djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/deploy/concierge/rbac.yaml

297 lines
9.1 KiB
YAML
Raw Normal View History

Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20
2021-01-08 21:22:31 +00:00
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
Upon pod startup, update the Status of CredentialIssuerConfig - Indicate the success or failure of the cluster signing key strategy - Also introduce the concept of "capabilities" of an integration test cluster to allow the integration tests to be run against clusters that do or don't allow the borrowing of the cluster signing key - Tests that are not expected to pass on clusters that lack the borrowing of the signing key capability are now ignored by calling the new library.SkipUnlessClusterHasCapability test helper - Rename library.Getenv to library.GetEnv - Add copyrights where they were missing
2020-08-25 01:07:34 +00:00
#! SPDX-License-Identifier: Apache-2.0
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
#@ load("@ytt:data", "data")
deploy: wire API group suffix through YTT templates I didn't advertise this feature in the deploy README's since (hopefully) not many people will want to use it? Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 22:23:06 +00:00
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix")
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers
2020-08-09 17:04:05 +00:00
#! Give permission to various cluster-scoped objects
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
labels: #@ labels()
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
rules:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ "" ]
resources: [ namespaces ]
verbs: [ get, list, watch ]
- apiGroups: [ apiregistration.k8s.io ]
resources: [ apiservices ]
Fix status related RBAC Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 23:02:18 +00:00
verbs: [ get, list, patch, update, watch ]
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ admissionregistration.k8s.io ]
resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
verbs: [ get, list, watch ]
deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations As of upgrading to Kubernetes 1.20, our aggregated API server nows runs some controllers for the two flowcontrol.apiserver.k8s.io resources in the title of this commit, so it needs RBAC to read them. This should get rid of the following error messages in our Concierge logs: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-05 13:19:12 +00:00
- apiGroups: [ flowcontrol.apiserver.k8s.io ]
resources: [ flowschemas, prioritylevelconfigurations ]
verbs: [ get, list, watch ]
Add nonroot SCC to work on OpenShift clusters
2020-11-18 22:08:45 +00:00
- apiGroups: [ security.openshift.io ]
resources: [ securitycontextconstraints ]
verbs: [ use ]
resourceNames: [ nonroot ]
Move starting/stopping impersonation proxy server to a new controller - Watch a configmap to read the configuration of the impersonation proxy and reconcile it. - Implements "auto" mode by querying the API for control plane nodes. - WIP: does not create a load balancer or proper TLS certificates yet. Those will come in future commits. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-12 01:22:47 +00:00
- apiGroups: [ "" ]
resources: [ nodes ]
verbs: [ list ]
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 18:59:32 +00:00
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
resources: [ credentialissuers ]
Fix status related RBAC Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 23:02:18 +00:00
verbs: [ get, list, watch, create ]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
resources: [ credentialissuers/status ]
Refactor kube-cert-agent controllers to use a Deployment. This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there. This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-20 19:55:28 +00:00
verbs: [ get, patch, update ]
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-09 18:59:32 +00:00
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
resources: [ jwtauthenticators, webhookauthenticators ]
verbs: [ get, list, watch ]
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
labels: #@ labels()
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
subjects:
- kind: ServiceAccount
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceName()
namespace: #@ namespace()
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
roleRef:
kind: ClusterRole
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
apiGroup: rbac.authorization.k8s.io
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers
2020-08-09 17:04:05 +00:00
impersonator: run as a distinct SA with minimal permissions This change updates the impersonation proxy code to run as a distinct service account that only has permission to impersonate identities. Thus any future vulnerability that causes the impersonation headers to be dropped will fail closed instead of escalating to the concierge's default service account which has significantly more permissions. Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-09 23:00:54 +00:00
#! Give minimal permissions to impersonation proxy service account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
labels: #@ labels()
rules:
- apiGroups: [ "" ]
resources: [ "users", "groups", "serviceaccounts" ]
verbs: [ "impersonate" ]
- apiGroups: [ "authentication.k8s.io" ]
resources: [ "*" ] #! What we really want is userextras/* but the RBAC authorizer only supports */subresource, not resource/*
verbs: [ "impersonate" ]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
labels: #@ labels()
subjects:
- kind: ServiceAccount
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
namespace: #@ namespace()
roleRef:
kind: ClusterRole
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
apiGroup: rbac.authorization.k8s.io
Split out kube-cert-agent service account and bindings. Followup on the previous comment to split apart the ServiceAccount of the kube-cert-agent and the main concierge pod. This is a bit cleaner and ensures that in testing our main Concierge pod never requires any privileged permissions. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-03 21:31:48 +00:00
#! Give permission to the kube-cert-agent Pod to run privileged.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
namespace: #@ namespace()
labels: #@ labels()
rules:
- apiGroups: [ policy ]
resources: [ podsecuritypolicies ]
verbs: [ use ]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
namespace: #@ namespace()
labels: #@ labels()
subjects:
- kind: ServiceAccount
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
namespace: #@ namespace()
roleRef:
kind: Role
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
apiGroup: rbac.authorization.k8s.io
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers
2020-08-09 17:04:05 +00:00
#! Give permission to various objects within the app's own namespace
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
namespace: #@ namespace()
labels: #@ labels()
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
rules:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ "" ]
resources: [ services ]
Add Service resource "delete" permission to Concierge RBAC - Because the impersonation proxy config controller needs to be able to delete the load balancer which it created Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-18 18:59:58 +00:00
verbs: [ create, get, list, patch, update, watch, delete ]
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ "" ]
resources: [ secrets ]
verbs: [ create, get, list, patch, update, watch, delete ]
Refactor kube-cert-agent controllers to use a Deployment. This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there. This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-20 19:55:28 +00:00
#! We need to be able to watch pods in our namespace so we can find the kube-cert-agent pods.
