Remove create sa.sh (#39)

* Remove create-sa.sh script Signed-off-by: Waleed Malik <[email protected]> * Update RBAC Signed-off-by: Waleed Malik <[email protected]> --------- Signed-off-by: Waleed Malik <[email protected]>
kubermatic · Aug 5, 2024 · 1afb6b3 · 1afb6b3
1 parent 1ee6aa6
commit 1afb6b3
Show file tree

Hide file tree

Showing 9 changed files with 21 additions and 190 deletions.
diff --git a/charts/kubelb-ccm/README.md b/charts/kubelb-ccm/README.md
@@ -27,7 +27,7 @@ Now, we can install the helm chart:
 ```sh
 helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm --version=v1.0.0 --untardir "kubelb-ccm" --untar
 ## Create and update values.yaml with the required values.
-helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml
+helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml --create-namespace
 ```
 
 ## Values
@@ -53,7 +53,7 @@ helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml
 | kubelb.disableGatewayController | bool | `false` | disableGatewayController specifies whether to disable the Gateway Controller. |
 | kubelb.disableHTTPRouteController | bool | `false` | disableHTTPRouteController specifies whether to disable the HTTPRoute Controller. |
 | kubelb.disableIngressController | bool | `false` | disableIngressController specifies whether to disable the Ingress Controller. |
-| kubelb.enableLeaderElection | bool | `true` |  |
+| kubelb.enableLeaderElection | bool | `true` | Enable the leader election. |
 | kubelb.nodeAddressType | string | `"InternalIP"` |  |
 | kubelb.tenantName | string | `nil` | Name of the tenant, must be unique against a load balancer cluster. |
 | kubelb.useGatewayClass | bool | `true` | useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources. |

diff --git a/charts/kubelb-ccm/README.md.gotmpl b/charts/kubelb-ccm/README.md.gotmpl
@@ -27,7 +27,7 @@ Now, we can install the helm chart:
 ```sh
 helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm --version=v1.0.0 --untardir "kubelb-ccm" --untar
 ## Create and update values.yaml with the required values.
-helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml
+helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml --create-namespace
 ```
 
 {{ template "chart.requirementsSection" . }}

diff --git a/charts/kubelb-ccm/values.yaml b/charts/kubelb-ccm/values.yaml
@@ -7,12 +7,15 @@ image:
 imagePullSecrets: []
 
 kubelb:
+  # Required to be configured.
   # -- Name of the tenant, must be unique against a load balancer cluster.
   tenantName: null
-  enableLeaderElection: true
-  nodeAddressType: InternalIP
   # -- Name of the secret that contains kubeconfig for the loadbalancer cluster
   clusterSecretName: kubelb-cluster
+
+  # -- Enable the leader election.
+  enableLeaderElection: true
+  nodeAddressType: InternalIP
   # -- useIngressClass specifies whether to target resources with `kubelb` ingress class or all resources.
   useIngressClass: true
   # -- useGatewayClass specifies whether to target resources with `kubelb` gateway class or all resources.

diff --git a/charts/kubelb-manager/README.md b/charts/kubelb-manager/README.md
@@ -17,7 +17,7 @@ Now, we can install the helm chart:
 ```sh
 helm pull oci://quay.io/kubermatic/helm-charts/kubelb-manager --version=v1.0.0 --untardir "kubelb-manager" --untar
 ## Create and update values.yaml with the required values.
-helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml
+helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml --create-namespace
 ```
 
 ## Values

diff --git a/charts/kubelb-manager/README.md.gotmpl b/charts/kubelb-manager/README.md.gotmpl
@@ -17,7 +17,7 @@ Now, we can install the helm chart:
 ```sh
 helm pull oci://quay.io/kubermatic/helm-charts/kubelb-manager --version=v1.0.0 --untardir "kubelb-manager" --untar
 ## Create and update values.yaml with the required values.
-helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml
+helm install kubelb-manager kubelb-manager --namespace kubelb -f values.yaml --create-namespace
 ```
 
 {{ template "chart.requirementsSection" . }}

diff --git a/charts/kubelb-manager/templates/clusterrole.yaml b/charts/kubelb-manager/templates/clusterrole.yaml
@@ -10,41 +10,8 @@ rules:
   - ""
   resources:
   - namespaces
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - serviceaccounts
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - services
   verbs:
   - create
@@ -175,6 +142,8 @@ rules:
 - apiGroups:
   - kubelb.k8c.io
   resources:
+  - routes
+  - tenants
   - loadbalancers
   verbs:
   - create
@@ -192,18 +161,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - kubelb.k8c.io
-  resources:
-  - routes
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - kubelb.k8c.io
   resources:
@@ -212,18 +169,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - kubelb.k8c.io
-  resources:
-  - tenants
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - kubelb.k8c.io
   resources:
@@ -256,19 +201,11 @@ rules:
   - rbac.authorization.k8s.io
   resources:
   - rolebindings
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
+  - clusterroles
   - roles
   verbs:
+  - bind
+  - escalate
   - create
   - delete
   - get

diff --git a/config/kubelb/rbac/role.yaml b/config/kubelb/rbac/role.yaml
@@ -255,8 +255,10 @@ rules:
   resources:
   - rolebindings
   verbs:
+  - bind
   - create
   - delete
+  - escalate
   - get
   - list
   - patch
@@ -267,8 +269,10 @@ rules:
   resources:
   - roles
   verbs:
+  - bind
   - create
   - delete
+  - escalate
   - get
   - list
   - patch

diff --git a/hack/create-sa.sh b/hack/create-sa.sh
diff --git a/internal/controllers/kubelb/tenant_controller.go b/internal/controllers/kubelb/tenant_controller.go
@@ -82,8 +82,8 @@ type TenantReconciler struct {
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch;delete;bind;escalate
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch;delete;bind;escalate
 // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=tenants,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=kubelb.k8c.io,resources=tenants/status,verbs=get;update;patch