From 215d8e7965d2505720186587ac98330e1ee853e2 Mon Sep 17 00:00:00 2001
From: shaynafinocchiaro <66699024+shaynafinocchiaro@users.noreply.github.com>
Date: Fri, 16 Jun 2023 10:58:09 -0400
Subject: [PATCH] Remove unsupported Authorization manifests (#277)
* follow n-2 supported versions
* update supported version for each driver
---
 .../authorization/v1.4.0/cert-manager.yaml | 1104 ----------------
 .../authorization/v1.4.0/container.yaml | 27 -
 .../authorization/v1.4.0/deployment.yaml | 492 --------
 .../authorization/v1.4.0/ingress.yaml | 108 --
 .../v1.4.0/nginx-ingress-controller.yaml | 663 ----------
 .../authorization/v1.4.0/policies.yaml | 351 ------
 .../authorization/v1.4.0/volumes.yaml | 6 -
 .../moduleconfig/common/version-values.yaml | 6 +-
 8 files changed, 3 insertions(+), 2754 deletions(-)
 delete mode 100644 operatorconfig/moduleconfig/authorization/v1.4.0/cert-manager.yaml
 delete mode 100644 operatorconfig/moduleconfig/authorization/v1.4.0/container.yaml
 delete mode 100644 operatorconfig/moduleconfig/authorization/v1.4.0/deployment.yaml
 delete mode 100644 operatorconfig/moduleconfig/authorization/v1.4.0/ingress.yaml
 delete mode 100644 operatorconfig/moduleconfig/authorization/v1.4.0/nginx-ingress-controller.yaml
 delete mode 100644 operatorconfig/moduleconfig/authorization/v1.4.0/policies.yaml
 delete mode 100644 operatorconfig/moduleconfig/authorization/v1.4.0/volumes.yaml
diff --git a/operatorconfig/moduleconfig/authorization/v1.4.0/cert-manager.yaml b/operatorconfig/moduleconfig/authorization/v1.4.0/cert-manager.yaml
deleted file mode 100644
index ffc9f5f1f..000000000
--- a/operatorconfig/moduleconfig/authorization/v1.4.0/cert-manager.yaml
+++ /dev/null
@@ -1,1104 +0,0 @@ -# Copyright 2021 The cert-manager Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -# Source: cert-manager/templates/cainjector-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: -cert-manager-cainjector - namespace: "" - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.6.1" ---- -# Source: cert-manager/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: -cert-manager - namespace: "" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" ---- -# Source: cert-manager/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: true -metadata: - name: -cert-manager-webhook - namespace: "" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" ---- -# Source: cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - 
app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "create", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["auditregistration.k8s.io"] - resources: ["auditsinks"] - verbs: ["get", "list", "watch", "update"] ---- -# Source: cert-manager/templates/rbac.yaml -# Issuer controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "issuers/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/templates/rbac.yaml -# ClusterIssuer controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - 
app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "clusterissuers/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/templates/rbac.yaml -# Certificates controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["cert-manager.io"] - resources: ["certificates/finalizers", "certificaterequests/finalizers"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/templates/rbac.yaml -# Orders controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-orders 
- labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "orders/status"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "challenges"] - verbs: ["get", "list", "watch"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["create", "delete"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/templates/rbac.yaml -# Challenges controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -rules: - # Use to update challenge resource status - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "challenges/status"] - verbs: ["update"] - # Used to watch challenge resources - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["get", "list", "watch"] - # Used to watch challenges, issuer and clusterissuer resources - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - # Need to be able to retrieve ACME 
account private key to complete challenges - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - # Used to create events - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # HTTP01 rules - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - - apiGroups: [ "networking.x-k8s.io" ] - resources: [ "httproutes" ] - verbs: ["get", "list", "watch", "create", "delete", "update"] - # We require the ability to specify a custom hostname when we are creating - # new ingress resources. - # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 - - apiGroups: ["route.openshift.io"] - resources: ["routes/custom-host"] - verbs: ["create"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges/finalizers"] - verbs: ["update"] - # DNS01 rules (duplicated above) - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] ---- -# Source: cert-manager/templates/rbac.yaml -# ingress-shim controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests"] - verbs: ["create", "update", "delete"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", 
"certificaterequests", "issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/finalizers"] - verbs: ["update"] - - apiGroups: ["networking.x-k8s.io"] - resources: ["gateways", "httproutes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.x-k8s.io"] - resources: ["gateways/finalizers", "httproutes/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-view - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["get", "list", "watch"] ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-edit - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - 
rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] ---- -# Source: cert-manager/templates/rbac.yaml -# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-approve:cert-manager-io - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["signers"] - verbs: ["approve"] - resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] ---- -# Source: cert-manager/templates/rbac.yaml -# Permission to: -# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers -# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-controller-certificatesigningrequests - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.6.1" -rules: - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["certificates.k8s.io"] - resources: ["certificatesigningrequests/status"] - verbs: ["update"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] - verbs: 
["sign"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] ---- -# Source: cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: -cert-manager-webhook:subjectaccessreviews - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" -rules: -- apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] ---- -# Source: cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-cainjector -subjects: - - name: -cert-manager-cainjector - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-issuers -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -roleRef: - 
apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-clusterissuers -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: -cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-certificates -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-orders -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-challenges -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-ingress-shim - labels: - app: cert-manager - 
app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-ingress-shim -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-approve:cert-manager-io - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-approve:cert-manager-io -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-controller-certificatesigningrequests - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "cert-manager" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-controller-certificatesigningrequests -subjects: - - name: -cert-manager - namespace: "" - kind: ServiceAccount ---- -# Source: cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: -cert-manager-webhook:subjectaccessreviews - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -cert-manager-webhook:subjectaccessreviews -subjects: -- apiGroup: "" - kind: 
ServiceAccount - name: -cert-manager-webhook - namespace: ---- -# Source: cert-manager/templates/cainjector-rbac.yaml -# leader election rules -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: -cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.6.1" -rules: - # Used for leader election by the controller - # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller - # see cmd/cainjector/start.go#L113 - # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller - # see cmd/cainjector/start.go#L137 - # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688 - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] - verbs: ["get", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] - verbs: ["get", "update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create"] ---- -# Source: cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: -cert-manager:leaderelection - namespace: kube-system - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -rules: - # Used for leader election by the controller - # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688 - - apiGroups: [""] - resources: ["configmaps"] - 
resourceNames: ["cert-manager-controller"] - verbs: ["get", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - resourceNames: ["cert-manager-controller"] - verbs: ["get", "update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["create"] ---- -# Source: cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: -cert-manager-webhook:dynamic-serving - namespace: - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" -rules: -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["cert-manager-webhook-ca"] - verbs: ["get", "list", "watch", "update"] -# It's not possible to grant CREATE permission on a single resourceName. -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -# Source: cert-manager/templates/cainjector-rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: -cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: -cert-manager-cainjector:leaderelection -subjects: - - kind: ServiceAccount - name: -cert-manager-cainjector - namespace: ---- -# Source: cert-manager/templates/rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: -cert-manager:leaderelection - namespace: kube-system - labels: - app: 
cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: -cert-manager:leaderelection -subjects: - - apiGroup: "" - kind: ServiceAccount - name: -cert-manager - namespace: ---- -# Source: cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: -cert-manager-webhook:dynamic-serving - namespace: "" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: -cert-manager-webhook:dynamic-serving -subjects: -- apiGroup: "" - kind: ServiceAccount - name: -cert-manager-webhook - namespace: ---- -# Source: cert-manager/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: -cert-manager - namespace: "" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -spec: - type: ClusterIP - ports: - - protocol: TCP - port: 9402 - name: tcp-prometheus-servicemonitor - targetPort: 9402 - selector: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" ---- -# Source: cert-manager/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: -cert-manager-webhook - namespace: "" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" -spec: - type: ClusterIP - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 10250 - selector: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" 
