minimize the RBAC permissions for the pull mode cluster

artifacts/deploy/bootstrap-token-configuration.yaml

@@ -86,269 +86,27 @@ subjects:
   name: system:nodes
 
 ---
+# ClusterRole is not used for the connection between the karmada-agent and the control plane,
+# but is used by karmadactl register to generate the RBAC resources required by the karmada-agent.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: system:karmada:agent
 rules:
-- apiGroups:
-  - cluster.karmada.io
-  resources:
-  - clusters
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - cluster.karmada.io
-  resources:
-  - clusters/status
-  verbs:
-  - update
-- apiGroups:
-  - work.karmada.io
-  resources:
-  - works
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - delete
-- apiGroups:
-  - work.karmada.io
-  resources:
-  - works/status
-  verbs:
-  - patch
-  - update
-- apiGroups:
-  - config.karmada.io
-  resources:
-  - resourceinterpreterwebhookconfigurations
-  - resourceinterpretercustomizations
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
-  - patch
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - get
-  - update
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - create
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-  - update
+  - apiGroups: ['*']
+    resources: ['*']
+    verbs: ['*']
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:karmada:agent
+  name: system:karmada:agent-rbac-generator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:karmada:agent
 subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: system:nodes
-
-# To ensure the agent has the minimal RBAC permissions, the ideal approach is to
-# use different RBAC configurations for different agents of member clusters with pull mode.
-# Below is the minimal set of RBAC permissions required for a single pull mode member cluster.
-# Here are the definitions of the variables used:
-#
-# - clustername: the name of the member cluster.
-# - cluster_namespace: the namespace where the member cluster secrets are stored, default to karmada-cluster.
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRole
-# metadata:
-#   name: system:karmada:agent
-# rules:
-# - apiGroups:
-#   - cluster.karmada.io
-#   resources:
-#   - clusters
-#   resourceNames:
-#   - {{clustername}}
-#   verbs:
-#   - create
-#   - get
-#   - delete
-# - apiGroups:
-#   - cluster.karmada.io
-#   resources:
-#   - clusters
-#   verbs:
-#   - list
-#   - watch
-# - apiGroups:
-#   - cluster.karmada.io
-#   resources:
-#   - clusters/status
-#   resourceNames:
-#   - {{clustername}}
-#   verbs:
-#   - update
-# - apiGroups:
-#   - config.karmada.io
-#   resources:
-#   - resourceinterpreterwebhookconfigurations
-#   - resourceinterpretercustomizations
-#   verbs:
-#   - get
-#   - list
-#   - watch
-# - apiGroups:
-#   - ""
-#   resources:
-#   - namespaces
-#   verbs:
-#   - get
-# - apiGroups:
-#   - coordination.k8s.io
-#   resources:
-#   - leases
-#   verbs:
-#   - create
-#   - get
-#   - update
-# - apiGroups:
-#   - certificates.k8s.io
-#   resources:
-#   - certificatesigningrequests
-#   verbs:
-#   - create
-#   - get
-# - apiGroups:
-#   - ""
-#   resources:
-#   - events
-#   verbs:
-#   - create
-#   - patch
-#   - update
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: system:karmada:agent
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: system:karmada:agent
-# subjects:
-# - apiGroup: rbac.authorization.k8s.io
-#   kind: Group
-#   name: system:nodes
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: Role
-# metadata:
-#   name: system:karmada:agent-secret
-#   namespace: "{{cluster_namespace}}"
-# rules:
-# - apiGroups:
-#   - ""
-#   resources:
-#   - secrets
-#   resourceNames:
-#   - {{clustername}}-impersonator
-#   - {{clustername}}
-#   verbs:
-#   - get
-#   - create
-#   - patch
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: RoleBinding
-# metadata:
-#   name: system:karmada:agent-secret
-#   namespace: "{{cluster_namespace}}"
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: Role
-#   name: system:karmada:agent-secret
-# subjects:
-# - apiGroup: rbac.authorization.k8s.io
-#   kind: Group
-#   name: system:nodes
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: Role
-# metadata:
-#   name: system:karmada:agent-work
-#   namespace: "karmada-es-{{clustername}}"
-# rules:
-# - apiGroups:
-#   - work.karmada.io
-#   resources:
-#   - works
-#   verbs:
-#   - create
-#   - get
-#   - list
-#   - watch
-#   - update
-#   - delete
-# - apiGroups:
-#   - work.karmada.io
-#   resources:
-#   - works/status
-#   verbs:
-#   - patch
-#   - update
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: RoleBinding
-# metadata:
-#   name: system:karmada:agent-work
-#   namespace: "karmada-es-{{clustername}}"
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: Role
-#   name: system:karmada:agent-work
-# subjects:
-# - apiGroup: rbac.authorization.k8s.io
-#   kind: Group
-#   name: system:nodes
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:node:agent-rbac-generator

pkg/karmadactl/cmdinit/karmada/deploy.go

@@ -185,8 +185,8 @@ func createExtraResources(clientSet *kubernetes.Clientset, dir string) error {
 		return fmt.Errorf("error creating clusterinfo RBAC rules: %v", err)
 	}
 
