From c1bef1b689beb7165b01e1e6b29193c886962f51 Mon Sep 17 00:00:00 2001
From: B1F030 <646337422@qq.com>
Date: Tue, 29 Oct 2024 16:39:06 +0800
Subject: [PATCH] minimize the rbac permissions for karmada-agent
Signed-off-by: B1F030 <646337422@qq.com>
---
.../deploy/bootstrap-token-configuration.yaml | 113 +++++++++++++-----
1 file changed, 86 insertions(+), 27 deletions(-)
diff --git a/artifacts/deploy/bootstrap-token-configuration.yaml b/artifacts/deploy/bootstrap-token-configuration.yaml
index a25fba7bb1f1..2fca0d1df73d 100644
--- a/artifacts/deploy/bootstrap-token-configuration.yaml
+++ b/artifacts/deploy/bootstrap-token-configuration.yaml
@@ -92,29 +92,28 @@ metadata:
name: system:karmada:agent
rules:
- apiGroups:
- - authentication.k8s.io
+ - cluster.karmada.io
resources:
- - tokenreviews
+ - clusters
verbs:
- - create
+ - list
+ - watch
- apiGroups:
- cluster.karmada.io
resources:
- clusters
+ # resourceNames:
+ # - {{clustername}}
verbs:
- create
- get
- - list
- - watch
- - patch
- - update
- - delete
- apiGroups:
- cluster.karmada.io
resources:
- clusters/status
+ # resourceNames:
+ # - {{clustername}}
verbs:
- - patch
- update
- apiGroups:
- work.karmada.io
@@ -140,7 +139,6 @@ rules:
- resourceinterpreterwebhookconfigurations
- resourceinterpretercustomizations
verbs:
- - get
- list
- watch
- apiGroups:
@@ -149,17 +147,15 @@ rules:
- namespaces
verbs:
- get
- - list
- - watch
- - create
- apiGroups:
- ""
resources:
- secrets
+ # resourceNames:
+ # - {{clustername}}-impersonator
+ # - {{clustername}}
verbs:
- get
- - list
- - watch
- create
- patch
- apiGroups:
@@ -168,9 +164,7 @@ rules:
- leases
verbs:
- create
- - delete
- get
- - patch
- update
- apiGroups:
- certificates.k8s.io
@@ -179,16 +173,6 @@ rules:
verbs:
- create
- get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- events
- verbs:
- create
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
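Review bot: In the first hunk (`@@ -92,29 +92,28 @@`) the `resourceNames` restriction on `clusters` and `clusters/status` is added only as a comment (`# resourceNames:` / `# - {{clustername}}`), so after this change the agent still has `create`/`get` on every Cluster object and `update` on every Cluster's status; the secrets rule in `@@ -149,17 +147,15 @@` carries the same inert comment. Nothing in this patch renders `{{clustername}}`, so if a later bootstrap step is expected to fill it in, that should be stated next to the comment, e.g. `# resourceNames is filled in per member cluster by <rendering step>; until then this rule is cluster-wide`. Note also that Kubernetes RBAC cannot restrict `create` by resource name (the object name is not known at authorization time), so even once enabled the restriction would narrow only `get`, `update` and `patch` — `create` on clusters and on secrets stays cluster-wide and should be weighed on its own.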
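Review bot: The `@@ -179,16 +173,6 @@` hunk drops the whole core `events` rule (`create`, `patch`, `update`), but nothing in the patch shows that karmada-agent stopped recording Events. If it still uses an event recorder, every emission will now be rejected with Forbidden; the controller keeps running, but the agent log and the API server audit log fill with denied requests, which is the kind of steady noise that masks a real authorization failure. Either confirm the agent no longer records Events, or keep `create` and `patch` on `events` with a comment naming the component that relies on them.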
@@ -203,3 +187,78 @@ subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
+
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: Role
+# metadata:
+# name: system:karmada:agent-secret
+# namespace: "{{cluster_namespace}}" # default to karmada-cluster
+# rules:
+# - apiGroups:
+# - ""
+# resources:
+# - secrets
+# # resourceNames:
+# # - {{clustername}}-impersonator
+# # - {{clustername}}
+# verbs:
+# - get
+# - create
+# - patch
+
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: RoleBinding
+# metadata:
+# name: system:karmada:agent-secret
+# namespace: "{{cluster_namespace}}" # default to karmada-cluster
+# roleRef:
+# apiGroup: rbac.authorization.k8s.io
+# kind: Role
+# name: system:karmada:agent-secret
+# subjects:
+# - apiGroup: rbac.authorization.k8s.io
+# kind: Group
+# name: system:nodes
+
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: Role
+# metadata:
+# name: system:karmada:agent-work
+# namespace: "karmada-es-{{clustername}}"
+# rules:
+# - apiGroups:
+# - work.karmada.io
+# resources:
+# - works
+# verbs:
+# - create
+# - get
+# - list
+# - watch
+# - update
+# - delete
+# - apiGroups:
+# - work.karmada.io
+# resources:
+# - works/status
+# verbs:
+# - patch
+# - update
+
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: RoleBinding
+# metadata:
+# name: system:karmada:agent-work
+# namespace: "karmada-es-{{clustername}}"
+# roleRef:
+# apiGroup: rbac.authorization.k8s.io
+# kind: Role
+# name: system:karmada:agent-work
+# subjects:
+# - apiGroup: rbac.authorization.k8s.io
+# kind: Group
+# name: system:nodes
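Review bot: The `@@ -203,3 +187,78 @@` hunk commits four fully commented-out Role/RoleBinding manifests with unrendered `{{cluster_namespace}}`/`{{clustername}}` placeholders into a deployed artifact, so they change nothing while the ClusterRole above still grants `get`/`create`/`patch` on secrets in every namespace. If per-cluster namespaced Roles are the intended end state, a comment at the top of the block should say what blocks enabling them, e.g. `# Disabled: the bootstrap flow does not yet render {{clustername}} per member cluster; the ClusterRole above carries these grants cluster-wide until it does`, or the block should move to a template that a rendering step consumes. The `agent-work` Role would confine `works` access to `karmada-es-{{clustername}}`; the cluster-wide `work.karmada.io` rule it presumably replaces starts at the end of the first hunk and its body is outside the visible hunks, so whether the two stay in sync cannot be checked here.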