chore(rbac): Consolidate the serviceaccounts in the chaos infrastructure (#4598)

* chore(rbac): Consolidate the serviceaccounts in the chaos infrastructure

Signed-off-by: Shubham Chaudhary <[email protected]>

* add rbac for event tracker

Signed-off-by: Shubham Chaudhary <[email protected]>

---------

Signed-off-by: Shubham Chaudhary <[email protected]>

Author: ispeakc0de

chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml

@@ -2,54 +2,53 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: argo
+  name: argo-chaos
   namespace: #{INFRA_NAMESPACE}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: argo-cluster-role
+  name: chaos-cluster-role
 rules:
-  - apiGroups: [""]
-    resources: ["pods", "pods/exec"]
-    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "watch", "list"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["create", "delete"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["workflows", "workflows/finalizers"]
-    verbs: ["get", "list", "watch", "update", "patch", "delete", "create"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["workflowtemplates","workflowtemplates/finalizers","clusterworkflowtemplates","clusterworkflowtemplates/finalizers","workflowtasksets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["workflowtaskresults"]
-    verbs: ["list", "watch", "deletecollection"]
-  - apiGroups: [""]
-    resources: ["serviceaccounts"]
-    verbs: ["get", "list"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["cronworkflows", "cronworkflows/finalizers"]
-    verbs: ["get", "list", "watch", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  - apiGroups: ["policy"]
-    resources: ["poddisruptionbudgets"]
-    verbs: ["create", "get", "delete"]
+  # for managing the pods created by workflow controller to implement individual steps in the workflow
+  - apiGroups: ['']
+    resources: ['pods', 'services']
+    verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list']
+  - apiGroups: ['']
+    resources: ['namespaces']
+    verbs: ['get', 'watch', 'patch', 'list']
+
+  # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
+  - apiGroups: ['']
+    resources: ['pods/log', 'pods/exec']
+    verbs: ['get', 'watch', 'create', 'delete', 'patch']
+  - apiGroups: ['']
+    resources: ['secrets', 'configmaps']
+    verbs: ['get', 'watch', 'create', 'patch']
+
+  # for creation & deletion of application in predefined workflows
+  - apiGroups: ['apps']
+    resources: ['deployments']
+    verbs: ['delete']
+  - apiGroups: ['apps']
+    resources: ['deployments', 'statefulsets']
+    verbs: ['get', 'watch', 'patch' , 'create']
+
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources:
+      ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
+    verbs: ["create", "list", "get", "patch", "delete", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: argo-binding
+  name: chaos-cluster-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: argo-cluster-role
+  name: chaos-cluster-role
 subjects:
   - kind: ServiceAccount
-    name: argo
+    name: argo-chaos
     namespace: #{INFRA_NAMESPACE}

chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml

@@ -67,4 +67,4 @@ spec:
               memory: "500Mi"
               cpu: "225m"
               ephemeral-storage: "1Gi"
-      serviceAccountName: argo
+      serviceAccountName: #{INFRA_SERVICE_ACCOUNT}

chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml

@@ -0,0 +1,123 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: litmus-admin
+  namespace: #{INFRA_NAMESPACE}
+  labels:
+    name: litmus-admin
+---
+# Source: openebs/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: litmus-admin
+  labels:
+    name: litmus-admin
+rules:
+  # ***************************************************************************************
+  # Permissions needed for preparing and monitor the chaos resources by chaos-runner
+  # ***************************************************************************************
+
+  # The chaos operator watches the chaosengine resource and orchestrates the chaos experiment..
+  ## .. by creating the chaos-runner
+
+  # for creating and monitoring the chaos-runner pods
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create","get","list","patch","update"]
+
+    # for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "list"]
+
+    # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+
+    # for configuring and monitor the experiment job by chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create", "list", "get", "delete", "deletecollection"]
+
+  # ********************************************************************
+  # Permissions needed for creation and discovery of chaos experiments
+  # ********************************************************************
+
+  # The helper pods are created by experiment to perform the actual chaos injection ...
+  # ... for a period of chaos duration
+
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec","pods/eviction","replicationcontrollers"]
+    verbs: ["get","list","create"]
+
+    # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+
+  # for creating and monitoring liveness services or monitoring target app services during chaos injection
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["create","get","list"]
+
+    # for checking the app parent resources as deployments or sts and are eligible chaos candidates
+  - apiGroups: ["apps"]
+    resources: ["deployments", "statefulsets"]
+    verbs: ["list", "get", "patch", "update"]
+
+    # for checking the app parent resources as replicasets and are eligible chaos candidates
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["list", "get"]
+
+  # for checking the app parent resources as deamonsets and are eligible chaos candidates
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["list","get"]
+
+    # for checking (openshift) app parent resources if they are eligible chaos candidates
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list", "get"]
+
+    # for checking (argo) app parent resources if they are eligible chaos candidates
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list", "get"]
+
+  # performs CRUD operations on the network policies
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+    verbs: ["create","delete","list","get"]
+
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+
+    # for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch", "get", "list", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: litmus-admin
+  labels:
+    name: litmus-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: litmus-admin
+subjects:
+  - kind: ServiceAccount
+    name: litmus-admin
+    namespace: #{INFRA_NAMESPACE}

chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml

@@ -30,7 +30,7 @@ spec:
         app.kubernetes.io/managed-by: kubectl
         name: chaos-operator
     spec:
-      serviceAccountName: litmus-cluster-scope
+      serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
       #{TOLERATIONS}
       #{NODE_SELECTOR}
       containers:
@@ -114,7 +114,7 @@ spec:
               memory: "500Mi"
               cpu: "225m"
               ephemeral-storage: "1Gi"
-      serviceAccountName: litmus-cluster-scope
+      serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
 ---
 apiVersion: v1
 kind: Service