ContainerImage.Pinniped/deploy/concierge/rbac.yaml

#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")

#! Give permission to various cluster-scoped objects
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  labels: #@ labels()
rules:
  - apiGroups: [ "" ]
    resources: [ namespaces ]
    verbs: [ get, list, watch ]
  - apiGroups: [ apiregistration.k8s.io ]
    resources: [ apiservices ]
    verbs: [ create, get, list, patch, update, watch ]
  - apiGroups: [ admissionregistration.k8s.io ]
    resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
    verbs: [ get, list, watch ]
  - apiGroups: [ policy ]
    resources: [ podsecuritypolicies ]
    verbs: [ use ]
  - apiGroups: [ security.openshift.io ]
    resources: [ securitycontextconstraints ]
    verbs: [ use ]
    resourceNames: [ nonroot ]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: ClusterRole
  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  apiGroup: rbac.authorization.k8s.io

#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  namespace: #@ namespace()
  labels: #@ labels()
rules:
  - apiGroups: [ "" ]
    resources: [ services ]
    verbs: [ create, get, list, patch, update, watch ]
  - apiGroups: [ "" ]
    resources: [ secrets ]
    verbs: [ create, get, list, patch, update, watch, delete ]
  #! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods.
  - apiGroups: [ "" ]
    resources: [ pods ]
    verbs: [ create, get, list, patch, update, watch, delete ]
  #! We need to be able to exec into pods in our namespace so we can grab the API server's private key
  - apiGroups: [ "" ]
    resources: [ pods/exec ]
    verbs: [ create ]
  - apiGroups: [ config.concierge.pinniped.dev, authentication.concierge.pinniped.dev ]
    resources: [ "*" ]
    verbs: [ create, get, list, update, watch ]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  namespace: #@ namespace()
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: Role
  name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
  apiGroup: rbac.authorization.k8s.io

#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
  namespace: kube-system
  labels: #@ labels()
rules:
  - apiGroups: [ "" ]
    resources: [ pods ]
    verbs: [ get, list, watch ]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
  namespace: kube-system
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: Role
  name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
  apiGroup: rbac.authorization.k8s.io

#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
  labels: #@ labels()
rules:
  - apiGroups: [ login.concierge.pinniped.dev ]
    resources: [ tokencredentialrequests ]
    verbs: [ create ]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
  labels: #@ labels()
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:unauthenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: #@ defaultResourceNameWithSuffix("create-token-credential-requests")
  apiGroup: rbac.authorization.k8s.io

#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceName()
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io

#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader")
  namespace: kube-system
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: Role
  name: extension-apiserver-authentication-reader
  apiGroup: rbac.authorization.k8s.io

#! Give permission to list and watch ConfigMaps in kube-public
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
  namespace: kube-public
  labels: #@ labels()
rules:
  - apiGroups: [ "" ]
    resources: [ configmaps ]
    verbs: [ list, watch ]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
  namespace: kube-public
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: Role
  name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
  apiGroup: rbac.authorization.k8s.io