I am new to the Kubernetes world but some time ago I developed a Kubernetes operator using OperatorSDK and Golang. I was using cluster-admin role for running the operator pod but now I want to reduce the resources the operator can work with.
Is there some tool that can scan the code of the operator and generate an appropriate ClusterRole? Or is there some clever way to find what resources are used by the operator?
The easiest way is probably to remove all of the permissions and then add each one back based on the errors thrown.
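Added example, not part of the answer above: a small Go program that turns the errors from that trial-and-error loop into a ClusterRole. It scans operator log text for the API server's denial message (cannot VERB resource "RESOURCE" in API group "GROUP"), aggregates the denied verbs per group and resource, and prints RBAC rules limited to exactly what was denied. The log lines, service account name and role name are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// forbiddenRe matches the authorizer's denial text that the API server returns
// and that controller-runtime copies verbatim into the operator's log lines.
var forbiddenRe = regexp.MustCompile(`cannot (\w+) resource "([^"]+)" in API group "([^"]*)"`)

// ruleKey is one (apiGroup, resource) pair; "" is the core group.
type ruleKey struct {
	Group    string
	Resource string
}

// ParseForbidden scans operator log text and returns, for each (group,
// resource) that was denied, the sorted list of denied verbs.
func ParseForbidden(logs string) map[ruleKey][]string {
	seen := map[ruleKey]map[string]bool{}
	for _, line := range strings.Split(logs, "\n") {
		// Structured loggers escape quotes inside the error string; undo that
		// so the regexp sees the same text the API server produced.
		line = strings.ReplaceAll(line, `\"`, `"`)
		for _, m := range forbiddenRe.FindAllStringSubmatch(line, -1) {
			verb, resource, group := m[1], m[2], m[3]
			k := ruleKey{Group: group, Resource: resource}
			if seen[k] == nil {
				seen[k] = map[string]bool{}
			}
			seen[k][verb] = true
		}
	}
	out := make(map[ruleKey][]string, len(seen))
	for k, verbs := range seen {
		list := make([]string, 0, len(verbs))
		for v := range verbs {
			list = append(list, v)
		}
		sort.Strings(list)
		out[k] = list
	}
	return out
}

// RenderClusterRole emits a ClusterRole with one rule per (group, resource),
// granting only the verbs that were actually denied, in a stable order.
func RenderClusterRole(name string, rules map[ruleKey][]string) string {
	keys := make([]ruleKey, 0, len(rules))
	for k := range rules {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool {
		if keys[i].Group != keys[j].Group {
			return keys[i].Group < keys[j].Group
		}
		return keys[i].Resource < keys[j].Resource
	})
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: %s\nrules:\n", name)
	for _, k := range keys {
		fmt.Fprintf(&b, "- apiGroups: [%q]\n  resources: [%q]\n  verbs: [%s]\n", k.Group, k.Resource, quoted(rules[k]))
	}
	return b.String()
}

// quoted renders a YAML flow sequence body: "a", "b".
func quoted(items []string) string {
	q := make([]string, len(items))
	for i, s := range items {
		q[i] = fmt.Sprintf("%q", s)
	}
	return strings.Join(q, ", ")
}

// sampleLog is constructed for this example. The first two lines show the
// reflector being denied list, then (after list was granted) watch; the last
// two are Reconciler errors whose error string the logger quote-escaped.
const sampleLog = `E0315 10:02:11.000001       1 reflector.go:138] Failed to watch *v1.Deployment: failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:webstore-system:webstore-controller-manager" cannot list resource "deployments" in API group "apps" at the cluster scope
E0315 10:03:40.000002       1 reflector.go:138] Failed to watch *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:webstore-system:webstore-controller-manager" cannot watch resource "deployments" in API group "apps" at the cluster scope
E0315 10:03:41.000003       1 controller.go:302] controller/webstore "msg"="Reconciler error" "error"="services \"webstore-svc\" is forbidden: User \"system:serviceaccount:webstore-system:webstore-controller-manager\" cannot create resource \"services\" in API group \"\" in the namespace \"default\""
E0315 10:03:42.000004       1 controller.go:302] controller/webstore "msg"="Reconciler error" "error"="webstores.apps.acme.com \"demo\" is forbidden: User \"system:serviceaccount:webstore-system:webstore-controller-manager\" cannot update resource \"webstores/status\" in API group \"apps.acme.com\" in the namespace \"default\""`

func main() {
	fmt.Print(RenderClusterRole("webstore-controller", ParseForbidden(sampleLog)))
}
```

Expect several rounds: grant what was denied, restart the operator, collect the new denials and regenerate, until a full reconcile runs clean. A reflector that is denied list never gets as far as watch, so the two show up in separate rounds, as in the sample. The denial text also says whether the access was "in the namespace ..." or "at the cluster scope", which tells you when a namespaced Role is enough and a ClusterRole is more than the operator needs.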
Assuming that you need to add privileges to your ClusterRole because your controller is reconciling Kubernetes workloads itself, you could use the operator-builder project (see https://github.com/vmware-tanzu-labs/operator-builder) to do it for you. The code that does this automatically for you is found at https://github.com/vmware-tanzu-labs/operator-builder/blob/main/internal/workload/v1/rbac.go#L104.
The pattern from OperatorSDK will be familiar to what you are currently doing, as OperatorSDK and Operator Builder are both plugins to Kubebuilder and thus follow similar patterns (e.g. <command> init <args> and <command> create api <args>).
EXAMPLE:
Your config (project-specific construct) would look like this:
name: webstore
kind: StandaloneWorkload
spec:
  api:
    domain: acme.com
    group: apps
    version: v1alpha1
    kind: WebStore
    clusterScoped: false
  resources:
    - resources.yaml
Basically your input (resources.yaml from the above config) would be something like this:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webstore-deploy
spec:
  replicas: 2 # +operator-builder:field:name=webStoreReplicas,default=2,type=int
  selector:
    matchLabels:
      app: webstore
  template:
    metadata:
      labels:
        app: webstore
    spec:
      containers:
      - name: webstore-container
        #+operator-builder:field:name=webstoreImage,default="nginx:1.17",type=string,description="Defines the web store image"
        image: nginx:1.17
        ports:
        - containerPort: 8080
---
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; this is the v1 form of the same object.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webstore-ing
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: app.acme.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: webstore-svc # must match the Service below
            port:
              number: 80
---
kind: Service
apiVersion: v1
metadata:
  name: webstore-svc # +operator-builder:field:name=serviceName,type=string,default="webstore-svc"
spec:
  selector:
    app: webstore
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
Running the following commands:
operator-builder init \
    --workload-config <path_to_config> \
    --repo github.com/acme/acme-cnp-mgr \
    --skip-go-version-check
operator-builder create api \
    --workload-config <path_to_config> \
    --controller \
    --resource
Your output would be something like (in the controller file):
// +kubebuilder:rbac:groups=apps.acme.com,resources=webstores,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps.acme.com,resources=webstores/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
When you run the make manifests command, your RBAC is generated based upon the correct Kubebuilder markers.
DISCLAIMER: I am a key contributor to the project and of course think that this will be helpful to automate the generation of RBAC markers. :)
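Added example, not the operator-builder project's own code: a stand-alone Go program that does in miniature what rbac.go does, deriving kubebuilder RBAC markers from the apiVersion and kind of each document in resources.yaml plus the workload's own API group and kind. It uses only the standard library, so the YAML handling is a deliberately minimal column-0 line scan and the Kind-to-resource pluralization is a heuristic rather than an API discovery lookup; the sample manifest is a trimmed copy of the one above.

```go
package main

import (
	"fmt"
	"strings"
)

// resource is one API resource the controller will create or manage.
type resource struct {
	Group string // "core" for the legacy "" group, as kubebuilder markers spell it
	Name  string // plural resource name, e.g. "deployments"
}

// Kinds whose resource name does not follow the simple rules in pluralize.
var irregularPlurals = map[string]string{"endpoints": "endpoints"}

// pluralize derives the plural resource name from a Kind. This is a heuristic;
// production tooling should resolve Kind -> resource through the cluster's
// discovery API (a RESTMapper) instead of guessing.
func pluralize(kind string) string {
	k := strings.ToLower(kind)
	if p, ok := irregularPlurals[k]; ok {
		return p
	}
	switch {
	case strings.HasSuffix(k, "s"), strings.HasSuffix(k, "x"), strings.HasSuffix(k, "ch"), strings.HasSuffix(k, "sh"):
		return k + "es"
	case strings.HasSuffix(k, "y"):
		return k[:len(k)-1] + "ies"
	default:
		return k + "s"
	}
}

// topLevelValue returns the value of a column-0 "key: value" line in one YAML
// document, dropping any trailing comment (operator-builder markers live there).
func topLevelValue(doc, key string) string {
	for _, line := range strings.Split(doc, "\n") {
		if !strings.HasPrefix(line, key+":") {
			continue
		}
		val := strings.TrimPrefix(line, key+":")
		if i := strings.Index(val, " #"); i >= 0 {
			val = val[:i]
		}
		return strings.TrimSpace(val)
	}
	return ""
}

// ResourcesFromManifest walks a multi-document YAML string and returns the
// distinct (group, plural) pairs in first-seen order.
func ResourcesFromManifest(manifest string) []resource {
	var out []resource
	seen := map[resource]bool{}
	for _, doc := range strings.Split(manifest, "\n---") {
		apiVersion, kind := topLevelValue(doc, "apiVersion"), topLevelValue(doc, "kind")
		if apiVersion == "" || kind == "" {
			continue
		}
		group := "core" // apiVersion "v1" with no slash is the core group
		if i := strings.Index(apiVersion, "/"); i >= 0 {
			group = apiVersion[:i]
		}
		r := resource{Group: group, Name: pluralize(kind)}
		if !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

const allVerbs = "get;list;watch;create;update;patch;delete"

// Markers renders kubebuilder RBAC markers: all verbs on the operator's own API
// and on every child resource, get/update/patch on the status subresource.
func Markers(apiGroup, apiKind string, children []resource) []string {
	own := pluralize(apiKind)
	lines := []string{
		fmt.Sprintf("// +kubebuilder:rbac:groups=%s,resources=%s,verbs=%s", apiGroup, own, allVerbs),
		fmt.Sprintf("// +kubebuilder:rbac:groups=%s,resources=%s/status,verbs=get;update;patch", apiGroup, own),
	}
	for _, c := range children {
		lines = append(lines, fmt.Sprintf("// +kubebuilder:rbac:groups=%s,resources=%s,verbs=%s", c.Group, c.Name, allVerbs))
	}
	return lines
}

// sampleManifest is a trimmed copy of the resources.yaml above; only the
// top-level apiVersion and kind of each document matter to this tool.
const sampleManifest = `apiVersion: apps/v1
kind: Deployment
metadata:
  name: webstore-deploy
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webstore-ing
---
kind: Service
apiVersion: v1
metadata:
  name: webstore-svc # +operator-builder:field:name=serviceName,type=string,default="webstore-svc"
`

func main() {
	// Group "apps" under domain "acme.com" is the apps.acme.com API group.
	for _, l := range Markers("apps.acme.com", "WebStore", ResourcesFromManifest(sampleManifest)) {
		fmt.Println(l)
	}
}
```

For the sample it prints the same five markers shown in the answer. Note that every child resource gets the full verb list; before shipping, cut the verbs the controller never uses (for example drop delete if it only creates and updates its children), because the ClusterRole that make manifests generates from these markers is exactly what the operator's service account can do if the pod is compromised.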