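#!/usr/bin/env bash
# Derive a least-privilege RBAC manifest for cluster-olm-operator from real API usage.
#
# Flow:
#   1. start a kind cluster with API-server auditing enabled (Metadata level),
#   2. apply the operator's CRDs and manifests and let it run,
#   3. feed the kube-apiserver audit log to audit2rbac for the operator's
#      service account (final step is left as a manual command below).
#
# Run from the repository root: the kubectl steps reference ../vendor and
# ../manifests relative to the temp dir created here.
# Requires: kind, kubectl (and audit2rbac for the final step).
set -o errexit
set -o nounset
set -o pipefail

# Plain scalars. The original `declare -a` turned these into arrays whose
# element 0 was then assigned, which works by accident but misstates intent.
declare TMPROOT
declare CLUSTER_NAME

# We're going to do file manipulation, so let's work in a temp dir.
# GNU mktemp honours -p; the fallback covers BSD/macOS mktemp.
TMPROOT="$(mktemp -p . -d 2>/dev/null || mktemp -d ./tmp-generate-rbac-XXXXXXX)"
# Make sure to delete the temp dir when we exit.
# Deliberately left disabled so the generated files (and the cluster below)
# survive for the manual audit2rbac step; re-enable once that step is scripted.
#trap 'rm -rf -- "${TMPROOT}"' EXIT
# kind cluster names must be lower-case; the temp dir name gives us a unique one.
CLUSTER_NAME=$(basename "${TMPROOT}" | tr '[:upper:]' '[:lower:]')
pushd "${TMPROOT}"

######
# Create a kind cluster with auditing enabled
######
# Metadata level is sufficient for audit2rbac: it records who did which verb
# on which resource, without request/response bodies.
cat <<'EOF' > audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF

# The relative hostPath in extraMounts resolves against the current directory,
# i.e. the temp dir where audit-policy.yaml was just written.
cat <<'EOF' > kind-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      # enable auditing flags on the API server
      extraArgs:
        audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
        audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
      # mount new files / directories on the control plane
      extraVolumes:
        - name: audit-policies
          hostPath: /etc/kubernetes/policies
          mountPath: /etc/kubernetes/policies
          readOnly: true
          pathType: "DirectoryOrCreate"
        - name: "audit-logs"
          hostPath: "/var/log/kubernetes"
          mountPath: "/var/log/kubernetes"
          readOnly: false
          pathType: DirectoryOrCreate
  # mount the local file on the control plane
  extraMounts:
  - hostPath: ./audit-policy.yaml
    containerPath: /etc/kubernetes/policies/audit-policy.yaml
    readOnly: true
EOF

kind create cluster --config kind-config.yaml --name "${CLUSTER_NAME}"
# Cluster teardown is disabled for the same reason as the temp-dir trap above.
#trap 'kind delete cluster --name "${CLUSTER_NAME}"' EXIT

######
# Apply the manifests to the cluster. Also add an extra cluster-admin binding to the cluster-olm-operator
# so that it can do everything. This avoids short-circuit scenarios.
######
kubectl apply -f ../vendor/github.com/openshift/api/config/v1/0000_00_cluster-version-operator_01_clusteroperator.crd.yaml
kubectl apply -f ../vendor/github.com/openshift/api/operator/v1alpha1/0000_10_config-operator_01_olm.crd.yaml
# Granting cluster-admin makes the audit log reflect everything the operator
# *tries* to do rather than what its current RBAC permits. Currently disabled:
# with it off, requests denied by the existing RBAC still appear in the log
# (as 403s) and audit2rbac can still derive rules from them.
#kubectl create clusterrolebinding cluster-olm-operator-admin --clusterrole=cluster-admin --user=system:serviceaccount:openshift-cluster-olm-operator:cluster-olm-operator
kubectl apply -f ../manifests

######
# Exercise the operator
# - Wait until it fully reconciles the OLM "cluster" object
# - Delete the OLM "cluster" object and wait until it handles any finalizers
######
#kubectl wait clusteroperators.config.openshift.io/olm --for condition=Available --timeout=60s
#kubectl delete olms.operator.openshift.io cluster
#kubectl wait olms.operator.openshift.io/cluster --for=delete

######
# Generate the RBAC
######
# kind names the control-plane node "<cluster>-control-plane"; use the cluster
# name chosen above instead of a hard-coded node name from a previous run.
#docker exec "${CLUSTER_NAME}-control-plane" cat /var/log/kubernetes/kube-apiserver-audit.log | audit2rbac --user system:serviceaccount:openshift-cluster-olm-operator:cluster-olm-operator -f - > rbac.yaml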