17 package bootstrappolicy
19 import (
20 "strings"
22 "k8s.io/klog/v2"
24 rbacv1 "k8s.io/api/rbac/v1"
25 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
26 "k8s.io/apiserver/pkg/authentication/user"
27 rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
28 )
// namespaceRoles is the registry of bootstrap Roles, keyed by the namespace
// they are created in. Within this file it is written only by
// addNamespaceRole (from init) and exposed read-only in intent through
// NamespaceRoles, which hands back this same map rather than a copy.
var namespaceRoles = make(map[string][]rbacv1.Role)

// namespaceRoleBindings is the registry of bootstrap RoleBindings, keyed by
// namespace. Within this file it is written only by addNamespaceRoleBinding
// (from init) and returned as-is by NamespaceRoleBindings.
var namespaceRoleBindings = make(map[string][]rbacv1.RoleBinding)
// addNamespaceRole registers role for creation in namespace at bootstrap.
//
// Registration is fail-fast: namespace must start with the reserved "kube-"
// prefix and role.Name must not already be registered for that namespace.
// Either violation calls klog.Fatalf and terminates the process, which is
// the intended outcome because this runs from package init and a malformed
// bootstrap policy must never reach a serving apiserver. The caller's
// role.Namespace value is ignored and overwritten with namespace, and
// addDefaultMetadata (defined elsewhere in the package) is applied before
// the role is stored.
func addNamespaceRole(namespace string, role rbacv1.Role) {
	if !strings.HasPrefix(namespace, "kube-") {
		klog.Fatalf(`roles can only be bootstrapped into reserved namespaces starting with "kube-", not %q`, namespace)
	}

	// Two bootstrap roles with the same name in one namespace is a
	// programming error; abort rather than let one shadow the other.
	for _, registered := range namespaceRoles[namespace] {
		if registered.Name == role.Name {
			klog.Fatalf("role %q was already registered in %q", role.Name, namespace)
		}
	}

	// Pin the namespace to the validated value regardless of what the
	// caller put in the object.
	role.Namespace = namespace
	addDefaultMetadata(&role)
	namespaceRoles[namespace] = append(namespaceRoles[namespace], role)
}
// addNamespaceRoleBinding registers roleBinding for creation in namespace at
// bootstrap.
//
// Mirrors addNamespaceRole: namespace must carry the reserved "kube-"
// prefix and roleBinding.Name must be unique within that namespace, with
// any violation ending the process via klog.Fatalf (this runs from init,
// so failing loudly is preferable to booting with a partial policy). The
// caller's roleBinding.Namespace is overwritten with namespace, and
// addDefaultMetadata (defined elsewhere in the package) is applied before
// the binding is stored.
func addNamespaceRoleBinding(namespace string, roleBinding rbacv1.RoleBinding) {
	if !strings.HasPrefix(namespace, "kube-") {
		klog.Fatalf(`rolebindings can only be bootstrapped into reserved namespaces starting with "kube-", not %q`, namespace)
	}

	// Duplicate binding names in one namespace are a programming error.
	for _, registered := range namespaceRoleBindings[namespace] {
		if registered.Name == roleBinding.Name {
			klog.Fatalf("rolebinding %q was already registered in %q", roleBinding.Name, namespace)
		}
	}

