| author | Aleksandr Nogikh <nogikh@google.com> | 2025-02-26 17:22:07 +0100 |
|---|---|---|
| committer | Aleksandr Nogikh <nogikh@google.com> | 2025-03-05 13:15:16 +0000 |
| commit | bebec3acb1ab61ea9a85752b200b44b816e07c67 (patch) | |
| tree | 06e83315cb73d96bee290e98168eb4c681266cf0 | |
| parent | 4044e35b2261e1db7b55a6039ae0b737f9a66656 (diff) | |
syz-cluster: rewrite RBAC for argo service accounts
The roles must be bound to argo-executor-ksa and argo-controller-ksa.
Use ClusterRole since the entities are in different namespaces.
| -rw-r--r-- | syz-cluster/overlays/common/kustomization.yaml | 13 | ||||
| -rw-r--r-- | syz-cluster/overlays/common/patch-workflow-controller.yaml | 12 | ||||
| -rw-r--r-- | syz-cluster/overlays/common/workflow-roles.yaml | 96 | ||||
| -rw-r--r-- | syz-cluster/overlays/minikube/service-accounts.yaml | 16 |
4 files changed, 113 insertions, 24 deletions
diff --git a/syz-cluster/overlays/common/kustomization.yaml b/syz-cluster/overlays/common/kustomization.yaml
index 1b765f7e2..813c4f89e 100644
--- a/syz-cluster/overlays/common/kustomization.yaml
+++ b/syz-cluster/overlays/common/kustomization.yaml
@@ -15,9 +15,22 @@ resources:
 - workflow-roles.yaml
 patches:
+ - patch-argo-controller.yaml
+
+
+patches:
 - target:
 kind: Deployment
 patch: |-
 - op: replace
 path: /spec/template/spec/containers/0/imagePullPolicy
 value: IfNotPresent
+ - target:
+ kind: ConfigMap
+ name: workflow-controller-configmap
+ patch: |-
+ - op: replace
+ path: /data
+ value:
+ workflowDefaults:
+ serviceAccountName: argo-executor-ksa
diff --git a/syz-cluster/overlays/common/patch-workflow-controller.yaml b/syz-cluster/overlays/common/patch-workflow-controller.yaml
new file mode 100644
index 000000000..e9d025d8e
--- /dev/null
+++ b/syz-cluster/overlays/common/patch-workflow-controller.yaml
@@ -0,0 +1,12 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: workflow-controller
+ namespace: argo
+spec:
+ template:
+ spec:
+ serviceAccountName: argo-workflows-ksa
diff --git a/syz-cluster/overlays/common/workflow-roles.yaml b/syz-cluster/overlays/common/workflow-roles.yaml
index 933a8b8a2..c666f25fb 100644
--- a/syz-cluster/overlays/common/workflow-roles.yaml
+++ b/syz-cluster/overlays/common/workflow-roles.yaml
@@ -2,9 +2,8 @@
 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
- namespace: default
 name: argo-workflow-role
 rules:
 - apiGroups:
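Review bot: The ConfigMap patch sets `data.workflowDefaults` to a nested mapping, but ConfigMap `data` values must be strings, so the API server will reject the patched `workflow-controller-configmap`; Argo reads `workflowDefaults` as a YAML string holding a Workflow skeleton, so the account belongs under `spec:` inside a block scalar. The new entry above it references `patch-argo-controller.yaml`, while the file this commit adds is `patch-workflow-controller.yaml`, and a kustomize `patches` item needs a `path:` key rather than a bare string. As rendered here the file also ends up with two top-level `patches:` keys (the context line and the added `+patches:`), which YAML loaders either reject as a duplicate key or silently resolve to the last one; fold everything into a single list. `op: replace` on `/data` discards any other keys the base ConfigMap carries, which deserves a comment if that is intended.
```yaml
patches:
  - path: patch-workflow-controller.yaml
  # … unchanged: Deployment imagePullPolicy patch …
  - target:
      kind: ConfigMap
      name: workflow-controller-configmap
    patch: |-
      - op: replace
        path: /data
        value:
          workflowDefaults: |
            spec:
              serviceAccountName: argo-executor-ksa
```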
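Review bot: The Deployment patch runs the workflow-controller as `argo-workflows-ksa`, but nothing in this commit defines that account, and every new binding in workflow-roles.yaml, as well as the commit message, targets `argo-controller-ksa`; as written the controller receives none of the configmaps/leases or workflow permissions added here. Unless `argo-workflows-ksa` already exists in the base manifests with its own grants, the line should read `serviceAccountName: argo-controller-ksa`. The `namespace: argo` on the Deployment must also match the namespace the account is created in, which is `argo` in the minikube overlay.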
@@ -20,6 +19,20 @@ rules:
 - patch
 - delete
 - status
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: argo-workflowtasks-role
+rules:
+- apiGroups: ["argoproj.io"]
+ resources:
+ - workflowtaskresults
+ verbs:
+ - create
+ - patch
 - apiGroups:
 - argoproj.io
 resources:
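Review bot: The new `argo-workflowtasks-role` document is spliced into the middle of `argo-workflow-role`'s rules: the context lines after the added `- patch` (`- apiGroups:` / `- argoproj.io` / `resources:`, continuing past this hunk to the `workflowartifactgctasks/status` entry) now sit under the new ClusterRole's `rules:`, so that status-patch rule moves from `argo-workflow-role` to `argo-workflowtasks-role`. `gke-service-ksa`, which the bindings below attach only to `argo-workflow-role`, silently loses it while the executor account gains it. If the move is deliberate, say so above the `---`, e.g. `# The status subresources below are patched by the executor, so they live with workflowtaskresults.`; otherwise insert the new document after the trailing rule instead.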
@@ -35,52 +48,87 @@ rules:
 - workflowartifactgctasks/status
 verbs:
 - patch
+
 ---
+# Some more permissions that are necessary for the argo-controller process.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: Role
+metadata:
+ name: argo-controller-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
- name: argo-workflow-list-binding
+ name: argo-workflow-role-binding
 namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argo-workflow-role
 subjects:
 - kind: ServiceAccount
+ name: argo-executor-ksa
+ namespace: default
+- kind: ServiceAccount
+ name: argo-controller-ksa
+ namespace: default
+- kind: ServiceAccount
 name: gke-service-ksa
 namespace: default
-roleRef:
- kind: Role
- name: argo-workflow-role
- apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRoleBinding
 metadata:
+ name: argo-workflowtasks-role-binding
+ namespace: argo
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argo-workflowtasks-role
+subjects:
+- kind: ServiceAccount
+ name: argo-executor-ksa
 namespace: default
- name: executor
-rules:
-- apiGroups: ["argoproj.io"]
- resources:
- - workflowtaskresults
- verbs:
- - create
- - patch
+- kind: ServiceAccount
+ name: argo-controller-ksa
+ namespace: argo
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: executor-default
- namespace: default
+ name: argo-workflowtasks-controller-binding
+ namespace: argo
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: executor
+ name: argo-controller-role
 subjects:
 - kind: ServiceAccount
- name: gke-service-ksa
- namespace: default
+ name: argo-controller-ksa
+ namespace: argo
 ---
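Review bot: `argo-workflow-role-binding` lists `argo-controller-ksa` with `namespace: default`, but that account lives in `argo` (see `argo-workflowtasks-role-binding` below and the minikube service-accounts.yaml), so the controller never receives `argo-workflow-role`; the subject must say `namespace: argo`. The new `argo-controller-role` Role has no `namespace:` while `argo-workflowtasks-controller-binding` is a RoleBinding in `argo`, and a RoleBinding can only reference a Role in its own namespace, so unless the kustomization sets one the Role lands elsewhere and that binding dangles; add `namespace: argo` under its metadata (the binding's name also suggests workflowtasks rather than the configmaps/leases role it grants). Both `ClusterRoleBinding`s carry a `metadata.namespace`, which is meaningless on a cluster-scoped object and is dropped or rejected depending on the client. The commit message's reason for binding cluster-wide does not hold either: a namespaced RoleBinding may name subjects from any namespace and may reference a ClusterRole, so a RoleBinding in `default` keeps `argo-executor-ksa`, which every workflow pod is now meant to run as, from holding workflow patch/delete rights in every namespace — and since the executor's need is `workflowtaskresults` create/patch, already granted by the second binding, it likely should not be a subject of this binding at all.
```yaml
# … unchanged: argo-workflow-role and argo-workflowtasks-role ClusterRoles …
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-controller-role
  namespace: argo
# … unchanged: argo-controller-role rules …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-workflow-role-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-workflow-role
subjects:
- kind: ServiceAccount
  name: argo-controller-ksa
  namespace: argo
- kind: ServiceAccount
  name: gke-service-ksa
  namespace: default
# argo-executor-ksa omitted: workflow pods only need workflowtaskresults (bound below); re-add if a workflow step really patches workflows.
# … unchanged: argo-workflowtasks-role-binding and argo-workflowtasks-controller-binding …
```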
@@ -88,6 +136,6 @@ apiVersion: v1
 kind: Secret
 metadata:
 annotations:
- kubernetes.io/service-account.name: default
- name: default.service-account-token
+ kubernetes.io/service-account.name: argo-executor-ksa
+ name: argo-executor-ksa.service-account-token
 type: kubernetes.io/service-account-token
diff --git a/syz-cluster/overlays/minikube/service-accounts.yaml b/syz-cluster/overlays/minikube/service-accounts.yaml
index 7dc437948..bcec70c6c 100644
--- a/syz-cluster/overlays/minikube/service-accounts.yaml
+++ b/syz-cluster/overlays/minikube/service-accounts.yaml
@@ -6,3 +6,19 @@ kind: ServiceAccount
 metadata:
 name: gke-service-ksa
 namespace: default
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argo-executor-ksa
+ namespace: default
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argo-controller-ksa
+ namespace: argo
|
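Review bot: This Secret mints a long-lived, non-expiring token for `argo-executor-ksa`, the account every workflow pod is now meant to run as and which this commit binds cluster-wide to `argo-workflow-role`, so the rename moves a standing credential from `default` onto a more privileged account in a file under overlays/common. If the static token only serves local minikube use, move the Secret into the minikube overlay; otherwise prefer short-lived tokens (`kubectl create token` or projected service-account volumes) and record the reason for a static one in a comment above the Secret. The Secret's metadata also carries no `namespace:`, yet a service-account-token Secret must live in the account's namespace (`default` for `argo-executor-ksa`); add `namespace: default` rather than relying on the apply context.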
