From 7ffdcc5656d6df83778e34cba5d7bdd9c7b5faea Mon Sep 17 00:00:00 2001
From: weilaaa
Date: Mon, 19 Jul 2021 15:37:07 +0800
Subject: [PATCH] modify images.list
---
 hnc/hnc.yaml | 2 +-
 images/v1.18.20/images.list | 2 +-
 images/v1.19.13/images.list | 2 +-
 images/v1.20.9/images.list | 2 +-
 images/v1.21.2/images.list | 4 +-
 .../rbac/buildin/plarformAdminAg.yaml | 484 ++++++++++++++++++
 .../templates/rbac/buildin/platformAdmin.yaml | 475 +----------------
 .../templates/rbac/buildin/projectAdmin.yaml | 315 +-----------
 .../rbac/buildin/projectAdminAg.yaml | 324 ++++++++++++
 .../rbac/buildin/projectAdminCluster.yaml | 97 +---
 .../rbac/buildin/projectAdminClusterAg.yaml | 106 ++++
 .../templates/rbac/buildin/reviewer.yaml | 222 +-------
 .../templates/rbac/buildin/reviewerAg.yaml | 231 +++++++++
 .../rbac/buildin/reviewerCluster.yaml | 68 +--
 .../rbac/buildin/reviewerClusterAg.yaml | 77 +++
 .../templates/rbac/buildin/tenantAdmin.yaml | 315 +-----------
 .../templates/rbac/buildin/tenantAdminAg.yaml | 324 ++++++++++++
 .../rbac/buildin/tenantAdminCluster.yaml | 124 +----
 .../rbac/buildin/tenantAdminClusterAg.yaml | 133 +++++
 19 files changed, 1692 insertions(+), 1615 deletions(-)
 create mode 100644 kubecube/v0.0.1/templates/rbac/buildin/plarformAdminAg.yaml
 create mode 100644 kubecube/v0.0.1/templates/rbac/buildin/projectAdminAg.yaml
 create mode 100644 kubecube/v0.0.1/templates/rbac/buildin/projectAdminClusterAg.yaml
 create mode 100644 kubecube/v0.0.1/templates/rbac/buildin/reviewerAg.yaml
 create mode 100644 kubecube/v0.0.1/templates/rbac/buildin/reviewerClusterAg.yaml
 create mode 100644 kubecube/v0.0.1/templates/rbac/buildin/tenantAdminAg.yaml
 create mode 100644 kubecube/v0.0.1/templates/rbac/buildin/tenantAdminClusterAg.yaml
diff --git a/hnc/hnc.yaml b/hnc/hnc.yaml
index 8737505..d97f5cc 100644
--- a/hnc/hnc.yaml
+++ b/hnc/hnc.yaml
@@ -542,7 +542,7 @@ spec:
 - --cert-restart-on-secret-refresh
 command:
 - /manager
- image: hub.c.163.com/kubecube/hnc:v0.8.0
+ image: hub.c.163.com/kubecube/hnc/hnc-manager:v0.8.0-kubecube.1
 name: manager
 ports:
 - containerPort: 9443
diff --git a/images/v1.18.20/images.list b/images/v1.18.20/images.list
index f033f89..c485495 100644
--- a/images/v1.18.20/images.list
+++ b/images/v1.18.20/images.list
@@ -13,7 +13,7 @@ hub.c.163.com/kubecube/kube-state-metrics:v1.9.8
 hub.c.163.com/kubecube/prometheus-operator:v0.47.0
 hub.c.163.com/kubecube/node-exporter:v1.1.2
 hub.c.163.com/kubecube/prometheus:v2.26.0
-hub.c.163.com/kubecube/hnc:v0.8.0
+hub.c.163.com/kubecube/hnc/hnc-manager:v0.8.0-kubecube.1
 hub.c.163.com/kubecube/ingress-nginx/controller:v0.46.0-m
 hub.c.163.com/kubecube/calico/node:v3.19.1-m
 hub.c.163.com/kubecube/calico/cni:v3.19.1-m
diff --git a/images/v1.19.13/images.list b/images/v1.19.13/images.list
index 2793035..bbbea10 100644
--- a/images/v1.19.13/images.list
+++ b/images/v1.19.13/images.list
@@ -13,7 +13,7 @@ hub.c.163.com/kubecube/kube-state-metrics:v1.9.8
 hub.c.163.com/kubecube/prometheus-operator:v0.47.0
 hub.c.163.com/kubecube/node-exporter:v1.1.2
 hub.c.163.com/kubecube/prometheus:v2.26.0
-hub.c.163.com/kubecube/hnc:v0.8.0
+hub.c.163.com/kubecube/hnc/hnc-manager:v0.8.0-kubecube.1
 hub.c.163.com/kubecube/ingress-nginx/controller:v0.46.0-m
 hub.c.163.com/kubecube/calico/node:v3.19.1-m
 hub.c.163.com/kubecube/calico/cni:v3.19.1-m
diff --git a/images/v1.20.9/images.list b/images/v1.20.9/images.list
index 4506e44..fdb48b3 100644
--- a/images/v1.20.9/images.list
+++ b/images/v1.20.9/images.list
@@ -13,7 +13,7 @@ hub.c.163.com/kubecube/kube-state-metrics:v1.9.8
 hub.c.163.com/kubecube/prometheus-operator:v0.47.0
 hub.c.163.com/kubecube/node-exporter:v1.1.2
 hub.c.163.com/kubecube/prometheus:v2.26.0
-hub.c.163.com/kubecube/hnc:v0.8.0
+hub.c.163.com/kubecube/hnc/hnc-manager:v0.8.0-kubecube.1
 hub.c.163.com/kubecube/ingress-nginx/controller:v0.46.0-m
 hub.c.163.com/kubecube/calico/node:v3.19.1-m
 hub.c.163.com/kubecube/calico/cni:v3.19.1-m
diff --git a/images/v1.21.2/images.list b/images/v1.21.2/images.list
index 06fc701..a27b4a3 100644
--- a/images/v1.21.2/images.list
+++ b/images/v1.21.2/images.list
@@ -13,7 +13,7 @@ hub.c.163.com/kubecube/kube-state-metrics:v1.9.8
 hub.c.163.com/kubecube/prometheus-operator:v0.47.0
 hub.c.163.com/kubecube/node-exporter:v1.1.2
 hub.c.163.com/kubecube/prometheus:v2.26.0
-hub.c.163.com/kubecube/hnc:v0.8.0
+hub.c.163.com/kubecube/hnc/hnc-manager:v0.8.0-kubecube.1
 hub.c.163.com/kubecube/ingress-nginx/controller:v0.46.0-m
 hub.c.163.com/kubecube/calico/node:v3.19.1-m
 hub.c.163.com/kubecube/calico/cni:v3.19.1-m
@@ -30,4 +30,4 @@ registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.21.2
 registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.21.2
 registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.4.1
 registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0
-registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.8.0
\ No newline at end of file
+registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.8.0
\ No newline at end of file
diff --git a/kubecube/v0.0.1/templates/rbac/buildin/plarformAdminAg.yaml b/kubecube/v0.0.1/templates/rbac/buildin/plarformAdminAg.yaml
new file mode 100644
index 0000000..dcd941c
--- /dev/null
+++ b/kubecube/v0.0.1/templates/rbac/buildin/plarformAdminAg.yaml
@@ -0,0 +1,484 @@ +# platform-admin has all privileges used +# of ClusterRoleBinding. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-to-platform-admin + labels: + rbac.authorization.k8s.io/aggregate-to-platform-admin: "true" + annotations: + kubecube.io/sync: "true" +rules: + - apiGroups: + - "*" + resources: + - pods + - pods/attach + - pods/status + - pods/execescalate + - pods/exec + - pods/portforward + - pods/proxy + - pods/log + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - replicationcontrollers + - replicationcontrollers/scale + - replicationcontrollers/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - configmaps + - endpoints + - secrets + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - services + - services/proxy + - services/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - serviceaccounts + verbs: + - impersonate + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/rollback + - deployments/scale + - deployments/status + - statefulsets + - statefulsets/scale + - statefulsets/status + - replicasets + - replicasets/scale + - replicasets/status + - controllerrevisions + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - 
horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - ingresses + - ingresses/status + - networkpolicies + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - nodes + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - storageclasses + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - bindings + - events + - limitranges + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - namespaces + - namespaces/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - localsubjectaccessreviews + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "*" + resources: + - rolebindings + - roles + - clusterrolebindings + - clusterroles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + # access to operate 
cuberesourcequota + - apiGroups: + - "*" + resources: + - cuberesourcequota + - cuberesourcequota/finalizers + - cuberesourcequota/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + # access to operate cluster + - apiGroups: + - "*" + resources: + - clusters + - clusters/finalizers + - clusters/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + # access to operate tenant + - apiGroups: + - "*" + resources: + - tenants + - tenants/finalizers + - tenants/status + - projects + - projects/finalizers + - projects/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + # access to operate project + - apiGroups: + - "*" + resources: + - users + - users/finalizers + - users/status + - keys + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #monitoring.kubecube.io + resources: + - dashboards + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #monitoring.coreos.com + resources: + - alertmanagerconfigs + - alertmanagers + - podmonitors + - probes + - prometheuses + - prometheusrules + - servicemonitors + - thanosrulers + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #crd.projectcalico.org + resources: + - bgpconfigurations + - bgppeers + - blockaffinities + - clusterinformations + - felixconfigurations + - globalnetworkpolicies + - globalnetworksets + - hostendpoints + - ipamblocks + - ipamconfigs + - ipamhandles + - ippools + - kubecontrollersconfigurations + - networkpolicies + - networksets + verbs: + - get 
+ - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #hnc.x-k8s.io + resources: + - hierarchyconfigurations + - hncconfigurations + - subnamespaceanchors + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #hotplug.kubecube.io + resources: + - hotplugs + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #netease.com + resources: + - nodelogconfigs + - logconfigs + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #storage.kubecube.io + resources: + - cephs + - nfs + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update diff --git a/kubecube/v0.0.1/templates/rbac/buildin/platformAdmin.yaml b/kubecube/v0.0.1/templates/rbac/buildin/platformAdmin.yaml index 5f447b5..9792ced 100644 --- a/kubecube/v0.0.1/templates/rbac/buildin/platformAdmin.yaml +++ b/kubecube/v0.0.1/templates/rbac/buildin/platformAdmin.yaml 
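Review bot: The new file is named `plarformAdminAg.yaml` while the ClusterRole inside it is `aggregate-to-platform-admin` and its sibling is `platformAdmin.yaml`; rename it to `platformAdminAg.yaml` so the misspelling does not survive into the other `*Ag.yaml` naming scheme this commit introduces. Every rule in the file uses `apiGroups: ["*"]`, including those whose trailing comment names the group that was evidently meant (`#monitoring.kubecube.io`, `#apiextensions.k8s.io`, `#monitoring.coreos.com`, `#crd.projectcalico.org`, `#hnc.x-k8s.io`, `#storage.kubecube.io`), so each of them grants the listed resource names in every API group rather than the commented one; for a platform-wide admin that may be deliberate, but then the comment should say so, otherwise write the group out, e.g. `- apiGroups:` / `- monitoring.kubecube.io`. The header `# platform-admin has all privileges used` / `# of ClusterRoleBinding.` appears to be carried over from the non-aggregated role and no longer describes this object; suggest `# Aggregated into platform-admin through the aggregate-to-platform-admin label; add platform-admin rules here, not in platformAdmin.yaml.`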
@@ -13,477 +13,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-platform-admin: "true" -rules: - - apiGroups: - - "*" - resources: - - pods - - pods/attach - - pods/status - - pods/execescalate - - pods/exec - - pods/portforward - - pods/proxy - - pods/log - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - persistentvolumeclaims - - persistentvolumeclaims/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - configmaps - - endpoints - - secrets - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - services - - services/proxy - - services/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - serviceaccounts - verbs: - - impersonate - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - daemonsets - - daemonsets/status - - deployments - - deployments/rollback - - deployments/scale - - deployments/status - - statefulsets - - statefulsets/scale - - statefulsets/status - - replicasets - - replicasets/scale - - replicasets/status - - controllerrevisions - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - 
"*" - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - ingresses - - ingresses/status - - networkpolicies - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - poddisruptionbudgets - - poddisruptionbudgets/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - nodes - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - storageclasses - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - bindings - - events - - limitranges - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - namespaces - - namespaces/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - localsubjectaccessreviews - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "*" - resources: - - rolebindings - - roles - - clusterrolebindings - - clusterroles - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - # access to operate cuberesourcequota - - apiGroups: - - "*" - resources: - - cuberesourcequota - - cuberesourcequota/finalizers - - cuberesourcequota/status - verbs: - - get - - list - - watch - - create - - delete 
- - deletecollection - - patch - - update - # access to operate cluster - - apiGroups: - - "*" - resources: - - clusters - - clusters/finalizers - - clusters/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - # access to operate tenant - - apiGroups: - - "*" - resources: - - tenants - - tenants/finalizers - - tenants/status - - projects - - projects/finalizers - - projects/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - # access to operate project - - apiGroups: - - "*" - resources: - - users - - users/finalizers - - users/status - - keys - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #monitoring.kubecube.io - resources: - - dashboards - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #monitoring.coreos.com - resources: - - alertmanagerconfigs - - alertmanagers - - podmonitors - - probes - - prometheuses - - prometheusrules - - servicemonitors - - thanosrulers - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #crd.projectcalico.org - resources: - - bgpconfigurations - - bgppeers - - blockaffinities - - clusterinformations - - felixconfigurations - - globalnetworkpolicies - - globalnetworksets - - hostendpoints - - ipamblocks - - ipamconfigs - - ipamhandles - - ippools - - kubecontrollersconfigurations - - networkpolicies - - networksets - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #hnc.x-k8s.io - resources: - - hierarchyconfigurations - - hncconfigurations - - 
subnamespaceanchors - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #hotplug.kubecube.io - resources: - - hotplugs - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #netease.com - resources: - - nodelogconfigs - - logconfigs - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #storage.kubecube.io - resources: - - cephs - - nfs - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update +rules: [] diff --git a/kubecube/v0.0.1/templates/rbac/buildin/projectAdmin.yaml b/kubecube/v0.0.1/templates/rbac/buildin/projectAdmin.yaml index fe1d35e..d6bde33 100644 --- a/kubecube/v0.0.1/templates/rbac/buildin/projectAdmin.yaml +++ b/kubecube/v0.0.1/templates/rbac/buildin/projectAdmin.yaml 
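Review bot: `rules: []` is the right value for a ClusterRole that carries an `aggregationRule` — the control plane fills `rules` from the ClusterRoles matching the selector and overwrites anything written here — but an unexplained empty list reads like an accident to the next editor, so add `# rules are populated by the aggregation controller; edit the matching *Ag.yaml file instead` above it. The same `+rules: []` line is added to projectAdmin.yaml, projectAdminCluster.yaml and reviewer.yaml in this commit, and in those three files the new line is written without a trailing newline (`\ No newline at end of file`) while platformAdmin.yaml's is terminated correctly; make them consistent. The metadata and `aggregationRule` of each of these files begin before their hunks.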
@@ -13,317 +13,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-project-admin: "true" -rules: - - apiGroups: - - "*" - resources: - - pods - - pods/attach - - pods/status - - pods/execescalate - - pods/exec - - pods/portforward - - pods/proxy - - pods/log - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - persistentvolumeclaims - - persistentvolumeclaims/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - configmaps - - endpoints - - secrets - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - services - - services/proxy - - services/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - serviceaccounts - verbs: - - impersonate - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - daemonsets - - daemonsets/status - - deployments - - deployments/rollback - - deployments/scale - - deployments/status - - statefulsets - - statefulsets/scale - - statefulsets/status - - replicasets - - replicasets/scale - - replicasets/status - - controllerrevisions - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - 
"*" - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - ingresses - - ingresses/status - - networkpolicies - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - poddisruptionbudgets - - poddisruptionbudgets/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - bindings - - events - - limitranges - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - rolebindings - - roles - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "*" - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - bindings - - events - - limitranges - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #hnc.x-k8s.io - resources: - - hierarchyconfigurations - - hncconfigurations - - subnamespaceanchors - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #monitoring.kubecube.io - resources: - - dashboards - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #netease.com - 
resources: - - nodelogconfigs - - logconfigs - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #monitoring.coreos.com - resources: - - alertmanagerconfigs - - podmonitors - - prometheusrules - - servicemonitors - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update \ No newline at end of file +rules: [] \ No newline at end of file diff --git a/kubecube/v0.0.1/templates/rbac/buildin/projectAdminAg.yaml b/kubecube/v0.0.1/templates/rbac/buildin/projectAdminAg.yaml new file mode 100644 index 0000000..98a641e --- /dev/null +++ b/kubecube/v0.0.1/templates/rbac/buildin/projectAdminAg.yaml 
@@ -0,0 +1,324 @@ +# project-admin has limited privileges under of +# project namespace used of RoleBinding. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-to-project-admin + labels: + rbac.authorization.k8s.io/aggregate-to-project-admin: "true" + annotations: + kubecube.io/sync: "true" +rules: + - apiGroups: + - "*" + resources: + - pods + - pods/attach + - pods/status + - pods/execescalate + - pods/exec + - pods/portforward + - pods/proxy + - pods/log + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - replicationcontrollers + - replicationcontrollers/scale + - replicationcontrollers/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - configmaps + - endpoints + - secrets + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - services + - services/proxy + - services/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - serviceaccounts + verbs: + - impersonate + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/rollback + - deployments/scale + - deployments/status + - statefulsets + - statefulsets/scale + - statefulsets/status + - replicasets + - replicasets/scale + - replicasets/status + - controllerrevisions + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + 
resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - ingresses + - ingresses/status + - networkpolicies + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - bindings + - events + - limitranges + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "*" + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - bindings + - events + - limitranges + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #hnc.x-k8s.io + resources: + - hierarchyconfigurations + - hncconfigurations + - subnamespaceanchors + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - 
"*" #monitoring.kubecube.io + resources: + - dashboards + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #netease.com + resources: + - nodelogconfigs + - logconfigs + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "*" #monitoring.coreos.com + resources: + - alertmanagerconfigs + - podmonitors + - prometheusrules + - servicemonitors + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update \ No newline at end of file diff --git a/kubecube/v0.0.1/templates/rbac/buildin/projectAdminCluster.yaml b/kubecube/v0.0.1/templates/rbac/buildin/projectAdminCluster.yaml index b04f804..0a76923 100644 --- a/kubecube/v0.0.1/templates/rbac/buildin/projectAdminCluster.yaml +++ b/kubecube/v0.0.1/templates/rbac/buildin/projectAdminCluster.yaml 
@@ -10,99 +10,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-project-admin-cluster: "true" -rules: - # only has read authority of namespace cause - # subNamespace will replace it - - apiGroups: - - "" - resources: - - namespaces - - namespaces/status - verbs: - - get - - list - - watch - - apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch - # access to operate cuberesourcequota - - apiGroups: - - quota.kubecube.io - resources: - - cuberesourcequota - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - quota.kubecube.io - resources: - - cuberesourcequota/finalizers - verbs: - - update - - apiGroups: - - quota.kubecube.io - resources: - - cuberesourcequota/status - verbs: - - get - - patch - - update - # project has read authority of user - - apiGroups: - - user.kubecube.io - resources: - - users - verbs: - - get - - list - - watch - - apiGroups: - - user.kubecube.io - resources: - - users/status - verbs: - - get - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - apiGroups: - - "*" #apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - "*" #storage.kubecube.io - resources: - - cephs - - nfs - verbs: - - get - - list - - watch \ No newline at end of file +rules: [] \ No newline at end of file diff --git a/kubecube/v0.0.1/templates/rbac/buildin/projectAdminClusterAg.yaml b/kubecube/v0.0.1/templates/rbac/buildin/projectAdminClusterAg.yaml new file mode 100644 index 0000000..18f7080 --- /dev/null +++ b/kubecube/v0.0.1/templates/rbac/buildin/projectAdminClusterAg.yaml 
@@ -0,0 +1,106 @@ +# project-admin has limited privileges under of +# project namespace used of RoleBinding. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-to-project-admin-cluster + labels: + rbac.authorization.k8s.io/aggregate-to-project-admin-cluster: "true" + annotations: + kubecube.io/sync: "true" +rules: + # only has read authority of namespace cause + # subNamespace will replace it + - apiGroups: + - "" + resources: + - namespaces + - namespaces/status + verbs: + - get + - list + - watch + - apiGroups: + - metrics.k8s.io + resources: + - pods + - nodes + verbs: + - get + - list + - watch + # access to operate cuberesourcequota + - apiGroups: + - quota.kubecube.io + resources: + - cuberesourcequota + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - quota.kubecube.io + resources: + - cuberesourcequota/finalizers + verbs: + - update + - apiGroups: + - quota.kubecube.io + resources: + - cuberesourcequota/status + verbs: + - get + - patch + - update + # project has read authority of user + - apiGroups: + - user.kubecube.io + resources: + - users + verbs: + - get + - list + - watch + - apiGroups: + - user.kubecube.io + resources: + - users/status + verbs: + - get + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - apiGroups: + - "*" #apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - "*" #storage.kubecube.io + resources: + - cephs + - nfs + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/kubecube/v0.0.1/templates/rbac/buildin/reviewer.yaml b/kubecube/v0.0.1/templates/rbac/buildin/reviewer.yaml index 195bb8f..6e77b77 100644 --- a/kubecube/v0.0.1/templates/rbac/buildin/reviewer.yaml +++ b/kubecube/v0.0.1/templates/rbac/buildin/reviewer.yaml 
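Review bot: The header comment is copied from the namespace-scoped project-admin role (`# project-admin has limited privileges under of` / `# project namespace used of RoleBinding.`), but this object is `aggregate-to-project-admin-cluster`, the cluster-scoped half; suggest `# Cluster-scoped rules aggregated into project-admin-cluster through the aggregate-to-project-admin-cluster label.` Most rules here name their group explicitly (`""`, `metrics.k8s.io`, `quota.kubecube.io`, `user.kubecube.io`, `storage.k8s.io`), but the last two use `apiGroups: ["*"]` with the intended group left in a comment (`#apiextensions.k8s.io`, `#storage.kubecube.io`); for consistency and least privilege write `- apiGroups:` / `- apiextensions.k8s.io` and `- apiGroups:` / `- storage.kubecube.io`. These two rules are read-only, so the excess is limited to listing and watching same-named resources in other groups, but the file should not mix the two conventions.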
@@ -13,224 +13,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-reviewer: "true" -rules: - - apiGroups: - - "*" - resources: - - pods - - pods/attach - - pods/execescalate - - pods/exec - - pods/portforward - - pods/proxy - - pods/log - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - persistentvolumeclaims - - persistentvolumeclaims/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - configmaps - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - services - - services/proxy - - services/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - serviceaccounts - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - daemonsets - - daemonsets/status - - deployments - - deployments/rollback - - deployments/scale - - deployments/status - - statefulsets - - statefulsets/scale - - statefulsets/status - - replicasets - - replicasets/scale - - replicasets/status - - controllerrevisions - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - ingresses - - ingresses/status - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - poddisruptionbudgets - - poddisruptionbudgets/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - bindings - - events - - limitranges - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - 
resources: - - rolebindings - - roles - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - bindings - - events - - limitranges - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - apiGroups: - - "*" #hnc.x-k8s.io - resources: - - hierarchyconfigurations - - hncconfigurations - - subnamespaceanchors - verbs: - - get - - list - - watch - - apiGroups: - - "*" #monitoring.kubecube.io - resources: - - dashboards - verbs: - - get - - list - - watch - - apiGroups: - - "*" #netease.com - resources: - - nodelogconfigs - - logconfigs - verbs: - - get - - list - - watch - - apiGroups: - - "*" #monitoring.coreos.com - resources: - - alertmanagerconfigs - - podmonitors - - prometheusrules - - servicemonitors - verbs: - - get - - list - - watch - - apiGroups: - - "*" #storage.kubecube.io - resources: - - cephs - - nfs - verbs: - - get - - list - - watch \ No newline at end of file +rules: [] \ No newline at end of file diff --git a/kubecube/v0.0.1/templates/rbac/buildin/reviewerAg.yaml b/kubecube/v0.0.1/templates/rbac/buildin/reviewerAg.yaml new file mode 100644 index 0000000..00ed3f2 --- /dev/null +++ b/kubecube/v0.0.1/templates/rbac/buildin/reviewerAg.yaml 
@@ -0,0 +1,231 @@
+# ordinary only has read authority under of
+# bottom layer namespace used of RoleBinding.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-to-reviewer
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-reviewer: "true"
+ annotations:
+ kubecube.io/sync: "true"
+rules:
+ - apiGroups:
+ - "*"
+ resources:
+ - pods
+ - pods/attach
+ - pods/execescalate
+ - pods/exec
+ - pods/portforward
+ - pods/proxy
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - replicationcontrollers
+ - replicationcontrollers/scale
+ - replicationcontrollers/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - persistentvolumeclaims
+ - persistentvolumeclaims/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - configmaps
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - services
+ - services/proxy
+ - services/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - daemonsets
+ - daemonsets/status
+ - deployments
+ - deployments/rollback
+ - deployments/scale
+ - deployments/status
+ - statefulsets
+ - statefulsets/scale
+ - statefulsets/status
+ - replicasets
+ - replicasets/scale
+ - replicasets/status
+ - controllerrevisions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - horizontalpodautoscalers
+ - horizontalpodautoscalers/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - cronjobs
+ - cronjobs/status
+ - jobs
+ - jobs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - ingresses
+ - ingresses/status
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - poddisruptionbudgets
+ - poddisruptionbudgets/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - cronjobs
+ - cronjobs/status
+ - jobs
+ - jobs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - horizontalpodautoscalers
+ - horizontalpodautoscalers/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #hnc.x-k8s.io
+ resources:
+ - hierarchyconfigurations
+ - hncconfigurations
+ - subnamespaceanchors
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #monitoring.kubecube.io
+ resources:
+ - dashboards
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #netease.com
+ resources:
+ - nodelogconfigs
+ - logconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #monitoring.coreos.com
+ resources:
+ - alertmanagerconfigs
+ - podmonitors
+ - prometheusrules
+ - servicemonitors
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #storage.kubecube.io
+ resources:
+ - cephs
+ - nfs
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/kubecube/v0.0.1/templates/rbac/buildin/reviewerCluster.yaml b/kubecube/v0.0.1/templates/rbac/buildin/reviewerCluster.yaml
index bd86c1f..4091a97 100644
--- a/kubecube/v0.0.1/templates/rbac/buildin/reviewerCluster.yaml
+++ b/kubecube/v0.0.1/templates/rbac/buildin/reviewerCluster.yaml
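Review bot: The first and fifth rules give a role whose header calls it read-only the `get` verb on `pods/exec`, `pods/attach`, `pods/portforward`, `pods/proxy` and `services/proxy`; as far as I can tell the WebSocket form of these subresources is served on GET and is therefore authorized by `get`, so a reviewer would be able to run commands in, or tunnel into, tenant containers and reach services through the API-server proxy. The fourth rule also lists `secrets` with get/list/watch, which exposes credential values rather than metadata, and the role is aggregated under a `"*"` apiGroup throughout. A reviewer ClusterRole should drop those subresources and `secrets`, or carry a comment stating why they are intended, e.g. `# exec/attach/portforward/proxy are deliberately granted to reviewers — TODO justify`. `pods/execescalate` is not a Kubernetes subresource and can be removed. The cronjobs/jobs, bindings/events/limitranges/resourcequotas and horizontalpodautoscalers rules are each listed twice here, and tenantAdminAg repeats the same three.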
@@ -10,70 +10,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-reviewer-cluster: "true" -rules: - - apiGroups: - - "" - resources: - - namespaces - - namespaces/status - verbs: - - get - - list - - watch - - apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch - # reviewer has read authority of user - - apiGroups: - - user.kubecube.io - resources: - - users - verbs: - - get - - list - - watch - - apiGroups: - - user.kubecube.io - resources: - - users/status - verbs: - - get - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - apiGroups: - - "*" #apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - "*" #storage.kubecube.io - resources: - - cephs - - nfs - verbs: - - get - - list - - watch \ No newline at end of file +rules: [] \ No newline at end of file diff --git a/kubecube/v0.0.1/templates/rbac/buildin/reviewerClusterAg.yaml b/kubecube/v0.0.1/templates/rbac/buildin/reviewerClusterAg.yaml new file mode 100644 index 0000000..c46ec4c --- /dev/null +++ b/kubecube/v0.0.1/templates/rbac/buildin/reviewerClusterAg.yaml 
@@ -0,0 +1,77 @@
+# ordinary only has read authority under of
+# bottom layer namespace used of RoleBinding.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-to-reviewer-cluster
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-reviewer-cluster: "true"
+ annotations:
+ kubecube.io/sync: "true"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - namespaces/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ # reviewer has read authority of user
+ - apiGroups:
+ - user.kubecube.io
+ resources:
+ - users
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - user.kubecube.io
+ resources:
+ - users/status
+ verbs:
+ - get
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #storage.kubecube.io
+ resources:
+ - cephs
+ - nfs
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/kubecube/v0.0.1/templates/rbac/buildin/tenantAdmin.yaml b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdmin.yaml
index 02e8932..288ada4 100644
--- a/kubecube/v0.0.1/templates/rbac/buildin/tenantAdmin.yaml
+++ b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdmin.yaml
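Review bot: The header comment (`ordinary only has read authority under of bottom layer namespace used of RoleBinding`) is copied from the namespace-scoped reviewer role, but this file is the cluster-scope half of the reviewer aggregation and grants namespaces, node metrics, persistentvolumes, storageclasses and users; a reader checking what a reviewer can see cluster-wide gets the wrong description. Suggest `# cluster-scope read-only rules aggregated into the reviewer-cluster ClusterRole.` The same copied header is in the new tenantAdminClusterAg file.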
@@ -13,317 +13,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-tenant-admin: "true" -rules: - - apiGroups: - - "*" - resources: - - pods - - pods/attach - - pods/status - - pods/execescalate - - pods/exec - - pods/portforward - - pods/proxy - - pods/log - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - persistentvolumeclaims - - persistentvolumeclaims/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - configmaps - - endpoints - - secrets - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - services - - services/proxy - - services/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - serviceaccounts - verbs: - - impersonate - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - daemonsets - - daemonsets/status - - deployments - - deployments/rollback - - deployments/scale - - deployments/status - - statefulsets - - statefulsets/scale - - statefulsets/status - - replicasets - - replicasets/scale - - replicasets/status - - controllerrevisions - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" 
- resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - ingresses - - ingresses/status - - networkpolicies - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - poddisruptionbudgets - - poddisruptionbudgets/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - bindings - - events - - limitranges - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - rolebindings - - roles - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "*" - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - bindings - - events - - limitranges - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #hnc.x-k8s.io - resources: - - hierarchyconfigurations - - hncconfigurations - - subnamespaceanchors - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #monitoring.kubecube.io - resources: - - dashboards - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #netease.com - 
resources: - - nodelogconfigs - - logconfigs - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "*" #monitoring.coreos.com - resources: - - alertmanagerconfigs - - podmonitors - - prometheusrules - - servicemonitors - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update \ No newline at end of file +rules: [] \ No newline at end of file diff --git a/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminAg.yaml b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminAg.yaml new file mode 100644 index 0000000..e0c13b7 --- /dev/null +++ b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminAg.yaml 
@@ -0,0 +1,324 @@
+# tenant admin has limited privileges under of
+# tenant namespace used of RoleBinding.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-to-tenant-admin
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-tenant-admin: "true"
+ annotations:
+ kubecube.io/sync: "true"
+rules:
+ - apiGroups:
+ - "*"
+ resources:
+ - pods
+ - pods/attach
+ - pods/status
+ - pods/execescalate
+ - pods/exec
+ - pods/portforward
+ - pods/proxy
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - replicationcontrollers
+ - replicationcontrollers/scale
+ - replicationcontrollers/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - persistentvolumeclaims
+ - persistentvolumeclaims/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - configmaps
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - services
+ - services/proxy
+ - services/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - serviceaccounts
+ verbs:
+ - impersonate
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - daemonsets
+ - daemonsets/status
+ - deployments
+ - deployments/rollback
+ - deployments/scale
+ - deployments/status
+ - statefulsets
+ - statefulsets/scale
+ - statefulsets/status
+ - replicasets
+ - replicasets/scale
+ - replicasets/status
+ - controllerrevisions
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - horizontalpodautoscalers
+ - horizontalpodautoscalers/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - cronjobs
+ - cronjobs/status
+ - jobs
+ - jobs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - ingresses
+ - ingresses/status
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - poddisruptionbudgets
+ - poddisruptionbudgets/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - cronjobs
+ - cronjobs/status
+ - jobs
+ - jobs/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*"
+ resources:
+ - horizontalpodautoscalers
+ - horizontalpodautoscalers/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*" #hnc.x-k8s.io
+ resources:
+ - hierarchyconfigurations
+ - hncconfigurations
+ - subnamespaceanchors
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*" #monitoring.kubecube.io
+ resources:
+ - dashboards
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*" #netease.com
+ resources:
+ - nodelogconfigs
+ - logconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - apiGroups:
+ - "*" #monitoring.coreos.com
+ resources:
+ - alertmanagerconfigs
+ - podmonitors
+ - prometheusrules
+ - servicemonitors
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
\ No newline at end of file
diff --git a/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminCluster.yaml b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminCluster.yaml
index 6aa8eb2..f26968d 100644
--- a/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminCluster.yaml
+++ b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminCluster.yaml
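Review bot: The sixth rule grants `impersonate` on `serviceaccounts` under `apiGroups: ["*"]`; impersonating a service account lets the holder act with every permission bound to that account, which presumably includes cluster-scope bindings, so the effective privilege of a tenant admin is no longer bounded by the namespace the RoleBinding targets. If impersonation is required by the platform, the rule should say so, e.g. `# impersonate: needed for <component> to act as tenant service accounts — TODO confirm` (with the actual consumer named), and the group should be `""` rather than `"*"` since serviceaccounts are a core resource. Full create/delete on `secrets`, `roles` and `rolebindings` is consistent with an admin role and is left to RBAC escalation checks, but the cronjobs/jobs, bindings/events/limitranges/resourcequotas and horizontalpodautoscalers rules are each listed twice and should be collapsed so a future edit does not change one copy and not the other.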
@@ -10,126 +10,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.authorization.k8s.io/aggregate-to-tenant-admin-cluster: "true" -rules: - # only has read authority of namespace cause - # subNamespace will replace it - - apiGroups: - - "" - resources: - - namespaces - - namespaces/status - verbs: - - get - - list - - watch - - apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch - # tenant access to operate project - - apiGroups: - - tenant.kubecube.io - resources: - - projects - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - tenant.kubecube.io - resources: - - projects/finalizers - verbs: - - update - - apiGroups: - - tenant.kubecube.io - resources: - - projects/status - verbs: - - get - - patch - - update - # access to operate cuberesourcequota - - apiGroups: - - quota.kubecube.io - resources: - - cuberesourcequota - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - quota.kubecube.io - resources: - - cuberesourcequota/finalizers - verbs: - - update - - apiGroups: - - quota.kubecube.io - resources: - - cuberesourcequota/status - verbs: - - get - - patch - - update - # tenant has read authority of user - - apiGroups: - - user.kubecube.io - resources: - - users - verbs: - - get - - list - - watch - - apiGroups: - - user.kubecube.io - resources: - - users/status - verbs: - - get - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - apiGroups: - - "*" #apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - "*" #storage.kubecube.io - resources: - - cephs - - nfs - verbs: - - get - - list - - watch \ No newline at end of file +rules: [] \ No newline at end of file 
diff --git a/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminClusterAg.yaml b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminClusterAg.yaml
new file mode 100644
index 0000000..14fbb37
--- /dev/null
+++ b/kubecube/v0.0.1/templates/rbac/buildin/tenantAdminClusterAg.yaml
@@ -0,0 +1,133 @@
+# tenant admin has limited privileges under of
+# tenant namespace used of RoleBinding.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aggregate-to-tenant-admin-cluster
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-tenant-admin-cluster: "true"
+ annotations:
+ kubecube.io/sync: "true"
+rules:
+ # only has read authority of namespace cause
+ # subNamespace will replace it
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - namespaces/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ # tenant access to operate project
+ - apiGroups:
+ - tenant.kubecube.io
+ resources:
+ - projects
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - tenant.kubecube.io
+ resources:
+ - projects/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - tenant.kubecube.io
+ resources:
+ - projects/status
+ verbs:
+ - get
+ - patch
+ - update
+ # access to operate cuberesourcequota
+ - apiGroups:
+ - quota.kubecube.io
+ resources:
+ - cuberesourcequota
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - quota.kubecube.io
+ resources:
+ - cuberesourcequota/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - quota.kubecube.io
+ resources:
+ - cuberesourcequota/status
+ verbs:
+ - get
+ - patch
+ - update
+ # tenant has read authority of user
+ - apiGroups:
+ - user.kubecube.io
+ resources:
+ - users
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - user.kubecube.io
+ resources:
+ - users/status
+ verbs:
+ - get
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "*" #storage.kubecube.io
+ resources:
+ - cephs
+ - nfs
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
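Review bot: The `tenant.kubecube.io` and `quota.kubecube.io` rules grant create/delete/patch/update on `projects` and `cuberesourcequota` with no `resourceNames` restriction; if those are cluster-scoped resources, as the `-cluster` naming and the ClusterRole kind suggest, every tenant admin can presumably operate on every tenant's projects and quotas unless an admission webhook outside this diff enforces ownership. A comment on the `# tenant access to operate project` line naming whatever enforces that scoping would let a reader verify the boundary, e.g. `# cross-tenant access to projects is prevented by <component> — TODO confirm`. The header comment is also copied from the namespace-scoped role and should describe the cluster-scope rules this file actually holds.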