---- -# Source: cert-manager/templates/cainjector-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: -cert-manager-cainjector - namespace: "" - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.6.1" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - app.kubernetes.io/component: "cainjector" - template: - metadata: - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: - app.kubernetes.io/component: "cainjector" - app.kubernetes.io/version: "v1.6.1" - spec: - serviceAccountName: -cert-manager-cainjector - securityContext: - runAsNonRoot: true - containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-cainjector:v1.6.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --leader-election-namespace=kube-system - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {} ---- -# Source: cert-manager/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: -cert-manager - namespace: "" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - template: - metadata: - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: - app.kubernetes.io/component: "controller" - app.kubernetes.io/version: "v1.6.1" - annotations: - prometheus.io/path: "/metrics" - prometheus.io/scrape: 'true' - prometheus.io/port: '9402' - spec: - serviceAccountName: -cert-manager - securityContext: - runAsNonRoot: true - containers: - - name: 
cert-manager - image: "quay.io/jetstack/cert-manager-controller:v1.6.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=kube-system - ports: - - containerPort: 9402 - protocol: TCP - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {} ---- -# Source: cert-manager/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: -cert-manager-webhook - namespace: "" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - template: - metadata: - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" - spec: - serviceAccountName: -cert-manager-webhook - securityContext: - runAsNonRoot: true - containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-webhook:v1.6.1" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --secure-port=10250 - - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - - --dynamic-serving-dns-names=-cert-manager-webhook,-cert-manager-webhook.,-cert-manager-webhook..svc - ports: - - name: https - protocol: TCP - containerPort: 10250 - livenessProbe: - httpGet: - path: /livez - port: 6080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 6080 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - env: - - name: POD_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace - resources: - {} ---- -# Source: cert-manager/templates/webhook-mutating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: -cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" - annotations: - cert-manager.io/inject-ca-from-secret: "/cert-manager-webhook-ca" -webhooks: - - name: webhook.cert-manager.io - rules: - - apiGroups: - - "cert-manager.io" - - "acme.cert-manager.io" - apiVersions: - - "v1" - operations: - - CREATE - - UPDATE - resources: - - "*/*" - # We don't actually support `v1beta1` but is listed here as it is a - # required value for - # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025). - # The API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). When we no longer - # support v1.16 we can remove `v1beta1` from this list. - admissionReviewVersions: ["v1", "v1beta1"] - # This webhook only accepts v1 cert-manager resources. - # Equivalent matchPolicy ensures that non-v1 resource requests are sent to - # this webhook (after the resources have been converted to v1). 
- matchPolicy: Equivalent - timeoutSeconds: 10 - failurePolicy: Fail - # Only include 'sideEffects' field in Kubernetes 1.12+ - sideEffects: None - clientConfig: - service: - name: -cert-manager-webhook - namespace: "" - path: /mutate ---- -# Source: cert-manager/templates/webhook-validating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: -cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: - app.kubernetes.io/component: "webhook" - app.kubernetes.io/version: "v1.6.1" - annotations: - cert-manager.io/inject-ca-from-secret: "/cert-manager-webhook-ca" -webhooks: - - name: webhook.cert-manager.io - namespaceSelector: - matchExpressions: - - key: "cert-manager.io/disable-validation" - operator: "NotIn" - values: - - "true" - - key: "name" - operator: "NotIn" - values: - - cert-manager - rules: - - apiGroups: - - "cert-manager.io" - - "acme.cert-manager.io" - apiVersions: - - "v1" - operations: - - CREATE - - UPDATE - resources: - - "*/*" - # We don't actually support `v1beta1` but is listed here as it is a - # required value for - # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025). - # The API server reads the supported versions in order, so _should always_ - # attempt a `v1` request which is understood by the cert-manager webhook. - # Any `v1beta1` request will return an error and fail closed for that - # resource (the whole object request is rejected). When we no longer - # support v1.16 we can remove `v1beta1` from this list. - admissionReviewVersions: ["v1", "v1beta1"] - # This webhook only accepts v1 cert-manager resources. - # Equivalent matchPolicy ensures that non-v1 resource requests are sent to - # this webhook (after the resources have been converted to v1). 
