cec9f3c4d7
Fixes #801. The solution is complicated by the fact that the Selector field of Deployments is immutable. It would have been easy to just make the Selectors of the main Concierge Deployment, the Kube cert agent Deployment, and the various Services use more specific labels, but that would break upgrades. Instead, we make the Pod template labels and the Service selectors more specific, because those not immutable, and then handle the Deployment selectors in a special way. For the main Concierge and Supervisor Deployments, we cannot change their selectors, so they remain "app: app_name", and we make other changes to ensure that only the intended pods are selected. We keep the original "app" label on those pods and remove the "app" label from the pods of the Kube cert agent Deployment. By removing it from the Kube cert agent pods, there is no longer any chance that they will accidentally get selected by the main Concierge Deployment. For the Kube cert agent Deployment, we can change the immutable selector by deleting and recreating the Deployment. The new selector uses only the unique label that has always been applied to the pods of that deployment. Upon recreation, these pods no longer have the "app" label, so they will not be selected by the main Concierge Deployment's selector. The selector of all Services have been updated to use new labels to more specifically target the intended pods. For the Concierge Services, this will prevent them from accidentally including the Kube cert agent pods. For the Supervisor Services, we follow the same convention just to be consistent and to help future-proof the Supervisor app in case it ever has a second Deployment added to it. The selector of the auto-created impersonation proxy Service was also previously using the "app" label. There is no change to this Service because that label will now select the correct pods, since the Kube cert agent pods no longer have that label. It would be possible to update that selector to use the new more specific label, but then we would need to invent a way to pass that label into the controller, so it seemed like more work than was justified.
297 lines
9.1 KiB
YAML
297 lines
9.1 KiB
YAML
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
#! SPDX-License-Identifier: Apache-2.0
|
|
|
|
#@ load("@ytt:data", "data")
|
|
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix")
|
|
|
|
#! Give permission to various cluster-scoped objects
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ namespaces ]
|
|
verbs: [ get, list, watch ]
|
|
- apiGroups: [ apiregistration.k8s.io ]
|
|
resources: [ apiservices ]
|
|
verbs: [ get, list, patch, update, watch ]
|
|
- apiGroups: [ admissionregistration.k8s.io ]
|
|
resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
|
|
verbs: [ get, list, watch ]
|
|
- apiGroups: [ flowcontrol.apiserver.k8s.io ]
|
|
resources: [ flowschemas, prioritylevelconfigurations ]
|
|
verbs: [ get, list, watch ]
|
|
- apiGroups: [ security.openshift.io ]
|
|
resources: [ securitycontextconstraints ]
|
|
verbs: [ use ]
|
|
resourceNames: [ nonroot ]
|
|
- apiGroups: [ "" ]
|
|
resources: [ nodes ]
|
|
verbs: [ list ]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
|
|
resources: [ credentialissuers ]
|
|
verbs: [ get, list, watch, create ]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("config.concierge")
|
|
resources: [ credentialissuers/status ]
|
|
verbs: [ get, patch, update ]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
|
|
resources: [ jwtauthenticators, webhookauthenticators ]
|
|
verbs: [ get, list, watch ]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give minimal permissions to impersonation proxy service account
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ "users", "groups", "serviceaccounts" ]
|
|
verbs: [ "impersonate" ]
|
|
- apiGroups: [ "authentication.k8s.io" ]
|
|
resources: [ "*" ] #! What we really want is userextras/* but the RBAC authorizer only supports */subresource, not resource/*
|
|
verbs: [ "impersonate" ]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to the kube-cert-agent Pod to run privileged.
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ policy ]
|
|
resources: [ podsecuritypolicies ]
|
|
verbs: [ use ]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to various objects within the app's own namespace
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ services ]
|
|
verbs: [ create, get, list, patch, update, watch, delete ]
|
|
- apiGroups: [ "" ]
|
|
resources: [ secrets ]
|
|
verbs: [ create, get, list, patch, update, watch, delete ]
|
|
#! We need to be able to watch pods in our namespace so we can find the kube-cert-agent pods.
|
|
- apiGroups: [ "" ]
|
|
resources: [ pods ]
|
|
verbs: [ get, list, watch ]
|
|
#! We need to be able to exec into pods in our namespace so we can grab the API server's private key
|
|
- apiGroups: [ "" ]
|
|
resources: [ pods/exec ]
|
|
verbs: [ create ]
|
|
#! We need to be able to delete pods in our namespace so we can clean up legacy kube-cert-agent pods.
|
|
- apiGroups: [ "" ]
|
|
resources: [ pods ]
|
|
verbs: [ delete ]
|
|
#! We need to be able to create and update deployments in our namespace so we can manage the kube-cert-agent Deployment.
|
|
- apiGroups: [ apps ]
|
|
resources: [ deployments ]
|
|
verbs: [ create, get, list, patch, update, watch, delete ]
|
|
#! We need to be able to get replicasets so we can form the correct owner references on our generated objects.
|
|
- apiGroups: [ apps ]
|
|
resources: [ replicasets ]
|
|
verbs: [ get ]
|
|
- apiGroups: [ "" ]
|
|
resources: [ configmaps ]
|
|
verbs: [ list, get, watch ]
|
|
- apiGroups: [ coordination.k8s.io ]
|
|
resources: [ leases ]
|
|
verbs: [ create, get, update ]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
|
|
namespace: kube-system
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ pods ]
|
|
verbs: [ get, list, watch ]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
|
|
namespace: kube-system
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ defaultResourceNameWithSuffix("kube-system-pod-read")
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("pre-authn-apis")
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("login.concierge")
|
|
resources: [ tokencredentialrequests ]
|
|
verbs: [ create, list ]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("identity.concierge")
|
|
resources: [ whoamirequests ]
|
|
verbs: [ create, list ]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("pre-authn-apis")
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: Group
|
|
name: system:authenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
- kind: Group
|
|
name: system:unauthenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ defaultResourceNameWithSuffix("pre-authn-apis")
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceName()
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: system:auth-delegator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader")
|
|
namespace: kube-system
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: extension-apiserver-authentication-reader
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to list and watch ConfigMaps in kube-public
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
|
|
namespace: kube-public
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ configmaps ]
|
|
verbs: [ list, watch ]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
|
|
namespace: kube-public
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
|
|
apiGroup: rbac.authorization.k8s.io
|