Skip to content

Commit

Permalink
Create separate ServiceAccount for Smart Gateways (#119) (#120)
Browse files Browse the repository at this point in the history 
Create a separate ServiceAccount for use by the Smart Gateway workloads.
This requires changes to the Operator RBAC permissions so that it can
create ClusterRoles, ClusterRoleBindings, and ServiceAcccounts.

Implement Ansible changes to the smartgateway role so that the
appropriate resources are created in the cluster, and assigned the RBAC
permissions to the Smart Gateway workload. Move the Deployment of Smart
Gateways from using the default ServiceAccount, and instead use the new
smart-gateway ServiceAccount.

Signed-off-by: Leif Madsen <lmadsen@redhat.com>
Resolves: rhbz#2082310
  • Loading branch information
@leifmadsen
leifmadsen authored May 11, 2022
1 parent da8845c commit e13398a
Show file tree
Hide file tree
Showing 7 changed files with 257 additions and 10 deletions.
95 changes: 95 additions & 0 deletions ...atalog/smart-gateway-operator/manifests/smart-gateway-operator.clusterserviceversion.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,78 @@ spec:
mediatype: image/svg+xml
install:
spec:
clusterPermissions:
- rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- create
- list
- get
- update
- patch
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- create
- list
- get
- update
- patch
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- create
- list
- get
- update
- patch
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
serviceAccountName: smart-gateway-operator
deployments:
- name: smart-gateway-operator
spec:
Expand Down Expand Up @@ -186,6 +258,7 @@ spec:
- events
- configmaps
- secrets
- serviceaccounts
verbs:
- create
- delete
Expand Down Expand Up @@ -249,6 +322,28 @@ spec:
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- create
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- get
- list
- watch
serviceAccountName: smart-gateway-operator
strategy: deployment
installModes:
Expand Down
100 changes: 99 additions & 1 deletion deploy/role.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,81 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: smart-gateway-operator
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- create
- list
- get
- update
- patch
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- create
- list
- get
- update
- patch
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- create
- list
- get
- update
- patch
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: smart-gateway-operator
rules:
- apiGroups:
Expand All @@ -15,6 +89,7 @@ rules:
- events
- configmaps
- secrets
- serviceaccounts
verbs:
- create
- delete
Expand Down Expand Up @@ -78,3 +153,26 @@ rules:
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- create
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- get
- list
- watch

16 changes: 8 additions & 8 deletions deploy/role_binding.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,24 +1,24 @@
kind: RoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: smart-gateway-operator
subjects:
- kind: ServiceAccount
name: smart-gateway-operator
namespace: service-telemetry
roleRef:
kind: Role
kind: ClusterRole
name: smart-gateway-operator
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: smart-gateway-auth-delegator
name: smart-gateway-operator
subjects:
- kind: ServiceAccount
name: default
namespace: placeholder
name: smart-gateway-operator
roleRef:
kind: Role
name: smart-gateway-operator
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
1 change: 1 addition & 0 deletions roles/smartgateway/defaults/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ tls_secret_name: elasticsearch-es-cert
exporter_host: 0.0.0.0
exporter_port: 8081
block_event_bus: false
service_account_name: smart-gateway

# - This image works on OCP 4.6, 4.7, and 4.8
oauth_proxy_image: image-registry.openshift-image-registry.svc:5000/openshift/oauth-proxy:v4.4
Expand Down
35 changes: 35 additions & 0 deletions roles/smartgateway/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,41 @@
session_secret: "{{ lookup('password', '/dev/null') }}"
when: session_secret.resources|length == 0

- name: Create Smart Gateway ServiceAccount
k8s:
state: present
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ service_account_name }}"
namespace: "{{ meta.namespace }}"

- name: Create Smart Gateway Role
k8s:
state: present
definition: "{{ lookup('template', 'sg-role.yaml.j2') | from_yaml }}"

- name: Create Smart Gateway RoleBinding
k8s:
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: smart-gateway
app.kubernetes.io/name: smart-gateway
app.kubernetes.io/part-of: service-telemetry-framework
name: smart-gateway
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: smart-gateway
subjects:
- kind: ServiceAccount
name: smart-gateway
namespace: "{{ meta.namespace }}"

# used as part of the Deployment object in order to trigger pod restarts on ConfigMap change
- name: Get Smart Gateway ConfigMap Environment
set_fact:
Expand Down
3 changes: 2 additions & 1 deletion roles/smartgateway/templates/deployment.yaml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ spec:
- -tls-cert=/etc/tls/private/tls.crt
- -tls-key=/etc/tls/private/tls.key
- -cookie-secret-file=/etc/proxy/secrets/session_secret
- -openshift-service-account=NA
- -openshift-service-account={{ service_account_name }}
- -upstream=http://localhost:8081/
- '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get"}}'
ports:
Expand Down Expand Up @@ -136,6 +136,7 @@ spec:
{% endfor %}
{% endif %}
{% endif %}
serviceAccountName: {{ service_account_name }}
volumes:
{% if (applications | selectattr('name','equalto','prometheus') | list | count > 0) %}
- name: {{ meta.name }}-proxy-tls
Expand Down
17 changes: 17 additions & 0 deletions roles/smartgateway/templates/sg-role.yaml.j2
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: smart-gateway
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create

0 comments on commit e13398a

Please sign in to comment.