- matchPolicy: Equivalent - timeoutSeconds: 10 - failurePolicy: Fail - sideEffects: None - clientConfig: - service: - name: -cert-manager-webhook - namespace: "" - path: /validate \ No newline at end of file diff --git a/operatorconfig/moduleconfig/authorization/v1.4.0/container.yaml b/operatorconfig/moduleconfig/authorization/v1.4.0/container.yaml deleted file mode 100644 index 4a81b698d..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.4.0/container.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: karavi-authorization-proxy -imagePullPolicy: IfNotPresent -image: dellemc/csm-authorization-sidecar:v1.4.0 -env: - - name: PROXY_HOST - value: "" - - name: SKIP_CERTIFICATE_VALIDATION - value: "true" - - name: PLUGIN_IDENTIFIER - value: - - name: ACCESS_TOKEN - valueFrom: - secretKeyRef: - name: proxy-authz-tokens - key: access - - name: REFRESH_TOKEN - valueFrom: - secretKeyRef: - name: proxy-authz-tokens - key: refresh -volumeMounts: - - name: karavi-authorization-config - mountPath: /etc/karavi-authorization/config - - name: proxy-server-root-certificate - mountPath: /etc/karavi-authorization/root-certificates - - name: - mountPath: /etc/karavi-authorization diff --git a/operatorconfig/moduleconfig/authorization/v1.4.0/deployment.yaml b/operatorconfig/moduleconfig/authorization/v1.4.0/deployment.yaml deleted file mode 100644 index e36c4ecde..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.4.0/deployment.yaml +++ /dev/null 
@@ -1,492 +0,0 @@ -# Proxy service -apiVersion: apps/v1 -kind: Deployment -metadata: - name: proxy-server - namespace: - labels: - app: proxy-server -spec: - replicas: 1 - selector: - matchLabels: - app: proxy-server - template: - metadata: - labels: - app: proxy-server - spec: - containers: - - name: proxy-server - image: - imagePullPolicy: Always - args: - - "--redis-host=redis..svc.cluster.local:6379" - - "--tenant-service=tenant-service..svc.cluster.local:50051" - ports: - - containerPort: 8080 - volumeMounts: - - name: config-volume - mountPath: /etc/karavi-authorization/config - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - - name: opa - image: - imagePullPolicy: IfNotPresent - args: - - "run" - - "--ignore=." - - "--server" - - "--log-level=debug" - ports: - - name: http - containerPort: 8181 - - name: kube-mgmt - image: - imagePullPolicy: IfNotPresent - args: - - "--policies=authorization" - - "--enable-data" - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: proxy-server - namespace: -spec: - selector: - app: proxy-server - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 ---- -# Tenant Service -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tenant-service - namespace: - labels: - app: tenant-service -spec: - replicas: 1 - selector: - matchLabels: - app: tenant-service - template: - metadata: - labels: - app: tenant-service - spec: - containers: - - name: tenant-service - image: - imagePullPolicy: Always - args: - - "--redis-host=redis..svc.cluster.local:6379" - ports: - - containerPort: 50051 - name: grpc - volumeMounts: - - name: config-volume - mountPath: /etc/karavi-authorization/config - - 
name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: config-volume - secret: - secretName: karavi-config-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: tenant-service - namespace: -spec: - selector: - app: tenant-service - ports: - - port: 50051 - targetPort: 50051 - name: grpc ---- -# Role Service -apiVersion: v1 -kind: ServiceAccount -metadata: - name: role-service - namespace: ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: role-service -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: role-service -subjects: - - kind: ServiceAccount - name: role-service - namespace: -roleRef: - kind: ClusterRole - name: role-service - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: role-service - namespace: - labels: - app: role-service -spec: - replicas: 1 - selector: - matchLabels: - app: role-service - template: - metadata: - labels: - app: role-service - spec: - serviceAccountName: role-service - containers: - - name: role-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: authorization - volumeMounts: - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: role-service - namespace: -spec: - selector: - app: role-service - ports: - - port: 50051 - targetPort: 50051 - name: grpc ---- -# Storage service -apiVersion: v1 -kind: ServiceAccount -metadata: - name: storage-service - namespace: ---- -kind: ClusterRole -apiVersion: 
