From 4d8bfab3ec6676a6b55285438d32d6ff8260bd37 Mon Sep 17 00:00:00 2001
From: Anthony Lazam
Date: Wed, 30 Aug 2023 16:33:50 +0200
Subject: [PATCH 1/4] Add role to read PV used by nodes

---
 charts/testnet-manager/Chart.yaml | 2 +-
 charts/testnet-manager/templates/rbac.yaml | 24 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/charts/testnet-manager/Chart.yaml b/charts/testnet-manager/Chart.yaml
index 52f6491e..0dfc8a16 100644
--- a/charts/testnet-manager/Chart.yaml
+++ b/charts/testnet-manager/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: testnet-manager
 description: A Helm chart to deploy testnet-manager
 type: application
-version: 1.3.0
+version: 1.3.1
 appVersion: "1.0.0"
 maintainers:
 - name: Parity
diff --git a/charts/testnet-manager/templates/rbac.yaml b/charts/testnet-manager/templates/rbac.yaml
index 5da207bf..b2703aa4 100644
--- a/charts/testnet-manager/templates/rbac.yaml
+++ b/charts/testnet-manager/templates/rbac.yaml
@@ -27,6 +27,15 @@ rules:
 resources: ["statefulsets"]
 verbs: ["get", "list"]
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $fullName }}-volume-reader
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes", "persistentvolumeclaims"]
+ verbs: ["get", "list"]
+---
 # Creat Role bindings
 {{- $serviceAccountName := include "testnet-manager.serviceAccountName" . -}}
 # Allow the testnet-manager service account to read pods in the rococo namespace
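Review bot: The new `{{ $fullName }}-volume-reader` Role lists `persistentvolumes`, but PersistentVolume is a cluster-scoped resource and a namespaced Role cannot grant access to it, so the `get`/`list` on PVs that the commit subject promises will still be denied once the RoleBinding in the next hunk is applied. If the manager only needs the claims, drop `"persistentvolumes"` from `resources`; if it needs the PV objects themselves, they must be granted through a ClusterRole bound with a ClusterRoleBinding, as the node permission later in this series does. `persistentvolumeclaims` is namespaced and works as written. The rule list here is written with an indented `- apiGroups` while the node rule added later in the series is flush-left; pick one sequence style for the file.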
@@ -74,3 +83,18 @@ subjects:
 name: {{ $serviceAccountName }}
 namespace: {{ $.Release.Namespace }}
 ---
+# Allow the testnet-manager service account to read volumes in the rococo namespace
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $fullName }}-read-volume
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $fullName }}-volume-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $.Release.Namespace }}
+---
From ad553e715b07cb5a60cd88c6558756aa195f6f1d Mon Sep 17 00:00:00 2001
From: Anthony Lazam
Date: Fri, 1 Sep 2023 12:13:27 +0200
Subject: [PATCH 2/4] Add node read permission

---
 charts/testnet-manager/templates/rbac.yaml | 30 +++++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/charts/testnet-manager/templates/rbac.yaml b/charts/testnet-manager/templates/rbac.yaml
index b2703aa4..c4a17174 100644
--- a/charts/testnet-manager/templates/rbac.yaml
+++ b/charts/testnet-manager/templates/rbac.yaml
@@ -38,7 +38,7 @@ rules:
 ---
 # Creat Role bindings
 {{- $serviceAccountName := include "testnet-manager.serviceAccountName" . -}}
-# Allow the testnet-manager service account to read pods in the rococo namespace
+# Allow the testnet-manager service account to read pods in the current namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -53,7 +53,7 @@ subjects:
 name: {{ $serviceAccountName }}
 namespace: {{ $.Release.Namespace }}
 ---
-# Allow the testnet-manager service account to read configmaps in the rococo namespace
+# Allow the testnet-manager service account to read configmaps in the current namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -68,7 +68,7 @@ subjects:
 name: {{ $serviceAccountName }}
 namespace: {{ $.Release.Namespace }}
 ---
-# Allow the testnet-manager service account to read statefulsets in the rococo namespace
+# Allow the testnet-manager service account to read statefulsets in the current namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -83,7 +83,7 @@ subjects:
 name: {{ $serviceAccountName }}
 namespace: {{ $.Release.Namespace }}
 ---
-# Allow the testnet-manager service account to read volumes in the rococo namespace
+# Allow the testnet-manager service account to read volumes in the current namespace
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -98,3 +98,25 @@ subjects:
 name: {{ $serviceAccountName }}
 namespace: {{ $.Release.Namespace }}
 ---
+# Allow the testnet-manager service account to read nodes of the pod in the current namespace
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $fullName }}-read-node
+rules:
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $fullName }}-node-reader
+subjects:
+- kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $fullName }}-node-reader
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
From 34af1e120b429970ec5702b744ac64c12f5adda3 Mon Sep 17 00:00:00 2001
From: Anthony Lazam
Date: Fri, 1 Sep 2023 15:21:43 +0200
Subject: [PATCH 3/4] Update with helm docs

---
 charts/testnet-manager/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/testnet-manager/README.md b/charts/testnet-manager/README.md
index 0a032537..395e588b 100644
--- a/charts/testnet-manager/README.md
+++ b/charts/testnet-manager/README.md
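Review bot: The ClusterRole and ClusterRoleBinding added at the end of the `-98,3 +98,25` hunk are cluster-scoped objects named only from `{{ $fullName }}`, so a second install of this chart in the same cluster (another namespace, same release name) collides with the first on `{{ $fullName }}-read-node` and `{{ $fullName }}-node-reader` unless `$fullName` already embeds something namespace-unique, which is not visible here; qualifying them as `name: {{ $fullName }}-{{ $.Release.Namespace }}-read-node` avoids that. The comment `# Allow the testnet-manager service account to read nodes of the pod in the current namespace` misstates the scope, because a ClusterRoleBinding on `nodes` grants `get` on every node in the cluster, not only the one hosting a pod in this namespace; suggest `# Allow the testnet-manager service account to get nodes (cluster-scoped, so a ClusterRole/ClusterRoleBinding is required)`. The `get`-only verb list is appropriately minimal for that purpose.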
@@ -20,7 +20,7 @@ This is intended behaviour. Make sure to run `git add -A` once again to stage ch The helm chart installs the [Testnet Manager](https://github.com/paritytech/testnet-manager). -![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) +![Version: 1.3.1](https://img.shields.io/badge/Version-1.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) ## Maintainers From d451f82befb9758eece0a4462517f3267832eb20 Mon Sep 17 00:00:00 2001 From: Anthony Lazam Date: Fri, 1 Sep 2023 15:23:31 +0200 Subject: [PATCH 4/4] Rectify role name --- charts/testnet-manager/templates/rbac.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/testnet-manager/templates/rbac.yaml b/charts/testnet-manager/templates/rbac.yaml index c4a17174..e5d1ab40 100644 --- a/charts/testnet-manager/templates/rbac.yaml +++ b/charts/testnet-manager/templates/rbac.yaml @@ -118,5 +118,5 @@ subjects: namespace: {{ $.Release.Namespace }} roleRef: kind: ClusterRole - name: {{ $fullName }}-node-reader - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + name: {{ $fullName }}-read-node + apiGroup: rbac.authorization.k8s.io
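Review bot: The corrected roleRef now matches the ClusterRole, but the naming is the mirror image of the rest of the file: elsewhere the Role carries `-volume-reader` and its binding `-read-volume`, whereas here the ClusterRole is `-read-node` and the binding, whose `metadata.name` lies above this hunk, is `-node-reader`. Swapping the two, `name: {{ $fullName }}-node-reader` for the ClusterRole and `name: {{ $fullName }}-read-node` for the ClusterRoleBinding, would keep the suffix convention consistent so the object kind can be told from the name when reading `kubectl get clusterrole,clusterrolebinding` output.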