From 94e1e05a829344e69e70bd7b395d3355bf84a803 Mon Sep 17 00:00:00 2001
From: Ben Elferink
Date: Tue, 24 Dec 2024 14:37:20 +0200
Subject: [PATCH] [GEN-2110]: update RBAC permissions for UI (#2058)

This pull request includes significant updates to the role and cluster role definitions in the `cli/cmd/resources/ui.go` file. The changes primarily involve refining the permissions for various resources to better align with the required operations.

### Changes to Role and ClusterRole Definitions:

* [`cli/cmd/resources/ui.go`](diffhunk://#diff-c286e10d34710a80a59127b2b7951e8a33d9b9554e47d2f2b827fd690f2e53abL143-R156): Updated the `NewUIRole` function to refine the permissions for accessing `configmaps`, `secrets`, and `odigos.io` resources. This includes adding comments to clarify the necessity of each permission set.
* [`cli/cmd/resources/ui.go`](diffhunk://#diff-c286e10d34710a80a59127b2b7951e8a33d9b9554e47d2f2b827fd690f2e53abL231-R230): Updated the `NewUIClusterRole` function to refine the permissions for accessing `namespaces`, `services`, `pods`, `replicasets`, and `odigos.io` resources. Comments were added to explain the purpose of each permission set.
---
 cli/cmd/resources/ui.go | 109 +++++++++------------
 helm/odigos/templates/ui/clusterrole.yaml | 53 ++++------
 helm/odigos/templates/ui/role.yaml | 40 +++++---
 3 files changed, 87 insertions(+), 115 deletions(-)

diff --git a/cli/cmd/resources/ui.go b/cli/cmd/resources/ui.go
index 00b4f86df..de9a2ca14 100644
--- a/cli/cmd/resources/ui.go
+++ b/cli/cmd/resources/ui.go
@@ -140,54 +140,35 @@ func NewUIRole(ns string) *rbacv1.Role {
 Namespace: ns,
 },
 Rules: []rbacv1.PolicyRule{
- {
- Verbs: []string{
- "create",
- "get",
- "update",
- "watch",
- "patch",
- },
+ { // Needed to read odigos-config configmap for settings
 APIGroups: []string{""},
- Resources: []string{
- "secrets",
- },
+ Resources: []string{"configmaps"},
+ Verbs: []string{"get", "list"},
 },
- {
- Verbs: []string{
- "watch",
- "list",
- "get",
- },
+ { // Needed for secret values in destinations
 APIGroups: []string{""},
- Resources: []string{
- "pods",
- },
+ Resources: []string{"secrets"},
+ Verbs: []string{"get", "list", "create", "patch", "update"},
 },
- {
- Verbs: []string{
- "get",
- "list",
- },
- APIGroups: []string{"apps"},
- Resources: []string{
- "replicasets",
- },
+ { // Needed for CRUD on Odigos entities
+ APIGroups: []string{"odigos.io"},
+ Resources: []string{"instrumentationrules", "destinations"},
+ Verbs: []string{"get", "list", "create", "patch", "update", "delete"},
 },
- {
- Verbs: []string{
- "get",
- "list",
- "watch",
- "patch",
- "delete",
- "create",
- "update",
- },
+ { // Needed to watch Odigos entities
 APIGroups: []string{"odigos.io"},
- Resources: []string{
- "instrumentaitonrules",
- },
+ Resources: []string{"destinations"},
+ Verbs: []string{"watch"},
+ },
+ { // Needed to read Odigos entities
+ APIGroups: []string{"odigos.io"},
+ Resources: []string{"collectorsgroups"},
+ Verbs: []string{"get", "list"},
+ },
+ { // Needed for CRUD on Pipeline Actions
+ APIGroups: []string{"actions.odigos.io"},
+ Resources: []string{"*"},
+ Verbs: []string{"get", "list", "create", "patch", "update", "delete"},
 },
 },
 }
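Review bot: The first new rule grants `get` and `list` on every ConfigMap in the namespace while its comment says only the odigos-config ConfigMap is read; if the UI fetches it by name, pin it with `ResourceNames: []string{"odigos-config"}` and keep `Verbs: []string{"get"}` (a `list` is only authorized under `ResourceNames` when the client sends a matching `metadata.name` field selector), otherwise widen the comment to say what else is read. The secrets rule has the same shape: `list` returns the data of every Secret in the namespace, not only those referenced by destinations, so the comment should say why `get` by name is not enough. The `actions.odigos.io` rule keeps `Resources: []string{"*"}` although the rest of this change enumerates resources; listing the action kinds would keep the tightening consistent. These rules are duplicated by hand in helm/odigos/templates/ui/role.yaml, so any adjustment here has to be mirrored there.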
@@ -228,40 +209,36 @@ func NewUIClusterRole() *rbacv1.ClusterRole {
 Name: "odigos-ui",
 },
 Rules: []rbacv1.PolicyRule{
- {
+ { // Needed to get and instrument namespaces
 APIGroups: []string{""},
 Resources: []string{"namespaces"},
- Verbs: []string{"get", "list", "watch", "patch"},
+ Verbs: []string{"get", "list", "patch"},
 },
- {
- APIGroups: []string{""},
- Resources: []string{"services"},
- Verbs: []string{"list"},
+ { // Needed to instrument applications
+ APIGroups: []string{"apps"},
+ Resources: []string{"deployments", "statefulsets", "daemonsets"},
+ Verbs: []string{"get", "list", "patch", "update"},
 },
- {
- APIGroups: []string{""},
- Resources: []string{"configmaps"},
- Verbs: []string{"get", "list", "watch", "patch", "create", "delete", "update"},
+ { // Needed for "Describe Source" and for "Describe Odigos"
+ APIGroups: []string{"apps"},
+ Resources: []string{"replicasets"},
+ Verbs: []string{"get", "list"},
 },
- {
+ { // Need "services" for "Potential Destinations"
+ // Need "pods" for "Describe Source"
 APIGroups: []string{""},
- Resources: []string{"pods"},
+ Resources: []string{"services", "pods"},
 Verbs: []string{"get", "list"},
 },
- {
- APIGroups: []string{"apps"},
- Resources: []string{"deployments", "statefulsets", "daemonsets", "replicasets"},
- Verbs: []string{"get", "list", "watch", "patch", "update"},
- },
- {
+ { // Needed to read Odigos entities
 APIGroups: []string{"odigos.io"},
- Resources: []string{"*"},
- Verbs: []string{"get", "list", "watch", "patch", "create", "delete", "update"},
+ Resources: []string{"instrumentedapplications", "instrumentationinstances", "instrumentationconfigs"},
+ Verbs: []string{"get", "list"},
 },
- {
- APIGroups: []string{"actions.odigos.io"},
- Resources: []string{"*"},
- Verbs: []string{"get", "list", "watch", "patch", "create", "delete", "update"},
+ { // Needed to watch Odigos entities
+ APIGroups: []string{"odigos.io"},
+ Resources: []string{"instrumentedapplications", "instrumentationinstances"},
+ Verbs: []string{"watch"},
 },
 },
 }
diff --git a/helm/odigos/templates/ui/clusterrole.yaml b/helm/odigos/templates/ui/clusterrole.yaml
index cb7992b83..db40122df 100644
--- a/helm/odigos/templates/ui/clusterrole.yaml
+++ b/helm/odigos/templates/ui/clusterrole.yaml
@@ -4,73 +4,52 @@ metadata:
 name: odigos-ui
 rules:
 - apiGroups:
- - ""
+ - ''
 resources:
 - namespaces
 verbs:
 - get
 - list
- - watch
 - patch
 - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - list
- - apiGroups:
- - ""
+ - apps
 resources:
- - configmaps
+ - deployments
+ - statefulsets
+ - daemonsets
 verbs:
 - get
 - list
- - watch
 - patch
- - create
- - delete
 - update
 - apiGroups:
- - ""
+ - apps
 resources:
- - pods
+ - replicasets
 verbs:
 - get
 - list
 - apiGroups:
- - apps
+ - ''
 resources:
- - deployments
- - statefulsets
- - daemonsets
- - replicasets
+ - services
+ - pods
 verbs:
 - get
 - list
- - watch
- - update
- - patch
 - apiGroups:
 - odigos.io
 resources:
- - "*"
+ - instrumentedapplications
+ - instrumentationinstances
+ - instrumentationconfigs
 verbs:
 - get
 - list
- - watch
- - patch
- - create
- - delete
- - update
 - apiGroups:
- - actions.odigos.io
+ - odigos.io
 resources:
- - "*"
+ - instrumentedapplications
+ - instrumentationinstances
 verbs:
- - get
- - list
 - watch
- - patch
- - create
- - delete
- - update
diff --git a/helm/odigos/templates/ui/role.yaml b/helm/odigos/templates/ui/role.yaml
index 9da7f8e41..fa4a5ebbb 100644
--- a/helm/odigos/templates/ui/role.yaml
+++ b/helm/odigos/templates/ui/role.yaml
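Review bot: The `apps` rule grants both `patch` and `update` on every Deployment, StatefulSet and DaemonSet in the cluster, and its comment (`// Needed to instrument applications`) does not say which verb instrumenting actually uses; if the UI only sets labels or annotations through a patch, `update` (whole-object replace) can be dropped, leaving `Verbs: []string{"get", "list", "patch"}`, and if a full update really is needed the comment should say so. The two Odigos rules are also worth a line of explanation: `instrumentationconfigs` is readable but not watchable while the other two kinds are, which reads as an oversight unless it is intended. The same rule set is copied by hand into helm/odigos/templates/ui/clusterrole.yaml; a test that renders the chart and compares it with NewUIClusterRole would catch the two drifting apart.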
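Review bot: The per-rule comments that the Go side gained (`// Needed to get and instrument namespaces`, `// Needed to instrument applications`, and so on) are not carried into this template, so a reader of the rendered chart cannot tell why the UI needs `patch` on namespaces or `update` on workloads cluster-wide. Add the same sentence above each rule, for example `# Needed to get and instrument namespaces` before the first `- apiGroups:` entry; helm/odigos/templates/ui/role.yaml has the same gap.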
@@ -2,42 +2,58 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: odigos-ui
- namespace: {{ .Release.Namespace }}
+ namespace: '{{ .Release.Namespace }}'
 rules:
 - apiGroups:
- - ""
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - ''
 resources:
 - secrets
 verbs:
- - create
 - get
 - list
+ - create
 - patch
 - update
- - watch
 - apiGroups:
- - ""
+ - odigos.io
 resources:
- - pods
+ - instrumentationrules
+ - destinations
 verbs:
 - get
 - list
+ - create
+ - patch
+ - update
+ - delete
+ - apiGroups:
+ - odigos.io
+ resources:
+ - destinations
+ verbs:
 - watch
 - apiGroups:
- - "apps"
+ - odigos.io
 resources:
- - replicasets
+ - collectorsgroups
 verbs:
 - get
 - list
 - apiGroups:
- - "odigos.io"
+ - actions.odigos.io
 resources:
- - instrumentationrules
+ - '*'
 verbs:
- - create
- - delete
 - get
 - list
+ - create
 - patch
 - update
+ - delete