rbac.authorization.k8s.io/v1 -metadata: - name: storage-service -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: storage-service -subjects: - - kind: ServiceAccount - name: storage-service - namespace: -roleRef: - kind: ClusterRole - name: storage-service - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: storage-service - namespace: - labels: - app: storage-service -spec: - replicas: 1 - selector: - matchLabels: - app: storage-service - template: - metadata: - labels: - app: storage-service - spec: - serviceAccountName: storage-service - containers: - - name: storage-service - image: - imagePullPolicy: Always - ports: - - containerPort: 50051 - name: grpc - env: - - name: NAMESPACE - value: authorization - volumeMounts: - - name: storage-volume - mountPath: /etc/karavi-authorization/storage - - name: csm-config-params - mountPath: /etc/karavi-authorization/csm-config-params - volumes: - - name: storage-volume - secret: - secretName: karavi-storage-secret - - name: csm-config-params - configMap: - name: csm-config-params ---- -apiVersion: v1 -kind: Service -metadata: - name: storage-service - namespace: -spec: - selector: - app: storage-service - ports: - - port: 50051 - targetPort: 50051 - name: grpc ---- -# Redis -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-primary - namespace: - labels: - app: redis -spec: - selector: - matchLabels: - app: redis - role: primary - tier: backend - replicas: 1 - template: - metadata: - labels: - app: redis - role: primary - tier: backend - spec: - containers: - - name: primary - image: - imagePullPolicy: IfNotPresent - args: ["--appendonly", "yes", "--appendfsync", "always"] - resources: - requests: - cpu: 100m - memory: 100Mi - ports: - - containerPort: 6379 - volumeMounts: - - name: redis-primary-volume - mountPath: /data - volumes: - - name: 
redis-primary-volume - persistentVolumeClaim: - claimName: redis-primary-pv-claim ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: redis-primary-pv-claim - namespace: - labels: - app: redis-primary -spec: - accessModes: - - ReadWriteOnce - storageClassName: - resources: - requests: - storage: 8Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis-commander - namespace: -spec: - replicas: 1 - selector: - matchLabels: - app: redis-commander - template: - metadata: - labels: - app: redis-commander - tier: backend - spec: - containers: - - name: redis-commander - image: - imagePullPolicy: IfNotPresent - env: - - name: REDIS_HOSTS - value: "rbac:redis..svc.cluster.local:6379" - - name: K8S_SIGTERM - value: "1" - ports: - - name: redis-commander - containerPort: 8081 - livenessProbe: - httpGet: - path: /favicon.png - port: 8081 - initialDelaySeconds: 10 - timeoutSeconds: 5 - resources: - limits: - cpu: "500m" - memory: "512M" - securityContext: - runAsNonRoot: true - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Service -metadata: - name: redis - namespace: -spec: - selector: - app: redis - ports: - - protocol: TCP - port: 6379 - targetPort: 6379 ---- -apiVersion: v1 -kind: Service -metadata: - name: redis-commander - namespace: -spec: - selector: - app: redis-commander - ports: - - protocol: TCP - port: 8081 - targetPort: 8081 ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: auth-resource-reader -rules: - - apiGroups: [""] - resources: ["secrets", "configmaps", "pods"] - verbs: ["get", "watch", "list", "patch", "create", "update", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - resourceNames: ["ingress-controller-leader"] - verbs: ["get", "update"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: system:serviceaccounts:authorization -subjects: - - 
kind: Group - name: system:serviceaccounts:authorization - namespace: -roleRef: - kind: ClusterRole - name: auth-resource-reader - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: view ---- -# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt -# list configmaps to be loaded into OPA as policies. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: opa-viewer -roleRef: - kind: ClusterRole - name: view - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: Group - name: system:serviceaccounts:authorization - apiGroup: rbac.authorization.k8s.io ---- -# Define role for OPA/kube-mgmt to update configmaps with policy status. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: - name: configmap-modifier -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["update", "patch"] ---- -# Grant OPA/kube-mgmt role defined above. -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - namespace: - name: opa-configmap-modifier -roleRef: - kind: Role - name: configmap-modifier - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: Group - name: system:serviceaccounts:authorization - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/operatorconfig/moduleconfig/authorization/v1.4.0/ingress.yaml b/operatorconfig/moduleconfig/authorization/v1.4.0/ingress.yaml deleted file mode 100644 index c2e7fb1ef..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.4.0/ingress.