This is an automated email from the ASF dual-hosted git repository. lburgazzoli pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 318c20667ddd464cb52831b8a14655d1c6a00d0a
Author: nferraro <ni.ferr...@gmail.com>
AuthorDate: Wed Jun 5 17:19:48 2019 +0200
Fix #703: fix add reduced permissions to pod builder
---
deploy/builder-role-binding.yaml | 13 ++
deploy/builder-role-kubernetes.yaml | 34 +++++
deploy/builder-role-openshift.yaml | 78 ++++++++++++
deploy/builder-service-account.yaml | 6 +
deploy/operator-role-kubernetes.yaml | 12 ++
deploy/operator-role-openshift.yaml | 12 ++
deploy/resources.go | 171 ++++++++++++++++++++++++++
pkg/controller/build/schedule_pod.go | 6 +-
pkg/install/{serviceaccount.go => builder.go} | 33 ++---
9 files changed, 341 insertions(+), 24 deletions(-)
diff --git a/deploy/builder-role-binding.yaml b/deploy/builder-role-binding.yaml
new file mode 100644
index 0000000..0217c79
--- /dev/null
+++ b/deploy/builder-role-binding.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-builder
+roleRef:
+ kind: Role
+ name: camel-k-builder
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/builder-role-kubernetes.yaml b/deploy/builder-role-kubernetes.yaml
new file mode 100644
index 0000000..e3ee33e
--- /dev/null
+++ b/deploy/builder-role-kubernetes.yaml
@@ -0,0 +1,34 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/deploy/builder-role-openshift.yaml b/deploy/builder-role-openshift.yaml
new file mode 100644
index 0000000..ad92516
--- /dev/null
+++ b/deploy/builder-role-openshift.yaml
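Review bot: The first rule of the new camel-k-builder Role in builder-role-kubernetes.yaml grants `verbs: ["*"]` on `resources: ["*"]` for the camel.apache.org group, which is the same unrestricted access the operator account had and undercuts the "reduced permissions" intent of this commit. If the builder pod only needs to read its Build and report progress (that is what a build pod appears to do; please confirm against the builder code), the rule can be narrowed to `resources: [builds]` (plus `builds/status` if the CRD enables the status subresource) with `verbs: [get, list, watch, update, patch]`. It is also worth checking whether the builder really needs `create`, `delete` and `deletecollection` on pods, since the operator is the component that schedules the build pod. The same wildcard rule is repeated in builder-role-openshift.yaml and in the copies embedded in deploy/resources.go.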
@@ -0,0 +1,78 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ - "build.openshift.io"
+ resources:
+ - buildconfigs
+ - buildconfigs/webhooks
+ - builds
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ - "image.openshift.io"
+ resources:
+ - imagestreamimages
+ - imagestreammappings
+ - imagestreams
+ - imagestreams/secrets
+ - imagestreamtags
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ - build.openshift.io
+ attributeRestrictions: null
+ resources:
+ - buildconfigs/instantiate
+ - buildconfigs/instantiatebinary
+ - builds/clone
+ verbs:
+ - create
diff --git a/deploy/builder-service-account.yaml b/deploy/builder-service-account.yaml
new file mode 100644
index 0000000..7499e4f
--- /dev/null
+++ b/deploy/builder-service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
diff --git a/deploy/operator-role-kubernetes.yaml b/deploy/operator-role-kubernetes.yaml
index 5b44671..3ec172a 100644
--- a/deploy/operator-role-kubernetes.yaml
+++ b/deploy/operator-role-kubernetes.yaml
@@ -38,6 +38,18 @@ rules:
 - configmaps
 - secrets
 - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
 - roles
 - rolebindings
 verbs:
diff --git a/deploy/operator-role-openshift.yaml b/deploy/operator-role-openshift.yaml
index ea12152..6921e65 100644
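Review bot: The last rule of builder-role-openshift.yaml carries `attributeRestrictions: null`, which is a field of the OpenShift `authorization.openshift.io` Role type and not of the `rbac.authorization.k8s.io/v1beta1` Role this file declares. A server-side apply will most likely drop it silently, but client-side schema validation (for example `kubectl apply --validate`) or a strict decoder in the install code can reject the whole object, and none of the other rules in the file carry it. Remove the line so the rule looks like the others: `- apiGroups:` / `  - ""` / `  - build.openshift.io` followed directly by `resources:`.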
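Review bot: Giving the operator create/update on Roles and RoleBindings in the rbac.authorization.k8s.io group turns it into a permission grantor, and the API server's escalation-prevention check only lets it create a Role whose rules it already holds itself; every rule in builder-role-kubernetes.yaml and builder-role-openshift.yaml (including the build.openshift.io and image.openshift.io ones) must therefore stay a subset of the operator role, or `install.BuilderServiceAccountRoles` will fail with a forbidden error at the first build. That coupling is not visible from this file, so a comment next to the new rule would help, e.g. `# roles/rolebindings: needed to create the camel-k-builder Role; its rules must stay a subset of this role (RBAC escalation prevention)`. The verbs the rule inherits from the existing list below the hunk include `delete` and `deletecollection`, which is broader than the install path needs; if uninstall does not rely on them, `create`, `get`, `list`, `update` and `patch` would suffice. The same change is made in operator-role-openshift.yaml and in both copies embedded in deploy/resources.go.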
--- a/deploy/operator-role-openshift.yaml
+++ b/deploy/operator-role-openshift.yaml
@@ -38,6 +38,18 @@ rules:
 - configmaps
 - secrets
 - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
 - roles
 - rolebindings
 verbs:
diff --git a/deploy/resources.go b/deploy/resources.go
index cc87284..1c85319 100644
--- a/deploy/resources.go
+++ b/deploy/resources.go
@@ -24,6 +24,153 @@ var Resources map[string]string
 func init() {
 Resources = make(map[string]string)
+ Resources["builder-role-binding.yaml"] =
+ `
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
+subjects:
+- kind: ServiceAccount
+ name: camel-k-builder
+roleRef:
+ kind: Role
+ name: camel-k-builder
+ apiGroup: rbac.authorization.k8s.io
+
+`
+ Resources["builder-role-kubernetes.yaml"] =
+ `
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+
+`
+ Resources["builder-role-openshift.yaml"] =
+ `
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
+rules:
+- apiGroups:
+ - camel.apache.org
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ - "build.openshift.io"
+ resources:
+ - buildconfigs
+ - buildconfigs/webhooks
+ - builds
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ - "image.openshift.io"
+ resources:
+ - imagestreamimages
+ - imagestreammappings
+ - imagestreams
+ - imagestreams/secrets
+ - imagestreamtags
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ - build.openshift.io
+ attributeRestrictions: null
+ resources:
+ - buildconfigs/instantiate
+ - buildconfigs/instantiatebinary
+ - builds/clone
+ verbs:
+ - create
+
+`
+ Resources["builder-service-account.yaml"] =
+ `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: camel-k-builder
+ labels:
+ app: "camel-k"
+
+`
 Resources["camel-catalog-2.23.0.yaml"] =
 `
 apiVersion: camel.apache.org/v1alpha1
@@ -10816,6 +10963,18 @@ rules:
 - configmaps
 - secrets
 - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
 - roles
 - rolebindings
 verbs:
@@ -10899,6 +11058,18 @@ rules:
 - configmaps
 - secrets
 - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
 - roles
 - rolebindings
 verbs:
diff --git a/pkg/controller/build/schedule_pod.go b/pkg/controller/build/schedule_pod.go
index ee84c54..801d84c 100644
--- a/pkg/controller/build/schedule_pod.go
+++ b/pkg/controller/build/schedule_pod.go
@@ -131,14 +131,14 @@ func (action *schedulePodAction) Handle(ctx context.Context, build *v1alpha1.Bui
 func (action *schedulePodAction) ensureServiceAccount(ctx context.Context, buildPod *corev1.Pod) error {
 sa := corev1.ServiceAccount{}
 saKey := k8sclient.ObjectKey{
- Name: "camel-k-operator",
+ Name: "camel-k-builder",
 Namespace: buildPod.Namespace,
 }
 err := action.client.Get(ctx, saKey, &sa)
 if err != nil && k8serrors.IsNotFound(err) {
 // Create a proper service account
- return install.ServiceAccountRoles(ctx, action.client, buildPod.Namespace)
+ return install.BuilderServiceAccountRoles(ctx, action.client, buildPod.Namespace)
 }
 return err
 }
@@ -161,7 +161,7 @@ func newBuildPod(build *v1alpha1.Build, operatorImage string) *corev1.Pod {
 },
 },
 Spec: corev1.PodSpec{
- ServiceAccountName: "camel-k-operator",
+ ServiceAccountName: "camel-k-builder",
 Containers: []corev1.Container{
 {
 Name: "builder",
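Review bot: `ensureServiceAccount` decides whether to install the builder RBAC solely on whether the `camel-k-builder` ServiceAccount exists, so if the Role or RoleBinding is missing or stale while the account is present (partial install, or an upgrade that changed builder-role-*.yaml) the build pod is scheduled with the wrong permissions and the only symptom is a forbidden error inside the builder container. If `install.BuilderServiceAccountRoles` is idempotent (`ResourcesOrCollect` looks like a create-if-missing helper, which I cannot confirm from this hunk) it would be safer to call it unconditionally, or at least to also look up the `camel-k-builder` RoleBinding before deciding. The comment `// Create a proper service account` undersells what the call does; `// Install the builder service account, role and role binding` would match the new code. The enclosing `Handle` method starts before this hunk.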
diff --git a/pkg/install/serviceaccount.go b/pkg/install/builder.go
similarity index 55%
rename from pkg/install/serviceaccount.go
rename to pkg/install/builder.go
index 7a9cf9f..27a1488 100644
--- a/pkg/install/serviceaccount.go
+++ b/pkg/install/builder.go
@@ -20,48 +20,39 @@ package install
 import (
 "context"
 "github.com/apache/camel-k/pkg/client"
- "github.com/apache/camel-k/pkg/util/knative"
 "github.com/apache/camel-k/pkg/util/openshift"
 )
-// ServiceAccountRoles installs the service account and related roles in the given namespace
-func ServiceAccountRoles(ctx context.Context, c client.Client, namespace string) error {
+// BuilderServiceAccountRoles installs the builder service account and related roles in the given namespace
+func BuilderServiceAccountRoles(ctx context.Context, c client.Client, namespace string) error {
 isOpenshift, err := openshift.IsOpenShift(c)
 if err != nil {
 return err
 }
 if isOpenshift {
- if err := installServiceAccountRolesOpenshift(ctx, c, namespace); err != nil {
+ if err := installBuilderServiceAccountRolesOpenshift(ctx, c, namespace); err != nil {
 return err
 }
 } else {
- if err := installServiceAccountRolesKubernetes(ctx, c, namespace); err != nil {
+ if err := installBuilderServiceAccountRolesKubernetes(ctx, c, namespace); err != nil {
 return err
 }
 }
- // Install Knative resources if required
- isKnative, err := knative.IsInstalled(ctx, c)
- if err != nil {
- return err
- }
- if isKnative {
- return installKnative(ctx, c, namespace, nil)
- }
 return nil
 }
-func installServiceAccountRolesOpenshift(ctx context.Context, c client.Client, namespace string) error {
+func installBuilderServiceAccountRolesOpenshift(ctx context.Context, c client.Client, namespace string) error {
 return ResourcesOrCollect(ctx, c, namespace, nil, IdentityResourceCustomizer,
- "operator-service-account.yaml",
- "operator-role-openshift.yaml",
- "operator-role-binding.yaml",
+ "builder-service-account.yaml",
+ "builder-role-openshift.yaml",
+ "builder-role-binding.yaml",
 )
 }
-func installServiceAccountRolesKubernetes(ctx context.Context, c client.Client, namespace string) error {
+func installBuilderServiceAccountRolesKubernetes(ctx context.Context, c client.Client, namespace string) error {
 return ResourcesOrCollect(ctx, c, namespace, nil, IdentityResourceCustomizer,
- "operator-service-account.yaml",
- "operator-role-kubernetes.yaml",
- "operator-role-binding.yaml",
+ "builder-service-account.yaml",
+ "builder-role-kubernetes.yaml",
+ "builder-role-binding.yaml",
 )
 }
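Review bot: `installBuilderServiceAccountRolesOpenshift` and `installBuilderServiceAccountRolesKubernetes` are identical apart from the role file name, and `BuilderServiceAccountRoles` exists only to choose between them, so the three resource names end up spread over two near-duplicate functions. Picking the role file from `isOpenshift` and calling `ResourcesOrCollect` once keeps the list of installed resources in a single place and makes the "platform-specific role, shared account and binding" structure visible at a glance; behaviour is unchanged. The rewrite below replaces all three functions. The Knative installation that the old `ServiceAccountRoles` performed is dropped by this commit, so I assume it is now handled on another path.
```go
// BuilderServiceAccountRoles installs the builder service account and related roles in the given namespace
func BuilderServiceAccountRoles(ctx context.Context, c client.Client, namespace string) error {
	isOpenshift, err := openshift.IsOpenShift(c)
	if err != nil {
		return err
	}
	// Only the Role differs per platform; the service account and binding are shared.
	roleFile := "builder-role-kubernetes.yaml"
	if isOpenshift {
		roleFile = "builder-role-openshift.yaml"
	}
	return ResourcesOrCollect(ctx, c, namespace, nil, IdentityResourceCustomizer,
		"builder-service-account.yaml",
		roleFile,
		"builder-role-binding.yaml",
	)
}
```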