From b811a17250dfcfc5d79f66f43d1a5ac33562a363 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Fri, 22 Apr 2022 14:41:30 +0200
Subject: [PATCH] add RBAC for PSa label syncing controller
---
 ...n-label-syncer-controller-clusterrole.yaml | 53 +++++++++++++++++++
 ...-syncer-controller-clusterrolebinding.yaml | 15 ++++++
 pkg/cmd/render/render_test.go | 2 +
 3 files changed, 70 insertions(+)
 create mode 100644 bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml
 create mode 100644 bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml
diff --git a/bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml b/bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml
new file mode 100644
index 000000000..afedb03b7
--- /dev/null
+++ b/bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml
@@ -0,0 +1,53 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ name: system:openshift:controller:podsecurity-admission-label-syncer-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraings
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
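Review bot: The resource name `securitycontextconstraings` in the security.openshift.io rule is misspelled, so this ClusterRole grants get/list/watch on a resource that does not exist and the controller receives no read access to SecurityContextConstraints; the line should read `- securitycontextconstraints`. RBAC rules are matched on the resource string, so the API server accepts the misspelled manifest without complaint and the missing permission only shows up at runtime as forbidden errors from whatever lists SCCs (the presence of the rule suggests the controller does). The render_test.go hunk in this commit only adds the manifest paths to an expected-files list, as far as its hunk shows, so it would not catch a wrong resource name; a small test that loads each bootkube RBAC manifest and checks its resources against a known-resource list would. The remaining rules look consistent with a namespace-labelling controller: cluster-wide update/patch on namespaces plus read access to serviceaccounts and RBAC objects.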
diff --git a/bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml b/bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml
new file mode 100644
index 000000000..830666184
--- /dev/null
+++ b/bindata/bootkube/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ name: system:openshift:controller:podsecurity-admission-label-syncer-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:controller:podsecurity-admission-label-syncer-controller
+subjects:
+- kind: ServiceAccount
+ name: podsecurity-admission-label-syncer-controller
+ namespace: openshift-infra
diff --git a/pkg/cmd/render/render_test.go b/pkg/cmd/render/render_test.go
index f5b538a5a..67cc910a2 100644
--- a/pkg/cmd/render/render_test.go
+++ b/pkg/cmd/render/render_test.go
@@ -153,6 +153,8 @@ func TestRenderCommand(t *testing.T) {
 "manifests/manifests/00_namespace-security-allocation-controller-clusterrolebinding.yaml",
 "manifests/manifests/00_openshift-kube-controller-manager-ns.yaml",
 "manifests/manifests/00_openshift-kube-controller-manager-operator-ns.yaml",
+ "manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrole.yaml",
+ "manifests/manifests/00_podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml",
 "manifests/manifests/secret-csr-signer-signer.yaml",
 "manifests/manifests/secret-initial-kube-controller-manager-service-account-private-key.yaml",
 },