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: proxy-server - namespace: -spec: - ingressClassName: - tls: - - hosts: - - - - - secretName: karavi-auth-tls - rules: - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 - - host: - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-server - port: - number: 8080 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: tenant-service - namespace: - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" -spec: - ingressClassName: - tls: - - hosts: - - tenant. - secretName: karavi-auth-tls - rules: - - host: tenant. - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: tenant-service - port: - number: 50051 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: role-service - namespace: - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" -spec: - ingressClassName: - tls: - - hosts: - - role. - secretName: karavi-auth-tls - rules: - - host: role. - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: role-service - port: - number: 50051 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: storage-service - namespace: - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" -spec: - ingressClassName: - tls: - - hosts: - - storage. - secretName: karavi-auth-tls - rules: - - host: storage. - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: storage-service - port: - number: 50051 \ No newline at end of file diff --git a/operatorconfig/moduleconfig/authorization/v1.4.0/nginx-ingress-controller.yaml b/operatorconfig/moduleconfig/authorization/v1.4.0/nginx-ingress-controller.yaml deleted file mode 100644 index 3bafbb56f..000000000 
--- a/operatorconfig/moduleconfig/authorization/v1.4.0/nginx-ingress-controller.yaml +++ /dev/null 
@@ -1,663 +0,0 @@ -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx - namespace: ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission - namespace: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx - namespace: -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - ingress-controller-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - coordination.k8s.io - resourceNames: - - ingress-controller-leader - resources: - - leases - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - "" - resources: - - events - 
verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission - namespace: -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - get -- apiGroups: - - "" - resources: - - namespaces - resourceNames: - - authorization - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - 
app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx - namespace: -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: -ingress-nginx -subjects: -- kind: ServiceAccount - name: -ingress-nginx - namespace: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission - namespace: -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: -ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: -ingress-nginx-admission - namespace: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: -ingress-nginx -subjects: -- kind: ServiceAccount - name: -ingress-nginx - namespace: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 
-ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: -ingress-nginx-admission - namespace: ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-controller - namespace: ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-controller - namespace: -spec: - externalTrafficPolicy: Cluster - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - type: LoadBalancer ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-controller-admission - namespace: -spec: - ports: - - appProtocol: https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-controller - namespace: 
-spec: - minReadySeconds: 0 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - spec: - containers: - - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/-ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/-ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - - --v=3 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - name: http - protocol: TCP - - containerPort: 443 - name: https - protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - runAsUser: 101 - volumeMounts: 
- - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: -ingress-nginx - terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: -ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission-create - namespace: -spec: - ttlSecondsAfterFinished: 10 - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=-ingress-nginx-controller-admission,-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=-ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: -ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission-patch - namespace: -spec: - 
