From 496ac7fd16614c73b64be41336e59c626479b9cd Mon Sep 17 00:00:00 2001
From: Shubham Chaudhary
Date: Wed, 24 Apr 2024 14:38:43 +0530
Subject: [PATCH] chore(rbac): Consolidate the serviceaccounts in the chaos infrastructure (#4598)
* chore(rbac): Consolidate the serviceaccounts in the chaos infrastructure
Signed-off-by: Shubham Chaudhary
* add rbac for event tracker
Signed-off-by: Shubham Chaudhary
---------
Signed-off-by: Shubham Chaudhary
---
 .../manifests/cluster/1b_argo_rbac.yaml | 69 ++-
 .../manifests/cluster/1c_argo_deployment.yaml | 2 +-
 .../cluster/2b_litmus_admin_rbac.yaml | 123 ++++++
 .../manifests/cluster/2b_litmus_rbac.yaml | 115 -----
 .../cluster/2c_litmus_deployment.yaml | 4 +-
 .../manifests/cluster/3a_agents_rbac.yaml | 412 ++++++------------
 .../cluster/3b_agents_deployment.yaml | 4 +-
 .../manifests/namespace/1a_argo_rbac.yaml | 66 ++-
 .../namespace/1b_argo_deployment.yaml | 2 +-
 .../namespace/2a_litmus_admin_rbac.yaml | 119 +++++
 .../manifests/namespace/2a_litmus_rbac.yaml | 112 -----
 .../namespace/2b_litmus_deployment.yaml | 4 +-
 .../manifests/namespace/3a_agents_rbac.yaml | 408 ++++++-----------
 .../namespace/3b_agents_deployment.yaml | 4 +-
 .../pkg/chaos_infrastructure/infra_utils.go | 2 +-
 15 files changed, 583 insertions(+), 863 deletions(-)
 create mode 100644 chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml
 delete mode 100644 chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml
 create mode 100644 chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml
 delete mode 100644 chaoscenter/graphql/server/manifests/namespace/2a_litmus_rbac.yaml
diff --git a/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
index e7131e319e5..41cfdc5912b 100644
--- a/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
@@ -2,54 +2,53 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: argo + name: argo-chaos namespace: #{INFRA_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: argo-cluster-role + name: chaos-cluster-role rules: - - apiGroups: [""] - resources: ["pods", "pods/exec"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "watch", "list"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["create", "delete"] - - apiGroups: ["argoproj.io"] - resources: ["workflows", "workflows/finalizers"] - verbs: ["get", "list", "watch", "update", "patch", "delete", "create"] - - apiGroups: ["argoproj.io"] - resources: ["workflowtemplates","workflowtemplates/finalizers","clusterworkflowtemplates","clusterworkflowtemplates/finalizers","workflowtasksets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["argoproj.io"] - resources: ["workflowtaskresults"] - verbs: ["list", "watch", "deletecollection"] - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "list"] - - apiGroups: ["argoproj.io"] - resources: ["cronworkflows", "cronworkflows/finalizers"] - verbs: ["get", "list", "watch", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["create", "get", "delete"] + # for managing the pods created by workflow controller to implement individual steps in the workflow + - apiGroups: [''] + resources: ['pods', 'services'] + verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list'] + - apiGroups: [''] + resources: ['namespaces'] + verbs: ['get', 'watch', 'patch', 'list'] + + # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow + - apiGroups: [''] + resources: ['pods/log', 'pods/exec'] + verbs: ['get', 'watch', 'create', 'delete', 'patch'] + 
- apiGroups: [''] + resources: ['secrets', 'configmaps'] + verbs: ['get', 'watch', 'create', 'patch'] + + # for creation & deletion of application in predefined workflows + - apiGroups: ['apps'] + resources: ['deployments'] + verbs: ['delete'] + - apiGroups: ['apps'] + resources: ['deployments', 'statefulsets'] + verbs: ['get', 'watch', 'patch' , 'create'] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: + ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"] + verbs: ["create", "list", "get", "patch", "delete", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: argo-binding + name: chaos-cluster-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: argo-cluster-role + name: chaos-cluster-role subjects: - kind: ServiceAccount - name: argo + name: argo-chaos namespace: #{INFRA_NAMESPACE} \ No newline at end of file diff --git a/chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml b/chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml index 4d15d1f0df7..263aec09885 100644 --- a/chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml +++ b/chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml @@ -67,4 +67,4 @@ spec: memory: "500Mi" cpu: "225m" ephemeral-storage: "1Gi" - serviceAccountName: argo + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} diff --git a/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml new file mode 100644 index 00000000000..fc60ab50d66 --- /dev/null +++ b/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml 
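Review bot: The `secrets`/`configmaps` rule added to `chaos-cluster-role` (`verbs: ['get', 'watch', 'create', 'patch']`, cluster-scoped) is the only rule in this file without a `# for …` comment, and it is the grant with the widest reach: `argo-chaos`, the account the workflow-step pods run as, can read and modify Secrets in every namespace. Every neighbouring rule states its purpose; add one above it that states why step pods need `create`/`patch` on Secrets rather than `get` alone, so the grant is justified rather than inherited from the copy removed from cluster/3a_agents_rbac.yaml. The namespace-scoped `chaos-role` in namespace/1a_argo_rbac.yaml has the same uncommented rule. Dropping `create` on `namespaces` compared with the moved copy is a welcome narrowing; a one-line comment on that rule saying it was deliberate would stop someone restoring it.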
@@ -0,0 +1,123 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: litmus-admin + namespace: #{INFRA_NAMESPACE} + labels: + name: litmus-admin +--- +# Source: openebs/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: litmus-admin + labels: + name: litmus-admin +rules: + # *************************************************************************************** + # Permissions needed for preparing and monitor the chaos resources by chaos-runner + # *************************************************************************************** + + # The chaos operator watches the chaosengine resource and orchestrates the chaos experiment.. + ## .. by creating the chaos-runner + + # for creating and monitoring the chaos-runner pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + + # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) + - apiGroups: [""] + resources: ["secrets", "configmaps"] + verbs: ["get", "list"] + + # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list", "watch"] + + # for configuring and monitor the experiment job by chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create", "list", "get", "delete", "deletecollection"] + + # ******************************************************************** + # Permissions needed for creation and discovery of chaos experiments + # ******************************************************************** + + # The helper pods are created by experiment to perform the actual chaos injection ... + # ... 
for a period of chaos duration + + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec","pods/eviction","replicationcontrollers"] + verbs: ["get","list","create"] + + # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list", "watch"] + + # for creating and monitoring liveness services or monitoring target app services during chaos injection + - apiGroups: [""] + resources: ["services"] + verbs: ["create","get","list"] + + # for checking the app parent resources as deployments or sts and are eligible chaos candidates + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets"] + verbs: ["list", "get", "patch", "update"] + + # for checking the app parent resources as replicasets and are eligible chaos candidates + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get"] + + # for checking the app parent resources as deamonsets and are eligible chaos candidates + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list","get"] + + # for checking (openshift) app parent resources if they are eligible chaos candidates + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list", "get"] + + # for checking (argo) app parent resources if they are eligible chaos candidates + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list", "get"] + + # performs CRUD operations on the network policies + - apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies"] + verbs: ["create","delete","list","get"] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + + # for experiment to perform node status checks 
and other node level operations like taint, drain in the experiment. + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch", "get", "list", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: litmus-admin + labels: + name: litmus-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: litmus-admin +subjects: + - kind: ServiceAccount + name: litmus-admin + namespace: #{INFRA_NAMESPACE} \ No newline at end of file diff --git a/chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml deleted file mode 100644 index bb74565a1e3..00000000000 --- a/chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml +++ /dev/null 
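Review bot: The header comment `# Source: openebs/templates/clusterrole.yaml` above the `litmus-admin` ClusterRole is leftover Helm-render output that does not describe this file; replace it with a line naming the role's purpose, e.g. `# ClusterRole for the litmus-admin account used by the chaos-runner and experiment pods`. The `pods/log` rule (`get`, `list`, `watch`) is declared twice in the same rules list, once under the chaos-runner section and once under the experiment section; RBAC tolerates the duplicate, but keeping one copy and mentioning it in the other section's comment makes the effective permission set easier to audit. The comments also carry the typos `comands` and `deamonsets`. Since this file grants `nodes` `patch`/`update` and `pods/exec` `create` cluster-wide, the comments are the only record of why each verb is there, so they are worth getting right.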
@@ -1,115 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: litmus-cluster-scope - namespace: #{INFRA_NAMESPACE} - labels: - app.kubernetes.io/name: litmus - # provide unique instance-id if applicable - # app.kubernetes.io/instance: litmus-abcxzy - app.kubernetes.io/version: v2.0.0 - app.kubernetes.io/component: operator-serviceaccount - app.kubernetes.io/part-of: litmus - app.kubernetes.io/managed-by: kubectl - name: litmus-cluster-scope ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: litmus-cluster-scope - labels: - app.kubernetes.io/name: litmus - # provide unique instance-id if applicable - # app.kubernetes.io/instance: litmus-abcxzy - app.kubernetes.io/version: v2.0.0 - app.kubernetes.io/component: operator-clusterrole - app.kubernetes.io/part-of: litmus - app.kubernetes.io/managed-by: kubectl - name: litmus-cluster-scope -rules: - - apiGroups: [""] - resources: ["replicationcontrollers", "secrets"] - verbs: ["get", "list"] - - apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["get", "list"] - - apiGroups: ["apps"] - resources: ["deployments", "daemonsets", "replicasets", "statefulsets"] - verbs: ["get", "list"] - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["get", "list", "deletecollection"] - - apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["pods"] - verbs: - [ - "get", - "create", - "update", - "patch", - "delete", - "list", - "watch", - "deletecollection", - ] - - apiGroups: [""] - resources: ["configmaps", "events", "services"] - verbs: - [ - "get", - "create", - "update", - "patch", - "list", - "watch", - ] - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults"] - verbs: - [ - "get", - "create", - "update", - "patch", - "delete", - "list", - "watch", - "deletecollection", - ] - # for validation of existance of chaosresult crd - - apiGroups: 
["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list", "get"] - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines/finalizers"] - verbs: ["update"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get","create","list","update","delete"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: litmus-cluster-scope - labels: - app.kubernetes.io/name: litmus - # provide unique instance-id if applicable - # app.kubernetes.io/instance: litmus-abcxzy - app.kubernetes.io/version: v2.0.0 - app.kubernetes.io/component: operator-clusterrolebinding - app.kubernetes.io/part-of: litmus - app.kubernetes.io/managed-by: kubectl - name: litmus-cluster-scope -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: litmus-cluster-scope -subjects: - - kind: ServiceAccount - name: litmus-cluster-scope - namespace: #{INFRA_NAMESPACE} diff --git a/chaoscenter/graphql/server/manifests/cluster/2c_litmus_deployment.yaml b/chaoscenter/graphql/server/manifests/cluster/2c_litmus_deployment.yaml index 340af2eb246..18632fc1410 100644 --- a/chaoscenter/graphql/server/manifests/cluster/2c_litmus_deployment.yaml +++ b/chaoscenter/graphql/server/manifests/cluster/2c_litmus_deployment.yaml @@ -30,7 +30,7 @@ spec: app.kubernetes.io/managed-by: kubectl name: chaos-operator spec: - serviceAccountName: litmus-cluster-scope + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} #{TOLERATIONS} #{NODE_SELECTOR} containers: @@ -114,7 +114,7 @@ spec: memory: "500Mi" cpu: "225m" ephemeral-storage: "1Gi" - serviceAccountName: litmus-cluster-scope + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} --- apiVersion: v1 kind: Service diff --git a/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml index aa213198237..3c10b2840da 100644 --- a/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml 
+++ b/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml 
@@ -1,219 +1,95 @@ --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: litmus-admin - namespace: #{INFRA_NAMESPACE} - labels: - name: litmus-admin ---- -# Source: openebs/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: litmus-admin - labels: - name: litmus-admin + name: infra-cluster-role rules: - # *************************************************************************************** - # Permissions needed for preparing and monitor the chaos resources by chaos-runner - # *************************************************************************************** - - # The chaos operator watches the chaosengine resource and orchestartes the chaos experiment.. - ## .. by creating the chaos-runner - - # for creating and monitoring the chaos-runner pods - - apiGroups: [""] - resources: ["pods"] - verbs: ["create","delete","get","list","patch","update", "deletecollection"] - - - apiGroups: [""] - resources: ["events"] - verbs: ["create","get","list","patch","update"] - - # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) - - apiGroups: [""] - resources: ["secrets", "configmaps"] - verbs: ["get", "list"] - - # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - # for configuring and monitor the experiment job by chaos-runner pod - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create", "list", "get", "delete", "deletecollection"] - - # ******************************************************************** - # Permissions needed for creation and discovery of chaos experiments - # ******************************************************************** - - # The helper pods are created by experiment to perform the actual chaos injection ... - # ... 
for a period of chaos duration - - # for creating and managing to execute comands inside target container - - apiGroups: [""] - resources: ["pods/exec","pods/eviction","replicationcontrollers"] - verbs: ["get","list","create"] - - # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - # for creating and monitoring liveness services or monitoring target app services during chaos injection - - apiGroups: [""] - resources: ["services"] - verbs: ["create","get","list"] - - # for checking the app parent resources as deployments or sts and are eligible chaos candidates - - apiGroups: ["apps"] - resources: ["deployments", "statefulsets"] - verbs: ["list", "get", "patch", "update"] - - # for checking the app parent resources as replicasets and are eligible chaos candidates - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list", "get"] - - # for checking the app parent resources as deamonsets and are eligible chaos candidates - - apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["list","get"] - - # for checking (openshift) app parent resources if they are eligible chaos candidates - - apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list", "get"] - - # for checking (argo) app parent resources if they are eligible chaos candidates - - apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list", "get"] - - # performs CRUD operations on the network policies - - apiGroups: ["networking.k8s.io"] - resources: ["networkpolicies"] - verbs: ["create","delete","list","get"] + # *********************************************************************************************** + # Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter + # *********************************************************************************************** + + # for 
mounting the secrets to the chaos-runner pod + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get", "list" ] + + # for deriving the owner references of the operator pod + - apiGroups: [ "apps" ] + resources: [ "deployments", "replicasets"] + verbs: [ "get", "list" ] + + # for the cleanup of jobs in abort scenarios + - apiGroups: [ "batch" ] + resources: [ "jobs" ] + verbs: [ "get", "list", "deletecollection" ] + + # for creation and management of the chaos-runner pod + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ] + + # for creating of events, monitoring and leader election + - apiGroups: [ "" ] + resources: [ "configmaps", "events", "services" ] + verbs: ["get", "create", "update", "patch", "list", "watch" ] # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update","delete"] - - # for experiment to perform node status checks and other node level operations like taint, drain in the experiment. 
- - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch", "get", "list", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: litmus-admin - labels: - name: litmus-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: litmus-admin -subjects: -- kind: ServiceAccount - name: litmus-admin - namespace: #{INFRA_NAMESPACE} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-chaos - namespace: #{INFRA_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: chaos-cluster-role -rules: - # for managing the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [''] - resources: ['pods', 'services'] - verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list'] - - - apiGroups: [''] - resources: ['namespaces'] - verbs: ['get', 'watch', 'patch', 'list', 'create'] - - # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [''] - resources: ['pods/log'] - verbs: ['get', 'watch', 'create', 'delete', 'patch'] - - apiGroups: [''] - resources: ['secrets', 'configmaps'] - verbs: ['get', 'watch', 'create', 'patch'] - # for creation & deletion of application in predefined workflows - - apiGroups: ['apps'] - resources: ['deployments'] - verbs: ['delete'] - - apiGroups: ['apps'] - resources: ['deployments', 'statefulsets'] - verbs: ['get', 'watch', 'patch' , 'create'] - - # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - - apiGroups: ["litmuschaos.io"] - resources: - ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"] - verbs: ["create", "list", "get", "patch", "delete", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: chaos-cluster-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - 
name: chaos-cluster-role -subjects: - - kind: ServiceAccount - name: argo-chaos - namespace: #{INFRA_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: subscriber-cluster-role - namespace: #{INFRA_NAMESPACE} - labels: - name: subscriber-cluster-role -rules: - - apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "create", "delete", "update"] - - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - - apiGroups: [""] - resources: ["pods", "namespaces", "nodes", "services"] - verbs: ["get", "list", "watch"] - - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosschedules", "chaosresults"] - verbs: ["get", "list", "create", "delete", "update", "watch", "patch"] - - - apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["get", "list"] - - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["delete"] - - - apiGroups: ["apps"] - resources: ["deployments", "daemonsets", "replicasets", "statefulsets"] - verbs: ["get","list"] - - - apiGroups: ["argoproj.io"] + - apiGroups: [ "litmuschaos.io" ] + resources: [ "chaosengines", "chaosexperiments", "chaosresults" ] + verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ] + + # for validation of existance of chaosresult crd + - apiGroups: [ "apiextensions.k8s.io" ] + resources: [ "customresourcedefinitions" ] + verbs: [ "list", "get" ] + + # for managing the finalizers to the primary resource + - apiGroups: [ "litmuschaos.io" ] + resources: [ "chaosengines/finalizers" ] + verbs: [ "update" ] + + # for managing the leader elections in multi-replicas scenario + - apiGroups: [ "coordination.k8s.io" ] + resources: [ "leases" ] + verbs: [ "get","create","list","update","delete" ] + + # ****************************************************************************************************** + # Permissions needed to manage and communicate between control plane 
and execution plane by subscriber + # ******************************************************************************************************* + + - apiGroups: [ "" ] + resources: [ "configmaps", "secrets" ] + verbs: [ "get", "create", "delete", "update", "patch" ] + + - apiGroups: [ "batch" ] + resources: [ "jobs" ] + verbs: [ "get", "create", "patch", "update" ] + + - apiGroups: [ "" ] + resources: [ "pods/log" ] + verbs: [ "get", "list", "watch" ] + + - apiGroups: [ "" ] + resources: [ "pods", "namespaces", "nodes", "services" ] + verbs: [ "get", "list", "watch" ] + + - apiGroups: [ "litmuschaos.io" ] + resources: [ "chaosengines", "chaosschedules", "chaosresults" ] + verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ] + + - apiGroups: [ "apps.openshift.io" ] + resources: [ "deploymentconfigs" ] + verbs: [ "get", "list" ] + + - apiGroups: [ "apps" ] + resources: [ "deployments" ] + verbs: [ "delete" ] + + - apiGroups: [ "apps" ] + resources: [ "deployments", "daemonsets", "replicasets", "statefulsets" ] + verbs: [ "get","list" ] + + - apiGroups: [ "argoproj.io" ] resources: [ "workflows", 
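Review bot: `infra-cluster-role` now unions the chaos-operator, subscriber, workflow-controller and event-tracker permissions into one ClusterRole bound to a single `#{INFRA_SERVICE_ACCOUNT}` (binding in the next hunk), so every one of those deployments — including the subscriber, which per its section comment is the component talking to the control plane, and the event-tracker, which previously had only `get`/`list`/`watch` — now holds cluster-wide `secrets` `create`/`update`/`delete`/`patch` (subscriber section here) and `pods`/`pods/exec` `create` (workflow-controller section in the next hunk). That is a least-privilege regression relative to the four separate accounts removed in this hunk: a compromise of any one of these pods now reaches every namespace. If the consolidation is intended, say so in the header comment, e.g. `# Single ClusterRole shared by every chaos-infrastructure deployment; a pod running as #{INFRA_SERVICE_ACCOUNT} gets the union of all sections below`, and consider keeping a separate, read-only binding for the components that only need `get`/`list`/`watch`. The subscriber section's rules also lack the per-rule `# for …` comments the operator section has, and `existance` is a typo. The rules list continues past the end of this hunk.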
@@ -226,78 +102,64 @@ rules: "clusterworkflowtemplates/finalizers", "rollouts", ] - verbs: ["get", "list", "create", "delete", "update", "watch", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: subscriber-cluster-role-binding - namespace: #{INFRA_NAMESPACE} -subjects: - - kind: ServiceAccount - name: #{SUBSCRIBER_SERVICE_ACCOUNT} - namespace: #{INFRA_NAMESPACE} -roleRef: - kind: ClusterRole - name: subscriber-cluster-role - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: event-tracker-sa - namespace: #{INFRA_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: event-tracker-cluster-role -rules: - - apiGroups: - - eventtracker.litmuschaos.io - resources: - - eventtrackerpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - eventtracker.litmuschaos.io - resources: - - eventtrackerpolicies/status - verbs: - - get - - patch - - update - - apiGroups: - - "" - - extensions - - apps - resources: - - deployments - - daemonsets - - statefulsets - - pods - - configmaps - - secrets - verbs: - - get - - list - - watch + verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ] + + # ************************************************************************ + # Permissions needed to orchestrate the workflows by workflow controller + # ************************************************************************ + + - apiGroups: [ "" ] + resources: [ "pods", "pods/exec" ] + verbs: [ "create", "get", "list", "watch", "update", "patch", "delete" ] + - apiGroups: [ "" ] + resources: [ "configmaps" ] + verbs: [ "get", "watch", "list" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumeclaims" ] + verbs: [ "create", "delete" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "workflows", "workflows/finalizers" ] + verbs: [ "get", "list", "watch", "update", "patch", "delete", 
"create" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "workflowtemplates","workflowtemplates/finalizers","clusterworkflowtemplates","clusterworkflowtemplates/finalizers","workflowtasksets","workflowartifactgctasks" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "workflowtaskresults" ] + verbs: [ "list", "watch", "deletecollection" ] + - apiGroups: [ "" ] + resources: [ "serviceaccounts" ] + verbs: [ "get", "list" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "cronworkflows", "cronworkflows/finalizers" ] + verbs: [ "get", "list", "watch", "update", "patch", "delete" ] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "create", "patch" ] + - apiGroups: [ "policy" ] + resources: [ "poddisruptionbudgets" ] + verbs: [ "create", "get", "delete" ] + + # ************************************************************************ + # Permissions needed to for the event-tracker + # ************************************************************************ + + - apiGroups: [ "eventtracker.litmuschaos.io" ] + resources: [ "eventtrackerpolicies" ] + verbs: [ "create", "get", "list", "delete", "update", "patch", "watch" ] + + - apiGroups: [ "eventtracker.litmuschaos.io" ] + resources: [ "eventtrackerpolicies/status" ] + verbs: [ "get","patch", "update" ] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: event-tracker-clusterole-binding + name: infra-cluster-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: event-tracker-cluster-role + name: infra-cluster-role subjects: - kind: ServiceAccount - name: event-tracker-sa - namespace: #{INFRA_NAMESPACE} \ No newline at end of file + name: #{INFRA_SERVICE_ACCOUNT} + namespace: #{INFRA_NAMESPACE} diff --git a/chaoscenter/graphql/server/manifests/cluster/3b_agents_deployment.yaml b/chaoscenter/graphql/server/manifests/cluster/3b_agents_deployment.yaml index 165ea2baddf..8e954ee9d6e 100644 
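Review bot: The removed event-tracker rule granted `get`, `list`, `watch` on `deployments`, `daemonsets` and `statefulsets`, but the only `apps` rules left in `infra-cluster-role` give `get`, `list` on those kinds; `watch` survives only for `pods`, `configmaps`, `secrets`, `services` and the `litmuschaos.io` resources. If the event-tracker watches workloads through informers (its old role suggests it does — confirm against the event-tracker code), the first watch will now be forbidden. Either add `watch` to the `deployments, daemonsets, replicasets, statefulsets` rule in the subscriber section of the previous hunk, or state under `# Permissions needed to for the event-tracker` why it is no longer required; that heading also has a stray `to`. The ServiceAccount named by `#{INFRA_SERVICE_ACCOUNT}` in the new binding is not created anywhere in this patch, so presumably it is provisioned elsewhere — worth confirming, because a binding to a missing account silently grants nothing. The rules list began in the previous hunk.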
--- a/chaoscenter/graphql/server/manifests/cluster/3b_agents_deployment.yaml
+++ b/chaoscenter/graphql/server/manifests/cluster/3b_agents_deployment.yaml
@@ -40,7 +40,7 @@ spec:
 labels:
 app: subscriber
 spec:
- serviceAccountName: #{SUBSCRIBER_SERVICE_ACCOUNT}
+ serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
 #{TOLERATIONS}
 #{NODE_SELECTOR}
 containers:
@@ -89,7 +89,7 @@ spec:
 spec:
 #{TOLERATIONS}
 #{NODE_SELECTOR}
- serviceAccountName: event-tracker-sa
+ serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
 containers:
 - image: #{EVENT_TRACKER_IMAGE}
 imagePullPolicy: Always
diff --git a/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml b/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml
index 731ae4062a8..f91f931b577 100644
--- a/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml
@@ -2,59 +2,51 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: argo + name: argo-chaos namespace: #{INFRA_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: argo-role + name: chaos-role namespace: #{INFRA_NAMESPACE} rules: + # for managing the pods created by workflow controller to implement individual steps in the workflow - apiGroups: [""] - resources: ["pods", "pods/exec"] - verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "watch", "list"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["create", "delete"] - - apiGroups: ["argoproj.io"] - resources: ["workflows", "workflows/finalizers"] - verbs: ["get", "list", "watch", "update", "patch", "delete", "create"] - - apiGroups: ["argoproj.io"] - resources: ["workflowtemplates", "workflowtemplates/finalizers", "workflowtasksets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["argoproj.io"] - resources: ["workflowtaskresults"] - verbs: ["list", "watch", "deletecollection"] - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] - - apiGroups: ["argoproj.io"] - resources: ["cronworkflows", "cronworkflows/finalizers"] - verbs: ["get", "list", "watch", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: ["policy"] - resources: ["poddisruptionbudgets"] - verbs: ["create", "get", "delete"] + resources: ["pods", "services"] + verbs: ["create", "get", "watch", "patch", "delete", "list"] + + # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow + - apiGroups: [''] + resources: ['pods/log', 'pods/exec'] + verbs: ['get', 'watch', 'create', 'delete', 'patch'] + - apiGroups: [''] + resources: ['secrets', 'configmaps'] + verbs: ['get', 'watch', 'create', 'patch'] + + # 
for creation & deletion of application in predefined workflows + - apiGroups: ['apps'] + resources: ['deployments'] + verbs: ['delete'] + - apiGroups: ['apps'] + resources: ['deployments', 'statefulsets'] + verbs: ['get', 'watch', 'patch' , 'create'] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"] + verbs: ["create", "list", "get", "patch", "delete", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: argo-binding + name: chaos-role-binding namespace: #{INFRA_NAMESPACE} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: argo-role + name: chaos-role subjects: - kind: ServiceAccount - name: argo + name: argo-chaos namespace: #{INFRA_NAMESPACE} \ No newline at end of file diff --git a/chaoscenter/graphql/server/manifests/namespace/1b_argo_deployment.yaml b/chaoscenter/graphql/server/manifests/namespace/1b_argo_deployment.yaml index b19a13ca4db..7be9f9901ad 100644 --- a/chaoscenter/graphql/server/manifests/namespace/1b_argo_deployment.yaml +++ b/chaoscenter/graphql/server/manifests/namespace/1b_argo_deployment.yaml @@ -72,4 +72,4 @@ spec: memory: "500Mi" cpu: "225m" ephemeral-storage: "1Gi" - serviceAccountName: argo + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} diff --git a/chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml b/chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml new file mode 100644 index 00000000000..2d12ead082c --- /dev/null +++ b/chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml 
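Review bot: The new `chaos-role` mixes two quoting styles inside one rules list: the first rule keeps `apiGroups: [""]` from the old file while every rule added below it uses `['']`, and the `litmuschaos.io` rule switches back to double quotes. Pick one style for the file (the cluster counterpart in cluster/1b_argo_rbac.yaml has the same mix); `verbs: ['get', 'watch', 'patch' , 'create']` also carries a stray space before the comma in both files. Cosmetic, but a uniform list is easier to diff against the cluster-scoped role when checking that the two stay in sync.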
@@ -0,0 +1,119 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: litmus-admin + namespace: #{INFRA_NAMESPACE} + labels: + name: litmus-admin +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: litmus-admin + namespace: #{INFRA_NAMESPACE} + labels: + name: litmus-admin +rules: + # *************************************************************************************** + # Permissions needed for preparing and monitor the chaos resources by chaos-runner + # *************************************************************************************** + + # The chaos operator watches the chaosengine resource and orchestrates the chaos experiment.. + ## .. by creating the chaos-runner + + # for creating and monitoring the chaos-runner pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create", "delete", "get", "list", "patch", "update", "deletecollection"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "get", "list", "patch", "update"] + + # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) + - apiGroups: [""] + resources: ["secrets", "configmaps"] + verbs: ["get", "list"] + + # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list", "watch"] + + # for configuring and monitor the experiment job by chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create", "list", "get", "delete", "deletecollection"] + + # ******************************************************************** + # Permissions needed for creation and discovery of chaos experiments + # ******************************************************************** + + # The helper pods are created by experiment to perform the actual chaos injection ... + # ... 
for a period of chaos duration + + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec", "pods/eviction", "replicationcontrollers"] + verbs: ["get", "list", "create"] + + # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list", "watch"] + + # for creating and monitoring liveness services or monitoring target app services during chaos injection + - apiGroups: [""] + resources: ["services"] + verbs: ["create", "get", "list"] + + # for checking the app parent resources as deployments or sts and are eligible chaos candidates + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets"] + verbs: ["list", "get", "patch", "update"] + + # for checking the app parent resources as replicasets and are eligible chaos candidates + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get"] + + # for checking the app parent resources as deamonsets and are eligible chaos candidates + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list", "get"] + + # for checking (openshift) app parent resources if they are eligible chaos candidates + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list", "get"] + + # for checking (argo) app parent resources if they are eligible chaos candidates + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list", "get"] + + # performs CRUD operations on the network policies + - apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies"] + verbs: ["create","delete","list","get"] + + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines", "chaosexperiments", "chaosresults"] + verbs: ["create", "list", "get", "patch", "update", "delete"] +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: litmus-admin + namespace: #{INFRA_NAMESPACE} + labels: + name: litmus-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: litmus-admin +subjects: + - kind: ServiceAccount + name: litmus-admin + namespace: #{INFRA_NAMESPACE} \ No newline at end of file diff --git a/chaoscenter/graphql/server/manifests/namespace/2a_litmus_rbac.yaml b/chaoscenter/graphql/server/manifests/namespace/2a_litmus_rbac.yaml deleted file mode 100644 index 0dcea796847..00000000000 --- a/chaoscenter/graphql/server/manifests/namespace/2a_litmus_rbac.yaml +++ /dev/null 
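Review bot: The `pods/log` rule appears twice in this new Role with identical verbs (`get, list, watch`), once under the chaos-runner section and again under `# for tracking & getting logs of the pods created by experiment pod …`; RBAC is additive so nothing breaks, but the second copy should be removed so the file reads as the least-privilege statement it is meant to be. Two comment typos travelled over from the deleted block as well: `comands` → `commands`, and `Permissions needed for preparing and monitor the chaos resources` → `… preparing and monitoring the chaos resources …`. Nothing in this commit's deployment hunks references the `litmus-admin` ServiceAccount, so it is presumably consumed by the experiment manifests; a one-line comment above the ServiceAccount saying who runs as it would save the next reader the search.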
@@ -1,112 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: litmus-namespace-scope - namespace: #{INFRA_NAMESPACE} - labels: - app.kubernetes.io/name: litmus - # provide unique instance-id if applicable - # app.kubernetes.io/instance: litmus-abcxzy - app.kubernetes.io/version: v2.0.0 - app.kubernetes.io/component: operator-serviceaccount - app.kubernetes.io/part-of: litmus - app.kubernetes.io/managed-by: kubectl - name: litmus-namespace-scope ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: litmus-namespace-scope - namespace: #{INFRA_NAMESPACE} - labels: - app.kubernetes.io/name: litmus - # provide unique instance-id if applicable - # app.kubernetes.io/instance: litmus-abcxzy - app.kubernetes.io/version: v2.0.0 - app.kubernetes.io/component: operator-role - app.kubernetes.io/part-of: litmus - app.kubernetes.io/managed-by: kubectl - name: litmus-namespace-scope -rules: - - apiGroups: [""] - resources: ["replicationcontrollers", "secrets"] - verbs: ["get", "list"] - - apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["get", "list"] - - apiGroups: ["apps"] - resources: ["deployments", "daemonsets", "replicasets", "statefulsets"] - verbs: ["get", "list", "update"] - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["get", "list", "create", "deletecollection"] - - apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["pods", "pods/exec"] - verbs: - [ - "get", - "create", - "update", - "patch", - "delete", - "list", - "watch", - "deletecollection", - ] - - apiGroups: [""] - resources: ["configmaps", "events", "services"] - verbs: - [ - "get", - "create", - "update", - "patch", - "list", - "watch", - ] - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults"] - verbs: - [ - "get", - "create", - "update", - "patch", - "delete", - "list", - "watch", - "deletecollection", - ] - - apiGroups: 
["litmuschaos.io"] - resources: ["chaosengines/finalizers"] - verbs: ["update"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get","create","list","update","delete"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: litmus-namespace-scope - namespace: #{INFRA_NAMESPACE} - labels: - app.kubernetes.io/name: litmus - # provide unique instance-id if applicable - # app.kubernetes.io/instance: litmus-abcxzy - app.kubernetes.io/version: v2.0.0 - app.kubernetes.io/component: operator-rolebinding - app.kubernetes.io/part-of: litmus - app.kubernetes.io/managed-by: kubectl - name: litmus-namespace-scope -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: litmus-namespace-scope -subjects: - - kind: ServiceAccount - name: litmus-namespace-scope - namespace: #{INFRA_NAMESPACE} diff --git a/chaoscenter/graphql/server/manifests/namespace/2b_litmus_deployment.yaml b/chaoscenter/graphql/server/manifests/namespace/2b_litmus_deployment.yaml index 7bb5417bc3b..af99cde5a78 100644 --- a/chaoscenter/graphql/server/manifests/namespace/2b_litmus_deployment.yaml +++ b/chaoscenter/graphql/server/manifests/namespace/2b_litmus_deployment.yaml @@ -29,7 +29,7 @@ spec: app.kubernetes.io/managed-by: kubectl name: chaos-operator spec: - serviceAccountName: litmus-namespace-scope + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} #{TOLERATIONS} #{NODE_SELECTOR} containers: @@ -117,7 +117,7 @@ spec: memory: "500Mi" cpu: "225m" ephemeral-storage: "1Gi" - serviceAccountName: litmus-namespace-scope + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} --- apiVersion: v1 kind: Service diff --git a/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml b/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml index b6804017de0..49260a9c79e 100644 --- a/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml +++ b/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml 
@@ -2,38 +2,86 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: subscriber-role + name: infra-role namespace: #{INFRA_NAMESPACE} labels: - name: subscriber-role + name: infra-role rules: - - apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "create", "delete", "update"] + # *********************************************************************************************** + # Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter + # *********************************************************************************************** + + # for mounting the secrets to the chaos-runner pod + - apiGroups: [ "" ] + resources: ["secrets" ] + verbs: [ "get", "list" ] + + # for deriving the owner references of the operator pod + - apiGroups: [ "apps" ] + resources: [ "deployments", "replicasets"] + verbs: [ "get", "list" ] + + # for the cleanup of jobs in abort scenarios + - apiGroups: [ "batch" ] + resources: [ "jobs" ] + verbs: [ "get", "list", "create", "deletecollection" ] + + # for creation and management of the chaos-runner pod + - apiGroups: [ "" ] + resources: [ "pods"] + verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ] + + # for creating of events, monitoring and leader election + - apiGroups: [ "" ] + resources: [ "configmaps", "events", "services" ] + verbs: ["get", "create", "update", "patch", "list", "watch" ] - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "list", "watch"] - - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosschedules", "chaosresults"] - verbs: ["get", "list", "create", "delete", "update", "watch", "patch"] - - - apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["get", "list"] - - - apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["delete"] - - apiGroups: ["apps"] - 
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"] - verbs: ["get", "list"] - - apiGroups: ["argoproj.io"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: [ "litmuschaos.io" ] + resources: [ "chaosengines", "chaosexperiments", "chaosresults" ] + verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ] + + # for managing the finalizers to the primary resource + - apiGroups: [ "litmuschaos.io" ] + resources: [ "chaosengines/finalizers" ] + verbs: [ "update" ] + + # for managing the leader elections in multi-replicas scenario + - apiGroups: [ "coordination.k8s.io" ] + resources: [ "leases" ] + verbs: [ "get","create","list","update","delete" ] + + # ****************************************************************************************************** + # Permissions needed to manage and communicate between control plane and execution plane by subscriber + # ******************************************************************************************************* + + - apiGroups: [ "" ] + resources: [ "configmaps", "secrets" ] + verbs: [ "get", "create", "delete", "update", "patch" ] + + - apiGroups: [ "" ] + resources: [ "pods/log" ] + verbs: [ "get", "list", "watch" ] + + - apiGroups: [ "" ] + resources: [ "pods", "services" ] + verbs: [ "get", "list", "watch" ] + + - apiGroups: [ "litmuschaos.io" ] + resources: [ "chaosengines", "chaosschedules", "chaosresults" ] + verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ] + + - apiGroups: [ "apps.openshift.io" ] + resources: [ "deploymentconfigs" ] + verbs: [ "get", "list" ] + + - apiGroups: [ "apps" ] + resources: [ "deployments" ] + verbs: [ "delete" ] + - apiGroups: [ "apps" ] + resources: [ "deployments", "daemonsets", "replicasets", "statefulsets" ] + verbs: [ "get", "list" ] + - apiGroups: [ "argoproj.io" ] resources: [ "workflows", 
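Review bot: The section headers (`# Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter`, `# Permissions needed to manage and communicate … by subscriber`) read as if separate principals held each block, but the whole Role binds to the single `#{INFRA_SERVICE_ACCOUNT}`, which the deployment hunks in this commit also assign to the workflow controller and the event tracker; every component therefore runs with the union of all sections — the subscriber, for instance, now gets `deletecollection` on `pods` and `create`/`deletecollection` on `jobs`, which `subscriber-role` never granted. A line at the top of `rules:` should state this, e.g. `# NOTE: every chaos-infra component (operator, exporter, subscriber, workflow controller, event tracker) runs as this one ServiceAccount, so each rule below applies to all of them.` The two `secrets` rules (`get, list` here and `get, create, delete, update, patch` in the subscriber section) could be merged into one, since the effective grant is their union anyway. The `rules:` list continues into the next hunk.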
@@ -44,264 +92,68 @@ rules: "cronworkflows/finalizers", "rollouts", ] - verbs: ["get", "list", "create", "delete", "update", "watch", "patch"] + verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ] + + # ************************************************************************ + # Permissions needed to orchestrate the workflows by workflow controller + # ************************************************************************ + + - apiGroups: [ "" ] + resources: [ "pods", "pods/exec" ] + verbs: [ "create", "get", "list", "watch", "update", "patch", "delete" ] + - apiGroups: [ "" ] + resources: [ "configmaps" ] + verbs: [ "get", "watch", "list" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumeclaims" ] + verbs: [ "create", "delete" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "workflows", "workflows/finalizers" ] + verbs: [ "get", "list", "watch", "update", "patch", "delete", "create" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "workflowtemplates", "workflowtemplates/finalizers", "workflowtasksets", "workflowartifactgctasks" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "workflowtaskresults" ] + verbs: [ "list", "watch", "deletecollection" ] + - apiGroups: [ "" ] + resources: [ "serviceaccounts" ] + verbs: [ "get", "list" ] + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get" ] + - apiGroups: [ "argoproj.io" ] + resources: [ "cronworkflows", "cronworkflows/finalizers" ] + verbs: [ "get", "list", "watch", "update", "patch", "delete" ] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "create", "patch" ] + - apiGroups: [ "policy" ] + resources: [ "poddisruptionbudgets" ] + verbs: [ "create", "get", "delete" ] + + # ************************************************************************ + # Permissions needed to for the event-tracker + # ************************************************************************ + + - apiGroups: [ "eventtracker.litmuschaos.io" ] + 
resources: [ "eventtrackerpolicies" ] + verbs: [ "create", "get", "list", "delete", "update", "patch", "watch" ] + + - apiGroups: [ "eventtracker.litmuschaos.io" ] + resources: [ "eventtrackerpolicies/status" ] + verbs: [ "get","patch", "update" ] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: subscriber-role-binding + name: infra-role-binding namespace: #{INFRA_NAMESPACE} subjects: - kind: ServiceAccount - name: #{SUBSCRIBER_SERVICE_ACCOUNT} - namespace: #{INFRA_NAMESPACE} -roleRef: - kind: Role - name: subscriber-role - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: litmus-admin - namespace: #{INFRA_NAMESPACE} - labels: - name: litmus-admin ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: litmus-admin - namespace: #{INFRA_NAMESPACE} - labels: - name: litmus-admin -rules: - # *************************************************************************************** - # Permissions needed for preparing and monitor the chaos resources by chaos-runner - # *************************************************************************************** - - # The chaos operator watches the chaosengine resource and orchestartes the chaos experiment.. - ## .. 
by creating the chaos-runner - - # for creating and monitoring the chaos-runner pods - - apiGroups: [""] - resources: ["pods"] - verbs: - ["create", "delete", "get", "list", "patch", "update", "deletecollection"] - - apiGroups: [""] - resources: ["events"] - verbs: - ["create", "get", "list", "patch", "update"] - - - # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) - - apiGroups: [""] - resources: ["secrets", "configmaps"] - verbs: ["get", "list"] - - # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - # for configuring and monitor the experiment job by chaos-runner pod - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create", "list", "get", "delete", "deletecollection"] - - # ******************************************************************** - # Permissions needed for creation and discovery of chaos experiments - # ******************************************************************** - - # The helper pods are created by experiment to perform the actual chaos injection ... - # ... 
for a period of chaos duration - - - - - # for creating and managing to execute comands inside target container - - apiGroups: [""] - resources: ["pods/exec", "pods/eviction", "replicationcontrollers"] - verbs: ["get", "list", "create"] - - # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment - - apiGroups: [""] - resources: ["pods/log"] - verbs: ["get", "list", "watch"] - - # for creating and monitoring liveness services or monitoring target app services during chaos injection - - apiGroups: [""] - resources: ["services"] - verbs: ["create", "get", "list"] - - # for checking the app parent resources as deployments or sts and are eligible chaos candidates - - apiGroups: ["apps"] - resources: ["deployments", "statefulsets"] - verbs: ["list", "get", "patch", "update"] - - # for checking the app parent resources as replicasets and are eligible chaos candidates - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list", "get"] - - # for checking the app parent resources as deamonsets and are eligible chaos candidates - - apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["list", "get"] - - # for checking (openshift) app parent resources if they are eligible chaos candidates - - apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list", "get"] - - # for checking (argo) app parent resources if they are eligible chaos candidates - - apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list", "get"] - - # performs CRUD operations on the network policies - - apiGroups: ["networking.k8s.io"] - resources: ["networkpolicies"] - verbs: ["create","delete","list","get"] - - # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults"] - verbs: ["create", "list", "get", "patch", "update", "delete"] ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: litmus-admin - namespace: #{INFRA_NAMESPACE} - labels: - name: litmus-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: litmus-admin -subjects: - - kind: ServiceAccount - name: litmus-admin + name: #{INFRA_SERVICE_ACCOUNT} namespace: #{INFRA_NAMESPACE} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-chaos - namespace: #{INFRA_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: chaos-role - namespace: #{INFRA_NAMESPACE} -rules: - # for managing the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["create", "get", "watch", "patch", "delete", "list"] - - # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [''] - resources: ['pods/log'] - verbs: ['get', 'watch', 'create', 'delete', 'patch'] - - apiGroups: [''] - resources: ['secrets', 'configmaps'] - verbs: ['get', 'watch', 'create', 'patch'] - - # for creation & deletion of application in predefined workflows - - apiGroups: ['apps'] - resources: ['deployments'] - verbs: ['delete'] - - apiGroups: ['apps'] - resources: ['deployments', 'statefulsets'] - verbs: ['get', 'watch', 'patch' , 'create'] - - # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - - apiGroups: ["litmuschaos.io"] - resources: - ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"] - verbs: ["create", "list", "get", "patch", "delete", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: chaos-role-binding - namespace: #{INFRA_NAMESPACE} roleRef: - apiGroup: rbac.authorization.k8s.io kind: Role - name: chaos-role -subjects: - - kind: ServiceAccount - name: argo-chaos - namespace: #{INFRA_NAMESPACE} ---- -apiVersion: v1 -kind: 
ServiceAccount -metadata: - name: event-tracker-sa - namespace: #{INFRA_NAMESPACE} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: event-tracker-role - namespace: #{INFRA_NAMESPACE} -rules: - - apiGroups: - - eventtracker.litmuschaos.io - resources: - - eventtrackerpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - eventtracker.litmuschaos.io - resources: - - eventtrackerpolicies/status - verbs: - - get - - patch - - update - - apiGroups: - - "" - resources: - - pods - - configmaps - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - apps - resources: - - deployments - - daemonsets - - statefulsets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: event-tracker-role-binding - namespace: #{INFRA_NAMESPACE} -roleRef: + name: infra-role apiGroup: rbac.authorization.k8s.io - kind: Role - name: event-tracker-role -subjects: - - kind: ServiceAccount - name: event-tracker-sa - namespace: #{INFRA_NAMESPACE} diff --git a/chaoscenter/graphql/server/manifests/namespace/3b_agents_deployment.yaml b/chaoscenter/graphql/server/manifests/namespace/3b_agents_deployment.yaml index baaeb101354..0e1a85bb5d1 100644 --- a/chaoscenter/graphql/server/manifests/namespace/3b_agents_deployment.yaml +++ b/chaoscenter/graphql/server/manifests/namespace/3b_agents_deployment.yaml @@ -42,7 +42,7 @@ spec: spec: #{TOLERATIONS} #{NODE_SELECTOR} - serviceAccountName: #{SUBSCRIBER_SERVICE_ACCOUNT} + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} containers: - name: subscriber image: #{SUBSCRIBER_IMAGE} @@ -89,7 +89,7 @@ spec: spec: #{TOLERATIONS} #{NODE_SELECTOR} - serviceAccountName: event-tracker-sa + serviceAccountName: #{INFRA_SERVICE_ACCOUNT} containers: - image: #{EVENT_TRACKER_IMAGE} imagePullPolicy: Always 
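Review bot: The event-tracker section added here carries over only the two `eventtrackerpolicies` rules; the `event-tracker-role` deleted further down also granted `watch` on `deployments`, `daemonsets` and `statefulsets` (groups `extensions` and `apps`) and on `pods`, `configmaps`, `secrets`, and nothing else in `infra-role` grants `watch` on the apps kinds or on `secrets` — the apps rules in the previous hunk give only `get, list` (plus `delete` on deployments), and both `secrets` rules omit `watch`. If the event tracker still runs informers on those kinds (not visible here), those watches will be forbidden once its deployment moves to `#{INFRA_SERVICE_ACCOUNT}` as the 3b_agents_deployment.yaml hunk below does. Adding `- apiGroups: [ "apps" ]` / `resources: [ "deployments", "daemonsets", "statefulsets" ]` / `verbs: [ "watch" ]` under the event-tracker header (and `watch` on `secrets` if it is used) restores parity; the `extensions` group only matters on clusters older than 1.16 and can likely stay dropped.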
diff --git a/chaoscenter/graphql/server/pkg/chaos_infrastructure/infra_utils.go b/chaoscenter/graphql/server/pkg/chaos_infrastructure/infra_utils.go
index d28acc65ac9..59d5aa59bce 100644
--- a/chaoscenter/graphql/server/pkg/chaos_infrastructure/infra_utils.go
+++ b/chaoscenter/graphql/server/pkg/chaos_infrastructure/infra_utils.go
@@ -188,7 +188,7 @@ func ManifestParser(infra dbChaosInfra.ChaosInfra, rootPath string, config *Subs
 newContent = strings.Replace(newContent, "#{SUBSCRIBER_IMAGE}", utils.Config.SubscriberImage, -1)
 newContent = strings.Replace(newContent, "#{EVENT_TRACKER_IMAGE}", utils.Config.EventTrackerImage, -1)
 newContent = strings.Replace(newContent, "#{INFRA_NAMESPACE}", InfraNamespace, -1)
- newContent = strings.Replace(newContent, "#{SUBSCRIBER_SERVICE_ACCOUNT}", ServiceAccountName, -1)
+ newContent = strings.Replace(newContent, "#{INFRA_SERVICE_ACCOUNT}", ServiceAccountName, -1)
 newContent = strings.Replace(newContent, "#{INFRA_SCOPE}", infra.InfraScope, -1)
 newContent = strings.Replace(newContent, "#{ARGO_WORKFLOW_CONTROLLER}", utils.Config.ArgoWorkflowControllerImage, -1)
 newContent = strings.Replace(newContent, "#{LITMUS_CHAOS_OPERATOR}", utils.Config.LitmusChaosOperatorImage, -1)