From 82d585b0ac3e8d365e0ca613111e2ca216acf449 Mon Sep 17 00:00:00 2001 From: Paul Langton Date: Wed, 6 Jun 2018 17:21:35 -0700 Subject: [PATCH] pulled rules out of templates, added rbac to starter.yaml removed permissive policy added service account to deployments, removed tide rbac from starter.yaml commented out serviceaccounts for use with RBAC added get to hook rbac fixed tide deployment --- prow/cluster/deck_deployment.yaml | 1 + prow/cluster/deck_rbac.yaml | 66 +++++++++++ prow/cluster/hook_deployment.yaml | 1 + prow/cluster/hook_rbac.yaml | 35 ++++++ prow/cluster/horologium_deployment.yaml | 1 + prow/cluster/horologium_rbac.yaml | 29 +++++ prow/cluster/plank_deployment.yaml | 1 + prow/cluster/plank_rbac.yaml | 38 +++++++ prow/cluster/sinker_deployment.yaml | 1 + prow/cluster/sinker_rbac.yaml | 36 ++++++ prow/cluster/starter.yaml | 144 ++++++++++++++++++++++++ prow/cluster/tide_deployment.yaml | 1 + prow/cluster/tide_rbac.yaml | 29 +++++ prow/getting_started.md | 15 --- 14 files changed, 383 insertions(+), 15 deletions(-) create mode 100644 prow/cluster/deck_rbac.yaml create mode 100644 prow/cluster/hook_rbac.yaml create mode 100644 prow/cluster/horologium_rbac.yaml create mode 100644 prow/cluster/plank_rbac.yaml create mode 100644 prow/cluster/sinker_rbac.yaml create mode 100644 prow/cluster/tide_rbac.yaml diff --git a/prow/cluster/deck_deployment.yaml b/prow/cluster/deck_deployment.yaml index ef48a10595b4..67ab5bc1f6b1 100644 --- a/prow/cluster/deck_deployment.yaml +++ b/prow/cluster/deck_deployment.yaml @@ -30,6 +30,7 @@ spec: labels: app: deck spec: + # serviceAccountName: "deck" # Uncomment for use with RBAC terminationGracePeriodSeconds: 30 containers: - name: deck diff --git a/prow/cluster/deck_rbac.yaml b/prow/cluster/deck_rbac.yaml new file mode 100644 index 000000000000..137c0a612510 --- /dev/null +++ b/prow/cluster/deck_rbac.yaml @@ -0,0 +1,66 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "deck" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "deck" +rules: + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - get + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "deck" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "deck" +subjects: +- kind: ServiceAccount + name: "deck" +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "deck-oauth" +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "deck-oauth" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "deck-oauth" +subjects: +- kind: ServiceAccount + name: "deck" + namespace: ci diff --git a/prow/cluster/hook_deployment.yaml b/prow/cluster/hook_deployment.yaml index e3adec2229c7..776134fe3e1b 100644 --- a/prow/cluster/hook_deployment.yaml +++ b/prow/cluster/hook_deployment.yaml @@ -30,6 +30,7 @@ spec: labels: app: hook spec: + # serviceAccountName: "hook" # Uncomment for use with RBAC terminationGracePeriodSeconds: 180 containers: - name: hook diff --git a/prow/cluster/hook_rbac.yaml b/prow/cluster/hook_rbac.yaml new file mode 100644 index 000000000000..513345948652 --- /dev/null +++ b/prow/cluster/hook_rbac.yaml @@ -0,0 +1,35 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "hook" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "hook" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - get + - apiGroups: + - "" + resources: + - configmaps + verbs: + - update +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "hook" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "hook" +subjects: +- kind: ServiceAccount + name: "hook" diff --git a/prow/cluster/horologium_deployment.yaml b/prow/cluster/horologium_deployment.yaml index 7bd5aab13290..76221468b43e 100644 --- a/prow/cluster/horologium_deployment.yaml +++ b/prow/cluster/horologium_deployment.yaml @@ -25,6 +25,7 @@ spec: labels: app: horologium spec: + # serviceAccountName: "horologium" # Uncomment for use with RBAC terminationGracePeriodSeconds: 30 containers: - name: horologium diff --git a/prow/cluster/horologium_rbac.yaml b/prow/cluster/horologium_rbac.yaml new file mode 100644 index 000000000000..08bd4bcc0262 --- /dev/null +++ b/prow/cluster/horologium_rbac.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "horologium" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "horologium" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "horologium" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "horologium" +subjects: +- kind: ServiceAccount + name: "horologium" diff --git a/prow/cluster/plank_deployment.yaml b/prow/cluster/plank_deployment.yaml index 30d81632e8fa..62ea9fed09e6 100644 --- a/prow/cluster/plank_deployment.yaml +++ b/prow/cluster/plank_deployment.yaml @@ -25,6 +25,7 @@ spec: labels: app: plank spec: + # serviceAccountName: "plank" # Uncomment for use with RBAC containers: - name: plank image: gcr.io/k8s-prow/plank:v20180529-e9431eaa3 diff --git a/prow/cluster/plank_rbac.yaml b/prow/cluster/plank_rbac.yaml new file mode 100644 index 000000000000..7e3a5c5f7597 --- /dev/null +++ b/prow/cluster/plank_rbac.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "plank" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "plank" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - list + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list + - update +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "plank" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "plank" +subjects: +- kind: ServiceAccount + name: "plank" diff --git a/prow/cluster/sinker_deployment.yaml b/prow/cluster/sinker_deployment.yaml index 5ab051515912..1648fdd68695 100644 --- a/prow/cluster/sinker_deployment.yaml +++ b/prow/cluster/sinker_deployment.yaml @@ -11,6 +11,7 @@ spec: labels: app: sinker spec: + # serviceAccountName: "sinker" # Uncomment for use with RBAC containers: - name: sinker args: diff --git a/prow/cluster/sinker_rbac.yaml b/prow/cluster/sinker_rbac.yaml new file mode 100644 index 000000000000..387eba870d60 --- /dev/null +++ b/prow/cluster/sinker_rbac.