le_role_dst, le_role_content)?;
-        let le_rb_src = workspace_root.join("config/rbac/leader_election_role_binding.yaml");
+        let le_rb_src = workspace_root.join("config/rbac/base/leader_election_role_binding.yaml");
         let le_rb_content = std::fs::read_to_string(&le_rb_src)?
             .replace("namespace: system", &format!("namespace: {}", ns));
         let le_rb_dst = rbac_temp_dir.join("leader_election_role_binding.yaml");