diff --git a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml index 49dc53f8e8..09db5e3eff 100644 --- a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml @@ -49,6 +49,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object source: type: string required: @@ -70,6 +83,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object source: type: string required: @@ -91,6 +117,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object source: type: string required: @@ -112,6 +151,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object source: type: string required: diff --git a/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml index bf4420ca1b..039119087d 100644 --- a/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml 
@@ -794,10 +794,10 @@ spec: order: description: Order is an optional field that specifies the order in which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". + after those with lower order within the same tier. If the order + is omitted, it may be considered to be "infinite" - i.e. the policy + will be applied last. Policies with identical order will be applied + in alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: description: "PerformanceHints contains a list of hints to Calico's @@ -839,6 +839,14 @@ spec: description: ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts. type: string + tier: + description: The name of the tier that this policy belongs to. If + this is omitted, the default tier (name is "default") is assumed. The + specified tier must exist in order to create security policies within + the tier, the "default" tier is created automatically if it does + not exist, this means for deployments requiring only a single Tier, + the tier name may be omitted on all policy management requests. + type: string types: description: "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so diff --git a/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml index 6a92754520..b2a4c07797 100644 --- a/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml 
@@ -779,10 +779,10 @@ spec: order: description: Order is an optional field that specifies the order in which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". + after those with lower order within the same tier. If the order + is omitted, it may be considered to be "infinite" - i.e. the policy + will be applied last. Policies with identical order will be applied + in alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: description: "PerformanceHints contains a list of hints to Calico's @@ -820,6 +820,14 @@ spec: description: ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts. type: string + tier: + description: The name of the tier that this policy belongs to. If + this is omitted, the default tier (name is "default") is assumed. The + specified tier must exist in order to create security policies within + the tier, the "default" tier is created automatically if it does + not exist, this means for deployments requiring only a single Tier, + the tier name may be omitted on all policy management requests. + type: string types: description: "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so diff --git a/pkg/crds/calico/crd.projectcalico.org_tiers.yaml b/pkg/crds/calico/crd.projectcalico.org_tiers.yaml new file mode 100644 index 0000000000..323e092467 --- /dev/null +++ b/pkg/crds/calico/crd.projectcalico.org_tiers.yaml 
@@ -0,0 +1,54 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: tiers.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: Tier + listKind: TierList + plural: tiers + singular: tier + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TierSpec contains the specification for a security policy + tier resource. + properties: + order: + description: Order is an optional field that specifies the order in + which the tier is applied. Tiers with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the tier will be applied last. Tiers + with identical order will be applied in alphanumerical order based + on the Tier "Name". + type: number + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go index 1269c65397..f05c834ae1 100644 --- a/pkg/render/apiserver.go +++ b/pkg/render/apiserver.go 
@@ -181,6 +181,10 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) { globalObjects := []client.Object{ c.calicoCustomResourcesClusterRole(), c.calicoCustomResourcesClusterRoleBinding(), + c.tierGetterClusterRole(), + c.kubeControllerMgrTierGetterClusterRoleBinding(), + c.calicoPolicyPassthruClusterRole(), + c.calicoPolicyPassthruClusterRolebinding(), } // These objects are global, and have different names based on Calico or Calico Enterprise. @@ -219,8 +223,6 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) { CreateNamespace(rmeta.APIServerNamespace(operatorv1.TigeraSecureEnterprise), c.cfg.Installation.KubernetesProvider, PSSPrivileged), c.tigeraApiServerClusterRole(), c.tigeraApiServerClusterRoleBinding(), - c.tierGetterClusterRole(), - c.kubeControllerMgrTierGetterClusterRoleBinding(), c.uisettingsgroupGetterClusterRole(), c.kubeControllerMgrUisettingsgroupGetterClusterRoleBinding(), c.tieredPolicyPassthruClusterRole(), @@ -565,6 +567,7 @@ func (c *apiServerComponent) calicoCustomResourcesClusterRole() *rbacv1.ClusterR "ipamblocks", "blockaffinities", "ipamconfigs", + "tiers", }, Verbs: []string{ "get", @@ -1229,7 +1232,6 @@ func (c *apiServerComponent) tigeraApiServerClusterRole() *rbacv1.ClusterRole { "stagedkubernetesnetworkpolicies", "stagednetworkpolicies", "stagedglobalnetworkpolicies", - "tiers", "licensekeys", "alertexceptions", "globalalerts", @@ -1309,13 +1311,11 @@ func (c *apiServerComponent) tigeraApiServerClusterRoleBinding() *rbacv1.Cluster } // tierGetterClusterRole creates a clusterrole that gives permissions to get tiers. -// -// Calico Enterprise only func (c *apiServerComponent) tierGetterClusterRole() *rbacv1.ClusterRole { return &rbacv1.ClusterRole{ TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"}, ObjectMeta: metav1.ObjectMeta{ - Name: "tigera-tier-getter", + Name: "calico-tier-getter", }, Rules: []rbacv1.PolicyRule{ { 
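Review bot: In the calicoCustomResourcesClusterRole hunk `tiers` joins the resource list, but only `get` is visible of the Verbs that follow and the verb list runs past the hunk. The CRD descriptions added in this same commit say the "default" tier is created automatically when it does not exist, so whichever component does that creation needs at least `create` on `tiers`; if that component is the Calico API server and the verbs below this hunk do not already include it, the auto-creation will be refused by RBAC. In the Objects() hunk the four tier-related objects are now rendered for both variants; a short comment there, e.g. `// Tier RBAC is rendered for Calico and Calico Enterprise alike; the old tigera-tier-getter names are cleaned up in getDeprecatedResources.`, would save the next reader from re-checking the Enterprise-only list below. Objects() and calicoCustomResourcesClusterRole both start outside their hunks.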
@@ -1332,17 +1332,15 @@ func (c *apiServerComponent) tierGetterClusterRole() *rbacv1.ClusterRole { // kubeControllerMgrTierGetterClusterRoleBinding creates a rolebinding that allows the k8s kube-controller manager to // get tiers. In k8s 1.15+, cascading resource deletions (for instance pods for a replicaset) failed // due to k8s kube-controller not having permissions to get tiers. -// -// Calico Enterprise only func (c *apiServerComponent) kubeControllerMgrTierGetterClusterRoleBinding() *rbacv1.ClusterRoleBinding { return &rbacv1.ClusterRoleBinding{ TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"}, ObjectMeta: metav1.ObjectMeta{ - Name: "tigera-tier-getter", + Name: "calico-tier-getter", }, RoleRef: rbacv1.RoleRef{ Kind: "ClusterRole", - Name: "tigera-tier-getter", + Name: "calico-tier-getter", APIGroup: "rbac.authorization.k8s.io", }, Subjects: []rbacv1.Subject{ 
@@ -1765,6 +1763,49 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole } } +// calicoPolicyPassthruClusterRole creates a clusterrole that is used to control the RBAC +// mechanism for Calico tiered policy. +func (c *apiServerComponent) calicoPolicyPassthruClusterRole() *rbacv1.ClusterRole { + return &rbacv1.ClusterRole{ + TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"}, + ObjectMeta: metav1.ObjectMeta{ + Name: "calico-tiered-policy-passthrough", + }, + // If tiered policy is enabled we allow all authenticated users to access the main tier resource, instead + // restricting access using the tier.xxx resource type. Kubernetes NetworkPolicy and the + // StagedKubernetesNetworkPolicy are handled using normal (non-tiered) RBAC. + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"projectcalico.org"}, + Resources: []string{"networkpolicies", "globalnetworkpolicies"}, + Verbs: []string{"*"}, + }, + }, + } +} + +// calicoPolicyPassthruClusterRolebinding creates a clusterrolebinding that applies calicoPolicyPassthruClusterRole to all users. +func (c *apiServerComponent) calicoPolicyPassthruClusterRolebinding() *rbacv1.ClusterRoleBinding { + return &rbacv1.ClusterRoleBinding{ + TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"}, + ObjectMeta: metav1.ObjectMeta{ + Name: "calico-tiered-policy-passthrough", + }, + Subjects: []rbacv1.Subject{ + { + Kind: "Group", + Name: "system:authenticated", + APIGroup: "rbac.authorization.k8s.io", + }, + }, + RoleRef: rbacv1.RoleRef{ + Kind: "ClusterRole", + Name: "calico-tiered-policy-passthrough", + APIGroup: "rbac.authorization.k8s.io", + }, + } +} + // tieredPolicyPassthruClusterRole creates a clusterrole that is used to control the RBAC // mechanism for Tigera Secure tiered policy. // 
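Review bot: calicoPolicyPassthruClusterRolebinding gives every member of `system:authenticated` the `*` verb on `networkpolicies` and `globalnetworkpolicies` cluster-wide, and the comment above Rules only hints at why that is acceptable ("instead restricting access using the tier.xxx resource type"). That is only safe while the Calico API server re-authorizes every request for those resources against the caller's tier-scoped permissions; nothing in this diff shows that the OSS API server does so, so the invariant should be stated where the binding is created rather than inferred from the Enterprise counterpart. Suggest replacing the three-line comment with one that names the dependency, e.g. `// Safe only because the Calico API server re-authorizes every networkpolicies/globalnetworkpolicies request against the caller's tier.xxx permissions; this binding must not be rendered for an API server that does not perform that check.`, and fixing the grammar (`and instead restrict access` for `instead restricting access`). Style: the method is named `calicoPolicyPassthruClusterRolebinding` while every sibling in this file uses `…ClusterRoleBinding` (`kubeControllerMgrTierGetterClusterRoleBinding`, `tigeraApiServerClusterRoleBinding`); the same spelling is used in the Objects() hunk and should be renamed consistently.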
@@ -1781,7 +1822,7 @@ func (c *apiServerComponent) tieredPolicyPassthruClusterRole() *rbacv1.ClusterRo Rules: []rbacv1.PolicyRule{ { APIGroups: []string{"projectcalico.org"}, - Resources: []string{"networkpolicies", "globalnetworkpolicies", "stagednetworkpolicies", "stagedglobalnetworkpolicies"}, + Resources: []string{"stagednetworkpolicies", "stagedglobalnetworkpolicies"}, Verbs: []string{"*"}, }, }, @@ -1940,5 +1981,23 @@ func (c *apiServerComponent) getDeprecatedResources() []client.Object { }, }) + // The following resources were not present in Calico OSS, so there is no need to clean up in OSS. + if c.cfg.Installation.Variant == operatorv1.TigeraSecureEnterprise { + // Renamed ClusterRoleBinging tigera-tier-getter to calico-tier-getter since Tier is available in OSS + renamedRscList = append(renamedRscList, &rbacv1.ClusterRoleBinding{ + TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"}, + ObjectMeta: metav1.ObjectMeta{ + Name: "tigera-tier-getter", + }, + }) + // Renamed ClusterRole tigera-tier-getter to calico-tier-getter since Tier is available in OSS + renamedRscList = append(renamedRscList, &rbacv1.ClusterRole{ + TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"}, + ObjectMeta: metav1.ObjectMeta{ + Name: "tigera-tier-getter", + }, + }) + } + return renamedRscList } diff --git a/pkg/render/apiserver_test.go b/pkg/render/apiserver_test.go index 3466365989..399fc68271 100644 --- a/pkg/render/apiserver_test.go +++ b/pkg/render/apiserver_test.go 
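Review bot: tieredPolicyPassthruClusterRole now carries only `stagednetworkpolicies` and `stagedglobalnetworkpolicies`, but its doc comment (visible at the end of the previous hunk; the function starts outside this one) still describes it as the RBAC passthrough for Tigera Secure tiered policy in general; suggest `// mechanism for Tigera Secure staged tiered policy; networkpolicies and globalnetworkpolicies are covered by calicoPolicyPassthruClusterRole.`. In the getDeprecatedResources hunk the comment reads `ClusterRoleBinging` where `ClusterRoleBinding` is meant. The Enterprise-only gate on the cleanup matches the `Calico Enterprise only` comments removed earlier in this diff, so the condition looks right; getDeprecatedResources also starts outside the hunk.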
@@ -120,6 +120,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-apiserver", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettings-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -132,8 +136,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "tigera-apiserver", ns: "tigera-system", group: "apps", version: "v1", kind: "Deployment"}, {name: "tigera-api", ns: "tigera-system", group: "", version: "v1", kind: "Service"}, {name: "tigera-apiserver", ns: "tigera-system", group: "policy", version: "v1", kind: "PodDisruptionBudget"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-ui-user", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, @@ -159,6 +161,7 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { // - 2 ServiceAccount ClusterRole and binding for calico CRDs // - 2 ServiceAccount ClusterRole and binding for tigera CRDs // - 2 ClusterRole and binding for auth configmap + // - 2 calico policy passthru ClusterRole and binding // - 2 tiered policy passthru ClusterRole and binding // - 1 delegate auth binding // - 1 auth reader binding 
@@ -389,6 +392,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-apiserver", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettings-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -401,8 +408,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "tigera-apiserver", ns: "tigera-system", group: "apps", version: "v1", kind: "Deployment"}, {name: "tigera-api", ns: "tigera-system", group: "", version: "v1", kind: "Service"}, {name: "tigera-apiserver", ns: "tigera-system", group: "policy", version: "v1", kind: "PodDisruptionBudget"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-ui-user", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -443,6 +448,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-apiserver", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettings-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -455,8 +464,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "tigera-apiserver", ns: "tigera-system", group: "apps", version: "v1", kind: "Deployment"}, {name: "tigera-api", ns: "tigera-system", group: "", version: "v1", kind: "Service"}, {name: "tigera-apiserver", ns: "tigera-system", group: "policy", version: "v1", kind: "PodDisruptionBudget"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-ui-user", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -473,16 +480,16 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { Expect(resources).To(HaveLen(len(expectedResources))) // Should render the correct resources. - cr := rtest.GetResource(resources, "tigera-tier-getter", "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole) + cr := rtest.GetResource(resources, "calico-tier-getter", "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole) Expect(len(cr.Rules)).To(Equal(1)) Expect(len(cr.Rules[0].Resources)).To(Equal(1)) Expect(cr.Rules[0].Resources[0]).To(Equal("tiers")) Expect(len(cr.Rules[0].Verbs)).To(Equal(1)) Expect(cr.Rules[0].Verbs[0]).To(Equal("get")) - crb := rtest.GetResource(resources, "tigera-tier-getter", "", "rbac.authorization.k8s.io", "v1", "ClusterRoleBinding").(*rbacv1.ClusterRoleBinding) + crb := rtest.GetResource(resources, "calico-tier-getter", "", "rbac.authorization.k8s.io", "v1", "ClusterRoleBinding").(*rbacv1.ClusterRoleBinding) Expect(crb.RoleRef.Kind).To(Equal("ClusterRole")) - Expect(crb.RoleRef.Name).To(Equal("tigera-tier-getter")) + Expect(crb.RoleRef.Name).To(Equal("calico-tier-getter")) Expect(len(crb.Subjects)).To(Equal(1)) Expect(crb.Subjects[0].Kind).To(Equal("User")) Expect(crb.Subjects[0].Name).To(Equal("system:kube-controller-manager")) 
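Review bot: The renamed `calico-tier-getter` role and binding are content-checked here, but the new `calico-tiered-policy-passthrough` ClusterRole and ClusterRoleBinding — the one pair in this commit that binds `system:authenticated` cluster-wide — are only checked for existence in the expected-resource lists (the other list hunks in this file and the Calico suite's list at +1558). A change that widened the resource list or the subject would pass unnoticed; pinning the rule and the subject next to the tier-getter assertions closes that gap, and the same assertions belong in the Calico suite. The surrounding Describe block starts outside the hunk.
```go
// … unchanged: calico-tier-getter assertions …
pcr := rtest.GetResource(resources, "calico-tiered-policy-passthrough", "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole)
Expect(pcr.Rules).To(HaveLen(1))
Expect(pcr.Rules[0].APIGroups).To(Equal([]string{"projectcalico.org"}))
Expect(pcr.Rules[0].Resources).To(Equal([]string{"networkpolicies", "globalnetworkpolicies"}))
Expect(pcr.Rules[0].Verbs).To(Equal([]string{"*"}))
pcrb := rtest.GetResource(resources, "calico-tiered-policy-passthrough", "", "rbac.authorization.k8s.io", "v1", "ClusterRoleBinding").(*rbacv1.ClusterRoleBinding)
Expect(pcrb.RoleRef.Kind).To(Equal("ClusterRole"))
Expect(pcrb.RoleRef.Name).To(Equal("calico-tiered-policy-passthrough"))
Expect(pcrb.Subjects).To(HaveLen(1))
Expect(pcrb.Subjects[0].Kind).To(Equal("Group"))
Expect(pcrb.Subjects[0].Name).To(Equal("system:authenticated"))
```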
@@ -518,6 +525,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-apiserver", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettings-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -530,8 +541,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "tigera-apiserver", ns: "tigera-system", group: "apps", version: "v1", kind: "Deployment"}, {name: "tigera-api", ns: "tigera-system", group: "", version: "v1", kind: "Service"}, {name: "tigera-apiserver", ns: "tigera-system", group: "policy", version: "v1", kind: "PodDisruptionBudget"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-ui-user", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -586,6 +595,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-apiserver", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettings-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -598,8 +611,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "tigera-apiserver", ns: "tigera-system", group: "apps", version: "v1", kind: "Deployment"}, {name: "tigera-api", ns: "tigera-system", group: "", version: "v1", kind: "Service"}, {name: "tigera-apiserver", ns: "tigera-system", group: "policy", version: "v1", kind: "PodDisruptionBudget"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-ui-user", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -708,6 +719,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-apiserver", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettings-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -720,8 +735,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "tigera-apiserver", ns: "tigera-system", group: "apps", version: "v1", kind: "Deployment"}, {name: "tigera-api", ns: "tigera-system", group: "", version: "v1", kind: "Service"}, {name: "tigera-apiserver", ns: "tigera-system", group: "policy", version: "v1", kind: "PodDisruptionBudget"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, - {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-ui-user", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, @@ -777,6 +790,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "calico-crds"}}, &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-apiserver"}}, &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-apiserver-access-calico-crds"}}, + &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "calico-tier-getter"}}, + &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-tier-getter"}}, + &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "calico-tiered-policy-passthrough"}}, + &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-tiered-policy-passthrough"}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-tiered-policy-passthrough"}}, &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-tiered-policy-passthrough"}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-uisettings-passthrough"}}, 
@@ -789,8 +806,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "tigera-apiserver", Namespace: "tigera-system"}}, &corev1.Service{ObjectMeta: metav1.ObjectMeta{Name: "tigera-api", Namespace: "tigera-system"}}, &policyv1.PodDisruptionBudget{ObjectMeta: metav1.ObjectMeta{Name: "tigera-apiserver", Namespace: "tigera-system"}}, - &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-tier-getter"}}, - &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-tier-getter"}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-uisettingsgroup-getter"}}, &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-uisettingsgroup-getter"}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-ui-user"}}, 
@@ -860,6 +875,10 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-apiserver", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "tigera-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "tigera-uisettings-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, 
@@ -872,8 +891,6 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() {
 {name: "tigera-apiserver", ns: "tigera-system", group: "apps", version: "v1", kind: "Deployment"},
 {name: "tigera-api", ns: "tigera-system", group: "", version: "v1", kind: "Service"},
 {name: "tigera-apiserver", ns: "tigera-system", group: "policy", version: "v1", kind: "PodDisruptionBudget"},
- {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
- {name: "tigera-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
 {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
 {name: "tigera-uisettingsgroup-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
 {name: "tigera-ui-user", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
@@ -1541,6 +1558,10 @@ var _ = Describe("API server rendering tests (Calico)", func() {
 {name: "calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
 {name: "calico-apiserver", ns: "calico-apiserver", group: "", version: "v1", kind: "ServiceAccount"},
 {name: "calico-apiserver-access-calico-crds", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
+ {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
+ {name: "calico-tier-getter", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
+ {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
+ {name: "calico-tiered-policy-passthrough", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
 {name: "calico-extension-apiserver-auth-access", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
 {name: "calico-extension-apiserver-auth-access", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
 {name: "calico-apiserver-delegate-auth", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
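Review bot: The new `calico-tier-getter` and `calico-tiered-policy-passthrough` entries are checked only by name, namespace, group, version and kind, so the verbs the ClusterRole grants on tiers and the subjects the ClusterRoleBinding attaches are not pinned by this test. A rule-level assertion for these two RBAC objects (presumably that the getter role carries only read verbs on `tiers`, and that the passthrough binding's subject is the API server's service account) would catch accidental privilege growth in later refactors; the rendered objects are produced outside this hunk, so the verbs they currently carry cannot be confirmed from here. The same applies to the mirrored entries in the hunk at -1660.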
@@ -1660,6 +1681,10 @@ var _ = Describe("API server rendering tests (Calico)", func() {
 &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "calico-apiserver", Namespace: "calico-apiserver"}, TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "ServiceAccount"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "calico-crds"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}},
 &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-apiserver-access-calico-crds"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}},
+ &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "calico-tier-getter"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}},
+ &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-tier-getter"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}},
+ &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "calico-tiered-policy-passthrough"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}},
+ &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-tiered-policy-passthrough"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "calico-extension-apiserver-auth-access"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}},
 &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-extension-apiserver-auth-access"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}},
 &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "calico-apiserver-delegate-auth"}, TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}},
diff --git a/pkg/render/kubecontrollers/kube-controllers.go b/pkg/render/kubecontrollers/kube-controllers.go
index fe94846afe..2ddee05d0a 100644
--- a/pkg/render/kubecontrollers/kube-controllers.go
+++ b/pkg/render/kubecontrollers/kube-controllers.go
@@ -402,6 +402,12 @@ func kubeControllersRoleCommonRules(cfg *KubeControllersConfiguration, kubeContr
 Resources: []string{"kubecontrollersconfigurations"},
 Verbs: []string{"get", "create", "update", "watch"},
 },
+ {
+ // calico-kube-controllers requires tiers create
+ APIGroups: []string{"crd.projectcalico.org"},
+ Resources: []string{"tiers"},
+ Verbs: []string{"create"},
+ },
 }
 
 if cfg.Installation.KubernetesProvider.IsOpenShift() {
@@ -429,12 +435,6 @@ func kubeControllersRoleEnterpriseCommonRules(cfg *KubeControllersConfiguration)
 Resources: []string{"licensekeys"},
 Verbs: []string{"get", "watch", "list"},
 },
- {
- // calico-kube-controllers requires tiers create
- APIGroups: []string{"crd.projectcalico.org"},
- Resources: []string{"tiers"},
- Verbs: []string{"create"},
- },
 {
 // Needed to validate the license
 APIGroups: []string{"crd.projectcalico.org"},
diff --git a/pkg/render/node.go b/pkg/render/node.go
index 2eb8dd2a03..fc1e7888b3 100644
--- a/pkg/render/node.go
+++ b/pkg/render/node.go
@@ -444,6 +444,7 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole {
 "stagedkubernetesnetworkpolicies",
 "stagednetworkpolicies",
 "networksets",
+ "tiers",
 },
 Verbs: []string{"get", "list", "watch"},
 },
@@ -475,6 +476,14 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole {
 },
 Verbs: []string{"create", "update"},
 },
+ {
+ // Calico creates some tiers on startup.
+ APIGroups: []string{"crd.projectcalico.org"},
+ Resources: []string{
+ "tiers",
+ },
+ Verbs: []string{"create"},
+ },
 {
 // Calico monitors nodes for some networking configuration.
 APIGroups: []string{""},
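Review bot: The `create` verb on `tiers` moves from the Enterprise-only rule set into `kubeControllersRoleCommonRules`, and the hunks at node.go -475 and typha.go -277 add the same create rule to the calico-node and typha ClusterRoles for both variants. calico-node runs as a per-node DaemonSet, so if this role is bound to its service account as usual, every node gains the ability to create tiers cluster-wide; if the intent is only that a default tier exists at startup, letting one component own that (kube-controllers already receives `create` here) and dropping the verb from node and typha would keep the per-node role narrower. The comments `// calico-kube-controllers requires tiers create` and `// Calico creates some tiers on startup.` name neither the tier(s) created nor why `create` alone, without `get` or `update`, is sufficient; naming them in the comment would let a later reviewer judge whether the verb set is minimal. Whether node and typha actually need to create tiers cannot be confirmed from these hunks.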
@@ -520,19 +529,10 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole {
 "stagedglobalnetworkpolicies",
 "stagedkubernetesnetworkpolicies",
 "stagednetworkpolicies",
- "tiers",
 "packetcaptures",
 },
 Verbs: []string{"get", "list", "watch"},
 },
- {
- // Tigera Secure creates some tiers on startup.
- APIGroups: []string{"crd.projectcalico.org"},
- Resources: []string{
- "tiers",
- },
- Verbs: []string{"create"},
- },
 {
 // Tigera Secure updates status for packet captures.
 APIGroups: []string{"crd.projectcalico.org"},
diff --git a/pkg/render/typha.go b/pkg/render/typha.go
index a5ffb9bf1b..7e42550e9d 100644
--- a/pkg/render/typha.go
+++ b/pkg/render/typha.go
@@ -254,6 +254,7 @@ func (c *typhaComponent) typhaRole() *rbacv1.ClusterRole {
 "ipreservations",
 "networkpolicies",
 "networksets",
+ "tiers",
 },
 Verbs: []string{"get", "list", "watch"},
 },
@@ -277,6 +278,14 @@ func (c *typhaComponent) typhaRole() *rbacv1.ClusterRole {
 },
 Verbs: []string{"create", "update"},
 },
+ {
+ // Calico creates some tiers on startup.
+ APIGroups: []string{"crd.projectcalico.org"},
+ Resources: []string{
+ "tiers",
+ },
+ Verbs: []string{"create"},
+ },
 {
 // Calico monitors nodes for some networking configuration.
 APIGroups: []string{""},
@@ -311,7 +320,7 @@ func (c *typhaComponent) typhaRole() *rbacv1.ClusterRole {
 if c.cfg.Installation.Variant == operatorv1.TigeraSecureEnterprise {
 extraRules := []rbacv1.PolicyRule{
 {
- // Tigera Secure needs to be able to read licenses, tiers, and config.
+ // Tigera Secure needs to be able to read licenses, and config.
 APIGroups: []string{"crd.projectcalico.org"},
 Resources: []string{
 "licensekeys",
@@ -319,7 +328,6 @@ func (c *typhaComponent) typhaRole() *rbacv1.ClusterRole {
 "stagedglobalnetworkpolicies",
 "stagedkubernetesnetworkpolicies",
 "stagednetworkpolicies",
- "tiers",
 "packetcaptures",
 "deeppacketinspections",
 "externalnetworks",
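Review bot: The rewritten comment in the typha.go -311 hunk keeps the serial comma from the old three-item list after `tiers` was removed, leaving `licenses, and config`. Suggested wording: `// Tigera Secure needs to be able to read licenses and config.`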
@@ -327,14 +335,6 @@ func (c *typhaComponent) typhaRole() *rbacv1.ClusterRole {
 },
 Verbs: []string{"get", "list", "watch"},
 },
- {
- // Tigera Secure creates some tiers on startup.
- APIGroups: []string{"crd.projectcalico.org"},
- Resources: []string{
- "tiers",
- },
- Verbs: []string{"create"},
- },
 }
 role.Rules = append(role.Rules, extraRules...)
 }