Refactor RBAC

This commit refactors the RBAC rules and serviceAccount ovn-kubernetes uses. Instead of using one ServiceAcoount with one ClusterRole break it down per component. This makes it easier to track which permissions are required by which piece and avoid the mess of granting high privilages to everyone. Signed-off-by: Patryk Diak <[email protected]>
kyrtapz · Aug 22, 2023 · c4119e5 · c4119e5
1 parent 511f635
commit c4119e5
Show file tree

Hide file tree

Showing 16 changed files with 477 additions and 140 deletions.
diff --git a/contrib/kind.sh b/contrib/kind.sh
@@ -958,6 +958,10 @@ install_ovn() {
   run_kubectl apply -f policy.networking.k8s.io_adminnetworkpolicies.yaml
   run_kubectl apply -f policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
   run_kubectl apply -f ovn-setup.yaml
+  run_kubectl apply -f rbac-ovnkube-cluster-manager.yaml
+  run_kubectl apply -f rbac-ovnkube-master.yaml
+  run_kubectl apply -f rbac-ovnkube-node.yaml
+  run_kubectl apply -f rbac-ovnkube-db.yaml
   MASTER_NODES=$(kind get nodes --name "${KIND_CLUSTER_NAME}" | sort | head -n "${KIND_NUM_MASTER}")
   # We want OVN HA not Kubernetes HA
   # leverage the kubeadm well-known label node-role.kubernetes.io/control-plane=

diff --git a/dist/images/daemonset.sh b/dist/images/daemonset.sh
@@ -817,6 +817,12 @@ net_cidr=${net_cidr} svc_cidr=${svc_cidr} \
   in_upgrade=${in_upgrade} \
   j2 ../templates/ovn-setup.yaml.j2 -o ${output_dir}/ovn-setup.yaml
 
+ovn_enable_interconnect=${ovn_enable_interconnect} \
+  j2 ../templates/rbac-ovnkube-node.yaml.j2 -o ${output_dir}/rbac-ovnkube-node.yaml
+
+cp ../templates/rbac-ovnkube-master.yaml.j2 ${output_dir}/rbac-ovnkube-master.yaml
+cp ../templates/rbac-ovnkube-db.yaml.j2 ${output_dir}/rbac-ovnkube-db.yaml
+cp ../templates/rbac-ovnkube-cluster-manager.yaml.j2 ${output_dir}/rbac-ovnkube-cluster-manager.yaml
 cp ../templates/ovnkube-monitor.yaml.j2 ${output_dir}/ovnkube-monitor.yaml
 cp ../templates/k8s.ovn.org_egressfirewalls.yaml.j2 ${output_dir}/k8s.ovn.org_egressfirewalls.yaml
 cp ../templates/k8s.ovn.org_egressips.yaml.j2 ${output_dir}/k8s.ovn.org_egressips.yaml

diff --git a/dist/templates/ovn-ipsec.yaml.j2 b/dist/templates/ovn-ipsec.yaml.j2
@@ -1,3 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ovn-kubernetes-csr-request
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ovn-kubernetes-csr-request
+roleRef:
+  name: ovn-kubernetes-csr-request
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: ovnkube-node
+    namespace: ovn-kubernetes
+
+---
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
@@ -32,7 +63,7 @@ spec:
             - matchExpressions:
               - key: network.operator.openshift.io/dpu-host
                 operator: DoesNotExist
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-node
       hostNetwork: true
       dnsPolicy: Default
       priorityClassName: "system-node-critical"

diff --git a/dist/templates/ovn-setup.yaml.j2 b/dist/templates/ovn-setup.yaml.j2
@@ -26,125 +26,9 @@ metadata:
 # This provisioning is done as part of installation after the cluster is
 # up and before the ovn daemonsets are created.
 
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ovn
-  namespace: ovn-kubernetes
 {%- endif %}
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: ovn-kubernetes
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - namespaces
-  - nodes
-  - endpoints
-  - services
-  verbs: ["get", "list", "watch"]
-- apiGroups:
-  - extensions
-  - networking.k8s.io
-  - apps
-  resources:
-  - networkpolicies
-  - statefulsets
-  verbs: ["get", "list", "watch"]
-- apiGroups:
-  - discovery.k8s.io
-  resources:
-  - endpointslices
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  - endpoints
-  - configmaps
-  verbs: ["create", "patch", "update"]
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - nodes
-  - pods
-  - services
-  verbs: ["patch", "update"]
-- apiGroups:
-  - k8s.ovn.org
-  resources:
-  - egressfirewalls
-  - egressips
-  - egressqoses
-  - egressservices
-  - egressservices/status
-  - adminpolicybasedexternalroutes
-  verbs: ["list", "get", "watch", "update", "patch"]
-- apiGroups:
-  - k8s.ovn.org
-  resources:
-  - adminpolicybasedexternalroutes/status  
-  verbs: [ "update"]
-- apiGroups:
-  - policy.networking.k8s.io
-  resources:
-  - adminnetworkpolicies
-  - baselineadminnetworkpolicies
-  verbs: ["list", "get", "watch"]
-- apiGroups:
-  - policy.networking.k8s.io
-  resources:
-  - adminnetworkpolicies/status
-  - baselineadminnetworkpolicies/status
-  verbs: ["update"]
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs: ["list", "get", "watch"]
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - k8s.cni.cncf.io
-  resources:
-  - network-attachment-definitions
-  - multi-networkpolicies
-  verbs: ["list", "get", "watch"]
-
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ovn-kubernetes
-roleRef:
-  name: ovn-kubernetes
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
-  name: ovn
-  namespace: ovn-kubernetes
 
