From e4fbd6f02f11492492cc68542877d7567c098586 Mon Sep 17 00:00:00 2001
From: Pavel Tishkov
Date: Thu, 28 Nov 2024 17:47:11 +0300
Subject: [PATCH] feat(module): fix roles #2
Signed-off-by: Pavel Tishkov
---
 docs.yaml | 99 -------------------
 rbac.yaml | 10 --
 .../manage/permissions/manage_internals.yaml | 3 +-
 .../manage/permissions/manage_resources.yaml | 3 +-
 .../manage/permissions/view_resources.yaml | 3 +-
 .../use/capabilities/access_console.yaml | 1 -
 .../execute_virtualmachine_operations.yaml | 1 -
 .../rbacv2/use/capabilities/forward_port.yaml | 1 -
 .../use/capabilities/manage_internals.yaml | 2 -
 .../use/capabilities/manage_resources.yaml | 1 -
 .../use/capabilities/view_resources.yaml | 1 -
 11 files changed, 3 insertions(+), 122 deletions(-)
 delete mode 100644 docs.yaml
 delete mode 100644 rbac.yaml
diff --git a/docs.yaml b/docs.yaml
deleted file mode 100644
index 294122713..000000000
--- a/docs.yaml
+++ /dev/null
@@ -1,99 +0,0 @@
-modules:
- virtualization:
- capabilities:
- manage:
- - name: d8:manage:capability:module:virtualization:view
- rules:
- - apiGroups:
- - virtualization.deckhouse.io
- resources:
- - clustervirtualimages
- - virtualmachineclasses
- - virtualmachineipaddressleases
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - deckhouse.io
- resourceNames:
- - virtualization
- resources:
- - moduleconfigs
- verbs:
- - get
- - list
- - watch
- - name: d8:manage:capability:module:virtualization:edit
- rules:
- - apiGroups:
- - virtualization.deckhouse.io
- resources:
- - clustervirtualimages
- - virtualmachineclasses
- - virtualmachineipaddressleases
- verbs:
- - create
- - update
- - patch
- - delete
- - deletecollection
- - apiGroups:
- - deckhouse.io
- resourceNames:
- - virtualization
- resources:
- - moduleconfigs
- verbs:
- - create
- - update
- - patch
- - delete
- use:
- - name: d8:use:capability:module:virtualization:view
- rules:
- - apiGroups:
- - virtualization.deckhouse.io
- resources:
- - virtualdisks
- - virtualdisksnapshots
- - virtualimages
- - virtualmachineblockdeviceattachments
- - virtualmachineipaddresses
- - virtualmachineoperations
- - virtualmachinerestores
- - virtualmachines
- - virtualmachinesnapshots
- verbs:
- - get
- - list
- - watch
- - name: d8:use:capability:module:virtualization:edit
- rules:
- - apiGroups:
- - virtualization.deckhouse.io
- resources:
- - virtualdisks
- - virtualdisksnapshots
- - virtualimages
- - virtualmachineblockdeviceattachments
- - virtualmachineipaddresses
- - virtualmachineoperations
- - virtualmachinerestores
- - virtualmachines
- - virtualmachinesnapshots
- verbs:
- - create
- - update
- - patch
- - delete
- - deletecollection
- namespace: d8-virtualization
- scopes:
- - virtualization
-scopes:
- virtualization:
- modules:
- - virtualization
- namespaces:
- - d8-virtualization
diff --git a/rbac.yaml b/rbac.yaml
deleted file mode 100644
index 1495eae20..000000000
--- a/rbac.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-module: virtualization
-namespace: d8-virtualization
-scopes:
- - virtualization
-crds:
- - crds/*.yaml
-allowedResources:
- - group: virtualization.deckhouse.io
- resources:
- - all
diff --git a/templates/rbacv2/manage/permissions/manage_internals.yaml b/templates/rbacv2/manage/permissions/manage_internals.yaml
index 7e548ffb4..7c4bf871e 100644
--- a/templates/rbacv2/manage/permissions/manage_internals.yaml
+++ b/templates/rbacv2/manage/permissions/manage_internals.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
@@ -9,7 +8,7 @@ metadata:
 rbac.deckhouse.io/kind: manage
 rbac.deckhouse.io/level: module
 rbac.deckhouse.io/namespace: d8-virtualization
- name: d8:manage:permission:virtualization:manage_internals
+ name: d8:manage:permission:subsystem:virtualization:manage_internals
 rules:
 - apiGroups:
 - cdi.internal.virtualization.deckhouse.io
diff --git a/templates/rbacv2/manage/permissions/manage_resources.yaml b/templates/rbacv2/manage/permissions/manage_resources.yaml
index 8596078f0..dbb05251a 100644
--- a/templates/rbacv2/manage/permissions/manage_resources.yaml
+++ b/templates/rbacv2/manage/permissions/manage_resources.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
@@ -9,7 +8,7 @@ metadata:
 rbac.deckhouse.io/kind: manage
 rbac.deckhouse.io/level: module
 rbac.deckhouse.io/namespace: d8-virtualization
- name: d8:manage:permission:virtualization:manage_resources
+ name: d8:manage:permission:subsystem:virtualization:manage_resources
 rules:
 - apiGroups:
 - virtualization.deckhouse.io
diff --git a/templates/rbacv2/manage/permissions/view_resources.yaml b/templates/rbacv2/manage/permissions/view_resources.yaml
index 7aed2ff69..c2a8b2b01 100644
--- a/templates/rbacv2/manage/permissions/view_resources.yaml
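Review bot: The `name:` rename in the `@@ -9,7 +8,7 @@` hunk of templates/rbacv2/manage/permissions/manage_internals.yaml (`d8:manage:permission:virtualization:manage_internals` → `d8:manage:permission:subsystem:virtualization:manage_internals`) changes the ClusterRole's identity, and Kubernetes does not validate a binding's `roleRef` against existing roles, so any ClusterRoleBinding whose `roleRef` still names the old role would keep being accepted while granting nothing, with no error to surface the regression. The same rename is made in manage_resources.yaml further down this line and in view_resources.yaml on the next, while the use-side capabilities in this patch keep their old naming. Please confirm that nothing selects these roles by name rather than by the `rbac.deckhouse.io/*` labels, and list the old→new names in the commit description so that out-of-tree bindings can be migrated. The rules each of these roles carries continue past the hunk.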
+++ b/templates/rbacv2/manage/permissions/view_resources.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
@@ -9,7 +8,7 @@ metadata:
 rbac.deckhouse.io/kind: manage
 rbac.deckhouse.io/level: module
 rbac.deckhouse.io/namespace: d8-virtualization
- name: d8:manage:permission:virtualization:view_resources
+ name: d8:manage:permission:subsystem:virtualization:view_resources
 rules:
 - apiGroups:
 - virtualization.deckhouse.io
diff --git a/templates/rbacv2/use/capabilities/access_console.yaml b/templates/rbacv2/use/capabilities/access_console.yaml
index 471409b5f..7c6ec850d 100644
--- a/templates/rbacv2/use/capabilities/access_console.yaml
+++ b/templates/rbacv2/use/capabilities/access_console.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
diff --git a/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml b/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml
index f2341352b..baa4fce1e 100644
--- a/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml
+++ b/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
diff --git a/templates/rbacv2/use/capabilities/forward_port.yaml b/templates/rbacv2/use/capabilities/forward_port.yaml
index 306147e10..fced608c8 100644
--- a/templates/rbacv2/use/capabilities/forward_port.yaml
+++ b/templates/rbacv2/use/capabilities/forward_port.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
diff --git a/templates/rbacv2/use/capabilities/manage_internals.yaml b/templates/rbacv2/use/capabilities/manage_internals.yaml
index 26a805c2c..0e88c14a0 100644
--- a/templates/rbacv2/use/capabilities/manage_internals.yaml
+++ b/templates/rbacv2/use/capabilities/manage_internals.yaml
@@ -1,11 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
- # TODO
 rbac.deckhouse.io/aggregate-to-virtualization-as: super-admin
 rbac.deckhouse.io/kind: use
 name: d8:use:capability:virtualization:manage_internals
diff --git a/templates/rbacv2/use/capabilities/manage_resources.yaml b/templates/rbacv2/use/capabilities/manage_resources.yaml
index 04985ce08..5a47e1d26 100644
--- a/templates/rbacv2/use/capabilities/manage_resources.yaml
+++ b/templates/rbacv2/use/capabilities/manage_resources.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
diff --git a/templates/rbacv2/use/capabilities/view_resources.yaml b/templates/rbacv2/use/capabilities/view_resources.yaml
index f346a17b9..f9c74fcca 100644
--- a/templates/rbacv2/use/capabilities/view_resources.yaml
+++ b/templates/rbacv2/use/capabilities/view_resources.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- creationTimestamp: null
 labels:
 heritage: deckhouse
 module: virtualization
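Review bot: Dropping the `# TODO` line above `rbac.deckhouse.io/aggregate-to-virtualization-as: super-admin` in the `@@ -1,11 +1,9 @@` hunk of templates/rbacv2/use/capabilities/manage_internals.yaml closes the TODO without recording what was decided, and that label appears to be what determines which aggregated role receives a capability that, by its name, manages module internals. A one-line comment in its place, e.g. `# deliberately aggregated to super-admin only (label below); revisit before widening`, would keep the decision visible to the next reviewer; the rules this role grants lie outside the hunk, so their scope cannot be checked here. The role keeps the name `d8:use:capability:virtualization:manage_internals` while the manage-side permissions in this same patch gain a `subsystem:` segment; please confirm that asymmetry is intentional or note it in the commit description.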