diff --git a/charts/aws-ssm/aws-ssm-chaos-by-id/experiment.yaml b/charts/aws-ssm/aws-ssm-chaos-by-id/experiment.yaml index 1e8a13d..d8f5179 100644 --- a/charts/aws-ssm/aws-ssm-chaos-by-id/experiment.yaml +++ b/charts/aws-ssm/aws-ssm-chaos-by-id/experiment.yaml @@ -14,28 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "configmaps" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: 
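Review bot: The new `secrets`/`configmaps` rule still grants `get` and `list` on Secrets under `scope: Cluster`, so the experiment's service account can read every Secret in every namespace, and `list` alone returns the full secret data. The removed rule was broader, so this is an improvement, but the comment gives the purpose only as mounting a specified secret into the experiment pod. If that is the only use, give secrets their own rule, `resources: ["secrets"]` / `verbs: ["get"]` / `resourceNames: ["<experiment-secret-name>"]` (placeholder name), and keep `list` on `configmaps` only. The same rule is repeated in the other aws-ssm, azure and gcp experiment.yaml and rbac.yaml hunks of this diff.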
diff --git a/charts/aws-ssm/aws-ssm-chaos-by-id/rbac.yaml b/charts/aws-ssm/aws-ssm-chaos-by-id/rbac.yaml index cea6238..72db75e 100644 --- a/charts/aws-ssm/aws-ssm-chaos-by-id/rbac.yaml +++ b/charts/aws-ssm/aws-ssm-chaos-by-id/rbac.yaml @@ -16,18 +16,34 @@ metadata: name: aws-ssm-chaos-by-id-sa app.kubernetes.io/part-of: litmus rules: +# Create and monitor the experiment & helper pods - apiGroups: [""] - resources: ["pods","events","secrets","configmaps"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] +# Performs CRUD operations on the events inside chaosengine and chaosresult - apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] + resources: ["events"] + verbs: ["create","get","list","patch","update"] +# Fetch configmaps & secrets details and mount it to the experiment pod (if specified) +- apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] +# Track and get the runner, experiment, and helper pods log +- apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] +# for creating and managing to execute comands inside target container +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] +# for configuring and monitor the experiment job by the chaos-runner pod - apiGroups: ["batch"] resources: ["jobs"] verbs: ["create","list","get","delete","deletecollection"] +# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: ["litmuschaos.io"] resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
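Review bot: Two verbs in this hunk are wider than the rules they replace. `watch` is new on `pods/log`, and `delete` is new on `chaosengines`, `chaosexperiments` and `chaosresults`, where the removed line stopped at `update`. The trailing context shows `kind: ClusterRoleBinding`, so if this role is what it binds, the service account can delete chaos resources in any namespace; the role's own header is above the hunk and not visible here. If the experiment only deletes some of these resources, put `delete` in a separate rule for those and leave the rest at `verbs: ["create","list","get","patch","update"]`. The same two additions appear in the other rbac.yaml hunks of this diff.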
diff --git a/charts/aws-ssm/aws-ssm-chaos-by-tag/experiment.yaml b/charts/aws-ssm/aws-ssm-chaos-by-tag/experiment.yaml index 42bd36e..12130bd 100644 --- a/charts/aws-ssm/aws-ssm-chaos-by-tag/experiment.yaml +++ b/charts/aws-ssm/aws-ssm-chaos-by-tag/experiment.yaml @@ -14,28 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "configmaps" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: 
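Review bot: The secrets/configmaps rule is written `verbs: ["get","list",]` with a trailing comma inside the flow sequence. YAML accepts it, but it reads like a dropped verb in a permissions list and some linters and stricter tooling reject it; `verbs: ["get","list"]` is unambiguous. The comment over the `pods/exec` rule also has a typo and is hard to parse; something like `# for executing commands inside the target container` says the same thing. Both are copied into every experiment.yaml and rbac.yaml hunk in this diff.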
diff --git a/charts/aws-ssm/aws-ssm-chaos-by-tag/rbac.yaml b/charts/aws-ssm/aws-ssm-chaos-by-tag/rbac.yaml index 56b3ca5..473d902 100644 --- a/charts/aws-ssm/aws-ssm-chaos-by-tag/rbac.yaml +++ b/charts/aws-ssm/aws-ssm-chaos-by-tag/rbac.yaml @@ -16,18 +16,34 @@ metadata: name: aws-ssm-chaos-by-tag-sa app.kubernetes.io/part-of: litmus rules: +# Create and monitor the experiment & helper pods - apiGroups: [""] - resources: ["pods","events","secrets","configmaps"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] +# Performs CRUD operations on the events inside chaosengine and chaosresult - apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] + resources: ["events"] + verbs: ["create","get","list","patch","update"] +# Fetch configmaps & secrets details and mount it to the experiment pod (if specified) +- apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] +# Track and get the runner, experiment, and helper pods log +- apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] +# for creating and managing to execute comands inside target container +- apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] +# for configuring and monitor the experiment job by the chaos-runner pod - apiGroups: ["batch"] resources: ["jobs"] verbs: ["create","list","get","delete","deletecollection"] +# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: ["litmuschaos.io"] resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
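Review bot: The `pods/exec` rule keeps `list` (`verbs: ["get","list","create"]`), carried over from the removed combined `pods/exec`/`pods/log` rule. As far as I know the exec subresource has no collection endpoint, so `list` grants nothing there and `verbs: ["get","create"]` would state the real grant. Separately, this experiment targets instances through AWS SSM rather than a container in the cluster, so it is worth confirming that `pods/exec` is needed at all; if not, dropping the rule removes command execution in arbitrary pods from a role followed here by a `ClusterRoleBinding`. The same rule appears in the other cloud-provider hunks (aws-ssm, azure, gcp) of this diff.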
diff --git a/charts/azure/azure-disk-loss/experiment.yaml b/charts/azure/azure-disk-loss/experiment.yaml index 181ff8b..0b25921 100644 --- a/charts/azure/azure-disk-loss/experiment.yaml +++ b/charts/azure/azure-disk-loss/experiment.yaml @@ -14,31 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "events" - - "deployments" - - "replicasets" - - "pods/exec" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - - "secrets" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: 
diff --git a/charts/azure/azure-disk-loss/rbac.yaml b/charts/azure/azure-disk-loss/rbac.yaml index 78dc2b2..0e91994 100644 --- a/charts/azure/azure-disk-loss/rbac.yaml +++ b/charts/azure/azure-disk-loss/rbac.yaml @@ -17,18 +17,34 @@ metadata: name: azure-disk-loss-sa app.kubernetes.io/part-of: litmus rules: + # Create and monitor the experiment & helper pods - apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult - apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod - apiGroups: ["batch"] resources: ["jobs"] verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: ["litmuschaos.io"] resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/azure/azure-instance-stop/experiment.yaml b/charts/azure/azure-instance-stop/experiment.yaml index 361ef55..3bdc037 100644 
--- a/charts/azure/azure-instance-stop/experiment.yaml +++ b/charts/azure/azure-instance-stop/experiment.yaml @@ -14,27 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/azure/azure-instance-stop/rbac.yaml b/charts/azure/azure-instance-stop/rbac.yaml index f3fcba6..323e2f3 100644 --- a/charts/azure/azure-instance-stop/rbac.yaml 
+++ b/charts/azure/azure-instance-stop/rbac.yaml @@ -16,18 +16,34 @@ metadata: name: azure-instance-stop-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
diff --git a/charts/cassandra/cassandra-pod-delete/experiment.yaml b/charts/cassandra/cassandra-pod-delete/experiment.yaml index 34c2791..f400435 100644 --- a/charts/cassandra/cassandra-pod-delete/experiment.yaml +++ b/charts/cassandra/cassandra-pod-delete/experiment.yaml 
@@ -14,31 +14,42 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "apps" - - "batch" - - "litmuschaos.io" - resources: - - "deployments" - - "statefulsets" - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "services" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Create and manage the liveness and target application services + - apiGroups: [""] + resources: ["services"] + verbs: ["create","delete","get","list", "deletecollection"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for deriving the parent/owner details of the pod + - apiGroups: ["apps"] + resources: ["deployments","statefulsets"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: 
["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/cassandra/cassandra-pod-delete/rbac.yaml b/charts/cassandra/cassandra-pod-delete/rbac.yaml index a15bd8e..7295950 100644 --- a/charts/cassandra/cassandra-pod-delete/rbac.yaml +++ b/charts/cassandra/cassandra-pod-delete/rbac.yaml 
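Review bot: This hunk adds read access to Secrets that cassandra-pod-delete did not have before. The removed resource list contains no `secrets` or `configmaps` entry, while the new rule grants `get` and `list` on both. That looks like a side effect of pasting the shared rule set rather than a requirement of this experiment. The container-kill hunks in this diff use `resources: ["configmaps"]` for the same rule, and doing the same here would avoid the new grant unless the experiment really mounts a secret. The cassandra-pod-delete rbac.yaml hunk that follows makes the same addition to the `cassandra-pod-delete-sa` role, where the removed rule listed only `pods`, `events` and `services`.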
@@ -17,21 +17,42 @@ metadata: name: cassandra-pod-delete-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","services"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Create and manage the liveness and target application services + - apiGroups: [""] + resources: ["services"] + verbs: ["create","delete","get","list", "deletecollection"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for deriving the parent/owner details of the pod + - apiGroups: ["apps"] + resources: ["deployments","statefulsets"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for 
creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/gcp/gcp-vm-disk-loss/experiment.yaml b/charts/gcp/gcp-vm-disk-loss/experiment.yaml index d6e0a29..18cfafb 100644 --- a/charts/gcp/gcp-vm-disk-loss/experiment.yaml +++ b/charts/gcp/gcp-vm-disk-loss/experiment.yaml 
@@ -14,28 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "events" - - "secrets" - - "pods/exec" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/gcp/gcp-vm-disk-loss/rbac.yaml b/charts/gcp/gcp-vm-disk-loss/rbac.yaml index 286fe0e..27c2072 100644 --- a/charts/gcp/gcp-vm-disk-loss/rbac.yaml +++ b/charts/gcp/gcp-vm-disk-loss/rbac.yaml 
@@ -16,18 +16,34 @@ metadata: name: gcp-vm-disk-loss-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
diff --git a/charts/gcp/gcp-vm-instance-stop/experiment.yaml b/charts/gcp/gcp-vm-instance-stop/experiment.yaml index 791c989..781ad1c 100644 --- a/charts/gcp/gcp-vm-instance-stop/experiment.yaml +++ b/charts/gcp/gcp-vm-instance-stop/experiment.yaml 
@@ -14,29 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "events" - - "secrets" - - "pods/exec" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - - "nodes" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/gcp/gcp-vm-instance-stop/rbac.yaml b/charts/gcp/gcp-vm-instance-stop/rbac.yaml index 7a567b8..0592ea9 100644 --- a/charts/gcp/gcp-vm-instance-stop/rbac.yaml 
+++ b/charts/gcp/gcp-vm-instance-stop/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: gcp-vm-instance-stop-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + 
verbs: ["get","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/container-kill/experiment.yaml b/charts/generic/container-kill/experiment.yaml index 8ddc219..b3f115e 100644 --- a/charts/generic/container-kill/experiment.yaml +++ b/charts/generic/container-kill/experiment.yaml 
@@ -13,37 +13,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "apps" - - "batch" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "events" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "update" - - "patch" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/container-kill/rbac-psp.yaml b/charts/generic/container-kill/rbac-psp.yaml index a002478..12de772 100644 --- a/charts/generic/container-kill/rbac-psp.yaml +++ b/charts/generic/container-kill/rbac-psp.yaml 
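Review bot: The comment above the `replicationcontrollers` rule is a verbatim copy of the one above `deploymentconfigs` ("if parent is deploymentConfig"), so it does not say why the core-group resource is needed. If the intent is that a deploymentConfig's pods are owned by a replicationcontroller, say so, for example `# deriving the parent/owner details of the pod (replicationcontroller created by a deploymentConfig)`. The comment on the `apps` rule names deployment, statefulset and daemonsets but the rule also lists `replicasets`; add it to the comment so the stated purpose matches the grant. Both comments are repeated in the container-kill rbac-psp.yaml hunk.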
@@ -17,31 +17,55 @@ metadata: name: container-kill-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/container-kill/rbac.yaml b/charts/generic/container-kill/rbac.yaml index cb579e9..ccea310 100644 --- a/charts/generic/container-kill/rbac.yaml +++ b/charts/generic/container-kill/rbac.yaml 
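Review bot: The configmaps rule is written `verbs: ["get","list",]`, with a trailing comma inside the flow sequence. YAML accepts it, but it is the only list in the rule set written that way and some linters flag it; `verbs: ["get","list"]` matches the neighbouring rules. The pods rule has a similar inconsistency in `"update", "deletecollection"`, where one separator carries a space and the others do not. Both recur in every rules block this commit touches, so one pass over all the files would fix them together.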
@@ -17,27 +17,50 @@ metadata: name: container-kill-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/container-kill/rbac_nginx_getstarted.yaml b/charts/generic/container-kill/rbac_nginx_getstarted.yaml index c9985c2..461b164 100644 --- a/charts/generic/container-kill/rbac_nginx_getstarted.yaml +++ b/charts/generic/container-kill/rbac_nginx_getstarted.yaml 
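Review bot: The comment above the `replicationcontrollers` rule repeats the deploymentConfig wording of the rule before it, so it does not say why replication controllers are read. If the intent is owner lookup, `# deriving the parent/owner details of the pod (if parent is a replicationController, e.g. one created by a deploymentConfig)` would be accurate. The exec comment has a typo and is hard to parse: `# for creating and managing to execute comands inside target container` could become `# exec into the target container to run commands`. These comments are the only record of why each permission exists, and the same text is copied into every rules block in this commit.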
@@ -15,27 +15,50 @@ metadata: labels: name: container-kill-sa rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + 
resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/disk-fill/experiment.yaml b/charts/generic/disk-fill/experiment.yaml index 7ce49ee..493ab77 100644 --- a/charts/generic/disk-fill/experiment.yaml +++ b/charts/generic/disk-fill/experiment.yaml 
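Review bot: The `pods/log` rule lists `["get","list","watch"]`, and `watch` is new here: the removed rule covering `pods/log` had `list`, `get` and `create`. Reading or following a pod's log is a GET on the subresource, so as far as I can tell `get` alone covers what the comment describes and `list`/`watch` grant nothing useful. `verbs: ["get"]` would keep the rule aligned with its comment and makes the grant easier to audit. The same rule appears in the other rules blocks in this commit.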
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "apps" - - "batch" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/exec" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/disk-fill/rbac-psp.yaml b/charts/generic/disk-fill/rbac-psp.yaml index 3e56296..e7aa880 100644 --- a/charts/generic/disk-fill/rbac-psp.yaml +++ b/charts/generic/disk-fill/rbac-psp.yaml 
@@ -17,31 +17,55 @@ metadata: name: disk-fill-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/disk-fill/rbac.yaml b/charts/generic/disk-fill/rbac.yaml index 116e10a..37a9d9a 100644 --- a/charts/generic/disk-fill/rbac.yaml +++ b/charts/generic/disk-fill/rbac.yaml 
@@ -17,27 +17,50 @@ metadata: name: disk-fill-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/docker-service-kill/experiment.yaml b/charts/generic/docker-service-kill/experiment.yaml index 29a6701..056f9a6 100644 --- a/charts/generic/docker-service-kill/experiment.yaml +++ b/charts/generic/docker-service-kill/experiment.yaml 
@@ -14,33 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/docker-service-kill/rbac-psp.yaml b/charts/generic/docker-service-kill/rbac-psp.yaml new file mode 100644 index 0000000..cc1c8a9 --- /dev/null 
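Review bot: Splitting the rules here also adds cluster-scoped permissions the removed block did not have: a `pods/exec` rule (the old resources list had `pods/log` but no `pods/exec`) and `deletecollection` on pods and jobs. With `scope: Cluster` this allows exec into, and bulk deletion of, pods in any namespace. If docker-service-kill does not exec into a target container (the experiment code is not part of this diff, so this needs checking), drop the `pods/exec` rule and keep the pods verbs at `["create","delete","get","list","patch","update"]`. The same additions appear in this experiment's `rbac.yaml` hunk and in the new `rbac-psp.yaml`.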
+++ b/charts/generic/docker-service-kill/rbac-psp.yaml 
@@ -0,0 +1,71 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: docker-service-kill-sa + namespace: default + labels: + name: docker-service-kill-sa + app.kubernetes.io/part-of: litmus +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: docker-service-kill-sa + labels: + name: docker-service-kill-sa + app.kubernetes.io/part-of: litmus +rules: + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: docker-service-kill-sa + labels: + name: 
docker-service-kill-sa + app.kubernetes.io/part-of: litmus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: docker-service-kill-sa +subjects: +- kind: ServiceAccount + name: docker-service-kill-sa + namespace: default diff --git a/charts/generic/docker-service-kill/rbac.yaml b/charts/generic/docker-service-kill/rbac.yaml index 56df087..1972a97 100644 --- a/charts/generic/docker-service-kill/rbac.yaml +++ b/charts/generic/docker-service-kill/rbac.yaml 
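Review bot: The `podsecuritypolicies` `use` rule in this new file relies on PodSecurityPolicy, which was removed in Kubernetes 1.25, so on current clusters the rule has no effect. A comment such as `# PodSecurityPolicy only exists before Kubernetes 1.25; on newer clusters apply rbac.yaml instead` would tell users which manifest to pick. Separately, the ServiceAccount and the ClusterRoleBinding subject hard-code `namespace: default`, which ties a cluster-wide role to a namespace that often holds unrelated workloads. A comment telling users to change it to the namespace where the experiment runs would help.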
@@ -16,12 +16,38 @@ metadata: name: docker-service-kill-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: ["","litmuschaos.io","batch","apps"] - resources: ["pods","jobs","pods/log","events","chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update","delete"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/kubelet-service-kill/experiment.yaml b/charts/generic/kubelet-service-kill/experiment.yaml index e9b83f0..5f86d74 100644 --- a/charts/generic/kubelet-service-kill/experiment.yaml 
+++ b/charts/generic/kubelet-service-kill/experiment.yaml @@ -14,34 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: 
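Review bot: The new `configmaps` rule grants `get` and `list` in a `scope: Cluster` experiment, so the service account can read every ConfigMap in every namespace, which the removed block did not allow. If the runner only looks up ConfigMaps that are named in the ChaosEngine (the comment suggests this, but the code is not shown), `verbs: ["get"]` is enough and avoids bulk enumeration. The same rule is added in this experiment's `rbac-psp.yaml` and `rbac.yaml` hunks and in the docker-service-kill ones.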
diff --git a/charts/generic/kubelet-service-kill/rbac-psp.yaml b/charts/generic/kubelet-service-kill/rbac-psp.yaml
index 9d8afed..fb2dac3 100644
--- a/charts/generic/kubelet-service-kill/rbac-psp.yaml
+++ b/charts/generic/kubelet-service-kill/rbac-psp.yaml
@@ -16,25 +16,43 @@ metadata: name: kubelet-service-kill-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to 
perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/kubelet-service-kill/rbac.yaml b/charts/generic/kubelet-service-kill/rbac.yaml index 05806d1..4840f37 100644 --- a/charts/generic/kubelet-service-kill/rbac.yaml +++ b/charts/generic/kubelet-service-kill/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: kubelet-service-kill-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] --- 
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-cpu-hog/experiment.yaml b/charts/generic/node-cpu-hog/experiment.yaml index be01225..53752a7 100644 --- a/charts/generic/node-cpu-hog/experiment.yaml +++ b/charts/generic/node-cpu-hog/experiment.yaml 
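Review bot: The `configmaps` rule is a permission this role did not have before. The removed rules cover only pods, events, the pod subresources, jobs, the litmus CRDs and nodes, so this hunk adds `get`/`list` on ConfigMaps (and `delete` on the litmuschaos.io resources) rather than trimming, presumably cluster-wide given the ClusterRoleBinding that follows. If the runner only looks up ConfigMaps named in the ChaosEngine, `verbs: ["get"]` would cover it; that is inferred from the comment, since the consuming code is not in the diff. The trailing comma in `["get","list",]` parses but reads like a truncated list. The same rule is added in the other rbac.yaml, rbac-psp.yaml and experiment.yaml hunks here.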
@@ -14,34 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/node-cpu-hog/rbac-psp.yaml b/charts/generic/node-cpu-hog/rbac-psp.yaml index 7b9132a..4ae8ce7 100644 
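Review bot: The `pods/exec` rule with `create` under `scope: Cluster` allows the experiment's service account to run commands in any pod in the cluster. The comment justifies it by a "target container", although node-cpu-hog, going by its name, targets a node rather than a container. If the experiment never execs into a pod, the rule can be dropped here and in the node-io-stress, node-memory-hog and kubelet-service-kill hunks; if it does, the comment should name the pod that is exec'd into. Whether exec is actually used is not visible from the diff and needs checking against the experiment code.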
--- a/charts/generic/node-cpu-hog/rbac-psp.yaml +++ b/charts/generic/node-cpu-hog/rbac-psp.yaml 
@@ -16,25 +16,43 @@ metadata: name: node-cpu-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform 
node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-cpu-hog/rbac.yaml b/charts/generic/node-cpu-hog/rbac.yaml index 03a71cc..40e88cd 100644 --- a/charts/generic/node-cpu-hog/rbac.yaml +++ b/charts/generic/node-cpu-hog/rbac.yaml 
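Review bot: The `# use litmus psp` comment is the only documentation for the `podsecuritypolicies` rule, and it does not say that the rule is version-dependent. PodSecurityPolicy was removed from Kubernetes in v1.25, so on newer clusters the rule grants nothing and this file behaves like the plain rbac.yaml. A comment such as `# allow use of the litmus PodSecurityPolicy (clusters older than v1.25 only)` would save the reader that lookup. The same applies to the other hunks on this page that carry the PSP rule (kubelet-service-kill, node-drain, node-io-stress, node-memory-hog).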
@@ -16,21 +16,38 @@ metadata: name: node-cpu-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-drain/experiment.yaml b/charts/generic/node-drain/experiment.yaml index 4fd373c..8834d1d 100644 --- a/charts/generic/node-drain/experiment.yaml +++ b/charts/generic/node-drain/experiment.yaml 
@@ -15,38 +15,42 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - - "apps" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "daemonsets" - - "pods/eviction" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" - - "patch" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec","pods/eviction"] + verbs: ["get","list","create"] + # ignore daemonsets while draining the node + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list","get","delete"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: 
["get","list","patch"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/node-drain/rbac-psp.yaml b/charts/generic/node-drain/rbac-psp.yaml index e068b13..c1ddf8c 100644 --- a/charts/generic/node-drain/rbac-psp.yaml +++ b/charts/generic/node-drain/rbac-psp.yaml 
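Review bot: `pods/eviction` is grouped with `pods/exec` under a comment about executing commands in a container, which misdescribes it, and it inherits `get` and `list` although an eviction is a single `create`. Splitting it out keeps each rule matched to its reason: `# evict pods from the node being drained`, `resources: ["pods/eviction"]`, `verbs: ["create"]`. The two node-drain rbac hunks that follow use the same grouping.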
@@ -16,28 +16,47 @@ metadata: name: node-drain-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","pods/eviction"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["list","get","delete"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["patch","get","list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec","pods/eviction"] + verbs: ["get","list","create"] + # ignore daemonsets while draining the node + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list","get","delete"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling 
and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list","patch"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-drain/rbac.yaml b/charts/generic/node-drain/rbac.yaml index cc873aa..e16cbd8 100644 --- a/charts/generic/node-drain/rbac.yaml +++ b/charts/generic/node-drain/rbac.yaml 
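Review bot: The `daemonsets` rule is commented `# ignore daemonsets while draining the node` but grants `delete` on DaemonSets, presumably cluster-wide given the ClusterRoleBinding that follows. Skipping DaemonSet-managed pods during a drain only requires reading the owning object, not removing it. Unless the experiment really deletes DaemonSets, `verbs: ["get","list"]` matches what the comment describes. The verb list was carried over from the removed lines, and the same rule appears in the node-drain experiment.yaml and rbac.yaml hunks.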
@@ -16,24 +16,42 @@ metadata: name: node-drain-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","pods/eviction"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["list","get","delete"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["patch","get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec","pods/eviction"] + verbs: ["get","list","create"] + # ignore daemonsets while draining the node + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list","get","delete"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + 
resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list","patch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-io-stress/experiment.yaml b/charts/generic/node-io-stress/experiment.yaml index 89c6426..0e46e7f 100644 --- a/charts/generic/node-io-stress/experiment.yaml +++ b/charts/generic/node-io-stress/experiment.yaml 
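Review bot: The comment `# for experiment to perform node status checks` sits above a rule that also grants `patch` on nodes, which a status check does not need. Presumably the patch is what cordons and uncordons the node during the drain. A comment such as `# read node status and cordon/uncordon the target node (patch)` would explain why node-drain gets more than the `get`/`list` the other node experiments have. The same comment is used in the node-drain experiment.yaml and rbac-psp.yaml hunks.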
@@ -14,34 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/node-io-stress/rbac-psp.yaml b/charts/generic/node-io-stress/rbac-psp.yaml index 2b69551..ab12913 100644 
--- a/charts/generic/node-io-stress/rbac-psp.yaml +++ b/charts/generic/node-io-stress/rbac-psp.yaml 
@@ -16,25 +16,43 @@ metadata: name: node-io-stress-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to 
perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-io-stress/rbac.yaml b/charts/generic/node-io-stress/rbac.yaml index e80ad14..a6858e7 100644 --- a/charts/generic/node-io-stress/rbac.yaml +++ b/charts/generic/node-io-stress/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: node-io-stress-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-memory-hog/experiment.yaml b/charts/generic/node-memory-hog/experiment.yaml index a121453..f5f7b59 100644 --- a/charts/generic/node-memory-hog/experiment.yaml +++ b/charts/generic/node-memory-hog/experiment.yaml 
@@ -14,34 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/node-memory-hog/rbac-psp.yaml b/charts/generic/node-memory-hog/rbac-psp.yaml index 8e3033d..a6002c5 100644 
--- a/charts/generic/node-memory-hog/rbac-psp.yaml +++ b/charts/generic/node-memory-hog/rbac-psp.yaml 
@@ -16,25 +16,43 @@ metadata: name: node-memory-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to 
perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-memory-hog/rbac.yaml b/charts/generic/node-memory-hog/rbac.yaml index bbebc19..74cd3eb 100644 --- a/charts/generic/node-memory-hog/rbac.yaml +++ b/charts/generic/node-memory-hog/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: node-memory-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] --- apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-poweroff/experiment.yaml b/charts/generic/node-poweroff/experiment.yaml index 4e862e4..d598147 100644 --- a/charts/generic/node-poweroff/experiment.yaml +++ b/charts/generic/node-poweroff/experiment.yaml 
@@ -14,35 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - - "secrets" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps","secrets"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: 
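Review bot: The new `secrets` rule still grants `list` next to `get`, and with `scope: Cluster` that lets the experiment's service account read the contents of every Secret in every namespace, since a list response carries the full objects. The commit narrows the verbs from the previous full set, which helps, but the comment only describes fetching secrets named in the experiment; if that is all the code does, `verbs: ["get"]` would do, ideally in a namespaced Role for the chaos namespace rather than the cluster-scoped one. The same rule appears in the rbac-psp.yaml and rbac.yaml hunks for node-poweroff and in all three node-restart hunks. Whether the runner actually lists secrets is not visible here, so this needs a check against the runner code.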
diff --git a/charts/generic/node-poweroff/rbac-psp.yaml b/charts/generic/node-poweroff/rbac-psp.yaml index 7a3b1b0..93abac3 100644 --- a/charts/generic/node-poweroff/rbac-psp.yaml +++ b/charts/generic/node-poweroff/rbac-psp.yaml 
@@ -16,25 +16,43 @@ metadata: name: node-poweroff-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps","secrets"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] 
+ # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-poweroff/rbac.yaml b/charts/generic/node-poweroff/rbac.yaml index 7f9d642..16898df 100644 --- a/charts/generic/node-poweroff/rbac.yaml +++ b/charts/generic/node-poweroff/rbac.yaml 
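Review bot: The `# use litmus psp` comment on the `podsecuritypolicies` rule could say when the rule matters: the PodSecurityPolicy API was removed in Kubernetes 1.25, so on newer clusters this rule is inert and the pod restrictions it relied on must come from another admission control. I would write `# use the "litmus" PodSecurityPolicy (only effective on clusters older than 1.25, where PSP still exists)`. The same rule and comment recur in the node-restart, node-taint, pod-autoscaler and pod-cpu-hog-exec rbac-psp.yaml hunks.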
@@ -16,21 +16,38 @@ metadata: name: node-poweroff-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps","secrets"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: 
["get","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-restart/experiment.yaml b/charts/generic/node-restart/experiment.yaml index d95d7de..f36bf82 100644 --- a/charts/generic/node-restart/experiment.yaml +++ b/charts/generic/node-restart/experiment.yaml 
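Review bot: The `configmaps`/`secrets` rule is written `verbs: ["get","list",]` with a trailing comma inside the flow sequence, which YAML accepts but linters and stricter parsers may flag; `verbs: ["get","list"]` is the plain form. In the same block the `pods` rule has a stray space in `"update", "deletecollection"` while every other list is unspaced, and the `pods/exec` comment misspells "commands" as "comands". All three recur in every hunk on this page, so one search-and-replace pass would cover them.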
@@ -14,35 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - - "secrets" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps","secrets"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: 
diff --git a/charts/generic/node-restart/rbac-psp.yaml b/charts/generic/node-restart/rbac-psp.yaml index 2d2caa6..b21b60b 100644 --- a/charts/generic/node-restart/rbac-psp.yaml +++ b/charts/generic/node-restart/rbac-psp.yaml 
@@ -16,25 +16,43 @@ metadata: name: node-restart-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps","secrets"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] 
+ # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-restart/rbac.yaml b/charts/generic/node-restart/rbac.yaml index 3a844ad..9b48dd1 100644 --- a/charts/generic/node-restart/rbac.yaml +++ b/charts/generic/node-restart/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: node-restart-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps","secrets"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: 
["get","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-taint/experiment.yaml b/charts/generic/node-taint/experiment.yaml index cc11689..6845d02 100644 --- a/charts/generic/node-taint/experiment.yaml +++ b/charts/generic/node-taint/experiment.yaml 
@@ -15,39 +15,42 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "daemonsets" - - "pods/eviction" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" - - "patch" - - "update" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec","pods/eviction"] + verbs: ["get","list","create"] + # ignore daemonsets while draining the node + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list","get","delete"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: 
["get","list","patch","update"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/node-taint/rbac-psp.yaml b/charts/generic/node-taint/rbac-psp.yaml index 0f5726e..1188ec7 100644 --- a/charts/generic/node-taint/rbac-psp.yaml +++ b/charts/generic/node-taint/rbac-psp.yaml 
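Review bot: Two comments in this hunk do not match the rules under them. `pods/eviction` is folded into the rule commented as executing commands inside the target container, and the `nodes` rule is labelled "node status checks" although it grants `patch` and `update`, presumably for applying the taint. I would split eviction into its own rule, `resources: ["pods/eviction"]` with `verbs: ["create"]` under `# evict pods from the tainted node`, and reword the nodes comment to `# for experiment to taint the node and check its status`, so a reader auditing the role sees why write access to nodes is granted. The node-taint rbac-psp.yaml and rbac.yaml hunks carry the same text.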
@@ -16,28 +16,47 @@ metadata: name: node-taint-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","pods/eviction"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["list","get","delete"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["patch","get","list","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec","pods/eviction"] + verbs: ["get","list","create"] + # ignore daemonsets while draining the node + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list","get","delete"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status 
polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list","patch","update"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/node-taint/rbac.yaml b/charts/generic/node-taint/rbac.yaml index 728d905..8981a55 100644 --- a/charts/generic/node-taint/rbac.yaml +++ b/charts/generic/node-taint/rbac.yaml 
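Review bot: The `daemonsets` rule keeps `delete` under the comment `# ignore daemonsets while draining the node`, yet skipping DaemonSet-managed pods during a drain only requires reading the owner, not removing it. With the ClusterRoleBinding in the trailing context, `delete` covers every DaemonSet in the cluster, system ones included. If the experiment never deletes a DaemonSet, `verbs: ["list","get"]` is enough; the hunk does not show the caller, so confirm before trimming. The node-taint experiment.yaml and rbac.yaml hunks have the same rule.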
@@ -16,24 +16,42 @@ metadata: name: node-taint-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","pods/eviction"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - verbs: ["list","get","delete"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["patch","get","list","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec","pods/eviction"] + verbs: ["get","list","create"] + # ignore daemonsets while draining the node + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["list","get","delete"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: 
["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list","patch","update"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/pod-autoscaler/experiment.yaml b/charts/generic/pod-autoscaler/experiment.yaml index 1e26188..3950980 100644 --- a/charts/generic/pod-autoscaler/experiment.yaml +++ b/charts/generic/pod-autoscaler/experiment.yaml 
@@ -14,40 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "pods/exec" - - "deployments" - - "statefulsets" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" - - "create" - - "patch" - - "update" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # performs CRUD operations on the deployments and statefulsets + - apiGroups: ["apps"] + resources: ["deployments","statefulsets"] + verbs: ["list","get","patch","update"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always 
args: diff --git a/charts/generic/pod-autoscaler/rbac-psp.yaml b/charts/generic/pod-autoscaler/rbac-psp.yaml index c7f6665..49a03ac 100644 --- a/charts/generic/pod-autoscaler/rbac-psp.yaml +++ b/charts/generic/pod-autoscaler/rbac-psp.yaml 
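Review bot: The comment `# performs CRUD operations on the deployments and statefulsets` overstates the rule beneath it, which grants only `list`, `get`, `patch` and `update`, with no create or delete. A comment that matches the verbs, for example `# read and scale the target deployments and statefulsets` (assuming scaling is what `patch`/`update` are for), keeps the documented intent and the granted permissions in step for whoever audits this role later. The pod-autoscaler rbac-psp.yaml and rbac.yaml hunks repeat the same comment.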
@@ -16,25 +16,43 @@ metadata: name: pod-autoscaler-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets"] - verbs: ["list","get","patch","update"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # performs CRUD operations on the deployments and statefulsets + - apiGroups: ["apps"] + resources: ["deployments","statefulsets"] + verbs: ["list","get","patch","update"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos 
resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/pod-autoscaler/rbac.yaml b/charts/generic/pod-autoscaler/rbac.yaml index f185b4f..19114f1 100644 --- a/charts/generic/pod-autoscaler/rbac.yaml +++ b/charts/generic/pod-autoscaler/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: pod-autoscaler-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets"] - verbs: ["list","get","patch","update"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # performs CRUD operations on the deployments and statefulsets + - apiGroups: ["apps"] + resources: ["deployments","statefulsets"] + verbs: ["list","get","patch","update"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: 
["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/generic/pod-cpu-hog-exec/experiment.yaml b/charts/generic/pod-cpu-hog-exec/experiment.yaml index 82148bb..7335eaf 100644 --- a/charts/generic/pod-cpu-hog-exec/experiment.yaml +++ b/charts/generic/pod-cpu-hog-exec/experiment.yaml 
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "events" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/generic/pod-cpu-hog-exec/rbac-psp.yaml b/charts/generic/pod-cpu-hog-exec/rbac-psp.yaml index 0a9ae54..f1733be 100644 --- a/charts/generic/pod-cpu-hog-exec/rbac-psp.yaml +++ b/charts/generic/pod-cpu-hog-exec/rbac-psp.yaml 
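Review bot: The comment above the `replicationcontrollers` rule is a copy of the one above `deploymentconfigs` (`if parent is deploymentConfig`), so it does not say why the core-group resource is read. Something like `# deriving the parent/owner details of the pod (if parent is a replicationcontroller, as created by a deploymentConfig)` would; the `apps` comment also reads better as `(if parent is any of {deployment, statefulset, daemonset, replicaset})`, since `replicasets` is in the resource list but missing from the comment. The pod-cpu-hog-exec rbac-psp.yaml hunk repeats both comments.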
@@ -17,31 +17,55 @@ metadata: name: pod-cpu-hog-exec-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-cpu-hog-exec/rbac.yaml b/charts/generic/pod-cpu-hog-exec/rbac.yaml index 7f84c71..9e80151 100644 --- a/charts/generic/pod-cpu-hog-exec/rbac.yaml +++ b/charts/generic/pod-cpu-hog-exec/rbac.yaml 
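Review bot: The added `# use litmus psp` comment restates the rule without saying what it depends on. The grant only has an effect where the PodSecurityPolicy admission controller is enabled and a policy named `litmus` exists. PodSecurityPolicy was removed in Kubernetes 1.25, so on newer clusters the rule is inert and pod restrictions have to come from another control. I would write `# lets subjects bound to this role use the PSP named "litmus" (PSP-enabled clusters only; the API was removed in Kubernetes 1.25)`. The same comment is added in the rbac-psp.yaml hunks for pod-cpu-hog, pod-delete and pod-dns-error.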
@@ -17,27 +17,50 @@ metadata: name: pod-cpu-hog-exec-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-cpu-hog/experiment.yaml b/charts/generic/pod-cpu-hog/experiment.yaml index ff302ed..68cff4f 100644 --- a/charts/generic/pod-cpu-hog/experiment.yaml +++ b/charts/generic/pod-cpu-hog/experiment.yaml 
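Review bot: The `litmuschaos.io` rule gains `delete` here, so this part of the change widens the role rather than narrowing it: the removed rule was `["create","list","get","patch","update"]` and the added one ends in `"delete"`. Whatever is bound to this role can then delete any chaosengine, chaosexperiment or chaosresult in the namespace. If deletion is only needed for some of these resources (not visible from the hunk), keep `verbs: ["create","list","get","patch","update"]` on the shared rule and add a second rule carrying `delete` for just that resource. The same widening is in the pod-cpu-hog-exec/rbac-psp.yaml hunk before this one, in the rbac.yaml and rbac-psp.yaml hunks for pod-cpu-hog and pod-delete, in pod-delete/rbac_nginx_getstarted.yaml and in pod-dns-error/rbac-psp.yaml.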
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "events" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/generic/pod-cpu-hog/rbac-psp.yaml b/charts/generic/pod-cpu-hog/rbac-psp.yaml index a262084..8952968 100644 --- a/charts/generic/pod-cpu-hog/rbac-psp.yaml +++ b/charts/generic/pod-cpu-hog/rbac-psp.yaml 
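Review bot: The `pods/exec` rule with `create` is the most sensitive grant in this list, because it allows running commands in any pod in the namespace, and it is carried over here even though the diff also contains a separate pod-cpu-hog-exec chart. If this variant never execs into the target container (I cannot tell from the hunk, and probes may still need it), the rule `resources: ["pods/exec"]` / `verbs: ["get","list","create"]` should be dropped from this experiment. If it is needed, the comment should say which component issues the exec. The same question applies to the pod-cpu-hog rbac.yaml and rbac-psp.yaml hunks and to the pod-delete and pod-dns-error hunks.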
@@ -17,31 +17,55 @@ metadata: name: pod-cpu-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-cpu-hog/rbac.yaml b/charts/generic/pod-cpu-hog/rbac.yaml index 61897a3..f045de3 100644 --- a/charts/generic/pod-cpu-hog/rbac.yaml +++ b/charts/generic/pod-cpu-hog/rbac.yaml 
@@ -17,27 +17,50 @@ metadata: name: pod-cpu-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-delete/experiment.yaml b/charts/generic/pod-delete/experiment.yaml index 7b82e76..c8915c3 100644 --- a/charts/generic/pod-delete/experiment.yaml +++ b/charts/generic/pod-delete/experiment.yaml 
@@ -14,38 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "batch" - - "litmuschaos.io" - resources: - - "deployments" - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is 
argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/pod-delete/rbac-psp.yaml b/charts/generic/pod-delete/rbac-psp.yaml index 5272426..e494e6b 100644 --- a/charts/generic/pod-delete/rbac-psp.yaml +++ b/charts/generic/pod-delete/rbac-psp.yaml 
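Review bot: In the `pods/log` rule, `list` and the newly added `watch` do not, as far as I know, authorize anything, since reading or following a pod's log is a `get` on the `pods/log` subresource. Verbs that never match make a least-privilege list harder to audit, and `watch` is an addition over the verbs this commit removes. I would reduce the rule to `verbs: ["get"]` unless a client in the runner is known to issue list or watch against that subresource. The `list` verb on `pods/exec` in the next rule deserves the same check. The same lines appear in every hunk of this diff that adds this rule list.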
@@ -17,31 +17,55 @@ metadata: name: pod-delete-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-delete/rbac.yaml b/charts/generic/pod-delete/rbac.yaml index 350173d..a3f4f5c 100644 --- a/charts/generic/pod-delete/rbac.yaml +++ b/charts/generic/pod-delete/rbac.yaml 
@@ -17,27 +17,50 @@ metadata: name: pod-delete-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-delete/rbac_nginx_getstarted.yaml b/charts/generic/pod-delete/rbac_nginx_getstarted.yaml index efcc5cf..5ff2c83 100644 --- a/charts/generic/pod-delete/rbac_nginx_getstarted.yaml +++ b/charts/generic/pod-delete/rbac_nginx_getstarted.yaml 
@@ -15,27 +15,50 @@ metadata: labels: name: pod-delete-sa rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + 
resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-dns-error/experiment.yaml b/charts/generic/pod-dns-error/experiment.yaml index 02cc9e4..078c5c1 100644 --- a/charts/generic/pod-dns-error/experiment.yaml +++ b/charts/generic/pod-dns-error/experiment.yaml 
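Review bot: `verbs: ["get","list",]` in the `configmaps` rule ends with a dangling comma. YAML flow sequences accept it, but in a permission list it reads as if a verb was dropped, and judging by its name this file is the getting-started manifest users are most likely to copy. Write `verbs: ["get","list"]`. The entries `"update", "deletecollection"` and `"replicasets", "daemonsets"` also carry a space after the comma that the other entries lack. The same lines appear in every other hunk of this diff.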
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" args: - -c diff --git a/charts/generic/pod-dns-error/rbac-psp.yaml b/charts/generic/pod-dns-error/rbac-psp.yaml index 7265de2..1e8bbfd 100644 --- a/charts/generic/pod-dns-error/rbac-psp.yaml +++ b/charts/generic/pod-dns-error/rbac-psp.yaml 
@@ -17,28 +17,51 @@ metadata: name: pod-dns-error-sa app.kubernetes.io/part-of: litmus rules: + # Create and monitor the experiment & helper pods - apiGroups: [""] - resources: ["pods", "events"] - verbs: - ["create", "list", "get", "patch", "update", "delete", "deletecollection"] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult - apiGroups: [""] - resources: ["pods/exec", "pods/log", "replicationcontrollers"] - verbs: ["create", "list", "get"] - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create", "list", "get", "delete", "deletecollection"] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) - apiGroups: ["apps"] - resources: ["deployments", "statefulsets", "daemonsets", "replicasets"] - verbs: ["list", "get"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) - apiGroups: ["apps.openshift.io"] resources: ["deploymentconfigs"] - verbs: ["list", "get"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) - apiGroups: 
["argoproj.io"] resources: ["rollouts"] - verbs: ["list", "get"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults"] - verbs: ["create", "list", "get", "patch", "update"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp - apiGroups: ["policy"] resources: ["podsecuritypolicies"] verbs: ["use"] diff --git a/charts/generic/pod-dns-error/rbac.yaml b/charts/generic/pod-dns-error/rbac.yaml index ba524e7..84dc894 100644 --- a/charts/generic/pod-dns-error/rbac.yaml +++ b/charts/generic/pod-dns-error/rbac.yaml 
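Review bot: The added `# use litmus psp` comment on the `podsecuritypolicies` rule at the end of this hunk does not say that the rule only matters on clusters that still serve PodSecurityPolicy; that API was removed in Kubernetes v1.25, so on newer clusters the grant is inert and pod hardening has to come from elsewhere. I would write `# use the litmus PodSecurityPolicy (PSP was removed in Kubernetes v1.25; no effect on newer clusters)`. The rule continues past the end of the hunk, so whether it is pinned with `resourceNames` cannot be checked here. The same comment is added in pod-dns-spoof/rbac-psp.yaml, pod-io-stress/rbac-psp.yaml and pod-memory-hog-exec/rbac-psp.yaml.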
@@ -17,28 +17,50 @@ metadata: name: pod-dns-error-sa app.kubernetes.io/part-of: litmus rules: + # Create and monitor the experiment & helper pods - apiGroups: [""] - resources: ["pods", "events"] - verbs: - ["create", "list", "get", "patch", "update", "delete", "deletecollection"] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult - apiGroups: [""] - resources: ["pods/exec", "pods/log", "replicationcontrollers"] - verbs: ["create", "list", "get"] - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create", "list", "get", "delete", "deletecollection"] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) - apiGroups: ["apps"] - resources: ["deployments", "statefulsets", "daemonsets", "replicasets"] - verbs: ["list", "get"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) - apiGroups: ["apps.openshift.io"] resources: ["deploymentconfigs"] - verbs: ["list", "get"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) - apiGroups: 
["argoproj.io"] resources: ["rollouts"] - verbs: ["list", "get"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults"] - verbs: ["create", "list", "get", "patch", "update"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-dns-spoof/experiment.yaml b/charts/generic/pod-dns-spoof/experiment.yaml index c1bd376..f860599 100644 --- a/charts/generic/pod-dns-spoof/experiment.yaml +++ b/charts/generic/pod-dns-spoof/experiment.yaml 
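Review bot: The `configmaps` rule is a new grant, not a narrowing: none of the removed rules in this hunk named `configmaps`, so the service account gains namespace-wide `get` and `list` on them. The comment says the access is needed only when a configmap is specified for mounting; if that is so, the comment should say the rule can be dropped otherwise, e.g. `# Read configmaps to mount into the experiment pod; remove this rule if the experiment mounts none`. The same addition appears in the other rbac.yaml, rbac-psp.yaml and experiment.yaml hunks on this page.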
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" args: - -c diff --git a/charts/generic/pod-dns-spoof/rbac-psp.yaml b/charts/generic/pod-dns-spoof/rbac-psp.yaml index d06212b..106c044 100644 --- a/charts/generic/pod-dns-spoof/rbac-psp.yaml +++ b/charts/generic/pod-dns-spoof/rbac-psp.yaml 
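Review bot: The trailing context of this hunk leaves `image: "litmuschaos/go-runner:latest"` directly under the permission list, so the tightened rules are handed to whatever image that mutable tag resolves to at pull time. Pinning would let the grant and the code that uses it be reviewed together, e.g. `image: "litmuschaos/go-runner:<release-tag>@sha256:<digest>"` with the placeholders filled from the release being shipped. The line is untouched by this commit and the container spec continues past the hunk. The first hunk on this page has the same `:latest` tag, and the pod-io-stress and pod-memory-hog-exec experiment.yaml hunks use `:ci` with `imagePullPolicy: Always`.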
@@ -17,28 +17,51 @@ metadata: name: pod-dns-spoof-sa app.kubernetes.io/part-of: litmus rules: + # Create and monitor the experiment & helper pods - apiGroups: [""] - resources: ["pods", "events"] - verbs: - ["create", "list", "get", "patch", "update", "delete", "deletecollection"] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult - apiGroups: [""] - resources: ["pods/exec", "pods/log", "replicationcontrollers"] - verbs: ["create", "list", "get"] - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create", "list", "get", "delete", "deletecollection"] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) - apiGroups: ["apps"] - resources: ["deployments", "statefulsets", "daemonsets", "replicasets"] - verbs: ["list", "get"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) - apiGroups: ["apps.openshift.io"] resources: ["deploymentconfigs"] - verbs: ["list", "get"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) - apiGroups: 
["argoproj.io"] resources: ["rollouts"] - verbs: ["list", "get"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults"] - verbs: ["create", "list", "get", "patch", "update"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp - apiGroups: ["policy"] resources: ["podsecuritypolicies"] verbs: ["use"] diff --git a/charts/generic/pod-dns-spoof/rbac.yaml b/charts/generic/pod-dns-spoof/rbac.yaml index 32d6a01..6d2c76d 100644 --- a/charts/generic/pod-dns-spoof/rbac.yaml +++ b/charts/generic/pod-dns-spoof/rbac.yaml 
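Review bot: The flow lists in the added rules are written inconsistently: `verbs: ["get","list",]` on the `configmaps` rule ends in a trailing comma, and `"update", "deletecollection"` and `"replicasets", "daemonsets"` carry a space that the other entries lack. The trailing comma is accepted by the YAML parsers I know of, but in a permission list it reads like a dropped entry, and a reviewer has to be sure nothing is missing. I would write `verbs: ["get","list"]` and use one spacing throughout. The same lines are in every other hunk on this page.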
@@ -17,28 +17,50 @@ metadata: name: pod-dns-spoof-sa app.kubernetes.io/part-of: litmus rules: + # Create and monitor the experiment & helper pods - apiGroups: [""] - resources: ["pods", "events"] - verbs: - ["create", "list", "get", "patch", "update", "delete", "deletecollection"] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult - apiGroups: [""] - resources: ["pods/exec", "pods/log", "replicationcontrollers"] - verbs: ["create", "list", "get"] - - apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create", "list", "get", "delete", "deletecollection"] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) - apiGroups: ["apps"] - resources: ["deployments", "statefulsets", "daemonsets", "replicasets"] - verbs: ["list", "get"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) - apiGroups: ["apps.openshift.io"] resources: ["deploymentconfigs"] - verbs: ["list", "get"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) - apiGroups: 
["argoproj.io"] resources: ["rollouts"] - verbs: ["list", "get"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults"] - verbs: ["create", "list", "get", "patch", "update"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-io-stress/experiment.yaml b/charts/generic/pod-io-stress/experiment.yaml index d6dc7b2..7b7e1a6 100644 --- a/charts/generic/pod-io-stress/experiment.yaml +++ b/charts/generic/pod-io-stress/experiment.yaml 
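Review bot: Two of the added comments do not explain their rule: the `replicationcontrollers` rule repeats the `deploymentconfigs` comment word for word, and the `pods/exec` comment (`for creating and managing to execute comands inside target container`) is misspelled and hard to parse. If replicationcontrollers are read because they sit between a pod and its DeploymentConfig, say so: `# deriving the parent/owner details of the pod (pod -> replicationcontroller -> deploymentConfig)`. For exec I would write `# exec into the target container to run the chaos commands`. Both comments are repeated in every other hunk on this page.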
@@ -15,37 +15,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/generic/pod-io-stress/rbac-psp.yaml b/charts/generic/pod-io-stress/rbac-psp.yaml index 039bf36..755512a 100644 --- a/charts/generic/pod-io-stress/rbac-psp.yaml +++ b/charts/generic/pod-io-stress/rbac-psp.yaml 
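Review bot: Leaving `secrets` out of the `configmaps` rule does not by itself keep this service account away from Secret data, because the `pods` and `pods/exec` rules still allow `create` for every pod in the namespace, and a pod that mounts a Secret exposes it to any identity that can exec into it. That is inherent to an exec-based experiment, so the mitigation is scoping rather than another verb change: I would add a comment above the `pods/exec` rule such as `# namespace-wide exec: bind this role only in namespaces that hold chaos targets`. The `permissions` list is complete within this hunk, and the same combination is granted in all the other hunks on this page.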
@@ -17,31 +17,55 @@ metadata: name: pod-io-stress-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-io-stress/rbac.yaml b/charts/generic/pod-io-stress/rbac.yaml index 4b407a2..e80025d 100644 --- a/charts/generic/pod-io-stress/rbac.yaml +++ b/charts/generic/pod-io-stress/rbac.yaml 
@@ -17,27 +17,50 @@ metadata: name: pod-io-stress-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-memory-hog-exec/experiment.yaml b/charts/generic/pod-memory-hog-exec/experiment.yaml index 6def380..77531c6 100644 --- a/charts/generic/pod-memory-hog-exec/experiment.yaml +++ b/charts/generic/pod-memory-hog-exec/experiment.yaml 
@@ -15,37 +15,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/generic/pod-memory-hog-exec/rbac-psp.yaml b/charts/generic/pod-memory-hog-exec/rbac-psp.yaml index 7dffa9d..eb39cec 100644 --- a/charts/generic/pod-memory-hog-exec/rbac-psp.yaml +++ b/charts/generic/pod-memory-hog-exec/rbac-psp.yaml 
@@ -17,31 +17,55 @@ metadata: name: pod-memory-hog-exec-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-memory-hog-exec/rbac.yaml b/charts/generic/pod-memory-hog-exec/rbac.yaml index 4fa73de..d4da0ca 100644 --- a/charts/generic/pod-memory-hog-exec/rbac.yaml +++ b/charts/generic/pod-memory-hog-exec/rbac.yaml 
@@ -17,27 +17,50 @@ metadata: name: pod-memory-hog-exec-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - 
apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-memory-hog/experiment.yaml b/charts/generic/pod-memory-hog/experiment.yaml index e906147..1127941 100644 --- a/charts/generic/pod-memory-hog/experiment.yaml +++ b/charts/generic/pod-memory-hog/experiment.yaml 
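Review bot: The comment above the core `replicationcontrollers` rule is a verbatim copy of the one above `deploymentconfigs`, so it does not say why a second resource is granted. If the reason is that a deploymentConfig owns its pods through a replicationcontroller, say so, for example `# read the replicationcontroller that sits between a pod and its deploymentConfig`. In the same hunk the `apps` comment lists deployment, statefulset and daemonsets while the rule also grants `replicasets`, and `comands` in the `pods/exec` comment should read `commands`. These comments are repeated unchanged in every later hunk of this diff.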
@@ -15,37 +15,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:ci" imagePullPolicy: Always args: diff --git a/charts/generic/pod-memory-hog/rbac-psp.yaml b/charts/generic/pod-memory-hog/rbac-psp.yaml index 99be500..3ad222d 100644 --- a/charts/generic/pod-memory-hog/rbac-psp.yaml +++ b/charts/generic/pod-memory-hog/rbac-psp.yaml 
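Review bot: The added `configmaps` rule grants `list`, and a list request returns the full contents of every ConfigMap in the namespace rather than only the ones named for mounting. The removed rule in this file did not mention `configmaps` at all, so this is new access. If the runner fetches the ConfigMaps by name, `verbs: ["get"]` is enough; that it does so is an assumption to confirm against the runner code. If `list` has to stay, drop the trailing comma in `["get","list",]` so the flow sequence matches the other rules. The same rule appears in every hunk of this diff, and the `permissions` list continues outside this hunk.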
@@ -17,31 +17,55 @@ metadata: name: pod-memory-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-memory-hog/rbac.yaml b/charts/generic/pod-memory-hog/rbac.yaml index 0791426..61445c9 100644 --- a/charts/generic/pod-memory-hog/rbac.yaml +++ b/charts/generic/pod-memory-hog/rbac.yaml 
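Review bot: The `podsecuritypolicies` rule at the end of this hunk is kept with only the comment `# use litmus psp`, which gives no hint that the API it refers to no longer exists on current clusters. PodSecurityPolicy was removed in Kubernetes 1.25, so there the `use` grant on `resourceNames: ["litmus"]` has no effect and the experiment and helper pods are constrained only by whatever Pod Security admission or policy engine the cluster runs. Extend the comment to something like `# use litmus psp (PodSecurityPolicy, removed in Kubernetes 1.25; no effect on newer clusters)`. The other rbac-psp.yaml hunks in this diff carry the same rule.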
@@ -17,27 +17,50 @@ metadata: name: pod-memory-hog-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-corruption/experiment.yaml b/charts/generic/pod-network-corruption/experiment.yaml index 29863a2..e7c0632 100644 --- a/charts/generic/pod-network-corruption/experiment.yaml +++ b/charts/generic/pod-network-corruption/experiment.yaml 
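Review bot: The `pods/exec` rule is carried into this Role with `verbs: ["get","list","create"]`, and RBAC cannot scope it by label, so the service account can open a shell in any pod in the namespace, not just the chaos target. This experiment is named without the `-exec` suffix; if it injects load through a helper pod rather than by exec (not visible in this diff), the rule can be dropped here and likewise in the pod-network-* hunks. Where exec is needed, `verbs: ["get","create"]` should cover it, since as far as I know no request on this subresource maps to `list`. The same applies to `list` on `pods/log`.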
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "delete" - - "list" - - "patch" - - "update" - - "get" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/pod-network-corruption/rbac-psp.yaml b/charts/generic/pod-network-corruption/rbac-psp.yaml index 9c019ad..685855b 100644 --- a/charts/generic/pod-network-corruption/rbac-psp.yaml +++ b/charts/generic/pod-network-corruption/rbac-psp.yaml 
@@ -17,31 +17,55 @@ metadata: name: pod-network-corruption-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + 
verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-corruption/rbac.yaml b/charts/generic/pod-network-corruption/rbac.yaml index 7c7add0..f0319df 100644 --- a/charts/generic/pod-network-corruption/rbac.yaml +++ b/charts/generic/pod-network-corruption/rbac.yaml 
@@ -17,27 +17,50 @@ metadata: name: pod-network-corruption-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - 
apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-duplication/experiment.yaml b/charts/generic/pod-network-duplication/experiment.yaml index b97762e..a1f6744 100644 --- a/charts/generic/pod-network-duplication/experiment.yaml +++ b/charts/generic/pod-network-duplication/experiment.yaml 
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "get" - - "list" - - "patch" - - "create" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/pod-network-duplication/rbac-psp.yaml b/charts/generic/pod-network-duplication/rbac-psp.yaml index e95e79e..01acf1a 100644 --- a/charts/generic/pod-network-duplication/rbac-psp.yaml +++ b/charts/generic/pod-network-duplication/rbac-psp.yaml 
@@ -16,31 +16,55 @@ metadata: name: pod-network-duplication-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + 
verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-duplication/rbac.yaml b/charts/generic/pod-network-duplication/rbac.yaml index a65d77f..d225750 100644 --- a/charts/generic/pod-network-duplication/rbac.yaml +++ b/charts/generic/pod-network-duplication/rbac.yaml 
@@ -16,27 +16,50 @@ metadata: name: pod-network-duplication-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - 
apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-latency/experiment.yaml b/charts/generic/pod-network-latency/experiment.yaml index 11d64fe..f7ff3e1 100644 --- a/charts/generic/pod-network-latency/experiment.yaml +++ b/charts/generic/pod-network-latency/experiment.yaml 
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/pod-network-latency/rbac-psp.yaml b/charts/generic/pod-network-latency/rbac-psp.yaml index 4d78f2e..ee147c7 100644 --- a/charts/generic/pod-network-latency/rbac-psp.yaml +++ b/charts/generic/pod-network-latency/rbac-psp.yaml 
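Review bot: In the pod-network-latency/experiment.yaml permissions, the `pods/exec` and `pods/log` rules list verbs that, as far as I can tell, are never matched for these subresources. A request to a pod subresource is authorized as `get` (or `create` for a POST), so `list` on both rules and `watch` on `pods/log` add nothing and make the rules look broader than they are. I would trim them to `verbs: ["get","create"]` for `pods/exec` and `verbs: ["get"]` for `pods/log`, after confirming against the calls the runner actually makes. The same verb lists recur in every rules or permissions hunk of this diff.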
@@ -17,31 +17,55 @@ metadata: name: pod-network-latency-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-latency/rbac.yaml b/charts/generic/pod-network-latency/rbac.yaml index f3edb70..4b65e6b 100644 --- a/charts/generic/pod-network-latency/rbac.yaml +++ b/charts/generic/pod-network-latency/rbac.yaml 
@@ -17,27 +17,50 @@ metadata: name: pod-network-latency-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - 
apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-loss/experiment.yaml b/charts/generic/pod-network-loss/experiment.yaml index 0750c36..4547aa6 100644 --- a/charts/generic/pod-network-loss/experiment.yaml +++ b/charts/generic/pod-network-loss/experiment.yaml 
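Review bot: In the pod-network-latency/rbac.yaml rules, the configmaps rule is written `verbs: ["get","list",]` with a trailing comma, and the pods rule writes `"update", "deletecollection"` with a space where the other lists have none. The trailing comma is accepted in a YAML flow sequence, but in an RBAC rule it reads like a verb that was dropped by accident. `verbs: ["get","list"]` is unambiguous. Both spellings are repeated in every hunk of this diff.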
@@ -14,37 +14,50 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "apps" - - "apps.openshift.io" - - "argoproj.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - "replicationcontrollers" - - "deployments" - - "statefulsets" - - "daemonsets" - - "replicasets" - - "deploymentconfigs" - - "rollouts" - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "get" - - "list" - - "patch" - - "create" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - 
apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/generic/pod-network-loss/rbac-psp.yaml b/charts/generic/pod-network-loss/rbac-psp.yaml index 113a5f7..d3af1b8 100644 --- a/charts/generic/pod-network-loss/rbac-psp.yaml +++ b/charts/generic/pod-network-loss/rbac-psp.yaml 
@@ -16,31 +16,55 @@ metadata: name: pod-network-loss-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: 
["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: ["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-loss/rbac.yaml b/charts/generic/pod-network-loss/rbac.yaml index 63736eb..caa0918 100644 --- a/charts/generic/pod-network-loss/rbac.yaml +++ b/charts/generic/pod-network-loss/rbac.yaml 
@@ -16,27 +16,50 @@ metadata: name: pod-network-loss-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log","replicationcontrollers"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets","daemonsets","replicasets"] - verbs: ["list","get"] -- apiGroups: ["apps.openshift.io"] - resources: ["deploymentconfigs"] - verbs: ["list","get"] -- apiGroups: ["argoproj.io"] - resources: ["rollouts"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets}) + - apiGroups: ["apps"] + resources: ["deployments","statefulsets","replicasets", "daemonsets"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: 
["apps.openshift.io"] + resources: ["deploymentconfigs"] + verbs: ["list","get"] + # deriving the parent/owner details of the pod(if parent is deploymentConfig) + - apiGroups: [""] + resources: ["replicationcontrollers"] + verbs: ["get","list"] + # deriving the parent/owner details of the pod(if parent is argo-rollouts) + - apiGroups: ["argoproj.io"] + resources: ["rollouts"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-partition/experiment.yaml b/charts/generic/pod-network-partition/experiment.yaml index 163e67e..7c2cde2 100644 --- a/charts/generic/pod-network-partition/experiment.yaml +++ b/charts/generic/pod-network-partition/experiment.yaml 
@@ -14,29 +14,38 @@ spec: definition: scope: Namespaced permissions: - - apiGroups: - - "" - - "batch" - - "networking.k8s.io" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "pods/log" - - networkpolicies - - "pods/exec" - - "events" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "get" - - "list" - - "patch" - - "create" - - "update" - - "delete" - - "deletecollection" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # performs CRUD operations on the network policies + - apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies"] + verbs: ["create","delete","list","get"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: 
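Review bot: The comment on the `networking.k8s.io` rule in pod-network-partition/experiment.yaml says `performs CRUD operations on the network policies`, but the rule grants `create`, `delete`, `list` and `get`, with no `update` or `patch`. The narrower verb set is the safer one to keep, so the comment should be brought in line with it, e.g. `# create, read and delete network policies`. The same comment is in the rbac-psp.yaml and rbac.yaml hunks for this experiment.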
diff --git a/charts/generic/pod-network-partition/rbac-psp.yaml b/charts/generic/pod-network-partition/rbac-psp.yaml index 272c5c5..9335123 100644 --- a/charts/generic/pod-network-partition/rbac-psp.yaml +++ b/charts/generic/pod-network-partition/rbac-psp.yaml 
@@ -16,25 +16,43 @@ metadata: name: pod-network-partition-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["networking.k8s.io"] - resources: ["networkpolicies"] - verbs: ["create","delete","list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: ["litmus"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # performs CRUD operations on the network policies + - apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies"] + verbs: ["create","delete","list","get"] + # for creation, status polling and deletion of litmus chaos 
resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # use litmus psp + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["litmus"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/generic/pod-network-partition/rbac.yaml b/charts/generic/pod-network-partition/rbac.yaml index 5b94593..e2a0ae7 100644 --- a/charts/generic/pod-network-partition/rbac.yaml +++ b/charts/generic/pod-network-partition/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: pod-network-partition-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["list","get","create"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["networking.k8s.io"] - resources: ["networkpolicies"] - verbs: ["create","delete","list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # performs CRUD operations on the network policies + - apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies"] + verbs: ["create","delete","list","get"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: 
["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/kafka/kafka-broker-pod-failure/experiment.yaml b/charts/kafka/kafka-broker-pod-failure/experiment.yaml index 9d30d54..5fae21d 100644 --- a/charts/kafka/kafka-broker-pod-failure/experiment.yaml +++ b/charts/kafka/kafka-broker-pod-failure/experiment.yaml 
@@ -14,38 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "apps" - - "batch" - - "litmuschaos.io" - resources: - - "statefulsets" - - "deployments" - - "events" - - "pods/log" - - "configmaps" - - "jobs" - - "pods" - - "pods/exec" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "get" - - "delete" - - "list" - - "update" - - "patch" - - "deletecollection" - - apiGroups: - - "" - resources: - - "nodes" - verbs: - - "get" - - "list" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for deriving the parent/owner details of the pod + - apiGroups: ["apps"] + resources: ["deployments","statefulsets"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: 
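Review bot: The third rule in kafka-broker-pod-failure/experiment.yaml grants `get` and `list` on `secrets`, while the permission list it replaces named `configmaps` but not `secrets`, so this is a new grant rather than a narrowing. The experiment is `scope: Cluster` and its rbac.yaml binds through a ClusterRoleBinding, so `list` on secrets would expose the contents of secrets in every namespace to the experiment's service account. Unless the experiment actually reads a secret, the rule should be `resources: ["configmaps"]`, as in the pod-network hunks. The rbac.yaml hunk for this experiment adds the same rule where neither resource was granted before. Both hunks also remove the `nodes` rule, which is worth confirming against the experiment code.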
diff --git a/charts/kafka/kafka-broker-pod-failure/rbac.yaml b/charts/kafka/kafka-broker-pod-failure/rbac.yaml index 742eb0f..64fd1db 100644 --- a/charts/kafka/kafka-broker-pod-failure/rbac.yaml +++ b/charts/kafka/kafka-broker-pod-failure/rbac.yaml 
@@ -16,24 +16,38 @@ metadata: name: kafka-broker-pod-failure-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["apps"] - resources: ["deployments","statefulsets"] - verbs: ["list","get"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for deriving the parent/owner details of the pod + - apiGroups: ["apps"] + resources: ["deployments","statefulsets"] + verbs: ["list","get"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: 
["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/kube-aws/ebs-loss-by-id/experiment.yaml b/charts/kube-aws/ebs-loss-by-id/experiment.yaml index 74bdd0e..143caf4 100644 --- a/charts/kube-aws/ebs-loss-by-id/experiment.yaml +++ b/charts/kube-aws/ebs-loss-by-id/experiment.yaml 
@@ -14,27 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/kube-aws/ebs-loss-by-id/rbac.yaml b/charts/kube-aws/ebs-loss-by-id/rbac.yaml index 418cf4a..52a1c57 100644 --- a/charts/kube-aws/ebs-loss-by-id/rbac.yaml +++ b/charts/kube-aws/ebs-loss-by-id/rbac.yaml 
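Review bot: In ebs-loss-by-id/experiment.yaml the secrets rule keeps `list` and is not limited to a named secret, so the service account can still read every secret its binding reaches, and rbac.yaml binds it with a ClusterRoleBinding. Dropping the write verbs on secrets is an improvement, but if the experiment needs only one credentials secret the rule can be `verbs: ["get"]` with `resourceNames: ["SECRET_NAME_PLACEHOLDER"]` (the real name is not shown in this diff). The comment says the secret is mounted into the experiment pod, and a volume mount is resolved by the kubelet, so it may be that no secrets verb is needed at all; that needs checking against the runner code. The same rule is in the ebs-loss-by-id/rbac.yaml and ebs-loss-by-tag/experiment.yaml hunks.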
@@ -16,18 +16,34 @@ metadata: name: ebs-loss-by-id-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
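Review bot: The `pods/exec` rule with `create` is carried into the narrowed ClusterRole even though this experiment's target is an EBS volume selected by id, so the hunk does not show which container it would ever exec into. Bound through the ClusterRoleBinding that follows, it allows `ebs-loss-by-id-sa` to run commands in any pod in the cluster, which makes it the widest grant left in the role. If no helper uses exec for this experiment, drop the rule; otherwise name the consumer in the comment, e.g. `# exec into <component> to <purpose>` (placeholders). The same applies to the ebs-loss-by-tag, ec2-terminate-by-id, ec2-terminate-by-tag and vm-poweroff hunks.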
diff --git a/charts/kube-aws/ebs-loss-by-tag/experiment.yaml b/charts/kube-aws/ebs-loss-by-tag/experiment.yaml index 4fb2adf..54a4710 100644 --- a/charts/kube-aws/ebs-loss-by-tag/experiment.yaml +++ b/charts/kube-aws/ebs-loss-by-tag/experiment.yaml @@ -14,27 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: 
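Review bot: Style: the added flow sequences are written inconsistently. `verbs: ["get","list",]` carries a trailing comma, `"update", "deletecollection"` is the only item with a space after its comma, and the `pods/exec` comment misspells "commands". YAML flow syntax accepts the trailing comma, but it reads like a dropped verb and some linters and stricter tooling reject it. Write `verbs: ["get","list"]` and `# for creating and managing to execute commands inside target container`. The same lines are repeated in every hunk of this commit.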
diff --git a/charts/kube-aws/ebs-loss-by-tag/rbac.yaml b/charts/kube-aws/ebs-loss-by-tag/rbac.yaml index 9690e37..52ad320 100644 --- a/charts/kube-aws/ebs-loss-by-tag/rbac.yaml +++ b/charts/kube-aws/ebs-loss-by-tag/rbac.yaml 
@@ -16,18 +16,34 @@ metadata: name: ebs-loss-by-tag-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
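Review bot: The `pods/log` rule lists `list` and `watch`, but reading or following a pod's log is authorized as `get` on the subresource, so the two extra verbs most likely grant nothing and only make the role harder to audit. The `pods/exec` rule likewise lists `list`. Suggest `verbs: ["get"]` for `pods/log` and `verbs: ["get","create"]` for `pods/exec`, after confirming that no client in the runner issues a watch against these paths. The same rules are repeated in the other hunks of this commit.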
diff --git a/charts/kube-aws/ec2-terminate-by-id/experiment.yaml b/charts/kube-aws/ec2-terminate-by-id/experiment.yaml index b6e1aff..5386360 100644 --- a/charts/kube-aws/ec2-terminate-by-id/experiment.yaml +++ b/charts/kube-aws/ec2-terminate-by-id/experiment.yaml 
@@ -14,27 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/kube-aws/ec2-terminate-by-id/rbac.yaml b/charts/kube-aws/ec2-terminate-by-id/rbac.yaml index ad2b68a..0f7fb1c 100644 --- a/charts/kube-aws/ec2-terminate-by-id/rbac.yaml 
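Review bot: `deletecollection` is newly listed for `pods` and `jobs` in these experiment permissions; the removed block stopped at `delete`. With `scope: Cluster`, a single request can then remove every matching pod or job in any namespace, which is a wider blast radius than cleaning up the experiment's own helper pods suggests. If cleanup addresses helpers by name, `delete` is enough; if it relies on a label selector, say so in the comment, e.g. `# deletecollection: remove helper pods by label after the run` (wording to be confirmed against the runner). The other experiment.yaml hunks add the same verb.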
+++ b/charts/kube-aws/ec2-terminate-by-id/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: ec2-terminate-by-id-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["patch","get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] 
+ verbs: ["get","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/kube-aws/ec2-terminate-by-tag/experiment.yaml b/charts/kube-aws/ec2-terminate-by-tag/experiment.yaml index ba2157e..55e779a 100644 --- a/charts/kube-aws/ec2-terminate-by-tag/experiment.yaml +++ b/charts/kube-aws/ec2-terminate-by-tag/experiment.yaml 
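Review bot: The `litmuschaos.io` rule gains `delete` in this ClusterRole (the removed rule stopped at `update`), which widens access inside a commit that otherwise narrows it. The comment attributes the verb to resources "used within a chaos workflow", but the hunk does not show that the experiment's own service account, rather than the workflow's, performs that deletion. If it does not, keep `verbs: ["create","list","get","patch","update"]`. The same addition is in the other rbac.yaml hunks (ebs-loss-by-id, ebs-loss-by-tag, ec2-terminate-by-tag, vm-poweroff), and the ClusterRole's header lies outside the hunk.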
@@ -14,27 +14,38 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "pods" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "patch" - - "update" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get","list"] image: "litmuschaos/go-runner:latest" imagePullPolicy: Always args: diff --git a/charts/kube-aws/ec2-terminate-by-tag/rbac.yaml b/charts/kube-aws/ec2-terminate-by-tag/rbac.yaml index 4b12839..e03101d 100644 --- a/charts/kube-aws/ec2-terminate-by-tag/rbac.yaml 
+++ b/charts/kube-aws/ec2-terminate-by-tag/rbac.yaml 
@@ -16,21 +16,38 @@ metadata: name: ec2-terminate-by-tag-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] -- apiGroups: [""] - resources: ["nodes"] - verbs: ["patch","get","list"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] + # for experiment to perform node status checks + - apiGroups: [""] + resources: ["nodes"] 
+ verbs: ["get","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/vmware/vm-poweroff/experiment.yaml b/charts/vmware/vm-poweroff/experiment.yaml index f217df6..1562815 100644 --- a/charts/vmware/vm-poweroff/experiment.yaml +++ b/charts/vmware/vm-poweroff/experiment.yaml @@ -14,27 +14,34 @@ spec: definition: scope: Cluster permissions: - - apiGroups: - - "" - - "batch" - - "litmuschaos.io" - resources: - - "jobs" - - "events" - - "pods/log" - - "pods/exec" - - "secrets" - - "pods" - - "chaosengines" - - "chaosexperiments" - - "chaosresults" - verbs: - - "create" - - "list" - - "get" - - "update" - - "patch" - - "delete" + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] image: "litmuschaos/go-runner:latest" args: - -c 
diff --git a/charts/vmware/vm-poweroff/rbac.yaml b/charts/vmware/vm-poweroff/rbac.yaml index 8973f44..4bbd8ee 100644 --- a/charts/vmware/vm-poweroff/rbac.yaml +++ b/charts/vmware/vm-poweroff/rbac.yaml 
@@ -16,18 +16,34 @@ metadata: name: vm-poweroff-sa app.kubernetes.io/part-of: litmus rules: -- apiGroups: [""] - resources: ["pods","events","secrets"] - verbs: ["create","list","get","patch","update","delete","deletecollection"] -- apiGroups: [""] - resources: ["pods/exec","pods/log"] - verbs: ["create","list","get"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create","list","get","delete","deletecollection"] -- apiGroups: ["litmuschaos.io"] - resources: ["chaosengines","chaosexperiments","chaosresults"] - verbs: ["create","list","get","patch","update"] + # Create and monitor the experiment & helper pods + - apiGroups: [""] + resources: ["pods"] + verbs: ["create","delete","get","list","patch","update", "deletecollection"] + # Performs CRUD operations on the events inside chaosengine and chaosresult + - apiGroups: [""] + resources: ["events"] + verbs: ["create","get","list","patch","update"] + # Fetch configmaps & secrets details and mount it to the experiment pod (if specified) + - apiGroups: [""] + resources: ["secrets","configmaps"] + verbs: ["get","list",] + # Track and get the runner, experiment, and helper pods log + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get","list","watch"] + # for creating and managing to execute comands inside target container + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get","list","create"] + # for configuring and monitor the experiment job by the chaos-runner pod + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create","list","get","delete","deletecollection"] + # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow + - apiGroups: ["litmuschaos.io"] + resources: ["chaosengines","chaosexperiments","chaosresults"] + verbs: ["create","list","get","patch","update","delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding