OCPBUGS-32348: Allow system:node read config maps in infra namespaces

Host networking services running in on-prem platforms require access to the config map so that their configuration can be parametrized. As those services run as static pods, it is not possible to simply mount the config map from the Pod yaml definition. In order to overcome this, the respecive applications use k8s API calls to retrieve the config map at runtime. Credentials used by those components are `system:node` and by default they do not have access to required config map. In order to overcome this, we are allowing `system:node` to read config maps in the `openshift-*-infra` namespaces.
yuqi-zhang · May 27, 2024 · d42572e · d42572e
1 parent 23015aa
commit d42572e
Showing 1 changed file with 81 additions and 0 deletions.
diff --git a/install/0000_80_machine-config_03_rbac.yaml b/install/0000_80_machine-config_03_rbac.yaml
@@ -71,3 +71,84 @@ subjects:
 - kind: ServiceAccount
   name: prometheus-k8s
   namespace: openshift-monitoring
+---
+# Role host-networking-services lets system:node read config maps. This is needed in order to allow
+# configuring log level (and in the future more parameters) of static pods deployed in the
+# openshift-*-infra namespace.
+# Because host networking components right now only run on on-prem platforms, we create RoleBinding
+# explicitly only in namespaces for OpenStack, BareMetal, vSphere and Nutanix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: host-networking-services
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-networking-system-node
+  namespace: openshift-openstack-infra
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:nodes
+roleRef:
+  kind: ClusterRole
+  name: host-networking-services
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-networking-system-node
+  namespace: openshift-kni-infra
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:nodes
+roleRef:
+  kind: ClusterRole
+  name: host-networking-services
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-networking-system-node
+  namespace: openshift-vsphere-infra
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:nodes
+roleRef:
+  kind: ClusterRole
+  name: host-networking-services
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-networking-system-node
+  namespace: openshift-nutanix-infra
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: system:nodes
+roleRef:
+  kind: ClusterRole
+  name: host-networking-services