fix(module): fix user API RBAC (#116)
Signed-off-by: Pavel Tishkov <[email protected]>
fl64 authored Jun 4, 2024
1 parent 35504ea commit 460f069
Showing 3 changed files with 146 additions and 27 deletions.
38 changes: 38 additions & 0 deletions docs/README.md
Expand Up @@ -88,3 +88,41 @@ The virtual machine runs inside the Pod, which allows you to manage virtual mach
### Virtual Machine Operations

The `VirtualMachineOperations` resource is intended for declarative control of virtual machine state changes. The resource allows you to perform the following actions on virtual machines: Start, Stop, Restart.

## Role Model

The following user roles are provided for managing module resources:

- User
- PrivilegedUser
- Editor
- Admin
- ClusterEditor
- ClusterAdmin.

The following table shows the access matrix for these roles

| Abbreviation | Verb | Kubernetes verbs |
| ------------ | ------ | ------------------------ |
| C | create | create |
| R | read | get,list,watch |
| U | update | patch, update |
| D | delete | delete, deletecollection |

| Resource | User | PrivilegedUser | Editor | Admin | ClusterEditor | ClusterAdmin |
| ------------------------------------ | ---- | -------------- | ------ | ----- | ------------- | ------------ |
| virtualmachines | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachinedisks | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachineimages | R | R | R | CRUD | CRUD | CRUD |
| clustervirtualmachineimages | R | R | R | R | CRUD | CRUD |
| virtualmachineblockdeviceattachments | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachineoperations | R | CR | CRUD | CRUD | CRUD | CRUD |
| virtualmachineipaddressclaims | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachineipaddressleases | - | - | - | R | R | CRUD |
| virtualmachinecpumodel | R | R | R | R | CRUD | CRUD |

| d8 cli | User | PrivilegedUser | Editor | Admin | ClusterEditor | ClusterAdmin |
| ----------------------------- | ---- | -------------- | ------ | ----- | ------------- | ------------ |
| d8 v console | N | Y | Y | Y | Y | Y |
| d8 v ssh / scp / port-forward | N | Y | Y | Y | Y | Y |
| d8 v vnc | N | Y | Y | Y | Y | Y |
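Review bot: the resource names in the new access matrix do not match the resource names the ClusterRoles in this same commit actually grant. The table lists `virtualmachinedisks`, `virtualmachineimages`, `clustervirtualmachineimages` and `virtualmachinecpumodel`, while `templates/user-authz-cluster-roles.yaml` grants `virtualdisks`, `virtualimages`, `clustervirtualimages` and `virtualmachinecpumodels`; anyone verifying the matrix with `kubectl auth can-i` against the documented names gets wrong answers, so use the API resource names from the template. Two smaller points: drop the trailing period after `- ClusterAdmin.` so the list is consistent, and end "The following table shows the access matrix for these roles" with a colon. Since the CRUD column for a higher role only holds if the access levels are cumulative (Editor's `virtualmachines` CRUD is what gives Admin its write access in the YAML), a sentence saying that each role includes the permissions of the ones before it would make the matrix accurate as written.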
38 changes: 38 additions & 0 deletions docs/README_RU.md
Expand Up @@ -96,3 +96,41 @@ Cоздание дисков для виртуальных машины обес
### Операции над виртуальными машинами

Ресурс `VirtualMachineOperations` предназначен для декларативного управления изменением состоянием виртуальной машины. Ресурс позволяет выполнять следующие действия над виртуальными машинами: Запуск (Start), Остановка(Stop), Рестарт(Restart).

## Ролевая модель

Для управления ресурсами модуля предусмотрены следующие роли пользователей:

- Пользователь (User)
- Привилегированный пользователь (PrivilegedUser)
- Редактор (Editor)
- Администратор (Admin)
- Редактор кластера (ClusterEditor)
- Администратор кластера (ClusterAdmin)

Далее таблице представлены матрица доступа для данных ролей

| Сокращение | Операция | Соответствующая операция Kubernetes |
| ---------- | -------- | ----------------------------------- |
| C | create | create |
| R | read | get,list,watch |
| U | update | patch, update |
| D | delete | delete, deletecollection |

| Resource | User | PrivilegedUser | Editor | Admin | ClusterEditor | ClusterAdmin |
| ------------------------------------ | ---- | -------------- | ------ | ----- | ------------- | ------------ |
| virtualmachines | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachinedisks | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachineimages | R | R | R | CRUD | CRUD | CRUD |
| clustervirtualmachineimages | R | R | R | R | CRUD | CRUD |
| virtualmachineblockdeviceattachments | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachineoperations | R | CR | CRUD | CRUD | CRUD | CRUD |
| virtualmachineipaddressclaims | R | R | CRUD | CRUD | CRUD | CRUD |
| virtualmachineipaddressleases | - | - | - | R | R | CRUD |
| virtualmachinecpumodel | R | R | R | R | CRUD | CRUD |

| d8 cli | User | PrivilegedUser | Editor | Admin | ClusterEditor | ClusterAdmin |
| ----------------------------- | ---- | -------------- | ------ | ----- | ------------- | ------------ |
| d8 v console | N | Y | Y | Y | Y | Y |
| d8 v ssh / scp / port-forward | N | Y | Y | Y | Y | Y |
| d8 v vnc | N | Y | Y | Y | Y | Y |
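Review bot: the same naming mismatch as in `docs/README.md` applies here (the matrix lists `virtualmachinedisks`, `virtualmachineimages`, `clustervirtualmachineimages`, `virtualmachinecpumodel`; the ClusterRoles grant `virtualdisks`, `virtualimages`, `clustervirtualimages`, `virtualmachinecpumodels`), so the Russian table needs the template's resource names too. Language fixes in the same hunk: "Далее таблице представлены матрица доступа для данных ролей" should read "Далее в таблице представлена матрица доступа для данных ролей:"; "Остановка(Stop), Рестарт(Restart)" is missing spaces before the parentheses; and the first column header is left in English as `Resource` while the other headers of this file are in Russian (`Сокращение`, `Операция`), so use `Ресурс` for consistency.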
97 changes: 70 additions & 27 deletions templates/user-authz-cluster-roles.yaml
Expand Up @@ -10,14 +10,22 @@ rules:
- apiGroups:
- virtualization.deckhouse.io
resources:
- virtualmachines
- clustervirtualimages
- virtualdisks
- virtualimages
- virtualmachinecpumodels
- virtualmachineipaddressleases
- virtualmachineipaddressclaims
- virtualmachineblockdeviceattachments
- virtualmachineipaddressclaims
- virtualmachinecpumodels
- virtualmachineoperations
verbs:
- get
- list
- watch
- apiGroups:
- subresources.virtualization.deckhouse.io
resources:
- virtualmachines
- clustervirtualimages
verbs:
- get
- list
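Review bot: this rendering shows old and new resource lists without `+`/`-` markers, and the user role's read list contains `virtualmachineipaddressleases` (L114) alongside a repeated `virtualmachineipaddressclaims` / `virtualmachinecpumodels` pair, so confirm that the leases entry is on the removed side: the README matrix added in this commit gives User (and every role up to Editor) no access at all to `virtualmachineipaddressleases`, and the explicit `get`/`list`/`watch` rule for leases now lives in the admin role. The new `subresources.virtualization.deckhouse.io` rule with `get`/`list` on `virtualmachines` and `clustervirtualimages` is what the matrix's R entries for User depend on, so it should stay next to the main resource rule rather than being moved later.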
Expand All @@ -31,31 +39,21 @@ metadata:
name: d8:user-authz:virtualization:privileged-user
{{- include "helm_lib_module_labels" (list .) | nindent 2 }}
rules:

- apiGroups:
- subresources.kubevirt.io
- virtualization.deckhouse.io
resources:
- virtualmachineinstances/console
- virtualmachineinstances/vnc
- virtualmachineinstances/vnc/screenshot
- virtualmachineinstances/guestosinfo
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineoperations
verbs:
- get
- create
- apiGroups:
- subresources.kubevirt.io
- subresources.virtualization.deckhouse.io
resources:
- virtualmachineinstances/softreboot
- virtualmachineinstances/pause
- virtualmachineinstances/unpause
- virtualmachines/restart
- virtualmachines/start
- virtualmachines/stop
- virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume
- virtualmachineinstances/freeze
- virtualmachines/console
- virtualmachines/vnc
- virtualmachines/portforward
verbs:
- get
- create
- update
---
apiVersion: rbac.authorization.k8s.io/v1
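Review bot: the old `subresources.kubevirt.io` rules granted `virtualmachineinstances/vnc/screenshot`, `guestosinfo`, `filesystemlist`, `userlist`, `softreboot`, `pause`, `unpause`, `addvolume`, `removevolume` and `freeze`, and none of them has an equivalent in the new `subresources.virtualization.deckhouse.io` list (`restart`, `start`, `stop`, `console`, `vnc`, `portforward`). If dropping them is intentional the commit message should say so, since "fix user API RBAC" reads as a pure correction; if `d8 v` still calls any of them, PrivilegedUser loses functionality the README's `d8 cli` table promises. The `get`/`create` pair on `virtualmachineoperations` matches the matrix's `CR` entry, so that part is consistent. Style nit: the blank line left directly under `rules:` should go.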
Expand All @@ -69,19 +67,44 @@ rules:
- apiGroups:
- virtualization.deckhouse.io
resources:
- virtualmachines
- virtualdisks
- virtualimages
- virtualmachinecpumodels
- virtualmachineipaddressleases
- virtualmachineipaddressclaims
- virtualmachineblockdeviceattachments
- virtualmachineipaddressclaims
- virtualmachineoperations
verbs:
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
user-authz.deckhouse.io/access-level: Admin
name: d8:user-authz:virtualization:admin
{{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-controller")) | nindent 2 }}
rules:
- apiGroups:
- virtualization.deckhouse.io
resources:
- virtualmachines
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- virtualization.deckhouse.io
resources:
- virtualmachineipaddressleases
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
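Review bot: the editor role grants `create`, `delete`, `deletecollection`, `patch` and `update` on `virtualimages`, but the README matrix added in this same commit lists `virtualmachineimages` as read-only for Editor with CRUD starting at Admin; either move `virtualimages` into the new admin ClusterRole or correct the table, because the two halves of this commit currently disagree on who may create images. Two further points in the new admin role: its `virtualmachines` rule duplicates verbs the editor role already grants (fine if the access levels are cumulative, but then it is dead weight, and if they are not cumulative the editor role's other resources are also missing here), and its labels are rendered with `(list . (dict "app" "virtualization-controller"))` while the user and privileged-user roles use `(list .)`; pick one form for all six roles so label selectors behave the same.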
Expand All @@ -95,6 +118,26 @@ rules:
- virtualization.deckhouse.io
resources:
- clustervirtualimages
- virtualmachinecpumodels
verbs:
- create
- delete
- deletecollection
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
user-authz.deckhouse.io/access-level: ClusterAdmin
name: d8:user-authz:virtualization:cluster-admin
{{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-controller")) | nindent 2 }}
rules:
- apiGroups:
- virtualization.deckhouse.io
resources:
- virtualmachineipaddressleases
verbs:
- create
- delete
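Review bot: the verb list for `virtualmachineipaddressleases` in the new cluster-admin role is cut off after `delete` in this view, so confirm it continues with `deletecollection`, `patch` and `update` like the other write rules, since the README matrix promises full CRUD on leases to ClusterAdmin. Note also that ClusterEditor's `R` on leases and ClusterAdmin's read access are not granted anywhere in this file except the admin role's `get`/`list`/`watch` rule, so the matrix is only correct if the levels are cumulative; the cluster-editor hunk itself (`clustervirtualimages`, `virtualmachinecpumodels` with write verbs) lines up with the table's ClusterEditor column.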
