From 88441502023da803971b477d85cc52f3ae3462d9 Mon Sep 17 00:00:00 2001 From: Peng Liu Date: Tue, 28 May 2019 09:03:24 +0800 Subject: [PATCH] Add RBAC for cluster resource Update Makefile --- Makefile | 12 ++++++------ deploy/clusterrole.yaml | 14 ++++++++++++++ deploy/clusterrolebinding.yaml | 11 +++++++++++ deploy/role.yaml | 1 - deploy/role_binding.yaml | 1 - deploy/service_account.yaml | 1 - hack/deploy-setup.sh | 12 ++++++------ hack/run-locally.sh | 1 + hack/undeploy.sh | 15 +++++++++++++++ 9 files changed, 53 insertions(+), 15 deletions(-) create mode 100644 deploy/clusterrole.yaml create mode 100644 deploy/clusterrolebinding.yaml create mode 100755 hack/undeploy.sh diff --git a/Makefile b/Makefile index f89dc3bde..bdd539b8f 100644 --- a/Makefile +++ b/Makefile @@ -61,13 +61,13 @@ gencode: operator-sdk @operator-sdk generate k8s @operator-sdk generate openapi -# deploy-setup: -# hack/deploy-setup.sh +deploy-setup: + @EXCLUSIONS=() hack/deploy-setup.sh sriov-network-operator # test-unit: # @go test -v $(PKGS) test-e2e: operator-sdk - @operator-sdk test local ./test/e2e --go-test-flags "-v -parallel=2" - -# undeploy: -# hack/undeploy.sh + @EXCLUSIONS=() hack/deploy-setup.sh sriov-network-operator && operator-sdk test local ./test/e2e --go-test-flags "-v" --namespace sriov-network-operator --no-setup + @hack/undeploy.sh sriov-network-operator +undeploy: + @hack/undeploy.sh sriov-network-operator diff --git a/deploy/clusterrole.yaml b/deploy/clusterrole.yaml new file mode 100644 index 000000000..2c37566e5 --- /dev/null +++ b/deploy/clusterrole.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-network-operator +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: [namespaces, serviceaccounts, ] + verbs: ["*"] +- apiGroups: [rbac.authorization.k8s.io] + resources: [rolebindings, roles] + verbs: ["*"] 
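Review bot: In `test-e2e` the teardown sits on its own recipe line, so when the deploy or the `operator-sdk test local` run on the line above fails, make stops there and `hack/undeploy.sh` never runs. A failed test run therefore leaves the ClusterRole and ClusterRoleBinding added by this commit installed on the cluster. Consider running the cleanup unconditionally and returning the test status, e.g. ending the first recipe line with `; rc=$$?; hack/undeploy.sh sriov-network-operator; exit $$rc` in place of the separate second line. The `EXCLUSIONS=()` prefix is bash syntax; unless the Makefile already sets `SHELL` outside this hunk, the recipe may not parse where `/bin/sh` is not bash.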
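Review bot: The last two rules grant `verbs: ["*"]` on `namespaces`, `serviceaccounts`, `roles` and `rolebindings`, and because this is a ClusterRole bound through a ClusterRoleBinding, the grant applies in every namespace. A wildcard on `roles` includes the `escalate` and `bind` verbs, and on `serviceaccounts` it includes `impersonate`, so the operator's service account can hand itself or others any namespaced permission, which is far more than installing its own manifests appears to need. List the verbs the operator actually uses, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, and narrow further with `resourceNames` where the managed objects are known by name. A short comment above each rule saying which controller code path needs it would make later audits of this file much easier.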
diff --git a/deploy/clusterrolebinding.yaml b/deploy/clusterrolebinding.yaml new file mode 100644 index 000000000..1b0403ae8 --- /dev/null +++ b/deploy/clusterrolebinding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: sriov-network-operator +roleRef: + kind: ClusterRole + name: sriov-network-operator +subjects: +- kind: ServiceAccount + namespace: sriov-network-operator + name: sriov-network-operator diff --git a/deploy/role.yaml b/deploy/role.yaml index 928a48c22..69ca5f7bc 100644 --- a/deploy/role.yaml +++ b/deploy/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: creationTimestamp: null name: sriov-network-operator - namespace: sriov-network-operator rules: - apiGroups: - "" diff --git a/deploy/role_binding.yaml b/deploy/role_binding.yaml index 1a95c4288..048368a1e 100644 --- a/deploy/role_binding.yaml +++ b/deploy/role_binding.yaml @@ -2,7 +2,6 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: sriov-network-operator - namespace: sriov-network-operator subjects: - kind: ServiceAccount name: sriov-network-operator diff --git a/deploy/service_account.yaml b/deploy/service_account.yaml index 286646f80..b1d72cd41 100644 --- a/deploy/service_account.yaml +++ b/deploy/service_account.yaml @@ -2,4 +2,3 @@ apiVersion: v1 kind: ServiceAccount metadata: name: sriov-network-operator - namespace: sriov-network-operator diff --git a/hack/deploy-setup.sh b/hack/deploy-setup.sh index 1c7d643f1..9760c01f8 100755 --- a/hack/deploy-setup.sh +++ b/hack/deploy-setup.sh @@ -1,9 +1,9 @@ #!/bin/bash -# This script inits a cluster to allow node-network-operator +# This script inits a cluster to allow sriov-network-operator # to deploy. It assumes it is capable of login as a # user who has the cluster-admin role -set -euxo pipefail +# set -euxo pipefail source "$(dirname $0)/common" 
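Review bot: The subject hard-codes `namespace: sriov-network-operator`, while the same commit removes the namespace from `service_account.yaml`, `role.yaml` and `role_binding.yaml` so that `hack/deploy-setup.sh` can apply them into a namespace given on the command line. If the script is run with any other namespace, the service account is created there but the cluster-wide grant still names the `sriov-network-operator` service account in the `sriov-network-operator` namespace. The deployed operator would then lack these permissions, and the binding would keep referring to an account that was not part of this install. Either state the restriction in the file, e.g. `# subject namespace must match the namespace passed to hack/deploy-setup.sh`, or have the script substitute the namespace before applying.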
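Review bot: Commenting out `set -euxo pipefail` means a failed `oc apply` (for example of one of the RBAC manifests) no longer stops the script, so callers such as the `&&` chain in the Makefile's `test-e2e` target can proceed against a partially applied setup. The new `hack/undeploy.sh` starts with the same `#set -euxo pipefail`. If the option was disabled because of `-u` or the noisy `-x` trace, keep the error handling and drop only those flags: `set -eo pipefail`. The rest of the script lies outside this hunk, so whether anything in it depends on non-strict mode should be checked before re-enabling.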
@@ -15,12 +15,12 @@ load_manifest() { fi pushd ${repo}/deploy - if ! oc get project node-network-operator > /dev/null 2>&1 && test -f namespace.yaml ; then + if ! oc get ns sriov-network-operator > /dev/null 2>&1 && test -f namespace.yaml ; then oc apply -f namespace.yaml fi - files="service_account.yaml role.yaml role_binding.yaml operator.yaml crds/sriovnetwork_v1_sriovnetwork_crd.yaml crds/k8s_v1_networkattachmentdefinition_crd.yaml crds/sriovnetwork_v1_sriovnetworknodepolicy_crd.yaml crds/sriovnetwork_v1_sriovnetworknodestate_crd.yaml" + files="service_account.yaml role.yaml role_binding.yaml clusterrole.yaml clusterrolebinding.yaml crds/sriovnetwork_v1_sriovnetwork_crd.yaml crds/k8s_v1_networkattachmentdefinition_crd.yaml crds/sriovnetwork_v1_sriovnetworknodepolicy_crd.yaml crds/sriovnetwork_v1_sriovnetworknodestate_crd.yaml operator.yaml" for m in ${files}; do - if [ "$(echo ${EXCLUSIONS[@]} | grep -o ${m} | wc -w)" == "0" ] ; then + if [ "$(echo ${EXCLUSIONS[@]} | grep -o ${m} | wc -w | xargs)" == "0" ] ; then oc apply -f ${m} ${namespace:-} fi done @@ -31,4 +31,4 @@ load_manifest() { rm -rf /tmp/_working_dir mkdir /tmp/_working_dir -load_manifest ${repo_dir} +load_manifest ${repo_dir} $1 diff --git a/hack/run-locally.sh b/hack/run-locally.sh index d1680a8ff..9cb800371 100755 --- a/hack/run-locally.sh +++ b/hack/run-locally.sh @@ -1,2 +1,3 @@ #!/bin/bash +EXCLUSIONS=(operator.yaml) hack/deploy-setup.sh sriov-network-operator env $(cat hack/env.sh) operator-sdk up local --namespace sriov-network-operator diff --git a/hack/undeploy.sh b/hack/undeploy.sh new file mode 100755 index 000000000..fc328a93c --- /dev/null +++ b/hack/undeploy.sh 
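Review bot: The exclusion test `grep -o ${m}` treats the manifest name as an unanchored regular expression, so with `clusterrole.yaml` now in `files`, excluding `clusterrole.yaml` also matches `role.yaml` and silently skips the namespaced Role. Match whole fixed words instead, for example `if ! echo "${EXCLUSIONS[@]}" | grep -qFw -- "${m}" ; then`, which also removes the need for the `wc -w | xargs` normalisation. The namespace probe `oc get ns sriov-network-operator` is still hard-coded even though the script now receives the namespace as `$1`. `load_manifest` begins and ends outside this hunk, so how `namespace` is derived from the new argument is not visible here.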
@@ -0,0 +1,15 @@
+#!/bin/bash
+#set -euxo pipefail
+
+repo_dir="$(dirname $0)/.."
+namespace=${1:-}
+if [ -n "${namespace}" ] ; then
+ namespace="-n ${namespace}"
+fi
+
+pushd ${repo_dir}/deploy
+files="operator.yaml service_account.yaml role.yaml role_binding.yaml clusterrole.yaml clusterrolebinding.yaml crds/sriovnetwork_v1_sriovnetwork_crd.yaml crds/k8s_v1_networkattachmentdefinition_crd.yaml crds/sriovnetwork_v1_sriovnetworknodepolicy_crd.yaml crds/sriovnetwork_v1_sriovnetworknodestate_crd.yaml"
+for file in ${files}; do
+ oc delete -f $file --ignore-not-found ${namespace}
+done
+popd
\ No newline at end of file
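Review bot: `pushd ${repo_dir}/deploy` is unchecked and strict mode is commented out, so if the directory change fails the loop still runs `oc delete -f` against whatever same-named files exist in the caller's working directory. Use `pushd "${repo_dir}/deploy" || exit 1` and quote the path as `"$(dirname "$0")/.."`. The namespace argument only scopes the namespaced objects, because the ClusterRole, ClusterRoleBinding and CRDs in `files` are cluster-scoped, and deleting a CRD also removes every custom resource of that kind. A header comment saying the script removes cluster-wide state regardless of the namespace passed would help anyone running it on a shared cluster. The exit status is that of the final `popd`, so failed deletions go unreported to the Makefile targets that call it.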