-	// grant limited access permission to 'karmada-agent'
-	if err := grantAccessPermissionToAgent(clientSet); err != nil {
+	// grant access permission to 'karmada-agent-rbac-generator'
+	if err := grantAccessPermissionToAgentRBACGenerator(clientSet); err != nil {
 		return err
 	}
 

pkg/karmadactl/cmdinit/karmada/rbac.go

@@ -26,10 +26,11 @@ import (
 )
 
 const (
-	karmadaViewClusterRole        = "karmada-view"
-	karmadaEditClusterRole        = "karmada-edit"
-	karmadaAgentAccessClusterRole = "system:karmada:agent"
-	karmadaAgentGroup             = "system:nodes"
+	karmadaViewClusterRole                      = "karmada-view"
+	karmadaEditClusterRole                      = "karmada-edit"
+	karmadaAgentRBACGeneratorClusterRole        = "system:karmada:agent"
+	karmadaAgentRBACGeneratorClusterRoleBinding = "system:karmada:agent-rbac-generator"
+	agentRBACGenerator                          = "system:node:agent-rbac-generator"
 )
 
 // grantProxyPermissionToAdmin grants the proxy permission to "system:admin"
@@ -62,78 +63,28 @@ func grantProxyPermissionToAdmin(clientSet kubernetes.Interface) error {
 	return nil
 }
 
-// grantAccessPermissionToAgent grants the limited access permission to 'karmada-agent'
-func grantAccessPermissionToAgent(clientSet kubernetes.Interface) error {
-	clusterRole := utils.ClusterRoleFromRules(karmadaAgentAccessClusterRole, []rbacv1.PolicyRule{
+// grantAccessPermissionToAgentRBACGenerator grants the access permission to 'karmada-agent-rbac-generator'
+func grantAccessPermissionToAgentRBACGenerator(clientSet kubernetes.Interface) error {
+	clusterRole := utils.ClusterRoleFromRules(karmadaAgentRBACGeneratorClusterRole, []rbacv1.PolicyRule{
 		{
-			APIGroups: []string{"authentication.k8s.io"},
-			Resources: []string{"tokenreviews"},
-			Verbs:     []string{"create"},
-		},
-		{
-			APIGroups: []string{"cluster.karmada.io"},
-			Resources: []string{"clusters"},
-			Verbs:     []string{"create", "get", "list", "watch", "patch", "update", "delete"},
-		},
-		{
-			APIGroups: []string{"cluster.karmada.io"},
-			Resources: []string{"clusters/status"},
-			Verbs:     []string{"patch", "update"},
-		},
-		{
-			APIGroups: []string{"work.karmada.io"},
-			Resources: []string{"works"},
-			Verbs:     []string{"create", "get", "list", "watch", "update", "delete"},
-		},
-		{
-			APIGroups: []string{"work.karmada.io"},
-			Resources: []string{"works/status"},
-			Verbs:     []string{"patch", "update"},
-		},
-		{
-			APIGroups: []string{"config.karmada.io"},
-			Resources: []string{"resourceinterpreterwebhookconfigurations", "resourceinterpretercustomizations"},
-			Verbs:     []string{"get", "list", "watch"},
-		},
-		{
-			APIGroups: []string{""},
-			Resources: []string{"namespaces"},
-			Verbs:     []string{"get", "list", "watch", "create"},
-		},
-		{
-			APIGroups: []string{""},
-			Resources: []string{"secrets"},
-			Verbs:     []string{"get", "list", "watch", "create", "patch"},
-		},
-		{
-			APIGroups: []string{"coordination.k8s.io"},
-			Resources: []string{"leases"},
-			Verbs:     []string{"create", "delete", "get", "patch", "update"},
-		},
-		{
-			APIGroups: []string{"certificates.k8s.io"},
-			Resources: []string{"certificatesigningrequests"},
-			Verbs:     []string{"create", "get", "list", "watch"},
-		},
-		{
-			APIGroups: []string{""},
-			Resources: []string{"events"},
-			Verbs:     []string{"create", "patch", "update"},
+			APIGroups: []string{"*"},
+			Resources: []string{"*"},
+			Verbs:     []string{"*"},
 		},
 	}, nil, nil)
 	err := cmdutil.CreateOrUpdateClusterRole(clientSet, clusterRole)
 	if err != nil {
 		return err
 	}
 
-	clusterRoleBinding := utils.ClusterRoleBindingFromSubjects(karmadaAgentAccessClusterRole, karmadaAgentAccessClusterRole,
+	clusterRoleBinding := utils.ClusterRoleBindingFromSubjects(karmadaAgentRBACGeneratorClusterRoleBinding, karmadaAgentRBACGeneratorClusterRole,
 		[]rbacv1.Subject{
 			{
-				Kind: rbacv1.GroupKind,
-				Name: karmadaAgentGroup,
+				Kind: rbacv1.UserKind,
+				Name: agentRBACGenerator,
 			}}, nil)
 
-	klog.V(1).Info("Grant the limited access permission to 'karmada-agent'")
+	klog.V(1).Info("Grant the access permission to 'karmada-agent-rbac-generator'")
 	err = cmdutil.CreateOrUpdateClusterRoleBinding(clientSet, clusterRoleBinding)
 	if err != nil {
 		return err