From f9900bebd22cb63fc3d86f55f252b0c5faf461bc Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Mon, 20 Apr 2020 19:20:47 -0400
Subject: [PATCH] Added basic RBAC
Depends-On: https://review.opendev.org/721365
Depends-On: https://review.opendev.org/721369
Change-Id: Id7a01e39d9cd2bbecdb77bd5285b98e92eecf7c2
---
.zuul.yaml | 29 +++++++++++
charts/rbac/Chart.yaml | 21 ++++++++
.../rbac/templates/clusterrole-members.yaml | 36 +++++++++++++
.../templates/clusterrolebinding-admins.yaml | 29 +++++++++++
.../templates/clusterrolebinding-members.yaml | 29 +++++++++++
charts/rbac/test-values.yaml | 18 +++++++
charts/rbac/values.yaml | 17 +++++++
playbooks/functional.yaml | 50 +++++++++++++++++++
playbooks/tasks/setup-test-context.yaml | 37 ++++++++++++++
9 files changed, 266 insertions(+)
create mode 100644 .zuul.yaml
create mode 100644 charts/rbac/Chart.yaml
create mode 100644 charts/rbac/templates/clusterrole-members.yaml
create mode 100644 charts/rbac/templates/clusterrolebinding-admins.yaml
create mode 100644 charts/rbac/templates/clusterrolebinding-members.yaml
create mode 100644 charts/rbac/test-values.yaml
create mode 100644 charts/rbac/values.yaml
create mode 100644 playbooks/functional.yaml
create mode 100644 playbooks/tasks/setup-test-context.yaml
diff --git a/.zuul.yaml b/.zuul.yaml
new file mode 100644
index 0000000..f4a15ca
--- /dev/null
+++ b/.zuul.yaml
@@ -0,0 +1,29 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- job:
+ name: rbac-helm-functional
+ parent: apply-helm-charts
+ run: playbooks/functional.yaml
+
+- project:
+ check:
+ jobs:
+ - chart-testing-lint
+ - rbac-helm-functional
+ gate:
+ jobs:
+ - chart-testing-lint
+ - rbac-helm-functional
diff --git a/charts/rbac/Chart.yaml b/charts/rbac/Chart.yaml
new file mode 100644
index 0000000..e1a908a
--- /dev/null
+++ b/charts/rbac/Chart.yaml
@@ -0,0 +1,21 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+name: rbac
+description: RBAC for Kubernetes cluster
+version: 0.0.0
+appVersion: 0.0.0
+home: https://opendev.org/vexxhost/rbac-helm
diff --git a/charts/rbac/templates/clusterrole-members.yaml b/charts/rbac/templates/clusterrole-members.yaml
new file mode 100644
index 0000000..072e187
--- /dev/null
+++ b/charts/rbac/templates/clusterrole-members.yaml
@@ -0,0 +1,36 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rbac-members
+rules:
+# List and get nodes
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list"]
+# List all get applications
+- apiGroups: ["apps"]
+ resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
+ verbs: ["get", "list"]
+# List and get pods
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+# View logs for pods
+- apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get", "list"]
diff --git a/charts/rbac/templates/clusterrolebinding-admins.yaml b/charts/rbac/templates/clusterrolebinding-admins.yaml
new file mode 100644
index 0000000..bf00bbf
--- /dev/null
+++ b/charts/rbac/templates/clusterrolebinding-admins.yaml
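Review bot: The last rule grants `verbs: ["get", "list"]` on `pods/log`, but the log subresource only serves `get`, so `list` is inert there and `verbs: ["get"]` states the actual grant. The comment over the apps rule reads `# List all get applications`, which looks like a typo for `# List and get applications`. Because this is a ClusterRole and the chart binds it with a ClusterRoleBinding, members can read pods and their logs in every namespace, kube-system included; if that breadth is intended, a comment at the top of `rules:` saying so would help, since pod logs routinely carry sensitive data, and if it is not, a namespaced Role is the narrower fit.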
@@ -0,0 +1,29 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rbac-admins
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+{{- range .Values.admins }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ . }}
+{{- end }}
diff --git a/charts/rbac/templates/clusterrolebinding-members.yaml b/charts/rbac/templates/clusterrolebinding-members.yaml
new file mode 100644
index 0000000..ec13b28
--- /dev/null
+++ b/charts/rbac/templates/clusterrolebinding-members.yaml
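Review bot: `name: {{ . }}` emits each user name as a plain YAML scalar, so an entry that looks like a number or boolean would be retyped and one containing `: ` or a leading indicator would break the render; `name: {{ . | quote }}` keeps it a string regardless of content. The same line appears in the members binding that follows. Since everything in `.Values.admins` is bound straight to the built-in `cluster-admin` role, a one-line comment above `subjects:` stating that, such as `# every name in .Values.admins receives unrestricted cluster access`, would make the blast radius obvious to whoever edits the values file.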
@@ -0,0 +1,29 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rbac-members
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rbac-members
+subjects:
+{{- range .Values.members }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ . }}
+{{- end }}
diff --git a/charts/rbac/test-values.yaml b/charts/rbac/test-values.yaml
new file mode 100644
index 0000000..59ddb77
--- /dev/null
+++ b/charts/rbac/test-values.yaml
@@ -0,0 +1,18 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+admins: []
+members:
+- system:serviceaccount:default:test-member
diff --git a/charts/rbac/values.yaml b/charts/rbac/values.yaml
new file mode 100644
index 0000000..c21b1ee
--- /dev/null
+++ b/charts/rbac/values.yaml
@@ -0,0 +1,17 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+admins: []
+members: []
diff --git a/playbooks/functional.yaml b/playbooks/functional.yaml
new file mode 100644
index 0000000..0511fb3
--- /dev/null
+++ b/playbooks/functional.yaml
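Review bot: `admins` and `members` are the chart's entire interface, yet values.yaml says nothing about what the entries are or what each list grants. A comment above `admins: []` such as `# Kubernetes user names as the API server sees them (for a ServiceAccount: system:serviceaccount:<namespace>:<name>); each is bound to the built-in cluster-admin ClusterRole` and one above `members: []` such as `# User names bound to the read-only rbac-members ClusterRole from templates/` would document both the expected format and the privilege level without anyone having to read the templates. The service-account form is the one the test values already use.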
@@ -0,0 +1,50 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+ roles:
+ - name: helm-template
+ helm_release_name: rbac
+ helm_chart: charts/rbac
+ helm_wait_for_pods: false
+ helm_values_file: charts/rbac/test-values.yaml
+ tasks:
+ - import_tasks: tasks/setup-test-context.yaml
+
+ # List and get nodes
+ - name: Ensure listing nodes works
+ shell: kubectl --context=test get nodes
+ - name: Ensure getting a node works
+ shell: kubectl --context=test get $(kubectl get nodes -oname | head -1)
+
+ # List and get applications
+ - name: Ensure listing applications works
+ shell: kubectl --context=test get {{ item }}
+ loop:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ # TODO: Get applications
+
+ # List and get pods
+ - name: Ensure listing pods works
+ shell: kubectl --context=test -n kube-system get pods
+ - name: Ensure getting a pod works
+ shell: kubectl --context=test -n kube-system get $(kubectl -n kube-system get pods -oname | head -1)
+
+ # View logs for pods
+ - name: Ensure getting logs for a pod works
+ shell: kubectl --context=test -n kube-system logs $(kubectl -n kube-system get pods -oname | head -1)
diff --git a/playbooks/tasks/setup-test-context.yaml b/playbooks/tasks/setup-test-context.yaml
new file mode 100644
index 0000000..7da204a
--- /dev/null
+++ b/playbooks/tasks/setup-test-context.yaml
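Review bot: Every task checks that an allowed action succeeds and none checks that the member role stops there, so a later rule that over-grants (say `secrets`, or a write verb on pods) would pass this playbook unchanged. A denial check closes that gap, since `kubectl auth can-i` exits non-zero when the answer is no: `- name: Ensure reading secrets is denied` / `shell: "! kubectl --context=test auth can-i get secrets -n kube-system"`, and a matching one for a write verb such as `create pods`. The `$(kubectl ... | head -1)` substitutions run without `--context=test`, so they pick the sample object with the default (admin) context; that is fine for selection but deserves a comment so nobody reads them as part of the permission check. The `# TODO: Get applications` leaves the `get` half of the apps rule untested.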
@@ -0,0 +1,37 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create ServiceAccount
+ shell: |
+ cat <