ttlSecondsAfterFinished: 10 - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=-ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=-ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: -ingress-nginx-admission ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: nginx -spec: - controller: k8s.io/ingress-nginx ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.3 - name: -ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: -ingress-nginx-controller-admission - namespace: - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - 
networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None - \ No newline at end of file diff --git a/operatorconfig/moduleconfig/authorization/v1.4.0/policies.yaml b/operatorconfig/moduleconfig/authorization/v1.4.0/policies.yaml deleted file mode 100644 index ea9427a4a..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.4.0/policies.yaml +++ /dev/null 
@@ -1,351 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: common - namespace: -data: - common.rego: | - package karavi.common - default roles = {} - roles = {} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powermax-urls - namespace: -data: - powermax-url.rego: | - package karavi.authz.powermax.url - - allowlist = [ - "GET /univmax/restapi/version", - "GET /univmax/restapi/(90|91)/system/symmetrix/[a-f0-9A-F]+", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/srp", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", - "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", - "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "PUT /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/storagegroup/[a-f0-9A-F]+", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", - "GET /univmax/restapi/91/sloprovisioning/symmetrix/[a-f0-9A-F]+/portgroup/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/initiator", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/host/(.+)", - "GET /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", - "GET /univmax/restapi/(90|91)/system/symmetrix", - "GET /univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/[a-f0-9A-F]+/snapshot", - "GET 
/univmax/restapi/private/(90|91)/replication/symmetrix/[a-f0-9A-F]+/volume/", - "DELETE /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview/(.+)", - "GET /univmax/restapi/(90|91)/replication/capabilities/symmetrix/", - "POST /univmax/restapi/(90|91)/sloprovisioning/symmetrix/[a-f0-9A-F]+/maskingview", - ] - - default allow = true - - allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerscale-urls - namespace: -data: - powerscale-url.rego: | - package karavi.authz.powerscale.url - - allowlist = [ - "GET /platform/latest/", - "GET /platform/[0-9]/cluster/config/", - "GET /namespace/(.+)", - "GET /platform/[0-9]/protocols/nfs/exports/?(.+)", - "PUT /namespace/(.+)", - "GET /platform/[0-9]/quota/license/", - "POST /platform/[0-9]/quota/quotas/", - "POST /platform/[0-9]/protocols/nfs/exports/?(.+)", - "GET /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "PUT /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "DELETE /platform/[0-9]/quota/quotas/[a-z0-9A-Z]+/", - "DELETE /platform/[0-9]/protocols/nfs/exports/[0-9]+?(.+)", - "DELETE /namespace/(.+)", - "GET /platform/[0-9]/snapshot/snapshots/(.+)", - "POST /platform/[0-9]/snapshot/snapshots", - "DELETE /platform/[0-9]/snapshot/snapshots/(.+)", - "POST /session/[0-9]/session/", - "GET /session/[0-9]/session/", - "POST /proxy/refresh-token/" - ] - - default allow = true - allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerflex-urls - namespace: -data: - url.rego: | - package karavi.authz.url - - allowlist = [ - "GET /api/login/", - "POST /proxy/refresh-token/", - "GET /api/version/", - "GET /api/types/System/instances/", - "GET /api/types/StoragePool/instances/", - "POST /api/types/Volume/instances/", - "GET /api/instances/Volume::[a-f0-9]+/$", - "POST /api/types/Volume/instances/action/queryIdByKey/", - 
"GET /api/instances/System::[a-f0-9]+/relationships/Sdc/", - "GET /api/instances/Sdc::[a-f0-9]+/relationships/Statistics/", - "GET /api/instances/Sdc::[a-f0-9]+/relationships/Volume/", - "GET /api/instances/Volume::[a-f0-9]+/relationships/Statistics/", - "GET /api/instances/StoragePool::[a-f0-9]+/relationships/Statistics/", - "POST /api/instances/Volume::[a-f0-9]+/action/addMappedSdc/", - "POST /api/instances/Volume::[a-f0-9]+/action/removeMappedSdc/", - "POST /api/instances/Volume::[a-f0-9]+/action/removeVolume/" - ] - - default allow = true - allow { - regex.match(allowlist[_], sprintf("%s %s", [input.method, input.url])) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-create - namespace: -data: - volumes-create.rego: | - package karavi.volumes.create - - import data.karavi.common - default allow = false - - allow { - count(permitted_roles) != 0 - count(deny) == 0 - } - - deny[msg] { - common.roles == {} - msg := sprintf("no configured roles", []) - } - - deny[msg] { - count(permitted_roles) == 0 - msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s", - [input.claims.roles, - input.request.volumeSizeInKb, - input.systemtype, - input.storagesystemid, - input.storagepool]) - } - - permitted_roles[v] = y { - claimed_roles := split(input.claims.roles, ",") - - some i - a := claimed_roles[i] - common.roles[a] - - v := claimed_roles[i] - common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) - y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-delete - namespace: -data: - volumes-delete.rego: | - package karavi.volumes.delete - - import data.karavi.common - - default response = { - "allowed": true - } - response = { - "allowed": false, - "status": { - "reason": reason, - }, - } { - reason = 
