

Add RBAC files for metrics authentication and authorization
metal3-io#2102 has introduced controller-runtime's WithAuthenticationAndAuthorization filter which also requires extra RBAC roles and role bindings for metrics authentication and authorization. This PR adds those.

Signed-off-by: Kashif Khan <kashif.khan@est.tech>
kashifest committed Dec 12, 2024
1 parent e709508 commit c0c2f01
Showing 8 changed files with 124 additions and 4 deletions.
10 changes: 10 additions & 0 deletions config/base/rbac/kustomization.yaml
Expand Up @@ -9,3 +9,13 @@ resources:
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# The following RBAC configurations are used to protect
# the metrics endpoint with authn/authz. These configurations
# ensure that only authorized users and service accounts
# can access the metrics endpoint. Comment the following
# permissions if you want to disable this protection.
# More info: https://book.kubebuilder.io/reference/metrics.html
- metrics_auth_role.yaml
- metrics_auth_role_binding.yaml
- metrics_reader_role.yaml
- metrics_service.yaml
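Review bot: The comment above the new entries says commenting them out "disables this protection", but per the commit message the `WithAuthenticationAndAuthorization` filter is wired into the manager in code, so dropping these RBAC objects only removes the controller's permission to create TokenReviews/SubjectAccessReviews and every scrape then fails closed instead of the endpoint becoming open. I'd reword the last two comment lines to `# Removing these does not disable the filter; it only breaks the TokenReview/SubjectAccessReview calls the filter makes (scrapes fail with 401/403).` and point at where the filter is enabled in the manager. Note also that `metrics_service.yaml` is a Service, not an RBAC object; it appears to follow the kubebuilder scaffold layout, but a one-line comment (`# Service for the secured metrics endpoint, kept here with its RBAC`) would stop someone pruning it as misplaced.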
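--- /dev/null
+++ b/config/base/rbac/metrics_auth_role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-auth-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create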
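--- /dev/null
+++ b/config/base/rbac/metrics_auth_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-auth-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metrics-auth-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system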
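--- /dev/null
+++ b/config/base/rbac/metrics_reader_role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get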
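Review bot: `metrics-reader` is declared but nothing in this commit binds it, so once the filter is active any scraper (Prometheus, `kubectl get --raw`, an ad-hoc curl with a token) gets 403 on `/metrics` until an operator creates a ClusterRoleBinding for the scraping ServiceAccount. That opt-in model is reasonable, but it is undocumented in the file; I'd add a header comment: `# Bind this ClusterRole to the ServiceAccount that scrapes metrics (e.g. Prometheus); with no binding, authenticated requests to /metrics are rejected with 403.` Anonymous or tokenless requests are rejected earlier by authentication, so the binding is only half of what a scraper needs.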
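--- /dev/null
+++ b/config/base/rbac/metrics_service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager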
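Review bot: `targetPort: https` only resolves if the controller-manager container declares a port named `https`; that Deployment is outside this diff, so confirm it exposes the metrics listener as `containerPort: 8443` with `name: https` and that the manager is actually serving metrics on that port, otherwise the Service matches the pods by label but never gets ready endpoints. It is also worth stating in the file that this endpoint is TLS and authenticated, since a scraper pointed at it with a plain HTTP target will get a TLS handshake error rather than a useful 401; I'd add `# Secured metrics endpoint: TLS on 8443, requests need a bearer token whose subject has get on /metrics (see metrics_reader_role.yaml).` Whether the serving certificate is self-signed or provisioned is not visible here, so the scraper's TLS trust settings should be documented wherever the certificate is configured.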
9 changes: 5 additions & 4 deletions config/overlays/e2e/kustomization.yaml
Expand Up @@ -3,6 +3,7 @@ kind: Kustomization
namespace: baremetal-operator-system
resources:
- ../basic-auth_tls
- ../../base/prometheus

configMapGenerator:
- name: ironic
Expand Down Expand Up @@ -31,7 +32,7 @@ generatorOptions:

# NOTE: These credentials are generated automatically in hack/ci-e2e.sh
secretGenerator:
- name: ironic-credentials
files:
- username=ironic-username
- password=ironic-password
- name: ironic-credentials
files:
- username=ironic-username
- password=ironic-password
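Review bot: The overlay now pulls in `../../base/prometheus`, whose contents are not in this diff; because `/metrics` now requires a valid bearer token plus `get` on `/metrics`, confirm that base (or `hack/ci-e2e.sh`) binds the scraping ServiceAccount to `metrics-reader` and configures the scrape with the ServiceAccount token and TLS settings, otherwise e2e scrapes fail with 401/403 and the new auth path is never actually exercised in CI. The `secretGenerator` change looks like a whitespace-only re-indent, assuming the two printed copies correspond to the lost `-`/`+` sides. The first hunk's `resources:` list and the `generatorOptions` stanza continue outside the visible hunks.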
1 change: 1 addition & 0 deletions config/overlays/fixture/kustomization.yaml
Expand Up @@ -4,6 +4,7 @@ kind: Kustomization
resources:
- ../../namespace
- ../../default
- ../../base/prometheus

patches:
- patch: |
56 changes: 56 additions & 0 deletions config/render/capm3.yaml
Expand Up @@ -2435,6 +2435,34 @@ rules:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: baremetal-operator-metrics-auth-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: baremetal-operator-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: baremetal-operator-leader-election-rolebinding
Expand All @@ -2461,6 +2489,19 @@ subjects:
name: baremetal-operator-controller-manager
namespace: baremetal-operator-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: baremetal-operator-metrics-auth-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: baremetal-operator-metrics-auth-role
subjects:
- kind: ServiceAccount
name: baremetal-operator-controller-manager
namespace: baremetal-operator-system
---
apiVersion: v1
data:
CACHEURL: http://172.22.0.1/images
Expand All @@ -2477,6 +2518,21 @@ metadata:
---
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: baremetal-operator-controller-manager-metrics-service
namespace: baremetal-operator-system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager
---
apiVersion: v1
kind: Service
metadata:
name: baremetal-operator-webhook-service
namespace: baremetal-operator-system

