
Adding permissions for "nodes" resources to the helm chart (#2091) #2093

Merged


kky-fury
Contributor

@kky-fury kky-fury commented Jul 3, 2024

Description

These changes add get, watch, and list permissions to the fdb-operator helm chart. These permissions are required to detect taints on nodes and enable the rotation of FDB cluster pods when taintReplacementOptions are used.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Testing

We tested these changes on our various Kubernetes clusters.

@kky-fury
Contributor Author

I updated the files; can you please take a look? Please find below the generated Helm template.

Helm Template Output
---
# Source: fdb-operator/templates/rbac/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
---
# Source: fdb-operator/templates/rbac/rbac_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fdb-operator-clusterrole
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - watch
  - list
---
# Source: fdb-operator/templates/rbac/rbac_role_binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fdb-operator-clusterrolebinding
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fdb-operator-clusterrole
subjects:
- kind: ServiceAccount
  name: fdb-operator
---
# Source: fdb-operator/templates/rbac/rbac_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  - persistentvolumeclaims
  - events
  verbs:
  - get
  - watch
  - list
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps.foundationdb.org
  resources:
  - foundationdbclusters
  - foundationdbbackups
  - foundationdbrestores
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps.foundationdb.org
  resources:
  - foundationdbclusters/status
  - foundationdbbackups/status
  - foundationdbrestores/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Source: fdb-operator/templates/rbac/rbac_role_binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: fdb-operator
subjects:
- kind: ServiceAccount
  name: fdb-operator
---
# Source: fdb-operator/templates/manager/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: fdb-operator
      app.kubernetes.io/instance: fdb-operator
  template:
    metadata:
      labels:
        app.kubernetes.io/name: fdb-operator
        app.kubernetes.io/instance: fdb-operator
    spec:
      serviceAccountName: fdb-operator
      securityContext:
        fsGroup: 4059
        runAsGroup: 4059
        runAsUser: 4059
      terminationGracePeriodSeconds: 10
      initContainers:
      - name: foundationdb-kubernetes-init-6-2
        image: foundationdb/foundationdb-kubernetes-sidecar:6.2.30-1
        imagePullPolicy: IfNotPresent
        args:
        - "--copy-library"
        - "6.2"
        - "--copy-binary"
        - "fdbcli"
        - "--copy-binary"
        - "fdbbackup"
        - "--copy-binary"
        - "fdbrestore"
        - "--output-dir"
        - "/var/output-files/6.2.30"
        - "--init-mode"
        volumeMounts:
        - name: fdb-binaries
          mountPath: /var/output-files
        resources:
          limits:
            cpu: 10m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
      - name: foundationdb-kubernetes-init-6-3
        image: foundationdb/foundationdb-kubernetes-sidecar:6.3.23-1
        imagePullPolicy: IfNotPresent
        args:
        - "--copy-library"
        - "6.3"
        - "--copy-binary"
        - "fdbcli"
        - "--copy-binary"
        - "fdbbackup"
        - "--copy-binary"
        - "fdbrestore"
        - "--output-dir"
        - "/var/output-files/6.3.23"
        - "--init-mode"
        volumeMounts:
        - name: fdb-binaries
          mountPath: /var/output-files
        resources:
          limits:
            cpu: 10m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
      - name: foundationdb-kubernetes-init-7-1
        image: foundationdb/foundationdb-kubernetes-sidecar:7.1.15-1
        imagePullPolicy: IfNotPresent
        args:
        - "--copy-library"
        - "7.1"
        - "--copy-binary"
        - "fdbcli"
        - "--copy-binary"
        - "fdbbackup"
        - "--copy-binary"
        - "fdbrestore"
        - "--output-dir"
        - "/var/output-files/7.1.15"
        - "--init-mode"
        volumeMounts:
        - name: fdb-binaries
          mountPath: /var/output-files
        resources:
          limits:
            cpu: 10m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
      containers:
      - name: manager
        image: foundationdb/fdb-kubernetes-operator:v1.42.0
        imagePullPolicy: IfNotPresent
        command:
        - /manager
        env:
        - name: WATCH_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - containerPort: 8080
          name: metrics
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: logs
          mountPath: /var/log/fdb
        - name: fdb-binaries
          mountPath: /usr/bin/fdb
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
        livenessProbe:
          httpGet:
            path: /metrics
            port: metrics
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
          requests:
            cpu: 500m
            memory: 256Mi
      volumes:
      - name: tmp
        emptyDir: {}
      - name: logs
        emptyDir: {}
      - name: fdb-binaries
        emptyDir: {}

Member

@johscheuer johscheuer left a comment


Changes look good. I think it would be useful to make the new ClusterRole and ClusterRoleBinding optional; that would allow users to use the Helm chart even if they don't want to use this feature (or don't have the permissions for that).

@kky-fury
Contributor Author

Thanks for your comments. I made the changes. Please find below the Helm template if nodeReadClusterRole is false.

Helm Template Output
---
# Source: fdb-operator/templates/rbac/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
---
# Source: fdb-operator/templates/rbac/rbac_role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  - persistentvolumeclaims
  - events
  verbs:
  - get
  - watch
  - list
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps.foundationdb.org
  resources:
  - foundationdbclusters
  - foundationdbbackups
  - foundationdbrestores
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps.foundationdb.org
  resources:
  - foundationdbclusters/status
  - foundationdbbackups/status
  - foundationdbrestores/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Source: fdb-operator/templates/rbac/rbac_role_binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: fdb-operator
subjects:
- kind: ServiceAccount
  name: fdb-operator
---
# Source: fdb-operator/templates/manager/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fdb-operator
  labels:
    helm.sh/chart: fdb-operator-0.2.0
    app.kubernetes.io/name: fdb-operator
    app.kubernetes.io/instance: fdb-operator
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/managed-by: Helm
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: fdb-operator
      app.kubernetes.io/instance: fdb-operator
  template:
    metadata:
      labels:
        app.kubernetes.io/name: fdb-operator
        app.kubernetes.io/instance: fdb-operator
    spec:
      serviceAccountName: fdb-operator
      securityContext:
        fsGroup: 4059
        runAsGroup: 4059
        runAsUser: 4059
      terminationGracePeriodSeconds: 10
      initContainers:
      - name: foundationdb-kubernetes-init-6-2
        image: foundationdb/foundationdb-kubernetes-sidecar:6.2.30-1
        imagePullPolicy: IfNotPresent
        args:
        - "--copy-library"
        - "6.2"
        - "--copy-binary"
        - "fdbcli"
        - "--copy-binary"
        - "fdbbackup"
        - "--copy-binary"
        - "fdbrestore"
        - "--output-dir"
        - "/var/output-files/6.2.30"
        - "--init-mode"
        volumeMounts:
        - name: fdb-binaries
          mountPath: /var/output-files
        resources:
          limits:
            cpu: 10m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
      - name: foundationdb-kubernetes-init-6-3
        image: foundationdb/foundationdb-kubernetes-sidecar:6.3.23-1
        imagePullPolicy: IfNotPresent
        args:
        - "--copy-library"
        - "6.3"
        - "--copy-binary"
        - "fdbcli"
        - "--copy-binary"
        - "fdbbackup"
        - "--copy-binary"
        - "fdbrestore"
        - "--output-dir"
        - "/var/output-files/6.3.23"
        - "--init-mode"
        volumeMounts:
        - name: fdb-binaries
          mountPath: /var/output-files
        resources:
          limits:
            cpu: 10m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
      - name: foundationdb-kubernetes-init-7-1
        image: foundationdb/foundationdb-kubernetes-sidecar:7.1.15-1
        imagePullPolicy: IfNotPresent
        args:
        - "--copy-library"
        - "7.1"
        - "--copy-binary"
        - "fdbcli"
        - "--copy-binary"
        - "fdbbackup"
        - "--copy-binary"
        - "fdbrestore"
        - "--output-dir"
        - "/var/output-files/7.1.15"
        - "--init-mode"
        volumeMounts:
        - name: fdb-binaries
          mountPath: /var/output-files
        resources:
          limits:
            cpu: 10m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 50Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
      containers:
      - name: manager
        image: foundationdb/fdb-kubernetes-operator:v1.42.0
        imagePullPolicy: IfNotPresent
        command:
        - /manager
        env:
        - name: WATCH_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - containerPort: 8080
          name: metrics
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: logs
          mountPath: /var/log/fdb
        - name: fdb-binaries
          mountPath: /usr/bin/fdb
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
        livenessProbe:
          httpGet:
            path: /metrics
            port: metrics
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
          requests:
            cpu: 500m
            memory: 256Mi
      volumes:
      - name: tmp
        emptyDir: {}
      - name: logs
        emptyDir: {}
      - name: fdb-binaries
        emptyDir: {}
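One way to gate the cluster-scoped node permissions behind the `nodeReadClusterRole` value, shown here as an added illustration rather than the chart's own template source: with the value set to true it renders the ClusterRole and ClusterRoleBinding from the first template output above, and with the value false it renders nothing, matching the second output. The label helper name `fdb-operator.labels` is an assumption.

```yaml
# values.yaml (added example): cluster-wide node read is opt-in
#   nodeReadClusterRole: false
#
# templates/rbac/cluster_role.yaml (added example, not the chart's own file)
{{- if .Values.nodeReadClusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fdb-operator-clusterrole
  labels:
    # assumed label helper; the rendered output above shows the resulting labels
    {{- include "fdb-operator.labels" . | nindent 4 }}
rules:
# Only the read verbs taint detection needs: no create/update/delete and no "*"
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fdb-operator-clusterrolebinding
  labels:
    {{- include "fdb-operator.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fdb-operator-clusterrole
subjects:
- kind: ServiceAccount
  name: fdb-operator
  # A ClusterRoleBinding is not namespaced, so the ServiceAccount subject
  # must name the namespace the operator is released into
  namespace: {{ .Release.Namespace }}
{{- end }}
```

Render with `helm template fdb-operator <chart-dir> --set nodeReadClusterRole=true` and confirm that the only rule under `kind: ClusterRole` is the read-only nodes rule; with the value false the rendered output should contain no ClusterRole at all.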

Member

@johscheuer johscheuer left a comment


LGTM 👍 Thanks!

@johscheuer
Member

I'm going to merge those changes as we have no tests for the helm charts and nothing else was changed.

@johscheuer johscheuer merged commit 2bf00fc into FoundationDB:main Jul 15, 2024
7 checks passed