Merge pull request #3915 from XiShanYongYe-Chang/grant-clusterrole-ad…

…min-with-karmada-resource-permission grant clusterrole admin with karamda resource permission
karmada-io · Aug 9, 2023 · 37cee8d · 37cee8d
2 parents 8680ff3 + f807fc8
commit 37cee8d
Show file tree

Hide file tree

Showing 3 changed files with 153 additions and 1 deletion.
diff --git a/artifacts/deploy/admin-clusterrole-aggregation.yaml b/artifacts/deploy/admin-clusterrole-aggregation.yaml
@@ -0,0 +1,149 @@
+# This configuration is used to grant the admin clusterrole read
+# and write permissions for Karmada resources.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    # refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
+    # and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    # refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
+    kubernetes.io/bootstrapping: rbac-defaults
+    # used to aggregate rules to view clusterrole
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: karmada-view
+rules:
+  - apiGroups:
+      - "autoscaling.karmada.io"
+    resources:
+      - cronfederatedhpas
+      - cronfederatedhpas/status
+      - federatedhpas
+      - federatedhpas/status
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "multicluster.x-k8s.io"
+    resources:
+      - serviceexports
+      - serviceexports/status
+      - serviceimports
+      - serviceimports/status
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "networking.karmada.io"
+    resources:
+      - multiclusteringresses
+      - multiclusteringresses/status
+      - multiclusterservices
+      - multiclusterservices/status
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "policy.karmada.io"
+    resources:
+      - overridepolicies
+      - propagationpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "work.karmada.io"
+    resources:
+      - resourcebindings
+      - resourcebindings/status
+      - works
+      - works/status
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    # refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation
+    # and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-auth-reconcile
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    # refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
+    kubernetes.io/bootstrapping: rbac-defaults
+    # used to aggregate rules to view clusterrole
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: karmada-edit
+rules:
+  - apiGroups:
+      - "autoscaling.karmada.io"
+    resources:
+      - cronfederatedhpas
+      - cronfederatedhpas/status
+      - federatedhpas
+      - federatedhpas/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - "multicluster.x-k8s.io"
+    resources:
+      - serviceexports
+      - serviceexports/status
+      - serviceimports
+      - serviceimports/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - "networking.karmada.io"
+    resources:
+      - multiclusteringresses
+      - multiclusteringresses/status
+      - multiclusterservices
+      - multiclusterservices/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - "policy.karmada.io"
+    resources:
+      - overridepolicies
+      - propagationpolicies
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - "work.karmada.io"
+    resources:
+      - resourcebindings
+      - resourcebindings/status
+      - works
+      - works/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
diff --git a/artifacts/deploy/kube-controller-manager.yaml b/artifacts/deploy/kube-controller-manager.yaml
@@ -43,7 +43,7 @@ spec:
             - --cluster-name=karmada
             - --cluster-signing-cert-file=/etc/karmada/pki/ca.crt
             - --cluster-signing-key-file=/etc/karmada/pki/ca.key
-            - --controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning
+            - --controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning,clusterrole-aggregation
             - --kubeconfig=/etc/kubeconfig
             - --leader-elect=true
             - --node-cidr-mask-size=24

diff --git a/hack/deploy-karmada.sh b/hack/deploy-karmada.sh
@@ -268,6 +268,9 @@ kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/ka
 # make sure apiservice for karmada metrics adapter is Available
 util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_METRICS_ADAPTER_LABEL}"
 
+# grant the admin clusterrole read and write permissions for Karmada resources
+kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/admin-clusterrole-aggregation.yaml"
+
 # deploy cluster proxy rbac for admin
 kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/cluster-proxy-admin-rbac.yaml"