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "sinker" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "sinker" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - list + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - delete + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "sinker" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "sinker" +subjects: +- kind: ServiceAccount + name: "sinker" diff --git a/prow/cluster/starter.yaml b/prow/cluster/starter.yaml index 39674cb724ec..44ce14421253 100644 --- a/prow/cluster/starter.yaml +++ b/prow/cluster/starter.yaml @@ -94,6 +94,7 @@ spec: app: hook spec: terminationGracePeriodSeconds: 180 + serviceAccountName: "hook" containers: - name: hook image: gcr.io/k8s-prow/hook:v20180529-e9431eaa3 @@ -154,6 +155,7 @@ spec: labels: app: plank spec: + serviceAccountName: "plank" containers: - name: plank image: gcr.io/k8s-prow/plank:v20180529-e9431eaa3 @@ -187,6 +189,7 @@ spec: labels: app: sinker spec: + serviceAccountName: "sinker" containers: - name: sinker image: gcr.io/k8s-prow/sinker:v20180529-e9431eaa3 @@ -217,6 +220,7 @@ spec: labels: app: deck spec: + serviceAccountName: "deck" terminationGracePeriodSeconds: 30 containers: - name: deck @@ -260,6 +264,7 @@ spec: labels: app: horologium spec: + serviceAccountName: "horologium" terminationGracePeriodSeconds: 30 containers: - name: horologium @@ -289,3 +294,142 @@ spec: backend: serviceName: hook servicePort: 8888 +--- + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: "deck" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "deck" +rules: + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - get + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "deck" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "deck" +subjects: +- kind: ServiceAccount + name: "deck" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "horologium" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "horologium" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "horologium" +subjects: +- kind: ServiceAccount + name: "horologium" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "plank" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "plank" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - list + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list + - update +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "plank" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "plank" +subjects: +- kind: ServiceAccount + name: "plank" +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: "sinker" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "sinker" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - list + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - delete + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "sinker" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "sinker" +subjects: +- kind: ServiceAccount + name: "sinker" + diff --git a/prow/cluster/tide_deployment.yaml b/prow/cluster/tide_deployment.yaml index fee990b67bf1..9e1ae9c50ec4 100644 --- a/prow/cluster/tide_deployment.yaml +++ b/prow/cluster/tide_deployment.yaml @@ -25,6 +25,7 @@ spec: labels: app: tide spec: + # serviceAccountName: "tide" # Uncomment for use with RBAC containers: - name: tide image: gcr.io/k8s-prow/tide:v20180529-e9431eaa3 diff --git a/prow/cluster/tide_rbac.yaml b/prow/cluster/tide_rbac.yaml new file mode 100644 index 000000000000..c84a92a4558f --- /dev/null +++ b/prow/cluster/tide_rbac.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "tide" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "tide" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: "tide" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "tide" +subjects: +- kind: ServiceAccount + name: "tide" diff --git a/prow/getting_started.md b/prow/getting_started.md index 48660508acbe..774828b81505 100644 --- a/prow/getting_started.md +++ b/prow/getting_started.md @@ -199,21 +199,6 @@ update-config: get-cluster-credentials Presubmits and postsubmits are triggered by the `trigger` plugin. Be sure to enable that plugin by adding it to the list you created in the last section. -By default, services are not granted permission to run these jobs. Run the -following to grant permission to all services to create and run Prow Jobs (NOTE: This -command grants a permissive policy to _all_ services in the cluster. We do this -because the only services running in the prow starter are ones that we have -written and trust. This is not the recommended policy for most clusters. -See [RBAC documentation](https://kubernetes.io/docs/admin/authorization/rbac/) for more details): - -``` -kubectl create clusterrolebinding permissive-binding \ - --clusterrole=cluster-admin \ - --user=admin \ - --user=kubelet \ - --group=system:serviceaccounts -``` - Now when you open a PR it will automatically run the presubmit that you added to this file. You can see it on your prow dashboard. Once you are happy that it is stable, switch `skip_report` to `false`. Then, it will post a status on the