missing items in the tekton chains application description #11

@@ -0,0 +1,22 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# This is the access that the controller needs on a per-namespace basis.
name: tekton-chains-controller-tenant-access
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
rules:
# Read-write access to create Pods, K8s Events and PVCs (for Workspaces)
- apiGroups: [""]
resources: ["pods", "pods/log", "events", "persistentvolumeclaims"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
# Read-only access to these.
- apiGroups: [""]
resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
verbs: ["get", "list", "watch"]
# Read-write access to StatefulSets for Affinity Assistant.
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
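Review bot: this ClusterRole is an exact duplicate of the second document in tekton-chains/base/clusterrole.yaml further down in this PR (same name `tekton-chains-controller-tenant-access`, same three rules); if both files land in one kustomize build or one Argo CD application the second definition conflicts with the first, so keep a single copy. The file header for this hunk was not captured on the page, but the kustomization hunk that follows adds `chain-tenant-access-cluster-role.yaml`, which appears to be this file. Also, the comment `# This is the access that the controller needs on a per-namespace basis.` means this role is intended to be bound per namespace with a RoleBinding; no binding for it is part of this change, so confirm it will not be bound with a ClusterRoleBinding, which would give the controller list/watch on `secrets` in every namespace.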
Expand Up @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- chains-cluster-role.yaml
- chain-tenant-access-cluster-role.yaml
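Review bot: this adds the tenant-access ClusterRole to the bundle but no RoleBinding or ClusterRoleBinding for it appears anywhere in the change, so the new role is inert until a binding is added; please add the binding in the same bundle and keep it namespace-scoped, as the role's own comment says it is meant to be. Style: the two entries are named inconsistently, `chains-cluster-role.yaml` versus `chain-tenant-access-cluster-role.yaml` (singular `chain-`); align on one prefix.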
1 change: 1 addition & 0 deletions cluster-scope/bundles/tekton-chains/kustomization.yaml
Expand Up @@ -5,3 +5,4 @@ resources:
- ../../base/core/namespaces/tekton-chains
- ../../base/rbac.authorization.k8s.io/clusterrolebindings/tekton-chains
- ../../base/rbac.authorization.k8s.io/clusterroles/tekton-chains
- ../../../tekton-chains/overlays/rosa
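Review bot: the cluster-scope bundle now pulls in `../../../tekton-chains/overlays/rosa`, which inverts the layering the collaborator describes in the comments on this PR (bundles hold the cluster-scoped resources, and the application overlay references the bundle). If the rosa overlay includes `tekton-chains/base`, the cluster-resources Argo CD application will also deploy the namespaced Deployment, Roles and RoleBindings added in this PR and compete with the application-level deployment of the same objects. Suggest dropping this line and having the overlay reference the bundle instead.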
47 changes: 47 additions & 0 deletions tekton-chains/base/clusterrole.yaml
@@ -0,0 +1,47 @@
kind: ClusterRole
Collaborator

Any reason why we chose to put this here? Roles are RBAC which are always scoped to the cluster or cluster resource, even if they are application specific. Usually what we do is create a bundle cluster-scope/bundles that references all the other cluster scoped resources like clusterrolebindings, clusterroles, roles, rolebindings, operatorGroups, subscriptions, etc. We then reference that bundle from either the application overlay or the cluster-scope overlay (which becomes cluster-resources in argocd).

apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-chains-controller-cluster-access
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
rules:
- apiGroups: [""]
# Controller needs to watch Pods created by TaskRuns to see them progress.
resources: ["pods"]
verbs: ["list", "watch"]
# Controller needs cluster access to all of the CRDs that it is responsible for
# managing.
- apiGroups: ["tekton.dev"]
resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions", "runs"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# This is the access that the controller needs on a per-namespace basis.
name: tekton-chains-controller-tenant-access
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
rules:
# Read-write access to create Pods, K8s Events and PVCs (for Workspaces)
- apiGroups: [""]
resources: ["pods", "pods/log", "events", "persistentvolumeclaims"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
# Read-only access to these.
- apiGroups: [""]
resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
verbs: ["get", "list", "watch"]
# Read-write access to StatefulSets for Affinity Assistant.
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
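Review bot: the second document, `tekton-chains-controller-tenant-access`, is already defined in the first file of this PR; define it once, in the cluster-scope bundle per the collaborator's comment. On the first document, `tekton-chains-controller-cluster-access` grants create/update/delete/patch on `tasks`, `clustertasks`, `pipelines`, `taskruns`, `pipelineruns`, `pipelineresources`, `conditions` and `runs` cluster-wide, plus the same verbs on their `/status` and `/finalizers` subresources. A controller holding that role can rewrite every pipeline definition in the cluster if compromised, so check the upstream release manifest for the v0.14.0 pinned in deployment.yaml and drop any verb or resource it does not actually require.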
71 changes: 71 additions & 0 deletions tekton-chains/base/deployment.yaml
@@ -0,0 +1,71 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-chains-controller
namespace: tekton-chains
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
Collaborator

Since instance and part-of labels apply to all files within the base deployment, best practice is to use commonLabels in the kustomize to apply to every file, but this is just a style thing.

app.kubernetes.io/part-of: tekton-chains
pipeline.tekton.dev/release: "devel"
version: "v0.14.0"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
labels:
app: tekton-chains-controller
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
# # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "devel"
version: "v0.14.0"
spec:
serviceAccountName: tekton-chains-controller
containers:
- name: tekton-chains-controller
image: gcr.io/tekton-releases/github.com/tektoncd/chains/cmd/controller:v0.14.0@sha256:b10b5a6298fe78ffeb72b7ed69794b0e7315a952482b9bff80858bc6746cbe4f
volumeMounts:
- name: signing-secrets
mountPath: /etc/signing-secrets
- name: oidc-info
mountPath: /var/run/sigstore/cosign
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: METRICS_DOMAIN
value: tekton.dev/chains
securityContext:
allowPrivilegeEscalation: false
# User 65532 is the distroless nonroot user ID
runAsUser: 65532
runAsGroup: 65532
volumes:
- name: signing-secrets
secret:
secretName: signing-secrets
- name: oidc-info
projected:
sources:
# The "public good" instance supports tokens from EKS and GKE by default.
# The fulcio URL can also be redirected to an instance that has been
# configured to accept other issuers as well. Removing this volume
# completely will direct chains to use alternate ambient credentials
# (e.g. GKE workload identity, SPIFFE)
- serviceAccountToken:
path: oidc-token
expirationSeconds: 600 # Use as short-lived as possible.
audience: sigstore
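Review bot: the container `securityContext` sets only `allowPrivilegeEscalation: false` and `runAsUser`/`runAsGroup: 65532`; add `runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `capabilities: { drop: ["ALL"] }` and `seccompProfile: { type: RuntimeDefault }` so the pod satisfies the restricted profile on its own rather than relying on the SCC from `chains-scc.yaml`, and add `resources` requests and limits, which are missing. Pinning the image by digest and the 600-second projected token are good. The leftover comment `# # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml` refers to upstream's release tooling and can be removed from this vendored copy.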
3 changes: 3 additions & 0 deletions tekton-chains/base/kustomization.yaml
Expand Up @@ -7,3 +7,6 @@ resources:
- chains-logging-cm.yaml
- chains-scc.yaml
- signing-secret-sealed.yaml
- deployment.yaml
- role.yaml
- rolebinding.yaml
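Review bot: the Deployment's `serviceAccountName: tekton-chains-controller` and the Role's `resourceNames: ["chains-info"]` both refer to objects that this resource list does not add and that appear nowhere else in the PR (no serviceaccount.yaml, no chains-info ConfigMap); confirm both already exist in the base, otherwise the ReplicaSet cannot create pods and the info Role grants access to nothing. If role.yaml and rolebinding.yaml move to the cluster-scope bundle as requested in the comments, remove them from this list in the same change.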
31 changes: 31 additions & 0 deletions tekton-chains/base/role.yaml
@@ -0,0 +1,31 @@
kind: Role
Collaborator

Same as before, RBAC is always cluster-scoped and should be moved there.

apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-chains-leader-election
namespace: tekton-chains
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
rules:
# We uses leases for leaderelection
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tekton-chains-info
namespace: tekton-chains
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
rules:
# All system:authenticated users need to have access
# to the chains-info ConfigMap even if they don't
# have access to other resources present in the
# installed namespace
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["chains-info"]
verbs: ["get"]
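Review bot: both documents carry `namespace: tekton-chains`, and `Role` is a namespaced kind, so placing them in the cluster-scope bundle is this repository's convention (as the collaborator notes) rather than an API requirement; whichever directory they end up in, keep the `namespace` field. The `chains-info` rule is correctly limited to `resourceNames: ["chains-info"]` with `get` only; keep it that narrow, since rolebinding.yaml hands it to `system:authenticated`. Style: the comment on the leases rule reads `# We uses leases for leaderelection`; `# We use leases for leader election`.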
36 changes: 36 additions & 0 deletions tekton-chains/base/rolebinding.yaml
@@ -0,0 +1,36 @@
apiVersion: rbac.authorization.k8s.io/v1
Collaborator

RBAC --> cluster-scope

kind: RoleBinding
metadata:
name: tekton-chains-controller-leaderelection
namespace: tekton-chains
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
subjects:
- kind: ServiceAccount
name: tekton-chains-controller
namespace: tekton-chains
roleRef:
kind: Role
name: tekton-chains-leader-election
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-chains-info
namespace: tekton-chains
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
subjects:
# Giving all system:authenticated users the access to the
# ConfigMap which contains version information
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tekton-chains-info
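Review bot: the second binding grants `system:authenticated`, which covers every authenticated user and every ServiceAccount token in the cluster, `get` on the `chains-info` ConfigMap; the Role's `resourceNames` restriction keeps the exposure to that one object, but make sure `chains-info` holds only the version information the comment describes and never signing-key or OIDC/Fulcio settings. Style: the first binding is named `tekton-chains-controller-leaderelection` while the Role it references is `tekton-chains-leader-election`; pick one spelling.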