	// Pin the namespace to the validated value regardless of caller input.
	roleBinding.Namespace = namespace
	addDefaultMetadata(&roleBinding)
	namespaceRoleBindings[namespace] = append(namespaceRoleBindings[namespace], roleBinding)
}
// init registers every namespaced Role and RoleBinding that bootstrap policy
// creates in the reserved kube-system and kube-public namespaces.
//
// Order matters: entries land in the maps returned by NamespaceRoles and
// NamespaceRoleBindings in the order they are added here, and every add
// call terminates the process (klog.Fatalf) on a duplicate name or a
// namespace that does not start with "kube-". saRolePrefix, legacyGroup,
// eventsRule and addDefaultMetadata are defined elsewhere in this package;
// the comments below describe only the rules visible in this file.
func init() {
	// Read-only access to a single named configmap in kube-system. The
	// Names() restriction keeps this from being a general configmap read
	// grant; the binding further down refers to it as the delegated-auth
	// binding.
	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: "extension-apiserver-authentication-reader"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("configmaps").Names("extension-apiserver-authentication").RuleOrDie(),
		},
	})
	// Read of every secret in kube-system: there is no Names() filter, so
	// the bootstrap-signer service account can read all kube-system
	// secrets, not only the ones it signs. Worth remembering when assessing
	// the blast radius of that service account's token.
	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "bootstrap-signer"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
		},
	})
	// Create plus read on any configmap in kube-system; no Names() scoping.
	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "cloud-provider"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
		},
	})
	// Read and delete on every secret in kube-system (unscoped), plus the
	// shared events rule. Delete is the privileged verb here: this role can
	// remove any kube-system secret, not only expired bootstrap tokens.
	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "token-cleaner"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
			eventsRule(),
		},
	})

	// Leader-election lock for kube-controller-manager: watch is unscoped
	// (any configmap in kube-system), while get/update are limited to the
	// single lock object named kube-controller-manager.
	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-controller-manager"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
			rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-controller-manager").RuleOrDie(),
		},
	})
	// Same shape for the kube-scheduler lock object.
	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-scheduler"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
			rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
		},
	})

	// Bind the delegated-auth reader role to the kube-controller-manager and
	// kube-scheduler user identities. Whatever name NewRoleBinding assigned
	// is replaced with an explicit "system::" name before registration.
	delegatedAuthBinding := rbacv1helpers.NewRoleBinding("extension-apiserver-authentication-reader", metav1.NamespaceSystem).Users(user.KubeControllerManager, user.KubeScheduler).BindingOrDie()
	delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader"
	addNamespaceRoleBinding(metav1.NamespaceSystem, delegatedAuthBinding)

	// Each lock role is granted to both the component's user identity and
	// its service account in kube-system, so either credential type can
	// hold the lock.
	addNamespaceRoleBinding(metav1.NamespaceSystem,
		rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
	addNamespaceRoleBinding(metav1.NamespaceSystem,
		rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
	// Controller service accounts (all in kube-system) are bound to their
	// matching saRolePrefix roles defined above.
	addNamespaceRoleBinding(metav1.NamespaceSystem,
		rbacv1helpers.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())

	addNamespaceRoleBinding(metav1.NamespaceSystem,
		rbacv1helpers.NewRoleBinding(saRolePrefix+"cloud-provider", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "cloud-provider").BindingOrDie())
	addNamespaceRoleBinding(metav1.NamespaceSystem,
		rbacv1helpers.NewRoleBinding(saRolePrefix+"token-cleaner", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "token-cleaner").BindingOrDie())

	// kube-public: bootstrap-signer may read all configmaps in that
	// namespace but update only the one named cluster-info, plus emit
	// events via the shared rule.
	addNamespaceRole(metav1.NamespacePublic, rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "bootstrap-signer"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("configmaps").Names("cluster-info").RuleOrDie(),
			eventsRule(),
		},
	})
	// Cross-namespace grant: the binding lives in kube-public but its
	// subject is the bootstrap-signer service account in kube-system.
	addNamespaceRoleBinding(metav1.NamespacePublic,
		rbacv1helpers.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespacePublic).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())

}
// NamespaceRoles returns the namespace-to-bootstrap-Roles registry populated
// by addNamespaceRole during package init.
//
// The value returned is the package's live map, not a copy: any mutation by
// a caller changes the policy every later caller observes. Treat it as
// read-only.
func NamespaceRoles() map[string][]rbacv1.Role {
	registry := namespaceRoles
	return registry
}
// NamespaceRoleBindings returns the namespace-to-bootstrap-RoleBindings
// registry populated by addNamespaceRoleBinding during package init.
//
// As with NamespaceRoles, this is the live package map rather than a copy;
// callers should not mutate it.
func NamespaceRoleBindings() map[string][]rbacv1.RoleBinding {
	registry := namespaceRoleBindings
	return registry
}