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -164,22 +48,6 @@ rules:
   - list
   - update
 
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: only-ovnk8s-configmaps
-  namespace: ovn-kubernetes
-roleRef:
-  name: ovn-k8s-configmap
-  kind: Role
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
-  name: ovn
-  namespace: ovn-kubernetes
-
 {% if in_upgrade != "true" -%}
 ---
 

diff --git a/dist/templates/ovnkube-control-plane.yaml.j2 b/dist/templates/ovnkube-control-plane.yaml.j2
@@ -34,7 +34,7 @@ spec:
       priorityClassName: "system-cluster-critical"
       # Requires fairly broad permissions - ability to read all services and network functions as well
       # as all pods.
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-cluster-manager
       hostNetwork: true
       dnsPolicy: Default
 

diff --git a/dist/templates/ovnkube-db-raft.yaml.j2 b/dist/templates/ovnkube-db-raft.yaml.j2
@@ -68,7 +68,7 @@ spec:
       terminationGracePeriodSeconds: 30
       imagePullSecrets:
         - name: registry-credentials
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-db
       hostNetwork: true
       dnsPolicy: Default
 

diff --git a/dist/templates/ovnkube-db.yaml.j2 b/dist/templates/ovnkube-db.yaml.j2
@@ -57,7 +57,7 @@ spec:
       priorityClassName: "system-cluster-critical"
       # Requires fairly broad permissions - ability to read all services and network functions as well
       # as all pods.
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-db
       hostNetwork: true
       dnsPolicy: Default
       containers:

diff --git a/dist/templates/ovnkube-master.yaml.j2 b/dist/templates/ovnkube-master.yaml.j2
@@ -34,7 +34,7 @@ spec:
       priorityClassName: "system-cluster-critical"
       # Requires fairly broad permissions - ability to read all services and network functions as well
       # as all pods.
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-master
       hostNetwork: true
       dnsPolicy: Default
       {% if ovnkube_compact_mode_enable=="true" and ovn_unprivileged_mode=="no" %}

diff --git a/dist/templates/ovnkube-node.yaml.j2 b/dist/templates/ovnkube-node.yaml.j2
@@ -30,7 +30,7 @@ spec:
       priorityClassName: "system-cluster-critical"
       # Requires fairly broad permissions - ability to read all services and network functions as well
       # as all pods.
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-node
       hostNetwork: true
       dnsPolicy: Default
       {{ "hostPID: true" if ovn_unprivileged_mode=="no" }}

diff --git a/dist/templates/ovnkube-single-node-zone.yaml.j2 b/dist/templates/ovnkube-single-node-zone.yaml.j2
@@ -30,7 +30,7 @@ spec:
     spec:
       # Requires fairly broad permissions - ability to read all services and network functions as well
       # as all pods.
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-node
       hostNetwork: true
       dnsPolicy: Default
       {{ "hostPID: true" if ovn_unprivileged_mode=="no" }}

diff --git a/dist/templates/ovnkube-zone-controller.yaml.j2 b/dist/templates/ovnkube-zone-controller.yaml.j2
@@ -30,7 +30,7 @@ spec:
     spec:
       # Requires fairly broad permissions - ability to read all services and network functions as well
       # as all pods.
-      serviceAccountName: ovn
+      serviceAccountName: ovnkube-node
       hostNetwork: true
       dnsPolicy: Default
       {{ "hostPID: true" if ovn_unprivileged_mode=="no" }}

diff --git a/dist/templates/rbac-ovnkube-cluster-manager.yaml.j2 b/dist/templates/rbac-ovnkube-cluster-manager.yaml.j2
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+    name: ovnkube-cluster-manager
+    namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: ovnkube-cluster-manager
+roleRef:
+    name: ovnkube-cluster-manager
+    kind: ClusterRole
+    apiGroup: rbac.authorization.k8s.io
+subjects:
+    - kind: ServiceAccount
+      name: ovnkube-cluster-manager
+      namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: ovnkube-cluster-manager-configmaps
+    namespace: ovn-kubernetes
+roleRef:
+    name: ovn-k8s-configmap
+    kind: Role
+    apiGroup: rbac.authorization.k8s.io
+subjects:
+    - kind: ServiceAccount
+      name: ovnkube-cluster-manager
+      namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+    name: ovnkube-cluster-manager
+rules:
+    - apiGroups: [""]
+      resources:
+          - namespaces
+          - nodes
+          - pods
+          - services
+          - endpoints
+      verbs: [ "get", "list", "watch" ]
+    - apiGroups: ["discovery.k8s.io"]
+      resources:
+          - endpointslices
+      verbs: [ "get", "list", "watch" ]
+    - apiGroups: ["k8s.cni.cncf.io"]
+      resources:
+          - network-attachment-definitions
+          - multi-networkpolicies
+      verbs: ["list", "get", "watch"]
+    - apiGroups: ["k8s.ovn.org"]
+      resources:
+          - egressips
+          - egressservices
+      verbs: [ "get", "list", "watch" ]
+    - apiGroups: ["k8s.ovn.org"]
+      resources:
+          - egressips
+          - egressservices/status
+      verbs: [ "patch", "update" ]
+    - apiGroups: [""]
+      resources:
+          - events
+      verbs: ["create", "patch", "update"]
+    - apiGroups: [""]
+      resources:
+          - pods/status # used in multi-homing: https://github.com/ovn-org/ovn-kubernetes/blob/a9beb6fd4f8ea32b264999a8ebec25cd6bdc2281/go-controller/pkg/util/pod.go#L49
+          - nodes/status
+          - services/status
+      verbs: [ "patch", "update" ]