From 6f8e4497ba91f651653932d4db1e802715fc1290 Mon Sep 17 00:00:00 2001
From: Tobias Jungel <1773291+toanju@users.noreply.github.com>
Date: Fri, 7 Feb 2025 14:46:30 +0100
Subject: [PATCH] [neutron] add rbac related parts for ovn
This adds the following kinds used by ovn:
* ClusterRole
* ClusterRoleBinding
* Role
* RoleBinding
* ServiceAccount
---
.../neutron/templates/rbac-ovn-db-raft.yaml | 67 ++++++++++
.../templates/rbac-ovn-kube-master.yaml | 124 ++++++++++++++++++
2 files changed, 191 insertions(+)
create mode 100644 openstack/neutron/templates/rbac-ovn-db-raft.yaml
create mode 100644 openstack/neutron/templates/rbac-ovn-kube-master.yaml
diff --git a/openstack/neutron/templates/rbac-ovn-db-raft.yaml b/openstack/neutron/templates/rbac-ovn-db-raft.yaml
new file mode 100644
index 00000000000..be730653393
--- /dev/null
+++ b/openstack/neutron/templates/rbac-ovn-db-raft.yaml
@@ -0,0 +1,67 @@
+{{- if ((.Values).ovn).enabled | default false }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovnkube-db
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovnkube-db
+roleRef:
+ name: ovnkube-db
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-db
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-db-ep
+roleRef:
+ name: ovnkube-db-ep
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-db
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovnkube-db
+rules:
+ - apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ verbs: [ "get", "list", "watch" ]
+
+# ovnkube-db startup scripts create an endpoint:
+# https://github.com/ovn-org/ovn-kubernetes/blob/d3b10e87f7fffa38fdf4ad52f98bc8ba998df6c2/dist/images/ovnkube.sh#L699
+# in HA statefulsets/pods are inspected
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ovnkube-db-ep
+rules:
+ - apiGroups: [""]
+ resources:
+ - endpoints
+ verbs: [ "get", "create" ]
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs: [ "get", "list" ]
+ - apiGroups: ["apps"]
+ resources:
+ - statefulsets
+ verbs: [ "get" ]
+{{- end }}
diff --git a/openstack/neutron/templates/rbac-ovn-kube-master.yaml b/openstack/neutron/templates/rbac-ovn-kube-master.yaml
new file mode 100644
index 00000000000..3d26e498a6a
--- /dev/null
+++ b/openstack/neutron/templates/rbac-ovn-kube-master.yaml
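Review bot: The `ovnkube-db-ep` RoleBinding lists its ServiceAccount subject without a `namespace`, while the ClusterRoleBinding just above it (and the RoleBindings in rbac-ovn-kube-master.yaml) spell out `namespace: {{ .Release.Namespace }}`. A RoleBinding subject with no namespace is resolved against the binding's own namespace, so the intended access is presumably still granted, but the asymmetry reads as an omission and makes the subject harder to audit against the other bindings. Adding `namespace: {{ .Release.Namespace }}` under that subject keeps the two templates consistent and the grant explicit.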
@@ -0,0 +1,124 @@
+{{- if ((.Values).ovn).enabled | default false }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovnkube-master
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovnkube-master
+roleRef:
+ name: ovnkube-master
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-master
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-master-configmaps
+roleRef:
+ name: ovn-k8s-configmap
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-master
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovnkube-master-configmaps-update
+roleRef:
+ name: ovn-k8s-configmap-update
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: ovnkube-master
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovnkube-master
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - nodes
+ - pods
+ - services
+ - endpoints
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - networkpolicies
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["policy.networking.k8s.io"]
+ resources:
+ - adminnetworkpolicies
+ - baselineadminnetworkpolicies
+ verbs: ["list", "get", "watch"]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressfirewalls
+ - egressips
+ - egressqoses
+ - egressservices
+ - adminpolicybasedexternalroutes
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: ["k8s.cni.cncf.io"]
+ resources:
+ - network-attachment-definitions
+ - multi-networkpolicies
+ verbs: ["list", "get", "watch"]
+ - apiGroups: ["policy.networking.k8s.io"]
+ resources:
+ - adminnetworkpolicies/status
+ - baselineadminnetworkpolicies/status
+ verbs: [ "patch", "update" ]
+ - apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressfirewalls/status
+ - egressips
+ - egressqoses
+ - egressservices/status
+ - adminpolicybasedexternalroutes/status
+ - egressqoses/status
+ verbs: [ "patch", "update" ]
+ - apiGroups: [""]
+ resources:
+ - events
+ verbs: ["create", "patch", "update"]
+ - apiGroups: [""]
+ resources:
+ - nodes/status
+ - pods/status
+ - services/status
+ verbs: [ "patch", "update" ]
+
+# https://github.com/ovn-org/ovn-kubernetes/blob/e1e7d40f9a6c6038b52696c1b8f8915a4d73160e/go-controller/pkg/ovn/topology_version.go#L28
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: ovn-k8s-configmap-update
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "patch", "update"]
+{{- end }}