
Commit 26dc69a

Move read permissions for ingressclasses.networking.k8s.io to ClusterRole
`IngressClass` is a cluster-scoped resource, so granting read permissions to the ServiceAccount in a namespaced role and rolebinding isn't sufficient. This commit changes the logic to generate a ClusterRole and ClusterRoleBinding which allow the SA to `get/list/watch` `IngressClass` resources. Fixes #41
1 parent 1e81f53 commit 26dc69a

4 files changed

+123
-37
lines changed


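--- a/component/cluster.libsonnet
+++ b/component/cluster.libsonnet
@@ -76,19 +76,6 @@ local cluster = function(name, options)
 'watch',
 ],
 },
-{
-apiGroups: [
-'networking.k8s.io',
-],
-resources: [
-'ingressclasses',
-],
-verbs: [
-'get',
-'list',
-'watch',
-],
-},
 {
 apiGroups: [
 'apps',
@@ -127,6 +114,28 @@ local cluster = function(name, options)
 roleRef_: role,
 };
 
+local clusterRole = kube.ClusterRole('syn-vcluster-%s' % [ name ]) {
+rules: [
+{
+apiGroups: [
+'networking.k8s.io',
+],
+resources: [
+'ingressclasses',
+],
+verbs: [
+'get',
+'list',
+'watch',
+],
+},
+],
+};
+local clusterRoleBinding = kube.ClusterRoleBinding('syn-vcluster-%s' % [ name ]) {
+subjects_: [ sa ],
+roleRef_: clusterRole,
+};
+
 local service = kube.Service(name) {
 metadata+: {
 namespace: options.namespace,
@@ -408,6 +417,8 @@ local cluster = function(name, options)
 sa,
 role,
 roleBinding,
+clusterRole,
+clusterRoleBinding,
 service,
 headlessService,
 statefulSet,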
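Review bot: The new `kube.ClusterRole('syn-vcluster-%s' % [ name ])` and `kube.ClusterRoleBinding('syn-vcluster-%s' % [ name ])` in the second hunk derive their names from `name` alone, while the rest of the objects in this function are namespaced via `options.namespace` (see `namespace: options.namespace` on the Service below, and the golden outputs where `vc-defaults`/`vc-oidc` live in different namespaces). ClusterRole and ClusterRoleBinding names are global, so if two vclusters with the same `name` are ever rendered into different namespaces, the second ClusterRoleBinding would overwrite the first and, because `subjects_` holds a single `sa`, silently revoke the first ServiceAccount's IngressClass access; this is inferred from the naming, not shown on the page. Qualifying the names with the namespace avoids the clash, e.g. `kube.ClusterRole('syn-vcluster-%s-%s' % [ options.namespace, name ])` and `kube.ClusterRoleBinding('syn-vcluster-%s-%s' % [ options.namespace, name ])`, with the golden files regenerated accordingly. A short comment above `local clusterRole`, such as `// IngressClass is cluster-scoped, so read access cannot be granted by the namespaced Role above`, would record why the rule moved. The enclosing `cluster` function starts and ends outside these hunks.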

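--- a/tests/golden/defaults/defaults/defaults/10_cluster.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_cluster.yaml
@@ -57,14 +57,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
-- networking.k8s.io
-resources:
-- ingressclasses
-verbs:
-- get
-- list
-- watch
 - apiGroups:
 - apps
 resources:
@@ -93,6 +85,39 @@ subjects:
 name: vc-defaults
 namespace: syn-defaults
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations: {}
+labels:
+name: syn-vcluster-defaults
+name: syn-vcluster-defaults
+rules:
+- apiGroups:
+- networking.k8s.io
+resources:
+- ingressclasses
+verbs:
+- get
+- list
+- watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+annotations: {}
+labels:
+name: syn-vcluster-defaults
+name: syn-vcluster-defaults
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: syn-vcluster-defaults
+subjects:
+- kind: ServiceAccount
+name: vc-defaults
+namespace: syn-defaults
+---
 apiVersion: v1
 kind: Service
 metadata: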

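--- a/tests/golden/oidc/oidc/oidc/10_cluster.yaml
+++ b/tests/golden/oidc/oidc/oidc/10_cluster.yaml
@@ -57,14 +57,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
-- networking.k8s.io
-resources:
-- ingressclasses
-verbs:
-- get
-- list
-- watch
 - apiGroups:
 - apps
 resources:
@@ -93,6 +85,39 @@ subjects:
 name: vc-oidc
 namespace: testns
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations: {}
+labels:
+name: syn-vcluster-oidc
+name: syn-vcluster-oidc
+rules:
+- apiGroups:
+- networking.k8s.io
+resources:
+- ingressclasses
+verbs:
+- get
+- list
+- watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+annotations: {}
+labels:
+name: syn-vcluster-oidc
+name: syn-vcluster-oidc
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: syn-vcluster-oidc
+subjects:
+- kind: ServiceAccount
+name: vc-oidc
+namespace: testns
+---
 apiVersion: v1
 kind: Service
 metadata: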

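--- a/tests/golden/openshift/openshift/openshift/10_cluster.yaml
+++ b/tests/golden/openshift/openshift/openshift/10_cluster.yaml
@@ -57,14 +57,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
-- networking.k8s.io
-resources:
-- ingressclasses
-verbs:
-- get
-- list
-- watch
 - apiGroups:
 - apps
 resources:
@@ -99,6 +91,39 @@ subjects:
 name: vc-openshift
 namespace: syn-openshift
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations: {}
+labels:
+name: syn-vcluster-openshift
+name: syn-vcluster-openshift
+rules:
+- apiGroups:
+- networking.k8s.io
+resources:
+- ingressclasses
+verbs:
+- get
+- list
+- watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+annotations: {}
+labels:
+name: syn-vcluster-openshift
+name: syn-vcluster-openshift
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: syn-vcluster-openshift
+subjects:
+- kind: ServiceAccount
+name: vc-openshift
+namespace: syn-openshift
+---
 apiVersion: v1
 kind: Service
 metadata: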
