One ClusterRole to rule them all
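// One ClusterRole to rule them all
// one ClusterRole to find them
// One ClusterRole to bring them all
// and in the darkness bind them;
//
// Sketch of a single ClusterRole for cluster-monitoring-operator: the operator's
// own rules, extended (further down) with the rules of every ClusterRole the
// operator manages for its operands.
{
  // This should live in https://github.com/openshift/cluster-monitoring-operator/blob/master/jsonnet/cluster-monitoring-operator.libsonnet
  clusterRole: {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: 'ClusterRole',
    metadata: {
      name: 'cluster-monitoring-operator',
      annotations: {  // Ideally those come from https://github.com/openshift/cluster-monitoring-operator/blob/master/jsonnet/ibm-cloud-managed-profile.libsonnet
        'include.release.openshift.io/ibm-cloud-managed': 'true',
        'include.release.openshift.io/self-managed-high-availability': 'true',
        'include.release.openshift.io/single-node-developer': 'true',
      },
    },
    // All those currently are a bit hidden in https://github.com/openshift/cluster-monitoring-operator/blob/master/hack/cluster-monitoring-operator-role.yaml.in
    rules: [
      // Write access to RBAC objects. The API server's escalation check only lets
      // the operator grant permissions it holds itself, which is presumably why the
      // operands' rules are merged into this role below.
      {
        apiGroups: ['rbac.authorization.k8s.io'],
        resources: ['roles', 'rolebindings', 'clusterroles', 'clusterrolebindings'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['admissionregistration.k8s.io'],
        resources: ['validatingwebhookconfigurations'],
        verbs: ['create', 'get', 'list', 'watch'],
      },
      // NOTE(review): resourceNames cannot scope 'create' (the object name is not
      // known at authorization time), so 'create' is effectively the unrestricted
      // grant from the rule above; only 'update' and 'delete' are name-scoped here.
      {
        apiGroups: ['admissionregistration.k8s.io'],
        resourceNames: ['prometheusrules.openshift.io'],
        resources: ['validatingwebhookconfigurations'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: [''],
        resources: ['services', 'serviceaccounts', 'configmaps'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['apps'],
        resources: ['deployments', 'daemonsets'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['route.openshift.io'],
        resources: ['routes'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      // Full write access to SCCs is cluster-wide security policy; keep this rule
      // under review whenever the operator's own needs change.
      {
        apiGroups: ['security.openshift.io'],
        resources: ['securitycontextconstraints'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      {
        apiGroups: ['apiregistration.k8s.io'],
        resources: ['apiservices'],
        verbs: ['create', 'get', 'list', 'watch', 'update', 'delete'],
      },
      // Read-only access to cluster configuration the operator consumes.
      {
        apiGroups: ['config.openshift.io'],
        resources: ['clusterversions'],
        verbs: ['get'],
      },
      {
        apiGroups: ['config.openshift.io'],
        resources: ['infrastructures'],
        verbs: ['get', 'list', 'watch'],
      },
      {
        apiGroups: ['config.openshift.io'],
        resources: ['proxies'],
        verbs: ['get'],
      },
      // The operator reports its own status through the ClusterOperator object.
      {
        apiGroups: ['config.openshift.io'],
        resources: ['clusteroperators', 'clusteroperators/status'],
        verbs: ['get', 'update', 'create'],
      },
      {
        apiGroups: ['policy'],
        resources: ['poddisruptionbudgets'],
        verbs: ['create', 'get', 'update', 'delete'],
      },
    ],
  },
  // Sth like this should be in https://github.com/openshift/cluster-monitoring-operator/blob/master/jsonnet/main.jsonnet
  local inCluster = {
    // ...
    clusterMonitoringOperator: clusterMonitoringOperator($.values.clusterMonitoringOperator) {
      // Extend the ClusterRole
      clusterRole+: {
        // Ideally this would be some addon or sth, that would iterate over all ClusterRole objects.
        // Similar to how patch-rules.libsonnet goes over all PrometheusRule objects
        //
        // Every operand is the `.rules` array of the respective ClusterRole so that
        // `+` concatenates arrays; the earlier draft mixed `.rules` with whole
        // ClusterRole objects, which jsonnet cannot add to an array. The result is
        // the union of the operator's and all operands' permissions.
        rules+: inCluster.alertmanager.clusterRole.rules +
                inCluster.prometheus.clusterRole.rules +
                inCluster.prometheusOperator.clusterRole.rules +
                inCluster.grafana.clusterRole.rules,  // + all other ClusterRole
      },
    },
    // ...
  },
}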