From c4119e58f3357a5661ee9129ed4a6863f7957c0d Mon Sep 17 00:00:00 2001
From: Patryk Diak
Date: Thu, 3 Aug 2023 14:54:39 +0200
Subject: [PATCH] Refactor RBAC

This commit refactors the RBAC rules and serviceAccount ovn-kubernetes uses. Instead of using one ServiceAcoount with one ClusterRole break it down per component. This makes it easier to track which permissions are required by which piece and avoid the mess of granting high privilages to everyone.

Signed-off-by: Patryk Diak
---
 contrib/kind.sh | 4 +
 dist/images/daemonset.sh | 6 +
 dist/templates/ovn-ipsec.yaml.j2 | 33 +++-
 dist/templates/ovn-setup.yaml.j2 | 132 ---------------
 dist/templates/ovnkube-control-plane.yaml.j2 | 2 +-
 dist/templates/ovnkube-db-raft.yaml.j2 | 2 +-
 dist/templates/ovnkube-db.yaml.j2 | 2 +-
 dist/templates/ovnkube-master.yaml.j2 | 2 +-
 dist/templates/ovnkube-node.yaml.j2 | 2 +-
 .../ovnkube-single-node-zone.yaml.j2 | 2 +-
 .../templates/ovnkube-zone-controller.yaml.j2 | 2 +-
 .../rbac-ovnkube-cluster-manager.yaml.j2 | 78 +++++++++
 dist/templates/rbac-ovnkube-db.yaml.j2 | 69 ++++++++
 dist/templates/rbac-ovnkube-master.yaml.j2 | 127 +++++++++++++++
 dist/templates/rbac-ovnkube-node.yaml.j2 | 150 ++++++++++++++++++
 test/scripts/upgrade-ovn.sh | 4 +
 16 files changed, 477 insertions(+), 140 deletions(-)
 create mode 100644 dist/templates/rbac-ovnkube-cluster-manager.yaml.j2
 create mode 100644 dist/templates/rbac-ovnkube-db.yaml.j2
 create mode 100644 dist/templates/rbac-ovnkube-master.yaml.j2
 create mode 100644 dist/templates/rbac-ovnkube-node.yaml.j2

diff --git a/contrib/kind.sh b/contrib/kind.sh
index 6fbba7e53da..d962e011bbd 100755
--- a/contrib/kind.sh
+++ b/contrib/kind.sh
@@ -958,6 +958,10 @@ install_ovn() {
 run_kubectl apply -f policy.networking.k8s.io_adminnetworkpolicies.yaml
 run_kubectl apply -f policy.networking.k8s.io_baselineadminnetworkpolicies.yaml
 run_kubectl apply -f ovn-setup.yaml
+ run_kubectl apply -f rbac-ovnkube-cluster-manager.yaml
+ run_kubectl apply -f rbac-ovnkube-master.yaml
+ run_kubectl apply -f rbac-ovnkube-node.yaml
+ run_kubectl apply -f rbac-ovnkube-db.yaml
 MASTER_NODES=$(kind get nodes --name "${KIND_CLUSTER_NAME}" | sort | head -n "${KIND_NUM_MASTER}")
 # We want OVN HA not Kubernetes HA
 # leverage the kubeadm well-known label node-role.kubernetes.io/control-plane=
diff --git a/dist/images/daemonset.sh b/dist/images/daemonset.sh
index 98255f3c8dc..9c1f03ca792 100755
--- a/dist/images/daemonset.sh
+++ b/dist/images/daemonset.sh
@@ -817,6 +817,12 @@ net_cidr=${net_cidr} svc_cidr=${svc_cidr} \
 in_upgrade=${in_upgrade} \
 j2 ../templates/ovn-setup.yaml.j2 -o ${output_dir}/ovn-setup.yaml
 
+ovn_enable_interconnect=${ovn_enable_interconnect} \
+ j2 ../templates/rbac-ovnkube-node.yaml.j2 -o ${output_dir}/rbac-ovnkube-node.yaml
+
+cp ../templates/rbac-ovnkube-master.yaml.j2 ${output_dir}/rbac-ovnkube-master.yaml
+cp ../templates/rbac-ovnkube-db.yaml.j2 ${output_dir}/rbac-ovnkube-db.yaml
+cp ../templates/rbac-ovnkube-cluster-manager.yaml.j2 ${output_dir}/rbac-ovnkube-cluster-manager.yaml
 cp ../templates/ovnkube-monitor.yaml.j2 ${output_dir}/ovnkube-monitor.yaml
 cp ../templates/k8s.ovn.org_egressfirewalls.yaml.j2 ${output_dir}/k8s.ovn.org_egressfirewalls.yaml
 cp ../templates/k8s.ovn.org_egressips.yaml.j2 ${output_dir}/k8s.ovn.org_egressips.yaml
diff --git a/dist/templates/ovn-ipsec.yaml.j2 b/dist/templates/ovn-ipsec.yaml.j2
index d8eb9dad31c..580732604a2 100644
--- a/dist/templates/ovn-ipsec.yaml.j2
+++ b/dist/templates/ovn-ipsec.yaml.j2
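Review bot: In the daemonset.sh hunk, the three new `cp` lines copy `.j2` templates to `.yaml` without rendering them, so any Jinja directive later added to rbac-ovnkube-master, rbac-ovnkube-db or rbac-ovnkube-cluster-manager would be shipped verbatim into the applied manifest, while the node template directly above is rendered with `j2` precisely because it carries `{% if %}` blocks. Rendering all four through `j2` (the three variable-free ones as `j2 ../templates/rbac-ovnkube-master.yaml.j2 -o ${output_dir}/rbac-ovnkube-master.yaml` and so on) keeps the pipeline uniform and surfaces template errors when the manifests are generated rather than at `kubectl apply`. The unquoted `${output_dir}` matches the surrounding lines, but `"${output_dir}"` is the safer form for a path. The enclosing script section begins and ends outside the hunk.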
@@ -1,3 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovn-kubernetes-csr-request
+rules:
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovn-kubernetes-csr-request
+roleRef:
+ name: ovn-kubernetes-csr-request
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-node
+ namespace: ovn-kubernetes
+
+---
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
@@ -32,7 +63,7 @@ spec:
 - matchExpressions:
 - key: network.operator.openshift.io/dpu-host
 operator: DoesNotExist
- serviceAccountName: ovn
+ serviceAccountName: ovnkube-node
 hostNetwork: true
 dnsPolicy: Default
 priorityClassName: "system-node-critical"
diff --git a/dist/templates/ovn-setup.yaml.j2 b/dist/templates/ovn-setup.yaml.j2
index 201f0d74a5d..d82adec2384 100644
--- a/dist/templates/ovn-setup.yaml.j2
+++ b/dist/templates/ovn-setup.yaml.j2
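Review bot: The new `ovn-kubernetes-csr-request` ClusterRole gives the `ovnkube-node` ServiceAccount `create`, `get`, `list`, `watch` and `delete` on every CertificateSigningRequest in the cluster, and since that ServiceAccount is shared by the DaemonSet on all nodes, RBAC cannot confine a node to its own CSRs; a single compromised node could enumerate or remove other nodes' pending requests. That is inherent to a DaemonSet identity, so the useful step is to record it and make clear that approval, which is not granted here, remains the control: a comment above `rules:` such as `# Bound to the shared ovnkube-node SA: every node can create/delete any CSR. Approval is the gate; no approve or sign verbs are granted.` would keep the trade-off visible. Keeping this role in the ipsec manifest rather than in rbac-ovnkube-node.yaml.j2 means CSR access exists only on ipsec deployments, which is the tighter choice and worth one sentence in the same comment.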
@@ -26,125 +26,9 @@ metadata: # This provisioning is done as part of installation after the cluster is # up and before the ovn daemonsets are created. -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn - namespace: ovn-kubernetes {%- endif %} ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ovn-kubernetes -rules: -- apiGroups: - - "" - resources: - - pods - - namespaces - - nodes - - endpoints - - services - verbs: ["get", "list", "watch"] -- apiGroups: - - extensions - - networking.k8s.io - - apps - resources: - - networkpolicies - - statefulsets - verbs: ["get", "list", "watch"] -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - - endpoints - - configmaps - verbs: ["create", "patch", "update"] -- apiGroups: - - "" - resources: - - namespaces - - nodes - - pods - - services - verbs: ["patch", "update"] -- apiGroups: - - k8s.ovn.org - resources: - - egressfirewalls - - egressips - - egressqoses - - egressservices - - egressservices/status - - adminpolicybasedexternalroutes - verbs: ["list", "get", "watch", "update", "patch"] -- apiGroups: - - k8s.ovn.org - resources: - - adminpolicybasedexternalroutes/status - verbs: [ "update"] -- apiGroups: - - policy.networking.k8s.io - resources: - - adminnetworkpolicies - - baselineadminnetworkpolicies - verbs: ["list", "get", "watch"] -- apiGroups: - - policy.networking.k8s.io - resources: - - adminnetworkpolicies/status - - baselineadminnetworkpolicies/status - verbs: ["update"] -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: ["list", "get", "watch"] -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch - - delete -- apiGroups: - - k8s.cni.cncf.io - resources: - - network-attachment-definitions - - multi-networkpolicies - verbs: ["list", "get", "watch"] - - ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn-kubernetes -roleRef: - name: ovn-kubernetes - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: ovn - namespace: ovn-kubernetes --- - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -164,22 +48,6 @@ rules: - list - update ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: only-ovnk8s-configmaps - namespace: ovn-kubernetes -roleRef: - name: ovn-k8s-configmap - kind: Role - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: ovn - namespace: ovn-kubernetes - {% if in_upgrade != "true" -%} --- diff --git a/dist/templates/ovnkube-control-plane.yaml.j2 b/dist/templates/ovnkube-control-plane.yaml.j2 index e56eaa7a91a..19c70193751 100644 --- a/dist/templates/ovnkube-control-plane.yaml.j2 +++ b/dist/templates/ovnkube-control-plane.yaml.j2 @@ -34,7 +34,7 @@ spec: priorityClassName: "system-cluster-critical" # Requires fairly broad permissions - ability to read all services and network functions as well # as all pods. - serviceAccountName: ovn + serviceAccountName: ovnkube-cluster-manager hostNetwork: true dnsPolicy: Default diff --git a/dist/templates/ovnkube-db-raft.yaml.j2 b/dist/templates/ovnkube-db-raft.yaml.j2 index c1d66db351e..51d95ec1ff3 100644 --- a/dist/templates/ovnkube-db-raft.yaml.j2 +++ b/dist/templates/ovnkube-db-raft.yaml.j2 @@ -68,7 +68,7 @@ spec: terminationGracePeriodSeconds: 30 imagePullSecrets: - name: registry-credentials - serviceAccountName: ovn + serviceAccountName: ovnkube-db hostNetwork: true dnsPolicy: Default diff --git a/dist/templates/ovnkube-db.yaml.j2 b/dist/templates/ovnkube-db.yaml.j2 index 30657e36b77..2e667d5c01f 100644 --- a/dist/templates/ovnkube-db.yaml.j2 +++ b/dist/templates/ovnkube-db.yaml.j2 
@@ -57,7 +57,7 @@ spec:
 priorityClassName: "system-cluster-critical"
 # Requires fairly broad permissions - ability to read all services and network functions as well
 # as all pods.
- serviceAccountName: ovn
+ serviceAccountName: ovnkube-db
 hostNetwork: true
 dnsPolicy: Default
 containers:
diff --git a/dist/templates/ovnkube-master.yaml.j2 b/dist/templates/ovnkube-master.yaml.j2
index 54b31e706c4..f679fb64156 100644
--- a/dist/templates/ovnkube-master.yaml.j2
+++ b/dist/templates/ovnkube-master.yaml.j2
@@ -34,7 +34,7 @@ spec:
 priorityClassName: "system-cluster-critical"
 # Requires fairly broad permissions - ability to read all services and network functions as well
 # as all pods.
- serviceAccountName: ovn
+ serviceAccountName: ovnkube-master
 hostNetwork: true
 dnsPolicy: Default
 {% if ovnkube_compact_mode_enable=="true" and ovn_unprivileged_mode=="no" %}
diff --git a/dist/templates/ovnkube-node.yaml.j2 b/dist/templates/ovnkube-node.yaml.j2
index c34ffe23995..6d22d806d16 100644
--- a/dist/templates/ovnkube-node.yaml.j2
+++ b/dist/templates/ovnkube-node.yaml.j2
@@ -30,7 +30,7 @@ spec:
 priorityClassName: "system-cluster-critical"
 # Requires fairly broad permissions - ability to read all services and network functions as well
 # as all pods.
- serviceAccountName: ovn
+ serviceAccountName: ovnkube-node
 hostNetwork: true
 dnsPolicy: Default
 {{ "hostPID: true" if ovn_unprivileged_mode=="no" }}
diff --git a/dist/templates/ovnkube-single-node-zone.yaml.j2 b/dist/templates/ovnkube-single-node-zone.yaml.j2
index 0ccdf44105f..fedd63b9bf1 100644
--- a/dist/templates/ovnkube-single-node-zone.yaml.j2
+++ b/dist/templates/ovnkube-single-node-zone.yaml.j2
@@ -30,7 +30,7 @@ spec:
 spec:
 # Requires fairly broad permissions - ability to read all services and network functions as well
 # as all pods.
- serviceAccountName: ovn
+ serviceAccountName: ovnkube-node
 hostNetwork: true
 dnsPolicy: Default
 {{ "hostPID: true" if ovn_unprivileged_mode=="no" }}
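Review bot: In the ovnkube-db.yaml.j2 hunk, the comment directly above the changed line, `# Requires fairly broad permissions - ability to read all services and network functions as well as all pods.`, now overstates what `ovnkube-db` is granted: rbac-ovnkube-db.yaml.j2 in this same commit gives that ServiceAccount only `get`/`list`/`watch` on nodes and namespaces cluster-wide, plus endpoints, pods and statefulsets inside the ovn-kubernetes namespace. Replacing it with `# Needs only cluster-wide read on nodes/namespaces plus namespaced access to endpoints, pods and statefulsets; see rbac-ovnkube-db.yaml.j2.` keeps the manifest honest about the component's footprint. The same wording remains above the ovnkube-master, ovnkube-node and control-plane ServiceAccount lines, where it is still broadly accurate.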
diff --git a/dist/templates/ovnkube-zone-controller.yaml.j2 b/dist/templates/ovnkube-zone-controller.yaml.j2
index e26abebe4c2..9ffff1c0dad 100644
--- a/dist/templates/ovnkube-zone-controller.yaml.j2
+++ b/dist/templates/ovnkube-zone-controller.yaml.j2
@@ -30,7 +30,7 @@ spec:
 spec:
 # Requires fairly broad permissions - ability to read all services and network functions as well
 # as all pods.
- serviceAccountName: ovn
+ serviceAccountName: ovnkube-node
 hostNetwork: true
 dnsPolicy: Default
 {{ "hostPID: true" if ovn_unprivileged_mode=="no" }}
diff --git a/dist/templates/rbac-ovnkube-cluster-manager.yaml.j2 b/dist/templates/rbac-ovnkube-cluster-manager.yaml.j2
new file mode 100644
index 00000000000..660cd6e009d
--- /dev/null
+++ b/dist/templates/rbac-ovnkube-cluster-manager.yaml.j2
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovnkube-cluster-manager
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovnkube-cluster-manager
+roleRef:
+ name: ovnkube-cluster-manager
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-cluster-manager
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-cluster-manager-configmaps
+ namespace: ovn-kubernetes
+roleRef:
+ name: ovn-k8s-configmap
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-cluster-manager
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovnkube-cluster-manager
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - nodes
+ - pods
+ - services
+ - endpoints
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["k8s.cni.cncf.io"]
+ resources:
+ - network-attachment-definitions
+ - multi-networkpolicies
+ verbs: ["list", "get", "watch"]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressips
+ - egressservices
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressips
+ - egressservices/status
+ verbs: [ "patch", "update" ]
+ - apiGroups: [""]
+ resources:
+ - events
+ verbs: ["create", "patch", "update"]
+ - apiGroups: [""]
+ resources:
+ - pods/status # used in multi-homing: https://github.com/ovn-org/ovn-kubernetes/blob/a9beb6fd4f8ea32b264999a8ebec25cd6bdc2281/go-controller/pkg/util/pod.go#L49
+ - nodes/status
+ - services/status
+ verbs: [ "patch", "update" ]
diff --git a/dist/templates/rbac-ovnkube-db.yaml.j2 b/dist/templates/rbac-ovnkube-db.yaml.j2
new file mode 100644
index 00000000000..b70b12eb21d
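Review bot: The second `k8s.ovn.org` rule grants `patch`/`update` on the whole `egressips` object while the neighbouring `egressservices` entry is confined to its `/status` subresource, and nothing on the page says why the asymmetry is needed. If the EgressIP CRD exposes a status subresource, `egressips/status` would be the tighter grant; if it does not, a comment in the style already used for `pods/status`, e.g. `- egressips # whole object: assignments are written on the object itself, no status subresource`, would document the reason (confirm against the CRD before wording it as fact). Apart from `events`, everything else in the role is read-only or status-only, which is the right shape for a control-plane component.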
--- /dev/null
+++ b/dist/templates/rbac-ovnkube-db.yaml.j2
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovnkube-db
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovnkube-db
+roleRef:
+ name: ovnkube-db
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-db
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-db-ep
+ namespace: ovn-kubernetes
+roleRef:
+ name: ovnkube-db-ep
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-db
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovnkube-db
+rules:
+ - apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ verbs: [ "get", "list", "watch" ]
+
+# ovnkube-db startup scripts create an endpoint:
+# https://github.com/ovn-org/ovn-kubernetes/blob/d3b10e87f7fffa38fdf4ad52f98bc8ba998df6c2/dist/images/ovnkube.sh#L699
+# in HA statefulsets/pods are inspected
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ovnkube-db-ep
+ namespace: ovn-kubernetes
+rules:
+ - apiGroups: [""]
+ resources:
+ - endpoints
+ verbs: [ "get", "create" ]
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources:
+ - statefulsets
+ verbs: [ "get" ]
diff --git a/dist/templates/rbac-ovnkube-master.yaml.j2 b/dist/templates/rbac-ovnkube-master.yaml.j2
new file mode 100644
index 00000000000..16cedff05db
--- /dev/null
+++ b/dist/templates/rbac-ovnkube-master.yaml.j2
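Review bot: The `ovnkube-db` ClusterRole grants `get`/`list`/`watch` on `nodes` and `namespaces` cluster-wide, but unlike the `ovnkube-db-ep` Role below it carries no comment saying which startup path reads them, so a later reviewer cannot tell whether either resource or the `watch` verb is still required. A short note above `rules:` of the form `# nodes/namespaces are read by <startup script reference> — keep in sync` (with the real reference filled in, as already done for the endpoints rule) would make the grant auditable. The namespaced Role is pleasantly minimal: `create` on endpoints without `update` or `delete`, and `get` only on statefulsets.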
@@ -0,0 +1,127 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovnkube-master
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovnkube-master
+roleRef:
+ name: ovnkube-master
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-master
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-master-configmaps
+ namespace: ovn-kubernetes
+roleRef:
+ name: ovn-k8s-configmap
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-master
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-master-configmaps-update
+ namespace: ovn-kubernetes
+roleRef:
+ name: ovn-k8s-configmap-update
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-master
+ namespace: ovn-kubernetes
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovnkube-master
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - nodes
+ - pods
+ - services
+ - endpoints
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - networkpolicies
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["policy.networking.k8s.io"]
+ resources:
+ - adminnetworkpolicies
+ - baselineadminnetworkpolicies
+ verbs: ["list", "get", "watch"]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressfirewalls
+ - egressips
+ - egressqoses
+ - egressservices
+ - adminpolicybasedexternalroutes
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["k8s.cni.cncf.io"]
+ resources:
+ - network-attachment-definitions
+ - multi-networkpolicies
+ verbs: ["list", "get", "watch"]
+ - apiGroups: ["policy.networking.k8s.io"]
+ resources:
+ - adminnetworkpolicies/status
+ - baselineadminnetworkpolicies/status
+ verbs: [ "patch", "update" ]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressfirewalls
+ - egressips
+ - egressqoses
+ - egressservices/status
+ - adminpolicybasedexternalroutes/status
+ verbs: [ "patch", "update" ]
+ - apiGroups: [""]
+ resources:
+ - events
+ verbs: ["create", "patch", "update"]
+ - apiGroups: [""]
+ resources:
+ - nodes/status
+ - pods/status
+ - services/status
+ verbs: [ "patch", "update" ]
+
+
+# https://github.com/ovn-org/ovn-kubernetes/blob/b63a59b89209cc1adc1ea6b3859b037f29a3b69b/go-controller/pkg/ovn/topology_version.go#L28
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: ovn-kubernetes
+ name: ovn-k8s-configmap-update
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "patch", "update"]
diff --git a/dist/templates/rbac-ovnkube-node.yaml.j2 b/dist/templates/rbac-ovnkube-node.yaml.j2
new file mode 100644
index 00000000000..3dfdad9b60f
--- /dev/null
+++ b/dist/templates/rbac-ovnkube-node.yaml.j2
@@ -0,0 +1,150 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovnkube-node
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovnkube-node
+roleRef:
+ name: ovnkube-node
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-node
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-node-configmaps
+ namespace: ovn-kubernetes
+roleRef:
+ name: ovn-k8s-configmap
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-node
+ namespace: ovn-kubernetes
+
+# In IC ovnkube-node pod needs configmap access in ovn-k ns for topology version:
+# https://github.com/ovn-org/ovn-kubernetes/blob/b63a59b89209cc1adc1ea6b3859b037f29a3b69b/go-controller/pkg/ovn/topology_version.go#L28
+{% if ovn_enable_interconnect == "true" -%}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-node-ic-configmaps-update
+ namespace: ovn-kubernetes
+roleRef:
+ name: ovn-k8s-configmap-update
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-node
+ namespace: ovn-kubernetes
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-node-ep
+ namespace: ovn-kubernetes
+roleRef:
+ name: ovnkube-node-ep
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-node
+ namespace: ovn-kubernetes
+{%- endif %}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovnkube-node
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - nodes
+ - pods
+ - services
+ - endpoints
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs: [ "get", "list", "watch" ]
+ {% if ovn_enable_interconnect == "true" -%}
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - networkpolicies
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["k8s.cni.cncf.io"]
+ resources:
+ - network-attachment-definitions
+ - multi-networkpolicies
+ verbs: ["list", "get", "watch"]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressfirewalls
+ - adminpolicybasedexternalroutes/status
+ verbs: [ "patch", "update" ]
+ - apiGroups: ["policy.networking.k8s.io"]
+ resources:
+ - adminnetworkpolicies/status
+ - baselineadminnetworkpolicies/status
+ verbs: [ "patch", "update" ]
+ {%- endif %}
+ - apiGroups: ["policy.networking.k8s.io"]
+ resources:
+ - adminnetworkpolicies
+ - baselineadminnetworkpolicies
+ verbs: ["list", "get", "watch"]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressfirewalls
+ - egressips
+ - egressqoses
+ - egressservices
+ - adminpolicybasedexternalroutes
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources:
+ - events
+ verbs: ["create", "patch", "update"]
+ - apiGroups: [""]
+ resources:
+ {% if ovn_enable_interconnect == "true" -%}
+ - pods/status # In IC ovnkube-controller updates pod annotations for local pods
+ - namespaces/status #TODO(kyrtapz) all of the nodes update the exgw annotation on namespaces, we might need to change that
+ {%- endif %}
+ - nodes/status
+ verbs: [ "patch", "update" ]
+
+# Without IC endpoints are read by ovnkube-node on startup
+# With IC endpoints are created by ovnkube-zone-controller/sb-ovsdb startup script in multinode-zone for IC
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ovnkube-node-ep
+ namespace: ovn-kubernetes
+rules:
+ - apiGroups: [""]
+ resources:
+ - endpoints
+ verbs:
+ - get
+ {% if ovn_enable_interconnect == "true" -%}
+ - create
+ {%- endif %}
\ No newline at end of file
diff --git a/test/scripts/upgrade-ovn.sh b/test/scripts/upgrade-ovn.sh
index f52511f4462..03375777ba3 100755
--- a/test/scripts/upgrade-ovn.sh
+++ b/test/scripts/upgrade-ovn.sh
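Review bot: The `ovnkube-node` ClusterRole grants `patch`/`update` on `nodes/status` for every node, and under `ovn_enable_interconnect` also on `pods/status` and `namespaces/status` cluster-wide, all from one ServiceAccount shared by the DaemonSet on every node; RBAC offers no per-node scoping for a custom ServiceAccount, so a single compromised node holds status-write on every node's, pod's and namespace's object. The existing `#TODO(kyrtapz)` already flags the namespace case; `pods/status` and `nodes/status` deserve the same visibility, e.g. `# Shared DaemonSet SA: these status writes are cluster-wide, not limited to the local node` above the rule. Within the same IC block, `egressfirewalls` receives whole-object `patch`/`update` next to `adminpolicybasedexternalroutes/status`; if only status is written, `egressfirewalls/status` would be tighter (confirm against the controller). The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is new.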
@@ -271,6 +271,10 @@ pushd ../dist/yaml
 
 # install updated k8s configuration for ovn-k (useful in case of ClusterRole updates)
 run_kubectl apply -f ovn-setup.yaml
+run_kubectl apply -f rbac-ovnkube-cluster-manager.yaml
+run_kubectl apply -f rbac-ovnkube-master.yaml
+run_kubectl apply -f rbac-ovnkube-node.yaml
+run_kubectl apply -f rbac-ovnkube-db.yaml
 
 # install updated ovnkube-node daemonset
 run_kubectl apply -f ovnkube-node.yaml
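Review bot: `kubectl apply` never removes objects that disappeared from a manifest, so after this upgrade the old `ovn` ServiceAccount, the broad `ovn-kubernetes` ClusterRole and ClusterRoleBinding, and the `only-ovnk8s-configmaps` RoleBinding deleted from ovn-setup.yaml.j2 remain in the cluster as a dormant over-privileged identity. The script should prune them once the DaemonSets and Deployments have rolled over to the new ServiceAccounts and nothing still references `ovn` (deleting earlier would strip permissions from pods still running under it), e.g. `run_kubectl delete clusterrolebinding ovn-kubernetes --ignore-not-found`, `run_kubectl delete clusterrole ovn-kubernetes --ignore-not-found` and `run_kubectl delete -n ovn-kubernetes rolebinding/only-ovnk8s-configmaps serviceaccount/ovn --ignore-not-found`. The same concern does not apply to contrib/kind.sh, which installs into a fresh cluster. The enclosing script section begins and ends outside the hunk.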