Shared k8s cluster: narrowing the milvus operator's permissions #42701
Replies: 4 comments 1 reply
-
Wait @LoveEachDay
-
@haorenfsa Could you double check the privileges provided above?
-
@bozai111 The reason why we have to introduce a lot of permissions is because the dependent pulsar chart incorrectly defines a lot of high permissions. You can try this and then adjust it according to the log error.
-
Our Pulsar is an external service provided by a dedicated team; it is not a Pulsar deployed through the milvus operator, so Pulsar permissions should not need to be considered.
-
While deploying a Milvus cluster with the milvus operator, we noticed that the k8s permissions requested by the milvus operator chart are fairly broad. To avoid over-privilege and accidental operations on other resources in k8s, we narrowed the milvus operator's permissions.
Permission narrowing strategy:
1. When deploying a milvus cluster, first request a namespace, then grant the milvus operator all permissions within that namespace.
2. Cluster-wide resource permissions are granted to the milvus operator only as needed.
Currently two files are modified:
clusterrole.yaml
clusterrolebinding.yaml
milvus-operator/templates/clusterrole.yaml

```yaml
{{- /* Code generated by make. DO NOT EDIT. */ -}}
{{- if .Values.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: '{{ include "chart.fullname" . }}-manager-role-for-cluster'
rules:
- apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - configmaps
  - persistentvolumeclaims
  - persistentvolumes
  - deployments
  - pods
  - pods/exec
  - secrets
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - milvus.io
  resources:
  - milvusclusters
  - milvuses
  - milvusupgrades
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - milvus.io
  resources:
  - milvusclusters/finalizers
  - milvuses/finalizers
  - milvusupgrades/finalizers
  verbs:
  - update
- apiGroups:
  - monitoring.coreos.com
  resources:
  - podmonitors
  - servicemonitors
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - milvus.io
  resources:
  - milvusclusters/status
  - milvuses/status
  - milvusupgrades/status
  verbs:
  - get
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: '{{ include "chart.fullname" . }}-manager-role-for-ns'
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - pods/exec
  - secrets
  - serviceaccounts
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - deployments
  - ingresses
  - pods
  - secrets
  - services
  - statefulsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - milvus.io
  resources:
  - milvusclusters
  - milvuses
  - milvusupgrades
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - milvus.io
  resources:
  - milvusclusters/finalizers
  - milvuses/finalizers
  - milvusupgrades/finalizers
  verbs:
  - update
- apiGroups:
  - milvus.io
  resources:
  - milvusclusters/status
  - milvuses/status
  - milvusupgrades/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - monitoring.coreos.com
  resources:
  - podmonitors
  - servicemonitors
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - podsecuritypolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
{{- end -}}
```
milvus-operator/templates/clusterrolebinding.yaml

```yaml
{{- /* Code generated by make. DO NOT EDIT. */ -}}
{{- if .Values.rbac.create }}
{{- range .Values.rbac.namespaces }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: '{{ include "chart.fullname" $ }}-manager-rolebinding'
  namespace: {{ . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: '{{ include "chart.fullname" $ }}-manager-role-for-ns'
subjects:
- kind: ServiceAccount
  name: {{ include "chart.serviceAccountName" $ | quote }}
  namespace: {{ $.Release.Namespace | quote }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: '{{ include "chart.fullname" . }}-manager-rolebinding-for-cluster'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: '{{ include "chart.fullname" . }}-manager-role-for-cluster'
subjects:
- kind: ServiceAccount
  name: {{ include "chart.serviceAccountName" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
{{- end -}}
```
Could you help confirm whether this adjustment will cause any problems? Also, could the permissions turn out to be insufficient?
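Added example (not from the discussion or the milvus-operator chart): a static model of how the Kubernetes RBAC authorizer evaluates the two ClusterRoles in the post, one reached through a ClusterRoleBinding and one through per-namespace RoleBindings. The rule sets are a constructed subset of the post's YAML and `BOUND_NAMESPACES` is a constructed stand-in for `.Values.rbac.namespaces`; `can_i` answers the "is it allowed" question for a request, and `inert_grants` lists cluster-scoped resources that the RoleBinding-bound role names but can never actually grant.

```python
# Added example (not from the discussion or the milvus-operator chart): a static model of
# how the Kubernetes RBAC authorizer evaluates the two ClusterRoles above. Rule sets are a
# constructed subset of the post's YAML; the namespace list is a constructed stand-in.
ALL = {"create", "delete", "get", "list", "patch", "update", "watch"}
READ = {"get", "list", "watch"}

# Bound via ClusterRoleBinding: applies in every namespace and to cluster-scoped requests.
CLUSTER_RULES = [
    {"groups": {"", "apps", "extensions"}, "verbs": READ,
     "resources": {"configmaps", "persistentvolumeclaims", "persistentvolumes", "deployments",
                   "pods", "pods/exec", "secrets", "serviceaccounts", "services"}},
    {"groups": {"milvus.io"}, "verbs": ALL,
     "resources": {"milvusclusters", "milvuses", "milvusupgrades"}},
]
# Bound via RoleBinding in each entry of .Values.rbac.namespaces: namespaced resources only.
NS_RULES = [
    {"groups": {""}, "verbs": ALL,
     "resources": {"configmaps", "persistentvolumeclaims", "persistentvolumes", "pods",
                   "pods/exec", "secrets", "serviceaccounts", "services"}},
    {"groups": {"apps"}, "verbs": ALL,
     "resources": {"controllerrevisions", "deployments", "replicasets", "statefulsets"}},
    {"groups": {"policy"}, "verbs": ALL, "resources": {"poddisruptionbudgets", "podsecuritypolicies"}},
    {"groups": {"rbac.authorization.k8s.io"}, "verbs": ALL,
     "resources": {"clusterrolebindings", "clusterroles", "rolebindings", "roles"}},
]
# Resources without a namespace; a RoleBinding can never grant access to these.
CLUSTER_SCOPED = {"persistentvolumes", "podsecuritypolicies", "clusterroles",
                  "clusterrolebindings", "customresourcedefinitions"}
BOUND_NAMESPACES = {"milvus-prod"}  # constructed stand-in for .Values.rbac.namespaces

def _match(rules, verb, group, resource):
    return any(verb in r["verbs"] and group in r["groups"] and resource in r["resources"]
               for r in rules)

def can_i(verb, group, resource, namespace=None):
    """True if the operator's service account may perform the request.
    namespace=None is a cluster-scoped request ('get pods -A', or any cluster-scoped resource)."""
    if _match(CLUSTER_RULES, verb, group, resource):
        return True
    # A RoleBinding only matches requests made inside its own namespace, so a cluster-scoped
    # request never reaches NS_RULES, and neither does a namespaced request elsewhere.
    if namespace in BOUND_NAMESPACES and resource not in CLUSTER_SCOPED:
        return _match(NS_RULES, verb, group, resource)
    return False

def inert_grants():
    """Cluster-scoped resources listed in manager-role-for-ns: never effective through a
    RoleBinding, so they can be dropped from that role without losing any access."""
    return sorted(res for r in NS_RULES for res in r["resources"] if res in CLUSTER_SCOPED)
```

The inert grants are not a risk in themselves, but removing them keeps the role an honest statement of what the operator can do; the remaining cluster-wide exposure to review is the read access the for-cluster role gives to secrets in every namespace.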