From bebec3acb1ab61ea9a85752b200b44b816e07c67 Mon Sep 17 00:00:00 2001 From: Aleksandr Nogikh Date: Wed, 26 Feb 2025 17:22:07 +0100 Subject: syz-cluster: rewrite RBAC for argo service accounts They must relate to argo-executor-ksa and argo-controller-ksa. Use ClusterRole since the entities are in different namespaces. --- syz-cluster/overlays/common/kustomization.yaml | 13 +++ .../overlays/common/patch-workflow-controller.yaml | 12 +++ syz-cluster/overlays/common/workflow-roles.yaml | 96 ++++++++++++++++------ .../overlays/minikube/service-accounts.yaml | 16 ++++ 4 files changed, 113 insertions(+), 24 deletions(-) create mode 100644 syz-cluster/overlays/common/patch-workflow-controller.yaml diff --git a/syz-cluster/overlays/common/kustomization.yaml b/syz-cluster/overlays/common/kustomization.yaml index 1b765f7e2..813c4f89e 100644 --- a/syz-cluster/overlays/common/kustomization.yaml +++ b/syz-cluster/overlays/common/kustomization.yaml @@ -14,6 +14,10 @@ resources: - network-policy-git-access.yaml - workflow-roles.yaml +patches: + - patch-argo-controller.yaml + + patches: - target: kind: Deployment @@ -21,3 +25,12 @@ patches: - op: replace path: /spec/template/spec/containers/0/imagePullPolicy value: IfNotPresent + - target: + kind: ConfigMap + name: workflow-controller-configmap + patch: |- + - op: replace + path: /data + value: + workflowDefaults: + serviceAccountName: argo-executor-ksa diff --git a/syz-cluster/overlays/common/patch-workflow-controller.yaml b/syz-cluster/overlays/common/patch-workflow-controller.yaml new file mode 100644 index 000000000..e9d025d8e --- /dev/null +++ b/syz-cluster/overlays/common/patch-workflow-controller.yaml 
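Review bot: The added `patches:` key duplicates the `patches:` key that already follows it in kustomization.yaml, and its entry names `patch-argo-controller.yaml` while the file this commit creates is `patch-workflow-controller.yaml`. A duplicate mapping key is invalid YAML: kustomize's loader will most likely refuse the file, and a parser that tolerates it keeps only the last value, which silently drops the Deployment patch either way. Delete the three added lines and append the new file to the existing list as a patch entry, `  - path: patch-workflow-controller.yaml`, since as far as I recall the `patches` field expects `path:`/`patch:` objects and bare path strings belong to the deprecated `patchesStrategicMerge` form.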
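Review bot: The JSON patch replaces the entire `/data` of `workflow-controller-configmap` with a nested mapping `workflowDefaults: {serviceAccountName: ...}`, which discards every other key the base ConfigMap carries and does not match how Argo consumes this setting: ConfigMap `data` values must be strings, and Argo's `workflowDefaults` is a YAML string holding a Workflow-shaped document, so the account belongs under `spec:`. As written the API server should reject the rendered object (a mapping where a string is required); if some tooling stringified it instead, the key would still be ineffective for lack of the `spec:` level, and workflows would keep running under the namespace's `default` account whose token Secret this commit removes. Use an `add` op on `/data/workflowDefaults` with a block-string value and leave the remaining data keys untouched.
```yaml
  - target:
      kind: ConfigMap
      name: workflow-controller-configmap
    patch: |-
      - op: add
        path: /data/workflowDefaults
        value: |
          spec:
            serviceAccountName: argo-executor-ksa
```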
@@ -0,0 +1,12 @@ +# Copyright 2025 syzkaller project authors. All rights reserved. +# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: workflow-controller + namespace: argo +spec: + template: + spec: + serviceAccountName: argo-workflows-ksa diff --git a/syz-cluster/overlays/common/workflow-roles.yaml b/syz-cluster/overlays/common/workflow-roles.yaml index 933a8b8a2..c666f25fb 100644 --- a/syz-cluster/overlays/common/workflow-roles.yaml +++ b/syz-cluster/overlays/common/workflow-roles.yaml @@ -2,9 +2,8 @@ # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - namespace: default name: argo-workflow-role rules: - apiGroups: @@ -20,6 +19,20 @@ rules: - patch - delete - status + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-workflowtasks-role +rules: +- apiGroups: ["argoproj.io"] + resources: + - workflowtaskresults + verbs: + - create + - patch - apiGroups: - argoproj.io resources: 
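Review bot: The Deployment patch sets `serviceAccountName: argo-workflows-ksa`, but no ServiceAccount of that name appears anywhere in this commit; the account created in the `argo` namespace and bound by the new `argo-workflowtasks-controller-binding` is `argo-controller-ksa`. Unless `argo-workflows-ksa` already exists in the base, the controller pod will be rejected at admission for referencing a missing ServiceAccount, and if it does exist it runs without any of the roles this commit adds. Change the line to `serviceAccountName: argo-controller-ksa` so the Deployment, the ServiceAccount and the bindings agree on one name. Note also that kustomization.yaml lists `patch-argo-controller.yaml`, not this file, so the patch is not applied until that reference is fixed as well.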
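Review bot: The new `---` separator for `argo-workflowtasks-role` is inserted in the middle of the original `argo-workflow-role` rules list, so the context rules that follow it (the `argoproj.io` entries ending in `workflowartifactgctasks/status` with `patch`) now belong to `argo-workflowtasks-role` and are removed from `argo-workflow-role`, even though the diff shows no change to those lines. If moving the artifact-GC permissions to the executor-side role is intended (Argo's artifact GC pods do run under the workflow's service account, as far as I know), a comment on the new role would make that deliberate, e.g. `# Executor-side permissions: task results plus the artifact GC task objects that follow.`; if not, the separator should be placed after the last rule of `argo-workflow-role`. The rules list that this hunk splits continues into the next hunk, outside this one.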
@@ -35,52 +48,87 @@ rules: - workflowartifactgctasks/status verbs: - patch + --- +# Some more permissions that are necessary for the argo-controller process. apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role +metadata: + name: argo-controller-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: + - get + - list + - watch + - create + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: - name: argo-workflow-list-binding + name: argo-workflow-role-binding namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-workflow-role subjects: +- kind: ServiceAccount + name: argo-executor-ksa + namespace: default +- kind: ServiceAccount + name: argo-controller-ksa + namespace: default - kind: ServiceAccount name: gke-service-ksa namespace: default -roleRef: - kind: Role - name: argo-workflow-role - apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRoleBinding metadata: + name: argo-workflowtasks-role-binding + namespace: argo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-workflowtasks-role +subjects: +- kind: ServiceAccount + name: argo-executor-ksa namespace: default - name: executor -rules: -- apiGroups: ["argoproj.io"] - resources: - - workflowtaskresults - verbs: - - create - - patch +- kind: ServiceAccount + name: argo-controller-ksa + namespace: argo --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: executor-default - namespace: default + name: argo-workflowtasks-controller-binding + namespace: argo roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: executor + name: argo-controller-role subjects: - kind: ServiceAccount - name: gke-service-ksa - namespace: default + name: argo-controller-ksa + namespace: argo --- 
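Review bot: Turning `argo-workflow-role-binding` into a ClusterRoleBinding grants `argo-executor-ksa`, `argo-controller-ksa` and `gke-service-ksa` the whole of `argo-workflow-role` (which, per the context above, includes `patch` and `delete`) in every namespace of the cluster rather than in `default` and `argo`; the executor account is the one attached to workflow pods, so a compromised workflow step can now act on workflow objects cluster-wide. The commit message needs a ClusterRole only because the subjects live in two namespaces, and that is solved by keeping the ClusterRole and binding it with a namespaced RoleBinding in each namespace where workflows run — a RoleBinding's roleRef may point at a ClusterRole and its subjects may come from other namespaces. Two further mismatches in this hunk would leave the controller without the permissions it is meant to get: the first binding lists `argo-controller-ksa` with `namespace: default`, but service-accounts.yaml creates it in `argo`, so that subject dangles; and `argo-controller-role` is a Role whose metadata carries no `namespace:`, while its RoleBinding is in `argo`, so unless the kustomization sets a namespace the Role lands in `default` and the roleRef resolves to nothing. The `namespace: default` on the ClusterRoleBinding's metadata is meaningless for a cluster-scoped object and should be dropped in any case.
```yaml
# argo-workflow-role stays a ClusterRole; bind it per namespace, not cluster-wide.
# Presumably workflows run in `default`; add a second RoleBinding with the same
# roleRef in `argo` only if workflows are also submitted there.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-workflow-role-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-workflow-role
subjects:
- kind: ServiceAccount
  name: argo-executor-ksa
  namespace: default
- kind: ServiceAccount
  name: argo-controller-ksa
  namespace: argo   # the account is created in `argo`, not `default`
- kind: ServiceAccount
  name: gke-service-ksa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-controller-role
  namespace: argo   # must match the namespace of argo-workflowtasks-controller-binding
# … unchanged: rules …
```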
@@ -88,6 +136,6 @@ apiVersion: v1 kind: Secret metadata: annotations: - kubernetes.io/service-account.name: default - name: default.service-account-token + kubernetes.io/service-account.name: argo-executor-ksa + name: argo-executor-ksa.service-account-token type: kubernetes.io/service-account-token diff --git a/syz-cluster/overlays/minikube/service-accounts.yaml b/syz-cluster/overlays/minikube/service-accounts.yaml index 7dc437948..bcec70c6c 100644 --- a/syz-cluster/overlays/minikube/service-accounts.yaml +++ b/syz-cluster/overlays/minikube/service-accounts.yaml @@ -6,3 +6,19 @@ kind: ServiceAccount metadata: name: gke-service-ksa namespace: default + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-executor-ksa + namespace: default + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-controller-ksa + namespace: argo -- cgit mrf-deployment
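Review bot: The renamed Secret still mints a non-expiring `kubernetes.io/service-account-token` for `argo-executor-ksa`, and combined with the ClusterRoleBinding elsewhere in this commit that static token now carries cluster-wide `argo-workflow-role` rights, so anything able to read this Secret holds a long-lived, cluster-scoped credential. Workflow pods already receive a projected, auto-rotated token for their service account from the kubelet, so unless some consumer explicitly reads this Secret the object can be dropped; if it is needed, say who uses it, e.g. `# Long-lived token for argo-executor-ksa; read by <consumer> — keep rotated.`. The Secret's `namespace:` is outside this hunk, so I cannot confirm it lands next to the account it names.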
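Review bot: The two ServiceAccounts are added only to the minikube overlay, while the bindings that list them as subjects and the `serviceAccountName` defaults that reference them live in the common overlay; presumably the GKE overlay defines accounts of the same names with its own Workload Identity annotations, but if it does not, every other environment ends up with bindings to non-existent accounts and pods that fail admission. Either create the plain ServiceAccounts in common (leaving only the annotations to the overlays) or add a comment in common/workflow-roles.yaml stating the contract, e.g. `# argo-executor-ksa (default) and argo-controller-ksa (argo) must be provided by each overlay.`. This note is hedged because the GKE overlay is not part of this diff.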