From be5acfa6a426d15158e8418913b788c8c6261bb0 Mon Sep 17 00:00:00 2001
From: yy
Date: Thu, 29 Aug 2024 15:11:46 +0800
Subject: [PATCH] add default rbac rules for devbox runtime and runtime class.
---
 .../devbox/config/manager/manager.yaml | 4 +++
 .../devbox/config/rbac/role_binding.yaml | 26 +++++++++++++++++++
 .../devbox/deploy/manifests/deploy.yaml.tmpl | 26 +++++++++++++++++++
 3 files changed, 56 insertions(+)
diff --git a/controllers/devbox/config/manager/manager.yaml b/controllers/devbox/config/manager/manager.yaml
index 1fcdd3622a3..940f2fc9b99 100644
--- a/controllers/devbox/config/manager/manager.yaml
+++ b/controllers/devbox/config/manager/manager.yaml
@@ -77,6 +77,10 @@ spec:
 args:
 - --leader-elect
 - --health-probe-bind-address=:8081
+ - --registry-addr={{ .registryAddr }}
+ - --registry-user={{ .registryUser }}
+ - --registry-password={{ .registryPassword }}
+ - --auth-addr={{ .authAddr }}
 image: controller:latest
 name: manager
 securityContext:
diff --git a/controllers/devbox/config/rbac/role_binding.yaml b/controllers/devbox/config/rbac/role_binding.yaml
index ce24d3bb832..1d2e8c1762e 100644
--- a/controllers/devbox/config/rbac/role_binding.yaml
+++ b/controllers/devbox/config/rbac/role_binding.yaml
@@ -27,3 +27,29 @@ subjects:
 - kind: ServiceAccount
 name: controller-manager
 namespace: system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: devbox-runtime-default-user-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: runtime-viewer-role
+subjects:
+ - kind: Group
+ name: system:serviceaccounts
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: devbox-runtimeclass-default-user-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: runtimeclass-viewer-role
+subjects:
+ - kind: Group
+ name: system:serviceaccounts
+ apiGroup: rbac.authorization.k8s.io
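Review bot: The added `--registry-password={{ .registryPassword }}` argument writes the rendered registry password into the Deployment's pod spec, where it is readable by anyone who can get Deployments or Pods in that namespace and is stored with the object rather than as a Secret. I would keep the value in a Secret and let the manifest carry only a reference; the sketch below uses Kubernetes' `$(VAR)` expansion in `args`, with placeholder Secret name and key. That still leaves the password in the manager's process arguments, so if the manager can read it from the environment directly (its flag handling is outside this hunk), dropping the flag is the cleaner option. The container spec continues past the end of the hunk.

```yaml
# … unchanged: --leader-elect, --health-probe-bind-address, --registry-addr, --registry-user, --auth-addr …
- --registry-password=$(REGISTRY_PASSWORD)
env:
- name: REGISTRY_PASSWORD
  valueFrom:
    secretKeyRef:
      name: "<registry-credentials-secret>"  # placeholder: Secret that holds the registry password
      key: "<password-key>"  # placeholder: key inside that Secret
# … unchanged: image, name, securityContext …
```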
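Review bot: Both new ClusterRoleBindings use the group `system:serviceaccounts` as their subject, which is every service account in every namespace, so any workload in the cluster receives whatever `runtime-viewer-role` and `runtimeclass-viewer-role` grant, cluster-wide. Those ClusterRoles are not part of this patch; presumably they allow only get/list/watch, but that should be confirmed, together with whether Runtime and RuntimeClass objects can hold anything tenant-specific. I would record the intent next to each binding, e.g. `# Intentionally cluster-wide: every service account may read Runtime objects; runtime-viewer-role must stay read-only.`. The binding names say "default-user" while the subject is service accounts, which is worth aligning. The same two bindings are repeated in the deploy.yaml.tmpl hunk.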
diff --git a/controllers/devbox/deploy/manifests/deploy.yaml.tmpl b/controllers/devbox/deploy/manifests/deploy.yaml.tmpl
index 3026a4b1bc5..cd6fc843c8a 100644
--- a/controllers/devbox/deploy/manifests/deploy.yaml.tmpl
+++ b/controllers/devbox/deploy/manifests/deploy.yaml.tmpl
@@ -865,6 +865,32 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ name: devbox-devbox-runtime-default-user-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: devbox-runtime-viewer-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:serviceaccounts
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: devbox-devbox-runtimeclass-default-user-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: devbox-runtimeclass-viewer-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:serviceaccounts
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kustomize