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ "" ]
resources: [ pods ]
Refactor kube-cert-agent controllers to use a Deployment. This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there. This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-20 19:55:28 +00:00
verbs: [ get, list, watch ]
Integration tests are passing ayooooooooooooooo
2020-09-23 16:47:04 +00:00
#! We need to be able to exec into pods in our namespace so we can grab the API server's private key
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ "" ]
resources: [ pods/exec ]
verbs: [ create ]
Add a new "legacy pod cleaner" controller. This controller is responsible for cleaning up kube-cert-agent pods that were deployed by previous versions. They are easily identified because they use a different `kube-cert-agent.pinniped.dev` label compared to the new agent pods (`true` vs. `v2`). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-20 19:56:43 +00:00
#! We need to be able to delete pods in our namespace so we can clean up legacy kube-cert-agent pods.
- apiGroups: [ "" ]
resources: [ pods ]
verbs: [ delete ]
Refactor kube-cert-agent controllers to use a Deployment. This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there. This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-20 19:55:28 +00:00
#! We need to be able to create and update deployments in our namespace so we can manage the kube-cert-agent Deployment.
- apiGroups: [ apps ]
resources: [ deployments ]
Improve the selectors of Deployments and Services Fixes #801. The solution is complicated by the fact that the Selector field of Deployments is immutable. It would have been easy to just make the Selectors of the main Concierge Deployment, the Kube cert agent Deployment, and the various Services use more specific labels, but that would break upgrades. Instead, we make the Pod template labels and the Service selectors more specific, because those not immutable, and then handle the Deployment selectors in a special way. For the main Concierge and Supervisor Deployments, we cannot change their selectors, so they remain "app: app_name", and we make other changes to ensure that only the intended pods are selected. We keep the original "app" label on those pods and remove the "app" label from the pods of the Kube cert agent Deployment. By removing it from the Kube cert agent pods, there is no longer any chance that they will accidentally get selected by the main Concierge Deployment. For the Kube cert agent Deployment, we can change the immutable selector by deleting and recreating the Deployment. The new selector uses only the unique label that has always been applied to the pods of that deployment. Upon recreation, these pods no longer have the "app" label, so they will not be selected by the main Concierge Deployment's selector. The selector of all Services have been updated to use new labels to more specifically target the intended pods. For the Concierge Services, this will prevent them from accidentally including the Kube cert agent pods. For the Supervisor Services, we follow the same convention just to be consistent and to help future-proof the Supervisor app in case it ever has a second Deployment added to it. The selector of the auto-created impersonation proxy Service was also previously using the "app" label. There is no change to this Service because that label will now select the correct pods, since the Kube cert agent pods no longer have that label. It would be possible to update that selector to use the new more specific label, but then we would need to invent a way to pass that label into the controller, so it seemed like more work than was justified.
2021-09-14 20:35:10 +00:00
verbs: [ create, get, list, patch, update, watch, delete ]
Refactor kube-cert-agent controllers to use a Deployment. This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there. This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-20 19:55:28 +00:00
#! We need to be able to get replicasets so we can form the correct owner references on our generated objects.
Move starting/stopping impersonation proxy server to a new controller - Watch a configmap to read the configuration of the impersonation proxy and reconcile it. - Implements "auto" mode by querying the API for control plane nodes. - WIP: does not create a load balancer or proper TLS certificates yet. Those will come in future commits. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-12 01:22:47 +00:00
- apiGroups: [ apps ]
Refactor kube-cert-agent controllers to use a Deployment. This is a relatively large rewrite of much of the kube-cert-agent controllers. Instead of managing raw Pod objects, they now create a single Deployment and let the builtin k8s controller handle it from there. This reduces the amount of code we need and should handle a number of edge cases better, especially those where a Pod becomes "wedged" and needs to be recreated. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-20 19:55:28 +00:00
resources: [ replicasets ]
Move starting/stopping impersonation proxy server to a new controller - Watch a configmap to read the configuration of the impersonation proxy and reconcile it. - Implements "auto" mode by querying the API for control plane nodes. - WIP: does not create a load balancer or proper TLS certificates yet. Those will come in future commits. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-12 01:22:47 +00:00
verbs: [ get ]
- apiGroups: [ "" ]
resources: [ configmaps ]
verbs: [ list, get, watch ]
Add leader election middleware Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-18 04:14:38 +00:00
- apiGroups: [ coordination.k8s.io ]
resources: [ leases ]
verbs: [ create, get, update ]
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
namespace: #@ namespace()
labels: #@ labels()
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
subjects:
- kind: ServiceAccount
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceName()
namespace: #@ namespace()
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
roleRef:
kind: Role
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
Add RBAC for autoregistration - Also fix mistakes in the deployment.yaml - Also hardcode the ownerRef kind and version because otherwise we get an error Signed-off-by: Monis Khan <mok@vmware.com>
2020-07-17 21:42:02 +00:00
apiGroup: rbac.authorization.k8s.io
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers
2020-08-09 17:04:05 +00:00
kubecertagent: get integration tests passing again Note: the non-kubecertagent integration tests are still failing :).
2020-09-22 15:38:13 +00:00
#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
namespace: kube-system
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
labels: #@ labels()
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
rules:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ "" ]
resources: [ pods ]
verbs: [ get, list, watch ]
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
namespace: kube-system
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
labels: #@ labels()
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
subjects:
- kind: ServiceAccount
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceName()
namespace: #@ namespace()
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
roleRef:
kind: Role
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
Switch back to an exec-based approach to grab the controller-manager CA. (#65) This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted. Signed-off-by: Matt Moyer <moyerm@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com>
2020-08-19 18:21:07 +00:00
apiGroup: rbac.authorization.k8s.io
Rename many of resources that are created in Kubernetes by Pinniped New resource naming conventions: - Do not repeat the Kind in the name, e.g. do not call it foo-cluster-role-binding, just call it foo - Names will generally start with a prefix to identify our component, so when a user lists all objects of that kind, they can tell to which component it is related, e.g. `kubectl get configmaps` would list one named "pinniped-config" - It should be possible for an operator to make the word "pinniped" mostly disappear if they choose, by specifying the app_name in values.yaml, to the extent that is practical (but not from APIService names because those are hardcoded in golang) - Each role/clusterrole and its corresponding binding have the same name - Pinniped resource names that must be known by the server golang code are passed to the code at run time via ConfigMap, rather than hardcoded in the golang code. This also allows them to be prepended with the app_name from values.yaml while creating the ConfigMap. - Since the CLI `get-kubeconfig` command cannot guess the name of the CredentialIssuerConfig resource in advance anymore, it lists all CredentialIssuerConfig in the app's namespace and returns an error if there is not exactly one found, and then uses that one regardless of its name
2020-09-18 22:56:50 +00:00
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
name: #@ defaultResourceNameWithSuffix("pre-authn-apis")
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
labels: #@ labels()
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
rules:
deploy: wire API group suffix through YTT templates I didn't advertise this feature in the deploy README's since (hopefully) not many people will want to use it? Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 22:23:06 +00:00
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("login.concierge")
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
resources: [ tokencredentialrequests ]
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
verbs: [ create, list ]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("identity.concierge")
resources: [ whoamirequests ]
verbs: [ create, list ]
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
name: #@ defaultResourceNameWithSuffix("pre-authn-apis")
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
labels: #@ labels()
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:unauthenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
Add WhoAmIRequest Aggregated Virtual REST API This change adds a new virtual aggregated API that can be used by any user to echo back who they are currently authenticated as. This has general utility to end users and can be used in tests to validate if authentication was successful. Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-19 18:21:10 +00:00
name: #@ defaultResourceNameWithSuffix("pre-authn-apis")
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
apiGroup: rbac.authorization.k8s.io
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers
2020-08-09 17:04:05 +00:00
#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceName()
labels: #@ labels()
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
subjects:
- kind: ServiceAccount
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceName()
namespace: #@ namespace()
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
roleRef:
kind: ClusterRole
name: system:auth-delegator
apiGroup: rbac.authorization.k8s.io
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers
2020-08-09 17:04:05 +00:00
#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader")
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
namespace: kube-system
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
labels: #@ labels()
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
subjects:
- kind: ServiceAccount
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceName()
namespace: #@ namespace()
Initial aggregated API server (#15) Add initial aggregated API server (squashed from a bunch of commits). Signed-off-by: Andrew Keesler <akeesler@vmware.com> Signed-off-by: Aram Price <pricear@vmware.com> Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-07-23 15:05:21 +00:00
roleRef:
kind: Role
name: extension-apiserver-authentication-reader
apiGroup: rbac.authorization.k8s.io
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers
2020-08-09 17:04:05 +00:00
#! Give permission to list and watch ConfigMaps in kube-public
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
namespace: kube-public
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
labels: #@ labels()
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
rules:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
- apiGroups: [ "" ]
resources: [ configmaps ]
verbs: [ list, watch ]
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
namespace: kube-public
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
labels: #@ labels()
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
subjects:
- kind: ServiceAccount
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceName()
namespace: #@ namespace()
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
roleRef:
kind: Role
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
WIP: start on publisher controller integration
2020-07-31 16:08:07 +00:00
apiGroup: rbac.authorization.k8s.io