#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") #@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix") #! Give permission to various cluster-scoped objects --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: #@ defaultResourceNameWithSuffix("aggregated-api-server") labels: #@ labels() rules: - apiGroups: [ "" ] resources: [ namespaces ] verbs: [ get, list, watch ] - apiGroups: [ apiregistration.k8s.io ] resources: [ apiservices ] verbs: [ get, list, patch, update, watch ] - apiGroups: [ admissionregistration.k8s.io ] resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ] verbs: [ get, list, watch ] - apiGroups: [ flowcontrol.apiserver.k8s.io ] resources: [ flowschemas, prioritylevelconfigurations ] verbs: [ get, list, watch ] - apiGroups: [ policy ] resources: [ podsecuritypolicies ] verbs: [ use ] - apiGroups: [ security.openshift.io ] resources: [ securitycontextconstraints ] verbs: [ use ] resourceNames: [ nonroot ] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("config.concierge") resources: [ credentialissuers ] verbs: [ get, list, watch, create ] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("config.concierge") resources: [ credentialissuers/status ] verbs: [get, patch, update] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge") resources: [ jwtauthenticators, webhookauthenticators ] verbs: [ get, list, watch ] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("aggregated-api-server") labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: ClusterRole name: #@ defaultResourceNameWithSuffix("aggregated-api-server") apiGroup: rbac.authorization.k8s.io #! Give permission to various objects within the app's own namespace --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: #@ defaultResourceNameWithSuffix("aggregated-api-server") namespace: #@ namespace() labels: #@ labels() rules: - apiGroups: [ "" ] resources: [ services ] verbs: [ create, get, list, patch, update, watch ] - apiGroups: [ "" ] resources: [ secrets ] verbs: [ create, get, list, patch, update, watch, delete ] #! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods. - apiGroups: [ "" ] resources: [ pods ] verbs: [ create, get, list, patch, update, watch, delete ] #! We need to be able to exec into pods in our namespace so we can grab the API server's private key - apiGroups: [ "" ] resources: [ pods/exec ] verbs: [ create ] - apiGroups: [apps] resources: [replicasets,deployments] verbs: [get] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("aggregated-api-server") namespace: #@ namespace() labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: Role name: #@ defaultResourceNameWithSuffix("aggregated-api-server") apiGroup: rbac.authorization.k8s.io #! Give permission to read pods in the kube-system namespace so we can find the API server's private key --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: #@ defaultResourceNameWithSuffix("kube-system-pod-read") namespace: kube-system labels: #@ labels() rules: - apiGroups: [ "" ] resources: [ pods ] verbs: [ get, list, watch ] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("kube-system-pod-read") namespace: kube-system labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: Role name: #@ defaultResourceNameWithSuffix("kube-system-pod-read") apiGroup: rbac.authorization.k8s.io #! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests) --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: #@ defaultResourceNameWithSuffix("create-token-credential-requests") labels: #@ labels() rules: - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("login.concierge") resources: [ tokencredentialrequests ] verbs: [ create ] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("create-token-credential-requests") labels: #@ labels() subjects: - kind: Group name: system:authenticated apiGroup: rbac.authorization.k8s.io - kind: Group name: system:unauthenticated apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: #@ defaultResourceNameWithSuffix("create-token-credential-requests") apiGroup: rbac.authorization.k8s.io #! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceName() labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: ClusterRole name: system:auth-delegator apiGroup: rbac.authorization.k8s.io #! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader") namespace: kube-system labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: Role name: extension-apiserver-authentication-reader apiGroup: rbac.authorization.k8s.io #! Give permission to list and watch ConfigMaps in kube-public --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") namespace: kube-public labels: #@ labels() rules: - apiGroups: [ "" ] resources: [ configmaps ] verbs: [ list, watch ] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") namespace: kube-public labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: Role name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") apiGroup: rbac.authorization.k8s.io