From 8e69a7e196e6645183952840a02bf03370cf8c24 Mon Sep 17 00:00:00 2001
From: Udit Gaurav <35391335+uditgaurav@users.noreply.github.com>
Date: Thu, 24 Dec 2020 21:33:08 +0530
Subject: [PATCH] chore(permission): Fix rbac permission for kafka pod delete experiment (#405)

* chore(permission): Fix rbac permission for kafka pod delete experiment
Signed-off-by: udit
* update permission for cassandra experiment
Signed-off-by: udit
* add default annotation check to false
Signed-off-by: udit
---
 .../cassandra/cassandra-pod-delete/engine.yaml | 2 +-
 charts/cassandra/cassandra-pod-delete/rbac.yaml | 15 ++++++++++++---
 .../kafka/kafka-broker-pod-failure/engine.yaml | 2 +-
 charts/kafka/kafka-broker-pod-failure/rbac.yaml | 17 ++++++++++++++---
 4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/charts/cassandra/cassandra-pod-delete/engine.yaml b/charts/cassandra/cassandra-pod-delete/engine.yaml
index 7890399..e3fd7a2 100644
--- a/charts/cassandra/cassandra-pod-delete/engine.yaml
+++ b/charts/cassandra/cassandra-pod-delete/engine.yaml
@@ -9,7 +9,7 @@ spec:
 applabel: 'app=cassandra'
 appkind: 'statefulset'
 # It can be true/false
- annotationCheck: 'true'
+ annotationCheck: 'false'
 # It can be active/stop
 engineState: 'active'
 #ex. values: ns1:name=percona,ns2:run=nginx
diff --git a/charts/cassandra/cassandra-pod-delete/rbac.yaml b/charts/cassandra/cassandra-pod-delete/rbac.yaml
index 23b9188..af79919 100644
--- a/charts/cassandra/cassandra-pod-delete/rbac.yaml
+++ b/charts/cassandra/cassandra-pod-delete/rbac.yaml
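Review bot: In charts/cassandra/cassandra-pod-delete/engine.yaml the default `annotationCheck` flips to `'false'`, but the only comment on it is still `# It can be true/false`, which does not tell a user that the engine will no longer require the target workload to carry the chaos opt-in annotation. With the check off, target selection in this file rests on `applabel: 'app=cassandra'` and `appkind: 'statefulset'` alone, so any workload matching them becomes eligible for pod deletion. I would replace the comment with something like `# 'false' skips the opt-in annotation check on the target; set 'true' to limit chaos to annotated workloads`. The same default flip and the same comment apply to the hunk in charts/kafka/kafka-broker-pod-failure/engine.yaml.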
@@ -17,9 +17,18 @@ metadata:
 name: cassandra-pod-delete-sa
 app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: ["","litmuschaos.io","batch","apps"]
- resources: ["pods","deployments","statefulsets","services","pods/log","pods/exec","events","jobs","chaosengines","chaosexperiments","chaosresults"]
- verbs: ["create","list","get","patch","update","delete", "deletecollection"]
+- apiGroups: [""]
+ resources: ["pods","pods/exec","pods/log","events","services"]
+ verbs: ["create","list","get","patch","update","delete","deletecollection"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create","list","get","delete","deletecollection"]
+- apiGroups: ["apps"]
+ resources: ["deployments","statefulsets"]
+ verbs: ["list","get"]
+- apiGroups: ["litmuschaos.io"]
+ resources: ["chaosengines","chaosexperiments","chaosresults"]
+ verbs: ["create","list","get","patch","update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/charts/kafka/kafka-broker-pod-failure/engine.yaml b/charts/kafka/kafka-broker-pod-failure/engine.yaml
index caa7c19..d3932e8 100644
--- a/charts/kafka/kafka-broker-pod-failure/engine.yaml
+++ b/charts/kafka/kafka-broker-pod-failure/engine.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: default
 spec:
 # It can be true/false
- annotationCheck: 'true'
+ annotationCheck: 'false'
 # It can be active/stop
 engineState: 'active'
 #ex. values: ns1:name=percona,ns2:run=nginx
diff --git a/charts/kafka/kafka-broker-pod-failure/rbac.yaml b/charts/kafka/kafka-broker-pod-failure/rbac.yaml
index cf78684..adef1dc 100644
--- a/charts/kafka/kafka-broker-pod-failure/rbac.yaml
+++ b/charts/kafka/kafka-broker-pod-failure/rbac.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
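Review bot: The new core-group rule in charts/cassandra/cassandra-pod-delete/rbac.yaml still gives `pods/exec` and `pods/log` the full verb list, because RBAC applies every verb in a rule to every resource named in it. Exec into a pod is authorised by `create` (and `get`) on `pods/exec` and log reads by `get` on `pods/log`, so `patch`, `update`, `delete` and `deletecollection` on those subresources add nothing, and grouping them with `pods` hides that exec is the most sensitive grant in this role. Splitting the subresources into their own rules keeps the role auditable per resource; the second rbac.yaml hunk for kafka-broker-pod-failure has the same grouping. Separately, the `apps` rule drops the `create`/`patch`/`delete` verbs on deployments that the removed rule allowed, which is a good tightening only if the experiment never creates its own Deployment; that is worth confirming, since the experiment code is not in this patch. The `kind:` line of this role is outside the hunk.

```yaml
# … unchanged: metadata and the `rules:` key …
- apiGroups: [""]
  resources: ["pods","events","services"]
  verbs: ["create","list","get","patch","update","delete","deletecollection"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","get"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list"]
# … unchanged: batch, apps and litmuschaos.io rules …
```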
@@ -15,9 +16,18 @@ metadata:
 name: kafka-broker-pod-failure-sa
 app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: ["","litmuschaos.io","batch","apps"]
- resources: ["pods","deployments","pods/log","events","jobs","pods/exec","statefulsets","configmaps","chaosengines","chaosexperiments","chaosresults"]
- verbs: ["create","list","get","patch","delete"]
+- apiGroups: [""]
+ resources: ["pods","pods/exec","pods/log","events"]
+ verbs: ["create","list","get","patch","update","delete","deletecollection"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create","list","get","delete","deletecollection"]
+- apiGroups: ["apps"]
+ resources: ["deployments","statefulsets"]
+ verbs: ["list","get"]
+- apiGroups: ["litmuschaos.io"]
+ resources: ["chaosengines","chaosexperiments","chaosresults"]
+ verbs: ["create","list","get","patch","update"]
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get","list"]
@@ -37,3 +47,4 @@ subjects:
 - kind: ServiceAccount
 name: kafka-broker-pod-failure-sa
 namespace: default
+
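Review bot: `configmaps` was in the removed rule of charts/kafka/kafka-broker-pod-failure/rbac.yaml and appears in none of the replacement rules, so the service account loses all ConfigMap access with this hunk. If that is intentional the commit message should say so; if the experiment still reads them, add a rule scoped to what it needs, for example `- apiGroups: [""]` / `resources: ["configmaps"]` / `verbs: ["get","list"]`. The core rule also newly grants `update` and `deletecollection`, which the removed rule did not, so a short comment above it naming the experiment step that needs `deletecollection` on pods would help the next reviewer. The unchanged `nodes` rule below suggests this is a cluster-scoped role (its `kind:` line is outside the hunk), which would make the breadth of the pod verbs matter more.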