
feat: add new RBAC configuration for k8sgpt (#434)
* feat: migrate k8sgpt rbac configuration to template chart

Signed-off-by: Matheus Sousa <matessousa@outlook.com>

* remove: removed k8sgpt rbac logic because it is now managed by the template chart

Signed-off-by: Matheus Sousa <matessousa@outlook.com>

---------

Signed-off-by: Matheus Sousa <matessousa@outlook.com>
Signed-off-by: Matheus Sousa    <73663610+MateSousa@users.noreply.github.com>
Co-authored-by: Aris Boutselis <arisboutselis08@gmail.com>
MateSousa and arbreezy committed Jun 6, 2024
1 parent 144485e commit 2d5954c
Showing 4 changed files with 46 additions and 126 deletions.
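--- a/chart/operator/templates/k8sgpt-cluster-role-binding.yaml
+++ b/chart/operator/templates/k8sgpt-cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "chart.fullname" . }}-k8sgpt
+  labels:
+  {{- include "chart.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "chart.fullname" . }}-k8sgpt
+subjects:
+- kind: ServiceAccount
+  name: "k8sgpt"
+  namespace: {{ .Release.Namespace }}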
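Review bot: The subject is pinned to `namespace: {{ .Release.Namespace }}`, whereas the operator code removed in this commit created the ServiceAccount and binding in `config.Namespace` (the namespace of the K8sGPT resource); a K8sGPT created in any namespace other than the chart's release namespace will now run under a `k8sgpt` ServiceAccount that the chart does not create and this binding does not cover. Either document that K8sGPT resources must live in the release namespace, or template one ServiceAccount/binding per supported namespace. The rename from the hard-coded `k8sgpt` to `{{ include "chart.fullname" . }}-k8sgpt` also means existing clusters keep the old operator-created `k8sgpt` ClusterRole and ClusterRoleBinding (garbage-collected only with their owning K8sGPT resource), so an upgrade note or a pre-upgrade cleanup of those two objects would avoid a lingering duplicate cluster-wide grant.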
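--- a/chart/operator/templates/k8sgpt-cluster-role.yaml
+++ b/chart/operator/templates/k8sgpt-cluster-role.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "chart.fullname" . }}-k8sgpt
+  labels:
+  {{- include "chart.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - create
+  - list
+  - get
+  - watch
+  - delete
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - '*'
+  verbs:
+  - '*'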
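Review bot: The first rule grants `create`, `list`, `get`, `watch` and `delete` on `'*'` resources in `'*'` API groups, which is effectively cluster-wide control (read every Secret, create Pods in any namespace, delete arbitrary objects), and the chart installs it unconditionally, whereas the removed Go code only created this ClusterRole when the K8sGPT was running in-cluster (`if !outOfClusterMode`). At minimum the template should carry the justification that lived in the deleted code, e.g. `# Wildcard grant: k8sgpt needs create on arbitrary resources to set up integrations; review before widening further`, and ideally be gated behind a chart value so out-of-cluster deployments do not receive it. If the set of resources k8sgpt actually touches is known to the maintainers, enumerating it here in place of `'*'` would be the real fix; that set is not visible in this diff, so I cannot propose it concretely.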
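--- a/chart/operator/templates/k8sgpt-sa.yaml
+++ b/chart/operator/templates/k8sgpt-sa.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "k8sgpt"
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: k8sgpt-operator
+    app.kubernetes.io/part-of: k8sgpt-operator
+  {{- include "chart.labels" . | nindent 4 }}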
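Review bot: The templated ServiceAccount has no `imagePullSecrets`, while the `GetServiceAccount` removed in this commit copied every entry of `config.Spec.ImagePullSecrets` onto the SA; unless the k8sgpt Deployment (outside this diff) sets `imagePullSecrets` on the pod spec itself, pulls from private registries that relied on the SA stop working after this change. If that field is still honoured on the Deployment, a one-line comment such as `# imagePullSecrets are set on the k8sgpt Deployment from K8sGPT.spec.imagePullSecrets, not here` would save the next reader the same check; otherwise the SA needs an `imagePullSecrets:` block fed from chart values. Note also that with no `namespace:` the SA lands in the release namespace only, matching the binding but not the previous per-K8sGPT-namespace behaviour.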
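--- a/pkg/resources/k8sgpt.go
+++ b/pkg/resources/k8sgpt.go
@@ -24,7 +24,6 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
-	r1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -102,108 +101,6 @@ func GetService(config v1alpha1.K8sGPT) (*corev1.Service, error) {
 	return &service, nil
 }
 
-// GetServiceAccount Create Service Account for K8sGPT and bind it to K8sGPT role
-func GetServiceAccount(config v1alpha1.K8sGPT) (*corev1.ServiceAccount, error) {
-	// Create service account
-	serviceAccount := corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "k8sgpt",
-			Namespace: config.Namespace,
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					Kind: config.Kind,
-					Name: config.Name,
-					UID: config.UID,
-					APIVersion: config.APIVersion,
-					BlockOwnerDeletion: utils.PtrBool(true),
-					Controller: utils.PtrBool(true),
-				},
-			},
-		},
-		ImagePullSecrets: []corev1.LocalObjectReference{},
-	}
-	//Add image pull secrets to service account
-	for _, secret := range config.Spec.ImagePullSecrets {
-		serviceAccount.ImagePullSecrets = append(serviceAccount.ImagePullSecrets, corev1.LocalObjectReference{
-			Name: secret.Name,
-		})
-	}
-
-	return &serviceAccount, nil
-}
-
-// GetClusterRoleBinding Create cluster role binding for K8sGPT
-func GetClusterRoleBinding(config v1alpha1.K8sGPT) (*r1.ClusterRoleBinding, error) {
-
-	// Create cluster role binding
-	clusterRoleBinding := r1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "k8sgpt",
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					Kind: config.Kind,
-					Name: config.Name,
-					UID: config.UID,
-					APIVersion: config.APIVersion,
-					BlockOwnerDeletion: utils.PtrBool(true),
-					Controller: utils.PtrBool(true),
-				},
-			},
-		},
-		Subjects: []r1.Subject{
-			{
-				Kind: "ServiceAccount",
-				Name: "k8sgpt",
-				Namespace: config.Namespace,
-			},
-		},
-		RoleRef: r1.RoleRef{
-			Kind: "ClusterRole",
-			Name: "k8sgpt",
-			APIGroup: "rbac.authorization.k8s.io",
-		},
-	}
-
-	return &clusterRoleBinding, nil
-}
-
-// GetClusterRole Create ClusterRole for K8sGPT with cluster read all
-func GetClusterRole(config v1alpha1.K8sGPT) (*r1.ClusterRole, error) {
-
-	// Create cluster role
-	clusterRole := r1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "k8sgpt",
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					Kind: config.Kind,
-					Name: config.Name,
-					UID: config.UID,
-					APIVersion: config.APIVersion,
-					BlockOwnerDeletion: utils.PtrBool(true),
-					Controller: utils.PtrBool(true),
-				},
-			},
-		},
-		Rules: []r1.PolicyRule{
-			{
-				APIGroups: []string{"*"},
-				Resources: []string{"*"},
-				// This is necessary for the creation of integrations
-				Verbs: []string{"create", "list", "get", "watch", "delete"},
-			},
-			// Allow creation of custom resources
-			{
-				APIGroups: []string{"apiextensions.k8s.io"},
-				Resources: []string{"*"},
-				Verbs: []string{"*"},
-			},
-		},
-	}
-
-	return &clusterRole, nil
-}
-
 // GetDeployment Create deployment with the latest K8sGPT image
 func GetDeployment(config v1alpha1.K8sGPT, outOfClusterMode bool, c client.Client) (*appsv1.Deployment, error) {
 
@@ -427,29 +324,6 @@ func Sync(ctx context.Context, c client.Client,
 
 	outOfClusterMode := config.Spec.Kubeconfig != nil
 
-	if !outOfClusterMode {
-		svcAcc, er := GetServiceAccount(config)
-		if er != nil {
-			return er
-		}
-
-		objs = append(objs, svcAcc)
-
-		clusterRole, er := GetClusterRole(config)
-		if er != nil {
-			return er
-		}
-
-		objs = append(objs, clusterRole)
-
-		clusterRoleBinding, er := GetClusterRoleBinding(config)
-		if er != nil {
-			return er
-		}
-
-		objs = append(objs, clusterRoleBinding)
-	}
-
 	svc, er := GetService(config)
 	if er != nil {
 		return er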
