Default rule policy now allows watching resources required by OpenShift (#352)

Akram Ben Aissi 2020-04-28 16:45:30 +02:00 committed by GitHub
parent fe9cb921bc
commit 83b3fa8cd0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 129 additions and 43 deletions


@ -1,16 +1,70 @@
apiVersion: jenkins.io/v1alpha2 apiVersion: jenkins.io/v1alpha2
kind: Jenkins kind: Jenkins
metadata: metadata:
annotations:
jenkins.io/openshift-mode: 'true'
name: jenkins name: jenkins
spec: spec:
master: master:
containers: containers:
- name: jenkins-master - name: jenkins-master
image: quay.io/openshift/origin-jenkins:latest command:
resources: - /usr/bin/go-init
limits: - '-main'
cpu: 1500m - /usr/libexec/s2i/run
memory: 3Gi env:
requests: - name: OPENSHIFT_ENABLE_OAUTH
cpu: "1" value: 'true'
memory: 500Mi - name: OPENSHIFT_ENABLE_REDIRECT_PROMPT
value: 'true'
- name: DISABLE_ADMINISTRATIVE_MONITORS
value: 'false'
- name: KUBERNETES_MASTER
value: 'https://kubernetes.default:443'
- name: KUBERNETES_TRUST_CERTIFICATES
value: 'true'
- name: JENKINS_SERVICE_NAME
value: jenkins-operator-http-example
- name: JNLP_SERVICE_NAME
value: jenkins-operator-slave-example
- name: JENKINS_UC_INSECURE
value: 'false'
- name: JENKINS_HOME
value: /var/lib/jenkins
- name: JAVA_OPTS
value: >-
-XX:+UnlockExperimentalVMOptions -XX:+UnlockExperimentalVMOptions
-XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1
-Djenkins.install.runSetupWizard=false -Djava.awt.headless=true
image: 'quay.io/openshift/origin-jenkins:latest'
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /login
port: 8080
scheme: HTTP
initialDelaySeconds: 420
periodSeconds: 360
timeoutSeconds: 240
readinessProbe:
httpGet:
path: /login
port: 8080
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 0
timeoutSeconds: 240
resources:
limits:
cpu: 600m
memory: 4Gi
requests:
cpu: 500m
memory: 3Gi
service:
port: 8080
type: ClusterIP
slaveService:
port: 50000
type: ClusterIP
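Review bot: `readinessProbe.periodSeconds: 0` is below the Kubernetes minimum of 1, so it is either rejected at validation or treated as unset and defaulted to 10 s, and the example does not document what actually runs; write `periodSeconds: 10` or drop the key. `KUBERNETES_TRUST_CERTIFICATES: 'true'` appears to map to the Kubernetes plugin's skip-TLS-verify setting in the upstream origin-jenkins image; if so, a comment such as `# disables API-server certificate verification in the Kubernetes plugin; review before reusing outside the cluster` keeps that visible to anyone copying the example. `image: 'quay.io/openshift/origin-jenkins:latest'` together with `imagePullPolicy: Always` makes the example non-reproducible, so pinning a tag or digest is worth noting in a comment. The old and new versions of this file are interleaved in the rendering, so the removed resources block cannot be matched line by line here.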


@ -88,3 +88,20 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- "image.openshift.io"
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- "build.openshift.io"
resources:
- builds
- buildconfigs
verbs:
- get
- list
- watch
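Review bot: The Go change in this commit adds a read-only `configmaps` rule to the Jenkins master Role, but this manifest only gains the imagestreams, builds and buildconfigs rules. If this file is the operator's own Role/ClusterRole, RBAC escalation prevention requires the operator to already hold every permission it grants, so creating the Jenkins Role would be rejected unless `configmaps` with `get`/`list`/`watch` is already granted earlier in this file (outside the hunk). If it is not, a third rule `- apiGroups: [""]` / `resources: [configmaps]` / `verbs: [get, list, watch]` keeps the manifest in step with the code. The enclosing `rules:` list starts before this hunk.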


@ -6,50 +6,29 @@ import (
) )
const ( const (
createVerb = "create" createVerb = "create"
deleteVerb = "delete" deleteVerb = "delete"
getVerb = "get" getVerb = "get"
listVerb = "list" listVerb = "list"
watchVerb = "watch" watchVerb = "watch"
patchVerb = "patch" patchVerb = "patch"
updateVerb = "update" updateVerb = "update"
EmptyApiGroups = ""
OpenshiftApiGroup = "image.openshift.io"
BuildApiGroup = "build.openshift.io"
) )
// NewRole returns rbac role for jenkins master // NewRole returns rbac role for jenkins master
func NewRole(meta metav1.ObjectMeta) *v1.Role { func NewRole(meta metav1.ObjectMeta) *v1.Role {
rules := NewDefaultPolicyRules()
return &v1.Role{ return &v1.Role{
TypeMeta: metav1.TypeMeta{ TypeMeta: metav1.TypeMeta{
Kind: "Role", Kind: "Role",
APIVersion: "rbac.authorization.k8s.io/v1", APIVersion: "rbac.authorization.k8s.io/v1",
}, },
ObjectMeta: meta, ObjectMeta: meta,
Rules: []v1.PolicyRule{ Rules: rules,
{
APIGroups: []string{""},
Resources: []string{"pods/portforward"},
Verbs: []string{createVerb},
},
{
APIGroups: []string{""},
Resources: []string{"pods"},
Verbs: []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb},
},
{
APIGroups: []string{""},
Resources: []string{"pods/exec"},
Verbs: []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb},
},
{
APIGroups: []string{""},
Resources: []string{"pods/log"},
Verbs: []string{getVerb, listVerb, watchVerb},
},
{
APIGroups: []string{""},
Resources: []string{"secrets"},
Verbs: []string{getVerb, listVerb, watchVerb},
},
},
} }
} }
@ -74,3 +53,39 @@ func NewRoleBinding(name, namespace, serviceAccountName string, roleRef v1.RoleR
}, },
} }
} }
func NewDefaultPolicyRules() []v1.PolicyRule {
var rules []v1.PolicyRule
ReadOnly := []string{getVerb, listVerb, watchVerb}
Default := []string{createVerb, deleteVerb, getVerb, listVerb, patchVerb, updateVerb, watchVerb}
Create := []string{createVerb}
rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods/portforward", Create))
rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods", Default))
rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods/exec", Default))
rules = append(rules, NewPolicyRule(EmptyApiGroups, "configmaps", ReadOnly))
rules = append(rules, NewPolicyRule(EmptyApiGroups, "pods/log", ReadOnly))
rules = append(rules, NewPolicyRule(EmptyApiGroups, "secrets", ReadOnly))
rules = append(rules, NewOpenShiftPolicyRule(OpenshiftApiGroup, "imagestreams", ReadOnly))
rules = append(rules, NewOpenShiftPolicyRule(BuildApiGroup, "buildconfigs", ReadOnly))
rules = append(rules, NewOpenShiftPolicyRule(BuildApiGroup, "builds", ReadOnly))
return rules
}
// NewPolicyRule returns a policyRule allowing verbs on resources
func NewPolicyRule(apiGroup string, resource string, verbs []string) v1.PolicyRule {
rule := v1.PolicyRule{
APIGroups: []string{apiGroup},
Resources: []string{resource},
Verbs: verbs,
}
return rule
}
// NewPolicyRule returns a policyRule allowing verbs on resources
func NewOpenShiftPolicyRule(apiGroup string, resource string, verbs []string) v1.PolicyRule {
return NewPolicyRule(apiGroup,resource,verbs)
}
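Review bot: `NewOpenShiftPolicyRule` carries a copy-pasted doc comment that names `NewPolicyRule`, its call `NewPolicyRule(apiGroup,resource,verbs)` is not gofmt-clean, and the function adds nothing over `NewPolicyRule`; either drop it or document it as `// NewOpenShiftPolicyRule returns a PolicyRule for an OpenShift API group; it currently delegates to NewPolicyRule.` Exported `NewDefaultPolicyRules` has no doc comment, and one is worth writing because `NewRole` now applies it unconditionally and it widens the Jenkins master Role beyond the previous inline list (read-only `configmaps` plus the OpenShift image and build groups); a comment listing the grants, such as `// NewDefaultPolicyRules returns the PolicyRules granted to the Jenkins master service account: create on pods/portforward, full access to pods and pods/exec, and get/list/watch on configmaps, pods/log, secrets, imagestreams, builds and buildconfigs.`, makes the widening reviewable. The constants `EmptyApiGroups`, `OpenshiftApiGroup` and `BuildApiGroup` should follow Go's initialism rule and say what they hold (`EmptyAPIGroup`, `ImageAPIGroup`, `BuildAPIGroup` — the value `"image.openshift.io"` is the image group, not a general OpenShift group) and need comments if they stay exported, and the locals `ReadOnly`, `Default`, `Create` should be lower-case. The `ReadOnly` and `Default` slices are stored by reference in several rules' `Verbs`, so an in-place edit to one rule's verbs would change the others; copying in `NewPolicyRule` with `Verbs: append([]string(nil), verbs...)` removes the aliasing.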