Enable RBAC, and create service accounts/roles/rolebindings for sidec…

…ar and controller as appropriate.
googleforgames · Feb 12, 2018 · 64faa73 · 64faa73
1 parent ced8bad
commit 64faa73
Show file tree

Hide file tree

Showing 5 changed files with 206 additions and 3 deletions.
diff --git a/build/Makefile b/build/Makefile
@@ -233,6 +233,7 @@ gcloud-auth-cluster: ensure-build-image
 	docker run --rm $(common_mounts) $(build_tag) gcloud config set compute/zone \
 		`grep zone: $(build_path)/gke-test-cluster/deployment.yml | sed 's/zone: //'`
 	docker run --rm $(common_mounts) $(build_tag) gcloud container clusters get-credentials $(CLUSTER_NAME)
+	-docker run --rm $(common_mounts) $(build_tag) kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user $$(gcloud config get-value account)
 
 # authenticate our docker configuration so that you can do a docker push directly
 # to the gcr.io repository
@@ -258,7 +259,7 @@ clean-gcloud-config:
 # Switches to an "agones" profile, and starts a kubernetes cluster
 # of the right version.
 #
-# Use MINIKUBE_DRIVER variable to change the VM driver 
+# Use MINIKUBE_DRIVER variable to change the VM driver
 # (defaults virtualbox for Linux and OSX, hyperv for windows) if you so desire.
 minikube-test-cluster: minikube-agones-profile
 	$(MINIKUBE) start --kubernetes-version v1.8.0 --vm-driver $(MINIKUBE_DRIVER)

diff --git a/build/gke-test-cluster/cluster.yml.jinja b/build/gke-test-cluster/cluster.yml.jinja
@@ -21,6 +21,7 @@ resources:
     cluster:
       name: test-cluster
       description: Test cluster for Agones
+      initialClusterVersion: 1.8.7-gke.1
       nodePools:
         - name: "default"
           initialNodeCount: 3
@@ -35,6 +36,8 @@ resources:
       masterAuth:
         username: admin
         password: supersecretpassword
+      legacyAbac:
+        enabled: false
 - name: game-server-firewall
   type: compute.beta.firewall
   properties:

diff --git a/build/install.yaml b/build/install.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Install with development settings - suggest using `make install` to run
-
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -48,6 +46,7 @@ spec:
       labels:
         stable.agones.dev/role: controller
     spec:
+      serviceAccountName: agones-controller
       containers:
       - name: agones-controller
         image: ${REGISTRY}/agones-controller:${VERSION}
@@ -67,3 +66,97 @@ spec:
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 3
+---
+# Service account, secret, role and rolebinding for sidecar (agones-sdk) pod
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: agones-sdk
+secrets:
+- name: agones-sdk-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: agones-sdk-secret
+  annotations:
+    kubernetes.io/service-account.name: agones-sdk
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: agones-sdk
+  namespace: agones-system
+rules:
+- apiGroups: ["stable.agones.dev"]
+  resources: ["gameservers"]
+  verbs: ["get", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: agones-sdk-access
+  namespace: agones-system
+subjects:
+- kind: User
+  name: system:serviceaccount:default:agones-sdk
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: agones-sdk
+---
+# Service account, secret, role and rolebinding for agones-controller
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: agones-controller
+  namespace: agones-system
+secrets:
+- name: agones-controller-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: agones-controller-secret
+  namespace: agones-system
+  annotations:
+    kubernetes.io/service-account.name: agones-controller
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: agones-controller
+  namespace: agones-system
+rules:
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["create", "delete", "list", "watch"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get"]
+- apiGroups: ["stable.agones.dev"]
+  resources: ["gameservers"]
+  verbs: ["delete", "get", "list", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: agones-controller-access
+  namespace: agones-system
+subjects:
+- kind: User
+  name: system:serviceaccount:agones-system:agones-controller
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: agones-controller
diff --git a/install.yaml b/install.yaml
@@ -12,6 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: agones-system
+---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@@ -31,6 +36,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: agones-controller
+  namespace: agones-system
 spec:
   replicas: 1
   strategy:
@@ -40,6 +46,7 @@ spec:
       labels:
         stable.agones.dev/role: controller
     spec:
+      serviceAccountName: agones-controller
       containers:
       - name: agones-controller
         image: gcr.io/agones-images/agones-controller:0.1
@@ -58,3 +65,97 @@ spec:
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 3
+---
+# Service account, secret, role and rolebinding for sidecar (agones-sdk) pod
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: agones-sdk
+secrets:
+- name: agones-sdk-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: agones-sdk-secret
+  annotations:
+    kubernetes.io/service-account.name: agones-sdk
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: agones-sdk
+  namespace: agones-system
+rules:
+- apiGroups: ["stable.agones.dev"]
+  resources: ["gameservers"]
+  verbs: ["get", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: agones-sdk-access
+  namespace: agones-system
+subjects:
+- kind: User
+  name: system:serviceaccount:default:agones-sdk
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: agones-sdk
+---
+# Service account, secret, role and rolebinding for agones-controller
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: agones-controller
+  namespace: agones-system
+secrets:
+- name: agones-controller-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: agones-controller-secret
+  namespace: agones-system
+  annotations:
+    kubernetes.io/service-account.name: agones-controller
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: agones-controller
+  namespace: agones-system
+rules:
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["create", "delete", "list", "watch"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get"]
+- apiGroups: ["stable.agones.dev"]
+  resources: ["gameservers"]
+  verbs: ["delete", "get", "list", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: agones-controller-access
+  namespace: agones-system
+subjects:
+- kind: User
+  name: system:serviceaccount:agones-system:agones-controller
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: agones-controller
diff --git a/pkg/apis/stable/v1alpha1/types.go b/pkg/apis/stable/v1alpha1/types.go
@@ -61,6 +61,8 @@ const (
 	// GameServerContainerAnnotation is the annotation that stores
 	// which container is the container that runs the dedicated game server
 	GameServerContainerAnnotation = stable.GroupName + "/container"
+	// SidecarServiceAccountName is the default service account for managing access to get/update GameServers
+	SidecarServiceAccountName = "agones-sdk"
 )
 
 var (
@@ -204,6 +206,9 @@ func (gs *GameServer) Pod(sidecars ...corev1.Container) (*corev1.Pod, error) {
 	pod.ObjectMeta.Namespace = gs.ObjectMeta.Namespace
 	// Make sure these are blank, just in case
 	pod.ResourceVersion = ""
+	if len(pod.Spec.ServiceAccountName) == 0 {
+		pod.Spec.ServiceAccountName = SidecarServiceAccountName
+	}
 	pod.UID = ""
 	if pod.ObjectMeta.Labels == nil {
 		pod.ObjectMeta.Labels = make(map[string]string, 2)