From 44752414ea1f7538f7e310b36d297ab4f1c9a692 Mon Sep 17 00:00:00 2001 From: Shubham Chaudhary Date: Mon, 7 Dec 2020 22:50:31 +0530 Subject: [PATCH] chore(psp): Adding podSecurityPolicies in RBAC (#387) 
Signed-off-by: shubhamchaudhary --- charts/generic/container-kill/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/disk-fill/rbac-psp.yaml | 41 +++++++++++++++++ .../kubelet-service-kill/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/node-cpu-hog/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/node-drain/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/node-io-stress/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/node-memory-hog/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/node-poweroff/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/node-restart/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/node-taint/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/pod-autoscaler/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/pod-cpu-hog/rbac-psp.yaml | 43 ++++++++++++++++++ charts/generic/pod-delete/litmus-psp.yaml | 34 ++++++++++++++ charts/generic/pod-delete/rbac-psp.yaml | 44 +++++++++++++++++++ charts/generic/pod-io-stress/rbac-psp.yaml | 43 ++++++++++++++++++ charts/generic/pod-memory-hog/rbac-psp.yaml | 43 ++++++++++++++++++ .../pod-network-corruption/rbac-psp.yaml | 43 ++++++++++++++++++ .../pod-network-duplication/rbac-psp.yaml | 42 ++++++++++++++++++ .../generic/pod-network-latency/rbac-psp.yaml | 43 ++++++++++++++++++ charts/generic/pod-network-loss/rbac-psp.yaml | 42 ++++++++++++++++++ 20 files changed, 858 insertions(+) create mode 100644 charts/generic/container-kill/rbac-psp.yaml create mode 100644 charts/generic/disk-fill/rbac-psp.yaml create mode 100644 charts/generic/kubelet-service-kill/rbac-psp.yaml create mode 100644 charts/generic/node-cpu-hog/rbac-psp.yaml create mode 100644 charts/generic/node-drain/rbac-psp.yaml create mode 100644 charts/generic/node-io-stress/rbac-psp.yaml create mode 100644 charts/generic/node-memory-hog/rbac-psp.yaml create mode 100644 charts/generic/node-poweroff/rbac-psp.yaml create mode 100644 charts/generic/node-restart/rbac-psp.yaml create mode 100644 
charts/generic/node-taint/rbac-psp.yaml create mode 100644 charts/generic/pod-autoscaler/rbac-psp.yaml create mode 100644 charts/generic/pod-cpu-hog/rbac-psp.yaml create mode 100644 charts/generic/pod-delete/litmus-psp.yaml create mode 100644 charts/generic/pod-delete/rbac-psp.yaml create mode 100644 charts/generic/pod-io-stress/rbac-psp.yaml create mode 100644 charts/generic/pod-memory-hog/rbac-psp.yaml create mode 100644 charts/generic/pod-network-corruption/rbac-psp.yaml create mode 100644 charts/generic/pod-network-duplication/rbac-psp.yaml create mode 100644 charts/generic/pod-network-latency/rbac-psp.yaml create mode 100644 charts/generic/pod-network-loss/rbac-psp.yaml
diff --git a/charts/generic/container-kill/rbac-psp.yaml b/charts/generic/container-kill/rbac-psp.yaml
new file mode 100644
index 0000000..abf8d14
--- /dev/null
+++ b/charts/generic/container-kill/rbac-psp.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: container-kill-sa
+ namespace: default
+ labels:
+ name: container-kill-sa
+ app.kubernetes.io/part-of: litmus
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: container-kill-sa
+ namespace: default
+ labels:
+ name: container-kill-sa
+ app.kubernetes.io/part-of: litmus
+rules:
+- apiGroups: ["","litmuschaos.io","batch","apps"]
+ resources: ["pods","jobs","pods/exec","pods/log","events","chaosengines","chaosexperiments","chaosresults"]
+ verbs: ["create","list","get","patch","update","delete","deletecollection"]
+- apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["use"]
+ resourceNames: ["litmus"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: container-kill-sa
+ namespace: default
+ labels:
+ name: container-kill-sa
+ app.kubernetes.io/part-of: litmus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: container-kill-sa
+subjects:
+- kind: ServiceAccount
+ name: container-kill-sa
+ namespace: default
+
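Review bot: The new `use` rule on `resourceNames: ["litmus"]` refers to a PodSecurityPolicy that this chart does not ship; in this patch the `litmus` PSP is created only by charts/generic/pod-delete/litmus-psp.yaml, so applying this file on its own into a cluster with PSP admission enabled leaves the service account bound to a policy that may not exist, and its pods would then be rejected unless some other PSP admits them. A comment above the rule would make the dependency visible, e.g. `# Requires the "litmus" PodSecurityPolicy (shipped in charts/generic/pod-delete/litmus-psp.yaml)`. The same applies to every other rbac-psp.yaml hunk in this patch. Separately, the 44th added line here is an empty line at end of file (also in the pod-delete rbac-psp.yaml hunk), which the other files do not have.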
diff --git a/charts/generic/disk-fill/rbac-psp.yaml b/charts/generic/disk-fill/rbac-psp.yaml new file mode 100644 index 0000000..4602d82 --- /dev/null +++ b/charts/generic/disk-fill/rbac-psp.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: disk-fill-sa + namespace: default + labels: + name: disk-fill-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: disk-fill-sa + labels: + name: disk-fill-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","apps","litmuschaos.io","batch"] + resources: ["pods","jobs","pods/exec","events","pods/log","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: disk-fill-sa + labels: + name: disk-fill-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: disk-fill-sa +subjects: +- kind: ServiceAccount + name: disk-fill-sa + namespace: default diff --git a/charts/generic/kubelet-service-kill/rbac-psp.yaml b/charts/generic/kubelet-service-kill/rbac-psp.yaml new file mode 100644 index 0000000..4680c3d --- /dev/null +++ b/charts/generic/kubelet-service-kill/rbac-psp.yaml 
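Review bot: The ClusterRole in this hunk grants `create` (and every other listed verb) on `pods/exec` across all namespaces to a service account in `default`, which is effectively the ability to run commands in any pod in the cluster; the container-kill hunk grants the same resource through a namespaced Role. If the experiment only needs to exec into pods in the namespace it targets, a Role plus RoleBinding would bound this; if it genuinely needs cluster scope, `pods/exec` belongs in its own rule with `verbs: ["create"]` rather than sharing `list`, `patch`, `update`, `delete` and `deletecollection` with the other resources. I cannot tell from the patch which of the two the experiment requires.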
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubelet-service-kill-sa + namespace: default + labels: + name: kubelet-service-kill-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubelet-service-kill-sa + labels: + name: kubelet-service-kill-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","jobs","pods/log","events","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubelet-service-kill-sa + labels: + name: kubelet-service-kill-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubelet-service-kill-sa +subjects: +- kind: ServiceAccount + name: kubelet-service-kill-sa + namespace: default diff --git a/charts/generic/node-cpu-hog/rbac-psp.yaml b/charts/generic/node-cpu-hog/rbac-psp.yaml new file mode 100644 index 0000000..8c6ea25 --- /dev/null +++ b/charts/generic/node-cpu-hog/rbac-psp.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-cpu-hog-sa + namespace: default + labels: + name: node-cpu-hog-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-cpu-hog-sa + labels: + name: node-cpu-hog-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","jobs","events","chaosengines","pods/log","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-cpu-hog-sa + labels: + name: node-cpu-hog-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-cpu-hog-sa +subjects: +- kind: ServiceAccount + name: node-cpu-hog-sa + namespace: default diff --git a/charts/generic/node-drain/rbac-psp.yaml b/charts/generic/node-drain/rbac-psp.yaml new file mode 100644 index 0000000..da47d5c --- /dev/null +++ b/charts/generic/node-drain/rbac-psp.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-drain-sa + namespace: default + labels: + name: node-drain-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-drain-sa + labels: + name: node-drain-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","extensions","apps"] + resources: ["pods","jobs","events","chaosengines","pods/log","daemonsets","pods/eviction","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["patch","get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-drain-sa + labels: + name: node-drain-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-drain-sa +subjects: +- kind: ServiceAccount + name: node-drain-sa + namespace: default diff --git a/charts/generic/node-io-stress/rbac-psp.yaml b/charts/generic/node-io-stress/rbac-psp.yaml new file mode 100644 index 0000000..b622587 --- /dev/null +++ b/charts/generic/node-io-stress/rbac-psp.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-io-stress-sa + namespace: default + labels: + name: node-io-stress-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-io-stress-sa + labels: + name: node-io-stress-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","jobs","pods/log","events","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-io-stress-sa + labels: + name: node-io-stress-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-io-stress-sa +subjects: +- kind: ServiceAccount + name: node-io-stress-sa + namespace: default diff --git a/charts/generic/node-memory-hog/rbac-psp.yaml b/charts/generic/node-memory-hog/rbac-psp.yaml new file mode 100644 index 0000000..cb0ed67 --- /dev/null +++ b/charts/generic/node-memory-hog/rbac-psp.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-memory-hog-sa + namespace: default + labels: + name: node-memory-hog-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-memory-hog-sa + labels: + name: node-memory-hog-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","jobs","pods/log","events","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-memory-hog-sa + labels: + name: node-memory-hog-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-memory-hog-sa +subjects: +- kind: ServiceAccount + name: node-memory-hog-sa + namespace: default diff --git a/charts/generic/node-poweroff/rbac-psp.yaml b/charts/generic/node-poweroff/rbac-psp.yaml new file mode 100644 index 0000000..1b0ed78 --- /dev/null +++ b/charts/generic/node-poweroff/rbac-psp.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-poweroff-sa + namespace: default + labels: + name: node-poweroff-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-poweroff-sa + labels: + name: node-poweroff-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","jobs","secrets","events","chaosengines","pods/log","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-poweroff-sa + labels: + name: node-poweroff-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-poweroff-sa +subjects: +- kind: ServiceAccount + name: node-poweroff-sa + namespace: default diff --git a/charts/generic/node-restart/rbac-psp.yaml b/charts/generic/node-restart/rbac-psp.yaml new file mode 100644 index 0000000..2bdf44d --- /dev/null +++ b/charts/generic/node-restart/rbac-psp.yaml 
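Review bot: The first rule of this ClusterRole lists `secrets` together with `list`, `patch`, `update`, `delete` and `deletecollection`, so the `node-poweroff-sa` account can enumerate and modify secrets in every namespace of the cluster. Presumably the experiment only needs to read one credential it is given (hedged, the patch does not show the consumer); if so, move `secrets` into its own rule, `- apiGroups: [""]` / `resources: ["secrets"]` / `verbs: ["get"]`, and drop it from the shared rule. The node-restart hunk that follows has the identical rule and needs the same change.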
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-restart-sa + namespace: default + labels: + name: node-restart-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-restart-sa + labels: + name: node-restart-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","jobs","secrets","events","chaosengines","pods/log","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-restart-sa + labels: + name: node-restart-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-restart-sa +subjects: +- kind: ServiceAccount + name: node-restart-sa + namespace: default diff --git a/charts/generic/node-taint/rbac-psp.yaml b/charts/generic/node-taint/rbac-psp.yaml new file mode 100644 index 0000000..021e957 --- /dev/null +++ b/charts/generic/node-taint/rbac-psp.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: node-taint-sa + namespace: default + labels: + name: node-taint-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: node-taint-sa + labels: + name: node-taint-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","extensions"] + resources: ["pods","jobs","events","chaosengines","pods/log","daemonsets","pods/eviction","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["patch","get","list","update"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: node-taint-sa + labels: + name: node-taint-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-taint-sa +subjects: +- kind: ServiceAccount + name: node-taint-sa + namespace: default diff --git a/charts/generic/pod-autoscaler/rbac-psp.yaml b/charts/generic/pod-autoscaler/rbac-psp.yaml new file mode 100644 index 0000000..b21a0cc --- /dev/null +++ b/charts/generic/pod-autoscaler/rbac-psp.yaml 
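Review bot: The `daemonsets` entry in the first rule is only reachable through the `extensions` API group here, whereas the node-drain hunk lists `"extensions","apps"` for the same resources; on clusters that serve daemonsets only from `apps`, this rule grants nothing for daemonsets. If the experiment relies on daemonset access (I cannot confirm that from the patch), change the group list to `apiGroups: ["","litmuschaos.io","batch","extensions","apps"]` so the two node experiments agree. Otherwise `daemonsets` and `extensions` can be dropped from this file.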
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-autoscaler-sa + namespace: default + labels: + name: pod-autoscaler-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pod-autoscaler-sa + labels: + name: pod-autoscaler-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","deployments","jobs","events","chaosengines","pods/log","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pod-autoscaler-sa + labels: + name: pod-autoscaler-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pod-autoscaler-sa +subjects: +- kind: ServiceAccount + name: pod-autoscaler-sa + namespace: default diff --git a/charts/generic/pod-cpu-hog/rbac-psp.yaml b/charts/generic/pod-cpu-hog/rbac-psp.yaml new file mode 100644 index 0000000..d263e9c --- /dev/null +++ b/charts/generic/pod-cpu-hog/rbac-psp.yaml 
@@ -0,0 +1,43 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-cpu-hog-sa + namespace: default + labels: + name: pod-cpu-hog-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-cpu-hog-sa + namespace: default + labels: + name: pod-cpu-hog-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch"] + resources: ["pods","jobs","events","pods/log","pods/exec","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-cpu-hog-sa + namespace: default + labels: + name: pod-cpu-hog-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-cpu-hog-sa +subjects: +- kind: ServiceAccount + name: pod-cpu-hog-sa + namespace: default diff --git a/charts/generic/pod-delete/litmus-psp.yaml b/charts/generic/pod-delete/litmus-psp.yaml new file mode 100644 index 0000000..c82cba1 --- /dev/null +++ b/charts/generic/pod-delete/litmus-psp.yaml 
@@ -0,0 +1,34 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: litmus
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ allowPrivilegeEscalation: false
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ # Assume that persistentVolumes set up by the cluster admin are safe to use.
+ - 'persistentVolumeClaim'
+ - 'hostPath'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Require the container to run without root privileges.
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: false
\ No newline at end of file
diff --git a/charts/generic/pod-delete/rbac-psp.yaml b/charts/generic/pod-delete/rbac-psp.yaml
new file mode 100644
index 0000000..f06fdc7
--- /dev/null
+++ b/charts/generic/pod-delete/rbac-psp.yaml
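Review bot: The comment `# Require the container to run without root privileges.` above `runAsUser` contradicts the value `rule: 'RunAsAny'`, which admits UID 0; either change the rule to `rule: 'MustRunAsNonRoot'` or reword the comment to `# Any UID is allowed, including root; experiments may need it.` so the policy does not document a restriction it does not enforce. In the same spec, `hostPath` is in `volumes` with no `allowedHostPaths`, so combined with `RunAsAny` a pod admitted by this PSP can mount any host directory read-write; if host paths are needed, add an `allowedHostPaths` list with `pathPrefix` entries and `readOnly: true` where the experiment only reads, otherwise remove `hostPath`. This file is the only place the `litmus` PSP is defined although every rbac-psp.yaml in the patch binds to it, it lacks the `---` document start the other files use, and it lacks a trailing newline. Note also that `policy/v1beta1` PodSecurityPolicy has since been deprecated and removed upstream, so a Pod Security Admission equivalent will eventually be needed.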
@@ -0,0 +1,44 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-delete-sa + namespace: default + labels: + name: pod-delete-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-delete-sa + namespace: default + labels: + name: pod-delete-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch","apps"] + resources: ["pods","deployments","pods/log","events","jobs","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-delete-sa + namespace: default + labels: + name: pod-delete-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-delete-sa +subjects: +- kind: ServiceAccount + name: pod-delete-sa + namespace: default + diff --git a/charts/generic/pod-io-stress/rbac-psp.yaml b/charts/generic/pod-io-stress/rbac-psp.yaml new file mode 100644 index 0000000..3b444a9 --- /dev/null +++ b/charts/generic/pod-io-stress/rbac-psp.yaml 
@@ -0,0 +1,43 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-io-stress-sa + namespace: default + labels: + name: pod-io-stress-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-io-stress-sa + namespace: default + labels: + name: pod-io-stress-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch"] + resources: ["pods","jobs","events","pods/log","pods/exec","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-io-stress-sa + namespace: default + labels: + name: pod-io-stress-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-io-stress-sa +subjects: +- kind: ServiceAccount + name: pod-io-stress-sa + namespace: default diff --git a/charts/generic/pod-memory-hog/rbac-psp.yaml b/charts/generic/pod-memory-hog/rbac-psp.yaml new file mode 100644 index 0000000..67dd23f --- /dev/null +++ b/charts/generic/pod-memory-hog/rbac-psp.yaml 
@@ -0,0 +1,43 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-memory-hog-sa + namespace: default + labels: + name: pod-memory-hog-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-memory-hog-sa + namespace: default + labels: + name: pod-memory-hog-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch"] + resources: ["pods","jobs","events","pods/log","pods/exec","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-memory-hog-sa + namespace: default + labels: + name: pod-memory-hog-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-memory-hog-sa +subjects: +- kind: ServiceAccount + name: pod-memory-hog-sa + namespace: default diff --git a/charts/generic/pod-network-corruption/rbac-psp.yaml b/charts/generic/pod-network-corruption/rbac-psp.yaml new file mode 100644 index 0000000..e789f80 --- /dev/null +++ b/charts/generic/pod-network-corruption/rbac-psp.yaml 
@@ -0,0 +1,43 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-network-corruption-sa + namespace: default + labels: + name: pod-network-corruption-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-network-corruption-sa + namespace: default + labels: + name: pod-network-corruption-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch"] + resources: ["pods","jobs","events","pods/log","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-network-corruption-sa + namespace: default + labels: + name: pod-network-corruption-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-network-corruption-sa +subjects: +- kind: ServiceAccount + name: pod-network-corruption-sa + namespace: default diff --git a/charts/generic/pod-network-duplication/rbac-psp.yaml b/charts/generic/pod-network-duplication/rbac-psp.yaml new file mode 100644 index 0000000..1284c1e --- /dev/null +++ b/charts/generic/pod-network-duplication/rbac-psp.yaml 
@@ -0,0 +1,42 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-network-duplication-sa + namespace: default + labels: + name: pod-network-duplication-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-network-duplication-sa + namespace: default + labels: + name: pod-network-duplication-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch"] + resources: ["pods","jobs","events","pods/log","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-network-duplication-sa + namespace: default + labels: + name: pod-network-duplication-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-network-duplication-sa +subjects: +- kind: ServiceAccount + name: pod-network-duplication-sa + namespace: default diff --git a/charts/generic/pod-network-latency/rbac-psp.yaml b/charts/generic/pod-network-latency/rbac-psp.yaml new file mode 100644 index 0000000..5e0ac25 --- /dev/null +++ b/charts/generic/pod-network-latency/rbac-psp.yaml 
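Review bot: This file omits the leading `---` document start that every other rbac-psp.yaml in the patch begins with; the pod-network-loss hunk at the end of the patch has the same omission. Adding `---` as the first line keeps the 20 files uniform and lets yamllint's document-start rule pass across the chart tree.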
@@ -0,0 +1,43 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-network-latency-sa + namespace: default + labels: + name: pod-network-latency-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pod-network-latency-sa + namespace: default + labels: + name: pod-network-latency-sa + app.kubernetes.io/part-of: litmus +rules: +- apiGroups: ["","litmuschaos.io","batch"] + resources: ["pods","jobs","pods/log","events","chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete","deletecollection"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pod-network-latency-sa + namespace: default + labels: + name: pod-network-latency-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-network-latency-sa +subjects: +- kind: ServiceAccount + name: pod-network-latency-sa + namespace: default diff --git a/charts/generic/pod-network-loss/rbac-psp.yaml b/charts/generic/pod-network-loss/rbac-psp.yaml new file mode 100644 index 0000000..afdfb00 --- /dev/null +++ b/charts/generic/pod-network-loss/rbac-psp.yaml 
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: pod-network-loss-sa
+ namespace: default
+ labels:
+ name: pod-network-loss-sa
+ app.kubernetes.io/part-of: litmus
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: pod-network-loss-sa
+ namespace: default
+ labels:
+ name: pod-network-loss-sa
+ app.kubernetes.io/part-of: litmus
+rules:
+- apiGroups: ["","litmuschaos.io","batch"]
+ resources: ["pods","jobs","events","pods/log","chaosengines","chaosexperiments","chaosresults"]
+ verbs: ["create","list","get","patch","update","delete","deletecollection"]
+- apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["use"]
+ resourceNames: ["litmus"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pod-network-loss-sa
+ namespace: default
+ labels:
+ name: pod-network-loss-sa
+ app.kubernetes.io/part-of: litmus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: pod-network-loss-sa
+subjects:
+- kind: ServiceAccount
+ name: pod-network-loss-sa
+ namespace: default