From 1bda2c3fed684f20ec68608e39e88af524bf5936 Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman
Date: Thu, 23 Jun 2022 09:55:39 -0400
Subject: [PATCH 1/6] Install group sync operator The group sync operator will allow us to sync the membership of openshift groups with github teams.
---
 .../namespaces/group-sync-operator/kustomization.yaml | 4 ++++
 .../core/namespaces/group-sync-operator/namespace.yaml | 5 +++++
 .../group-sync-operator/kustomization.yaml | 5 +++++
 .../group-sync-operator/operatorgroup.yaml | 7 +++++++
 .../group-sync-operator/kustomization.yaml | 5 +++++
 .../group-sync-operator/subscription.yaml | 10 ++++++++++
 .../bundles/group-sync-operator/kustomization.yaml | 6 ++++++
 7 files changed, 42 insertions(+)
 create mode 100644 cluster-scope/base/core/namespaces/group-sync-operator/kustomization.yaml
 create mode 100644 cluster-scope/base/core/namespaces/group-sync-operator/namespace.yaml
 create mode 100644 cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/kustomization.yaml
 create mode 100644 cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/operatorgroup.yaml
 create mode 100644 cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/kustomization.yaml
 create mode 100644 cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/subscription.yaml
 create mode 100644 cluster-scope/bundles/group-sync-operator/kustomization.yaml
diff --git a/cluster-scope/base/core/namespaces/group-sync-operator/kustomization.yaml b/cluster-scope/base/core/namespaces/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..c313b540
--- /dev/null
+++ b/cluster-scope/base/core/namespaces/group-sync-operator/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace.yaml
diff --git a/cluster-scope/base/core/namespaces/group-sync-operator/namespace.yaml b/cluster-scope/base/core/namespaces/group-sync-operator/namespace.yaml
new file mode 100644
index 00000000..35daae20
--- /dev/null
+++ b/cluster-scope/base/core/namespaces/group-sync-operator/namespace.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: group-sync-operator
+spec: {}
diff --git a/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/kustomization.yaml b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..786372e0
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: group-sync-operator
+resources:
+- operatorgroup.yaml
diff --git a/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/operatorgroup.yaml b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/operatorgroup.yaml
new file mode 100644
index 00000000..84f8c682
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/operatorgroups/group-sync-operator/operatorgroup.yaml
@@ -0,0 +1,7 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: group-sync-operator
+spec:
+ targetNamespaces:
+ - group-sync-operator
diff --git a/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/kustomization.yaml b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..4c043e54
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: group-sync-operator
+resources:
+- subscription.yaml
diff --git a/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/subscription.yaml b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/subscription.yaml
new file mode 100644
index 00000000..2b4385f7
--- /dev/null
+++ b/cluster-scope/base/operators.coreos.com/subscriptions/group-sync-operator/subscription.yaml
@@ -0,0 +1,10 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: group-sync-operator
+spec:
+ channel: alpha
+ installPlanApproval: Automatic
+ name: group-sync-operator
+ source: community-operators
+ sourceNamespace: openshift-marketplace
diff --git a/cluster-scope/bundles/group-sync-operator/kustomization.yaml b/cluster-scope/bundles/group-sync-operator/kustomization.yaml
new file mode 100644
index 00000000..a1c99a5e
--- /dev/null
+++ b/cluster-scope/bundles/group-sync-operator/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/core/namespaces/group-sync-operator
+- ../../base/operators.coreos.com/operatorgroups/group-sync-operator
+- ../../base/operators.coreos.com/subscriptions/group-sync-operator
From 108af762f74ab9b6bcb5812c5e297c2a84f16c9c Mon Sep 17 00:00:00 2001
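Review bot: `installPlanApproval: Automatic` combined with `channel: alpha` from `community-operators` lets any bundle the community catalog publishes roll onto the cluster unreviewed, and the later commits in this series hand this operator control of the Groups that carry `cluster-reader` and `sudoer` bindings, so its upgrade path is effectively part of the admin trust chain. Prefer `installPlanApproval: Manual` (optionally with `startingCSV:` naming the version that was tested) so each InstallPlan is approved deliberately, whether in the cluster or by the GitOps pipeline. A short comment above `channel:` recording why `alpha` was chosen would also spare the next reader from guessing whether a more stable channel was considered.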
From: Lars Kellogg-Stedman
Date: Thu, 23 Jun 2022 10:53:53 -0400
Subject: [PATCH 2/6] Configure nerc-ocp-infra to sync ocp-on-nerc github groups Remove static members of cluster-admins group and configure RBAC for nerc-ops group instead.
---
 .../nerc-ops-cluster-reader.yaml | 12 ++++++++++++
 .../clusterrolebindings/nerc-ops-sudoers.yaml | 12 ++++++++++++
 .../groupsyncs/github-ocp-on-nerc.yaml | 14 ++++++++++++++
 .../overlays/nerc-ocp-infra/kustomization.yaml | 7 +++++--
 4 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-cluster-reader.yaml
 create mode 100644 cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-sudoers.yaml
 create mode 100644 cluster-scope/overlays/nerc-ocp-infra/groupsyncs/github-ocp-on-nerc.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-cluster-reader.yaml b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-cluster-reader.yaml
new file mode 100644
index 00000000..73dc0ffa
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-cluster-reader.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nerc-ops-cluster-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-reader
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: nerc-ops
diff --git a/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-sudoers.yaml b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-sudoers.yaml
new file mode 100644
index 00000000..fdf41ea2
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-sudoers.yaml
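Review bot: Nothing in this file records that `nerc-ops` is not a Group managed in this repo but one the `github-ocp-on-nerc` GroupSync added in the same commit populates from GitHub (presumably a team of that name in the `ocp-on-nerc` organization), so a reader of the binding cannot tell that its membership is governed outside the cluster. A comment above `subjects:` such as `# nerc-ops is populated by the github-ocp-on-nerc GroupSync; membership is managed in the GitHub org, not in this repo` would make that explicit. The same applies to nerc-ops-sudoers.yaml in this commit, where it matters more: the stock OpenShift `sudoer` ClusterRole allows impersonating `system:admin`, so that binding makes the synced GitHub team the effective cluster-admin roster, and its comment should say so.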
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nerc-ops-sudoers
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: sudoer
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: nerc-ops
diff --git a/cluster-scope/overlays/nerc-ocp-infra/groupsyncs/github-ocp-on-nerc.yaml b/cluster-scope/overlays/nerc-ocp-infra/groupsyncs/github-ocp-on-nerc.yaml
new file mode 100644
index 00000000..c8ef702b
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/groupsyncs/github-ocp-on-nerc.yaml
@@ -0,0 +1,14 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: GroupSync
+metadata:
+ name: github-ocp-on-nerc
+ namespace: group-sync-operator
+spec:
+ providers:
+ - name: github
+ github:
+ organization: ocp-on-nerc
+ prune: true
+ credentialsSecret:
+ name: github-ocp-on-nerc
+ namespace: group-sync-operator
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
index 61e931cd..1a35fb7c 100644
--- a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -9,6 +9,9 @@ resources:
 - ../../bundles/odf
 - clusterversion.yaml
+- groupsyncs/github-ocp-on-nerc.yaml
+- clusterrolebindings/nerc-ops-cluster-reader.yaml
+- clusterrolebindings/nerc-ops-sudoers.yaml
+
 patches:
- - path: oauths/cluster_patch.yaml
- - path: groups/cluster-admins_patch.yaml
+- path: oauths/cluster_patch.yaml
From fbbe761381f27a2da18db60137d5a9d946c0ad6b Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman
Date: Thu, 23 Jun 2022 09:55:39 -0400
Subject: [PATCH 3/6] Install group sync operator The group sync operator will allow us to sync the membership of openshift groups with github teams.
From 195eee35239533301c379ad7a28280478ec6246b Mon Sep 17 00:00:00 2001
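Review bot: The `github` provider block carries no `teams` filter, so every team in the `ocp-on-nerc` organization is mirrored into an OpenShift Group rather than only the one this overlay binds, and with `prune: true` those Groups come and go with the org's team list; a GitHub team whose name collides with an existing Group (`cluster-admins`, for instance, which this commit stops patching but whose base definition the cluster-admin-rbac bundle still includes) is worth ruling out before this is applied. The provider's `teams:` list can restrict the sync to the teams that are actually bound (`teams: [nerc-ops]` under `github:`), which keeps the blast radius to one team. The `credentialsSecret` `github-ocp-on-nerc` in `group-sync-operator` is not created anywhere in this series, so it is presumably provisioned out of band; a comment above `credentialsSecret:` saying where it comes from and which token scope it needs would let the setup be reproduced. Separately, patches 3/6 and 4/6 of this series repeat the subjects of 1/6 and 2/6 with no diff content, which looks like a rebase artifact.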
From: Lars Kellogg-Stedman
Date: Thu, 23 Jun 2022 10:53:53 -0400
Subject: [PATCH 4/6] Configure nerc-ocp-infra to sync ocp-on-nerc github groups Remove static members of cluster-admins group and configure RBAC for nerc-ops group instead.
From d267e550518d4effd651cf113ca6de97132d26ce Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman
Date: Mon, 27 Jun 2022 07:28:35 -0400
Subject: [PATCH 5/6] Allow cluster admins to create portforwards
---
 .../clusterrolebinding.yaml | 12 ++++++++++++
 .../kustomization.yaml | 4 ++++
 .../allow-portforward-all/clusterrole.yaml | 11 +++++++++++
 .../allow-portforward-all/kustomization.yaml | 4 ++++
 .../bundles/cluster-admin-rbac/kustomization.yaml | 2 ++
 5 files changed, 33 insertions(+)
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/clusterrolebinding.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/kustomization.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/clusterrole.yaml
 create mode 100644 cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/kustomization.yaml
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/clusterrolebinding.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/clusterrolebinding.yaml
new file mode 100644
index 00000000..ccb4e4fb
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-admins-nerc-portforward
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: allow-portforward-all
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: cluster-admins
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/kustomization.yaml
new file mode 100644
index 00000000..464a5f99
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterrolebinding.yaml
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/clusterrole.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/clusterrole.yaml
new file mode 100644
index 00000000..17b14dd4
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: allow-portforward-all
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "pods/portforward"
+ verbs:
+ - "*"
diff --git a/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/kustomization.yaml b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/kustomization.yaml
new file mode 100644
index 00000000..69b27f0b
--- /dev/null
+++ b/cluster-scope/base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterrole.yaml
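Review bot: `verbs: - "*"` on `pods/portforward` in clusterrole.yaml grants every verb to a subresource that only serves the `get`/`create` connect path (`oc port-forward` issues `create`), so the wildcard adds nothing a user can exercise but does trip wildcard-verb checks in RBAC policy scanners and invites copy-paste into wider roles; change that line to `- create`. The rule's scope is otherwise tight — `apiGroups: [""]` with the single subresource — and a one-line comment above `rules:` such as `# only what oc/kubectl port-forward needs; do not widen to other pod subresources` would keep a later edit from re-broadening it. The binding in the same commit attaches this role to `cluster-admins`, and patch 6/6 attaches it to the GitHub-synced `nerc-ops` group, where least privilege matters more.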
diff --git a/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml b/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
index c5a71773..e1916ceb 100644
--- a/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
+++ b/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
@@ -4,3 +4,5 @@ resources:
 - ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer
 - ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader
 - ../../base/user.openshift.io/groups/cluster-admins
+- ../../base/rbac.authorization.k8s.io/clusterroles/allow-portforward-all
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-portforward
From 8995691b103036b92e5022e4fc53bfee6aefa637 Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman
Date: Mon, 27 Jun 2022 08:10:09 -0400
Subject: [PATCH 6/6] Add portforward permissions to nerc-ops group
---
 .../clusterrolebindings/nerc-ops-portforward.yaml | 12 ++++++++++++
 .../overlays/nerc-ocp-infra/kustomization.yaml | 1 +
 2 files changed, 13 insertions(+)
 create mode 100644 cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml
new file mode 100644
index 00000000..66943b35
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: nerc-ops-portforward
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: allow-portforward-all
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: nerc-ops
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
index 1a35fb7c..c4ebf9c7 100644
--- a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - groupsyncs/github-ocp-on-nerc.yaml
 - clusterrolebindings/nerc-ops-cluster-reader.yaml
 - clusterrolebindings/nerc-ops-sudoers.yaml
+- clusterrolebindings/nerc-ops-portforward.yaml
 patches:
 - path: oauths/cluster_patch.yaml