concat(", ", deny) - reason != "" - } - - deny[msg] { - common.roles == {} - msg := sprintf("no role data found", []) - } - - default claims = {} - claims = input.claims - deny[msg] { - claims == {} - msg := sprintf("missing claims", []) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-map - namespace: -data: - volumes-map.rego: | - package karavi.volumes.map - - import data.karavi.common - - default response = { - "allowed": true - } - response = { - "allowed": false, - "status": { - "reason": reason, - }, - } { - reason = concat(", ", deny) - reason != "" - } - - deny[msg] { - common.roles == {} - msg := sprintf("no role data found", []) - } - - default claims = {} - claims = input.claims - deny[msg] { - claims == {} - msg := sprintf("missing claims", []) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powermax-volumes-create - namespace: -data: - volumes-powermax-create.rego: | - package karavi.volumes.powermax.create - - import data.karavi.common - - default allow = false - - allow { - count(permitted_roles) != 0 - count(deny) == 0 - } - - deny[msg] { - common.roles == {} - msg := sprintf("no configured roles", []) - } - - deny[msg] { - count(permitted_roles) == 0 - msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s", - [input.claims.roles, - input.request.volumeSizeInKb, - input.systemtype, - input.storagesystemid, - input.storagepool]) - } - - permitted_roles[v] = y { - claimed_roles := split(input.claims.roles, ",") - - some i - a := claimed_roles[i] - common.roles[a] - - v := claimed_roles[i] - common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) - y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: powerscale-volumes-create - namespace: -data: - 
volumes-powerscale-create.rego: | - package karavi.volumes.powerscale.create - - import data.karavi.common - - default allow = false - - allow { - count(deny) == 0 - } - - deny[msg] { - common.roles == {} - msg := sprintf("no configured roles", []) - } - - permitted_roles[v] = y { - claimed_roles := split(input.claims.roles, ",") - - some i - a := claimed_roles[i] - common.roles[a] - - v := claimed_roles[i] - common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) - y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: volumes-unmap - namespace: -data: - volumes-unmap.rego: | - package karavi.volumes.unmap - - import data.karavi.common - - default response = { - "allowed": true - } - response = { - "allowed": false, - "status": { - "reason": reason, - }, - } { - reason = concat(", ", deny) - reason != "" - } - - deny[msg] { - common.roles == {} - msg := sprintf("no role data found", []) - } - - default claims = {} - claims = input.claims - deny[msg] { - claims == {} - msg := sprintf("missing claims", []) - } diff --git a/operatorconfig/moduleconfig/authorization/v1.4.0/volumes.yaml b/operatorconfig/moduleconfig/authorization/v1.4.0/volumes.yaml deleted file mode 100644 index ec4a5b445..000000000 --- a/operatorconfig/moduleconfig/authorization/v1.4.0/volumes.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- name: karavi-authorization-config - secret: - secretName: karavi-authorization-config -- name: proxy-server-root-certificate - secret: - secretName: proxy-server-root-certificate diff --git a/operatorconfig/moduleconfig/common/version-values.yaml b/operatorconfig/moduleconfig/common/version-values.yaml index ffac602db..48f423b5f 100644 --- a/operatorconfig/moduleconfig/common/version-values.yaml 
+++ b/operatorconfig/moduleconfig/common/version-values.yaml
@@ -10,7 +10,7 @@ powerscale:
 replication: "v1.4.0"
 observability: "v1.5.0"
 v2.7.0:
- authorization: "v1.6.0"
+ authorization: "v1.7.0"
 replication: "v1.5.0"
 observability: "v1.5.0"
 resiliency: "v1.6.0"
@@ -24,7 +24,7 @@ powerflex:
 observability: "v1.5.0"
 replication: "v1.4.0"
 v2.7.0:
- authorization: "v1.6.0"
+ authorization: "v1.7.0"
 observability: "v1.5.0"
 replication: "v1.5.0"
 resiliency: "v1.6.0"
@@ -40,5 +40,5 @@ powermax:
 replication: "v1.4.0"
 v2.7.0:
 csireverseproxy: "v2.6.0"
- authorization: "v1.6.0"
+ authorization: "v1.7.0"
 replication: "v1.5.0"