add rbac for desktop. (labring#3825)
lingdie committed Sep 4, 2023
1 parent 8b4449a commit 8f4db16
Showing 2 changed files with 45 additions and 57 deletions.
77 changes: 32 additions & 45 deletions controllers/user/deploy/manifests/rbac.yaml
@@ -1,82 +1,69 @@
---
## 新建管理员,只允许创建管理员
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: ClusterRoleBinding
metadata:
name: sealos-user-create-role
rules:
- apiGroups:
- user.sealos.io
resources:
- 'usergroupbindings'
verbs:
- create
- delete
- deletecollection
- patch
- update
name: user-controller-manager-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: user-controller-manager
namespace: user-system
---
## 新增、删除用户,管理员只允许移入移除用户
# permissions for end users to edit users.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sealos-user-manager-role
name: user-editor-role
rules:
- apiGroups:
- user.sealos.io
resources:
- 'usergroupbindings'
- users
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- user.sealos.io
resources:
- 'users'
- users/status
verbs:
- list
- get
- watch
---
##普通用户创建namespace,usergroup
# permissions for end users to edit operationrequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sealos-user-user-role
labels:
app.kubernetes.io/name: clusterrole
app.kubernetes.io/instance: operationrequest-editor-role
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: user
app.kubernetes.io/part-of: user
app.kubernetes.io/managed-by: kustomize
name: operationrequest-editor-role
rules:
- apiGroups:
- user.sealos.io
resources:
- 'usergroupbindings'
- operationrequests
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- user.sealos.io
resources:
- 'usergroups'
- operationrequests/status
verbs:
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: user-controller-manager-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: user-controller-manager
namespace: user-system
- get
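Review bot: The ClusterRole `user-editor-role` on what appears to be the new side grants `delete` and `deletecollection` on `users` cluster-wide, and `operationrequest-editor-role` grants `create`, `delete`, `deletecollection`, `patch` and `update` on `operationrequests/status`; both look broader than a frontend consumer needs, since a status subresource is normally written only by the owning controller. Consider trimming each rule to the verbs the desktop actually calls and recording the intent above the role, e.g. `# Bound to the desktop-frontend ServiceAccount (frontend/desktop/deploy/manifests/rbac.yaml); keep verbs minimal`. The `cluster-admin` binding for `user-controller-manager` survives the reorganisation; it predates this commit but deserves its own least-privilege review. Old/new sides are inferred here because the rendered page lost the diff markers.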
25 changes: 13 additions & 12 deletions frontend/desktop/deploy/manifests/rbac.yaml
@@ -1,24 +1,25 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: ClusterRoleBinding
metadata:
name: auth-system-manager-role
rules:
- apiGroups: ["user.sealos.io"]
resources: ["users"]
verbs: ["list", "get", "create", "update", "patch", "watch"]
- apiGroups: ["user.sealos.io"]
resources: ["users/status"]
verbs: ["list", "get", "create", "update", "patch", "watch"]
name: desktop-user-editor-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: user-editor-role
subjects:
- kind: ServiceAccount
name: desktop-frontend
namespace: sealos
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auth-system-manager-role-binding
name: desktop-operationrequest-editor-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: auth-system-manager-role
name: operationrequest-editor-role
subjects:
- kind: ServiceAccount
name: desktop-frontend
namespace: sealos
namespace: sealos
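Review bot: Binding `desktop-frontend` to `user-editor-role` widens its access compared with the replaced `auth-system-manager-role`, whose rule on `users` listed only `list`, `get`, `create`, `update`, `patch` and `watch`; the new ClusterRole, as defined in controllers/user/deploy/manifests/rbac.yaml in this same commit, appears to add `delete` and `deletecollection` on every `users` object in the cluster. If the desktop never deletes users, a dedicated narrower ClusterRole kept in this file would leave the impact of a compromised `desktop-frontend` token unchanged rather than enlarged. The two `roleRef` targets now live in another component's manifests, and the API server accepts a ClusterRoleBinding whose ClusterRole does not exist yet and simply grants nothing until it appears, so a comment such as `# roleRef targets ClusterRoles shipped with the user controller; deploy that component first` would save operators a confusing 403. Sides are inferred since the rendered page dropped the `+`/`-` column.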
