Added proper RBAC rules to Prow #8288

Merged (1 commit), Jun 25, 2018
1 change: 1 addition & 0 deletions prow/cluster/deck_deployment.yaml
@@ -30,6 +30,7 @@ spec:
labels:
app: deck
spec:
# serviceAccountName: "deck" # Uncomment for use with RBAC
terminationGracePeriodSeconds: 30
containers:
- name: deck
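Review bot: with `serviceAccountName: "deck"` left commented out, the pod keeps running as the namespace's `default` service account, so the `deck` Role and RoleBinding added in `deck_rbac.yaml` are never exercised until someone edits this manifest, and on a cluster that already enforces RBAC the `default` account typically has no bindings, so deck will fail with 403s rather than with a clear error. Setting the service account unconditionally costs nothing when RBAC is off (the pod simply gets a different token), so consider uncommenting it, or at least stating this failure mode in the README; the same applies to the hook, horologium, plank and sinker deployment changes in this PR.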
66 changes: 66 additions & 0 deletions prow/cluster/deck_rbac.yaml
@@ -0,0 +1,66 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: "deck"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "deck"
rules:
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- apiGroups:
- "prow.k8s.io"
resources:
- prowjobs
verbs:
- get
- list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "deck"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "deck"
subjects:
- kind: ServiceAccount
name: "deck"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "deck-oauth"
Contributor:

You don't need this here; we use it in openshift because we run a deck instance for our private repos behind an oauth proxy. Unfortunately, the oauth proxy works only on openshift today :/

rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "deck-oauth"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "deck-oauth"
subjects:
- kind: ServiceAccount
name: "deck"
namespace: ci
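Review bot: the ClusterRoleBinding at the end of this file pins its subject to `namespace: ci`, but the `deck` ServiceAccount, Role and RoleBinding above carry no `metadata.namespace`, so they land in whatever namespace `kubectl apply` is pointed at; if that is not `ci`, `deck-oauth` binds to a ServiceAccount that does not exist and grants nothing, and if a `deck` account is later created in `ci` it silently gains cluster-wide TokenReview and SubjectAccessReview creation. Either set `namespace` on every object in the file or drop the hardcoded value. Since the `deck-oauth` ClusterRole and ClusterRoleBinding are only needed for the OpenShift oauth-proxy setup described in the inline comment, they would be better split into a separate opt-in file so that the default install grants no cluster-scoped permissions at all. Minor: `rbac.authorization.k8s.io/v1` has been GA since Kubernetes 1.8 and should replace `v1beta1` here and in the other `*_rbac.yaml` files.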
1 change: 1 addition & 0 deletions prow/cluster/hook_deployment.yaml
@@ -30,6 +30,7 @@ spec:
labels:
app: hook
spec:
# serviceAccountName: "hook" # Uncomment for use with RBAC
terminationGracePeriodSeconds: 180
containers:
- name: hook
35 changes: 35 additions & 0 deletions prow/cluster/hook_rbac.yaml
@@ -0,0 +1,35 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: "hook"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "hook"
rules:
- apiGroups:
- "prow.k8s.io"
resources:
- prowjobs
verbs:
- create
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "hook"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "hook"
subjects:
- kind: ServiceAccount
name: "hook"
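Review bot: the second rule grants `update` on every ConfigMap in the namespace, which lets hook overwrite the configuration ConfigMaps the other Prow components read; if hook only needs to write a known set of ConfigMaps, scope the rule with `resourceNames:` to those objects (RBAC allows `resourceNames` on `update`, though not on `create`). Also check whether `get` is needed next to `update`: a client that reads the object to obtain its `resourceVersion` before PUTing it back will be refused on the read with the rule as written.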
1 change: 1 addition & 0 deletions prow/cluster/horologium_deployment.yaml
@@ -25,6 +25,7 @@ spec:
labels:
app: horologium
spec:
# serviceAccountName: "horologium" # Uncomment for use with RBAC
Contributor:

I think you should be able to use this service account regardless of running with RBAC or not, so it may be worth uncommenting it upfront and moving the service accounts alongside the deployment manifests.

terminationGracePeriodSeconds: 30
containers:
- name: horologium
29 changes: 29 additions & 0 deletions prow/cluster/horologium_rbac.yaml
@@ -0,0 +1,29 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: "horologium"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "horologium"
rules:
- apiGroups:
- "prow.k8s.io"
resources:
- prowjobs
verbs:
- create
- list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "horologium"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "horologium"
subjects:
- kind: ServiceAccount
name: "horologium"
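Review bot: the permission set is appropriately minimal (`create` and `list` on `prowjobs`), but because this is a namespaced Role and none of the objects set `metadata.namespace`, it only authorizes ProwJobs in the namespace the file happens to be applied to; if Prow is configured to keep ProwJobs in a different namespace from the component, the RoleBinding must be created in that namespace instead, with `subjects[].namespace` pointing back at horologium's own namespace. A comment at the top of the file stating this assumption would help, since the same assumption is baked into the other `*_rbac.yaml` files.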
1 change: 1 addition & 0 deletions prow/cluster/plank_deployment.yaml
@@ -25,6 +25,7 @@ spec:
labels:
app: plank
spec:
# serviceAccountName: "plank" # Uncomment for use with RBAC
containers:
- name: plank
image: gcr.io/k8s-prow/plank:v20180529-e9431eaa3
38 changes: 38 additions & 0 deletions prow/cluster/plank_rbac.yaml
@@ -0,0 +1,38 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: "plank"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "plank"
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- list
- apiGroups:
- "prow.k8s.io"
resources:
- prowjobs
verbs:
- create
- list
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "plank"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "plank"
subjects:
- kind: ServiceAccount
name: "plank"
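Review bot: `create` on `pods` is the broadest grant in this PR: a principal that can create pods in a namespace can mount any Secret or ConfigMap in that namespace into a container, so this Role is effectively read access to every credential the Prow components keep there. That is inherent to what plank does, but it argues for running job pods in a dedicated namespace that holds no Prow credentials and binding this Role there, rather than in the namespace where deck, hook and their Secrets live. The `metadata.namespace` and `v1beta1` remarks on the other RBAC files apply here as well.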
1 change: 1 addition & 0 deletions prow/cluster/sinker_deployment.yaml
@@ -11,6 +11,7 @@ spec:
labels:
app: sinker
spec:
# serviceAccountName: "sinker" # Uncomment for use with RBAC
containers:
- name: sinker
args:
36 changes: 36 additions & 0 deletions prow/cluster/sinker_rbac.yaml
@@ -0,0 +1,36 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: "sinker"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "sinker"
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- list
- apiGroups:
- "prow.k8s.io"
resources:
- prowjobs
verbs:
- delete
- list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: "sinker"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "sinker"
subjects:
- kind: ServiceAccount
name: "sinker"
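Review bot: `delete` on `pods` covers every pod in the namespace, not only the job pods sinker is meant to garbage-collect; if job pods share a namespace with the Prow components, a selector bug in sinker could delete deck, hook or plank themselves. RBAC cannot express "only pods carrying label X", so the defensive option is the same as for plank: keep job pods in a separate namespace and bind sinker's pod rule there, while its `prowjobs` rule is bound in the ProwJob namespace. `list` without `watch` is consistent with a polling loop; if sinker is ever moved to an informer, `watch` will have to be added.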