Add the option to allow users to see cluster network configuration an…

…d create NaD (#8883)
redhat-cop · Dec 13, 2024 · f2d9dee · f2d9dee
1 parent a723098
commit f2d9dee
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 0 deletions.
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_virt_roadshow_multi_user/defaults/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_virt_roadshow_multi_user/defaults/main.yml
@@ -6,3 +6,8 @@ silent: false
 # In the future once bug https://issues.redhat.com/browse/CNV-38284 is in the product
 # the namespace will need to change to openshift-cnv
 ocp4_workload_virt_roadshow_multi_user_configmap_namespace: default
+
+
+# Configure ClusterRole and RoleBinding to allow users to list network information
+# from the cluster and allow create Network Attach Definition
+ocp4_workload_virt_roadshow_multi_user_network_roles_configure: false
diff --git a/...ad_virt_roadshow_multi_user/files/clusterrole-list-nodenetworkconfigurationresources.yaml b/...ad_virt_roadshow_multi_user/files/clusterrole-list-nodenetworkconfigurationresources.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: list-nodenetworkconfigurationresources
+rules:
+  - apiGroups:
+      - nmstate.io
+    resources:
+      - nodenetworkconfigurationenactments
+      - nodenetworkconfigurationpolicies
+    verbs:
+      - list
diff --git a/...oads/ocp4_workload_virt_roadshow_multi_user/files/clusterrole-list-nodenetworkstates.yaml b/...oads/ocp4_workload_virt_roadshow_multi_user/files/clusterrole-list-nodenetworkstates.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: list-nodenetworkstates
+rules:
+  - apiGroups:
+      - nmstate.io
+    resources:
+      - nodenetworkstates
+    verbs:
+      - list
diff --git a/...ds/ocp4_workload_virt_roadshow_multi_user/files/clusterrole-network-attachment-admin.yaml b/...ds/ocp4_workload_virt_roadshow_multi_user/files/clusterrole-network-attachment-admin.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: network-attachment-admin
+rules:
+  - apiGroups:
+      - "k8s.cni.cncf.io"
+    resources:
+      - network-attachment-definitions
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - delete
+      - update
diff --git a/...4_workload_virt_roadshow_multi_user/files/clusterrolebiding-network-attachment-admin.yaml b/...4_workload_virt_roadshow_multi_user/files/clusterrolebiding-network-attachment-admin.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: network-attachment-admin-binding
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: 'system:authenticated'
+roleRef:
+  kind: ClusterRole
+  name: network-attachment-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/..._roadshow_multi_user/files/clusterrolebinding-list-nodenetworkconfigurationresources.yaml b/..._roadshow_multi_user/files/clusterrolebinding-list-nodenetworkconfigurationresources.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: list-nodenetworkconfigurationresources-binding
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: 'system:authenticated'
+roleRef:
+  kind: ClusterRole
+  name: list-nodenetworkconfigurationresources
+  apiGroup: rbac.authorization.k8s.io
diff --git a/...p4_workload_virt_roadshow_multi_user/files/clusterrolebinding-list-nodenetworkstates.yaml b/...p4_workload_virt_roadshow_multi_user/files/clusterrolebinding-list-nodenetworkstates.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: list-nodenetworkstates-binding
+  namespace: default
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: 'system:authenticated'
+roleRef:
+  kind: ClusterRole
+  name: list-nodenetworkstates
+  apiGroup: rbac.authorization.k8s.io
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_virt_roadshow_multi_user/tasks/workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_virt_roadshow_multi_user/tasks/workload.yml
@@ -34,6 +34,21 @@
   loop_control:
     loop_var: resource
 
+- name: Set up users permissions to see node network configuration and allow create NaD
+  when: ocp4_workload_virt_roadshow_multi_user_network_roles_configure | default(false)
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('file', resource | from_yaml) }}"
+  loop:
+  - clusterrole-list-nodenetworkstates.yaml
+  - clusterrolebinding-list-nodenetworkstates.yaml
+  - clusterrole-list-nodenetworkconfigurationresources.yaml
+  - clusterrolebinding-list-nodenetworkconfigurationresources.yaml
+  - clusterrole-network-attachment-admin.yaml
+  - clusterrolebiding-network-attachment-admin.yaml
+  loop_control:
+    loop_var: resource
+
 # Leave this as the last task in the playbook.
 - name: Workload tasks complete
   when: not silent|bool