[neutron] add rbac related parts for ovn

This adds the following kinds used by ovn: * ClusterRole * ClusterRoleBinding * Role * RoleBinding * ServiceAccount
sapcc · Feb 7, 2025 · 6f8e449 · 6f8e449
1 parent c8de36b
commit 6f8e449
Show file tree

Hide file tree

Showing 2 changed files with 191 additions and 0 deletions.
diff --git a/openstack/neutron/templates/rbac-ovn-db-raft.yaml b/openstack/neutron/templates/rbac-ovn-db-raft.yaml
@@ -0,0 +1,67 @@
+{{- if ((.Values).ovn).enabled | default false }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+    name: ovnkube-db
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: ovnkube-db
+roleRef:
+    name: ovnkube-db
+    kind: ClusterRole
+    apiGroup: rbac.authorization.k8s.io
+subjects:
+    - kind: ServiceAccount
+      name: ovnkube-db
+      namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: ovnkube-db-ep
+roleRef:
+    name: ovnkube-db-ep
+    kind: Role
+    apiGroup: rbac.authorization.k8s.io
+subjects:
+    - kind: ServiceAccount
+      name: ovnkube-db
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+    name: ovnkube-db
+rules:
+    - apiGroups: [""]
+      resources:
+          - nodes
+          - namespaces
+      verbs: [ "get", "list", "watch" ]
+
+# ovnkube-db startup scripts create an endpoint:
+# https://github.com/ovn-org/ovn-kubernetes/blob/d3b10e87f7fffa38fdf4ad52f98bc8ba998df6c2/dist/images/ovnkube.sh#L699
+# in HA statefulsets/pods are inspected 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+    name: ovnkube-db-ep
+rules:
+    - apiGroups: [""]
+      resources:
+          - endpoints
+      verbs: [ "get", "create" ]
+    - apiGroups: [""]
+      resources:
+          - pods
+      verbs: [ "get", "list" ]
+    - apiGroups: ["apps"]
+      resources:
+          - statefulsets
+      verbs: [ "get" ]
+{{- end }}
diff --git a/openstack/neutron/templates/rbac-ovn-kube-master.yaml b/openstack/neutron/templates/rbac-ovn-kube-master.yaml
@@ -0,0 +1,124 @@
+{{- if ((.Values).ovn).enabled | default false }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+    name: ovnkube-master
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: ovnkube-master
+roleRef:
+    name: ovnkube-master
+    kind: ClusterRole
+    apiGroup: rbac.authorization.k8s.io
+subjects:
+    - kind: ServiceAccount
+      name: ovnkube-master
+      namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: ovnkube-master-configmaps
+roleRef:
+    name: ovn-k8s-configmap
+    kind: Role
+    apiGroup: rbac.authorization.k8s.io
+subjects:
+    - kind: ServiceAccount
+      name: ovnkube-master
+      namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: ovnkube-master-configmaps-update
+roleRef:
+    name: ovn-k8s-configmap-update
+    kind: Role
+    apiGroup: rbac.authorization.k8s.io
+subjects:
+    - kind: ServiceAccount
+      name: ovnkube-master
+      namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+    name: ovnkube-master
+rules:
+    - apiGroups: [""]
+      resources:
+          - namespaces
+          - nodes
+          - pods
+          - services
+          - endpoints
+      verbs: [ "get", "list", "watch" ]
+    - apiGroups: ["discovery.k8s.io"]
+      resources:
+          - endpointslices
+      verbs: [ "get", "list", "watch" ]
+    - apiGroups: ["networking.k8s.io"]
+      resources:
+          - networkpolicies
+      verbs: [ "get", "list", "watch" ]
+    - apiGroups: ["policy.networking.k8s.io"]
+      resources:
+          - adminnetworkpolicies
+          - baselineadminnetworkpolicies
+      verbs: ["list", "get", "watch"]
+    - apiGroups: ["k8s.ovn.org"]
+      resources:
+          - egressfirewalls
+          - egressips
+          - egressqoses
+          - egressservices
+          - adminpolicybasedexternalroutes
+      verbs: [ "get", "list", "watch" ]
+    - apiGroups: ["k8s.cni.cncf.io"]
+      resources:
+          - network-attachment-definitions
+          - multi-networkpolicies
+      verbs: ["list", "get", "watch"]
+    - apiGroups: ["policy.networking.k8s.io"]
+      resources:
+          - adminnetworkpolicies/status
+          - baselineadminnetworkpolicies/status
+      verbs: [ "patch", "update" ]
+    - apiGroups: ["k8s.ovn.org"]
+      resources:
+          - egressfirewalls/status
+          - egressips
+          - egressqoses
+          - egressservices/status
+          - adminpolicybasedexternalroutes/status
+          - egressqoses/status
+      verbs: [ "patch", "update" ]
+    - apiGroups: [""]
+      resources:
+          - events
+      verbs: ["create", "patch", "update"]
+    - apiGroups: [""]
+      resources:
+          - nodes/status
+          - pods/status
+          - services/status
+      verbs: [ "patch", "update" ]
+
+# https://github.com/ovn-org/ovn-kubernetes/blob/e1e7d40f9a6c6038b52696c1b8f8915a4d73160e/go-controller/pkg/ovn/topology_version.go#L28
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+    name: ovn-k8s-configmap-update
+rules:
+    - apiGroups: [""]
+      resources: ["configmaps"]
+      verbs: ["create", "patch", "update"]
+{{- end }}