Redefine the rbac roles of vineyard operator and update the helm chart (

v6d-io#1286) Redefine the over-request RBAC roles of vineyard operator. Fixes v6d-io#1280 Signed-off-by: Ye Cao <caoye.cao@alibaba-inc.com>
SighingSnow · Apr 10, 2023 · e6885b6 · e6885b6
1 parent 7d1a7c3
commit e6885b6
Show file tree

Hide file tree

Showing 29 changed files with 91 additions and 362 deletions.
diff --git a/charts/vineyard-operator/templates/manager-rbac.yaml b/charts/vineyard-operator/templates/manager-rbac.yaml
@@ -14,7 +14,6 @@ rules:
   - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
@@ -35,7 +34,6 @@ rules:
   - list
   - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -47,7 +45,6 @@ rules:
   - list
   - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -57,9 +54,7 @@ rules:
   - delete
   - get
   - list
-  - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -72,11 +67,10 @@ rules:
   - pods/status
   verbs:
   - create
+  - delete
   - get
   - list
-  - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -86,10 +80,7 @@ rules:
   - create
   - delete
   - get
-  - list
-  - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -98,22 +89,23 @@ rules:
   - create
   - delete
   - get
-  - list
-  - patch
   - update
-  - watch
 - apiGroups:
   - apps
   resources:
   - deployments
   verbs:
   - create
-  - delete
   - get
   - list
-  - patch
   - update
   - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments/status
+  verbs:
+  - get
 - apiGroups:
   - batch
   resources:
@@ -123,7 +115,6 @@ rules:
   - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
@@ -135,9 +126,7 @@ rules:
   - delete
   - get
   - list
-  - patch
   - update
-  - watch
 - apiGroups:
   - k8s.v6d.io
   resources:
@@ -296,13 +285,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings
-  - clusterroles
-  verbs:
-  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/charts/vineyard-operator/templates/vineyardd-crd.yaml b/charts/vineyard-operator/templates/vineyardd-crd.yaml
@@ -46,9 +46,6 @@ spec:
             type: object
           spec:
             properties:
-              createServiceAccount:
-                default: false
-                type: boolean
               etcd:
                 default:
                   replicas: 3
@@ -116,9 +113,6 @@ spec:
                     default: ClusterIP
                     type: string
                 type: object
-              serviceAccountName:
-                default: ""
-                type: string
               vineyardConfig:
                 default:
                   etcdEndpoint: http://etcd-for-vineyard:2379

diff --git a/docs/notes/cloud-native/vineyard-operator.rst b/docs/notes/cloud-native/vineyard-operator.rst
@@ -27,14 +27,20 @@ for installation details), you can effortlessly create a vineyard cluster by uti
 the :code:`Vineyardd` CRD. The following example demonstrates the creation of a vineyard
 cluster with 3 daemon replicas:
 
+.. note::
+
+    The namespace of the vineyard cluster must be the same as the namespace of the
+    vineyard operator, as the vineyard cluster will use the vineyard operator's
+    service account.
+
 .. code:: yaml
 
     $ cat <<EOF | kubectl apply -f -
     apiVersion: k8s.v6d.io/v1alpha1
     kind: Vineyardd
     metadata:
       name: vineyardd-sample
-      # don't use default namespace
+      # use the same namespace as the vineyard operator
       namespace: vineyard-system
     EOF
 
@@ -97,16 +103,6 @@ The detailed configuration entries for creating a vineyard cluster are listed as
          - The replicas of vineyardd.
          - 3
 
-       * - createServiceAccount
-         - bool
-         - Whether to create a service account for vineyardd.
-         - false
-
-       * - serviceAccountName
-         - string
-         - The name of vineyardd's service account.
-         - nil
-
        * - | vineyardConfig.
            | image
          - string
@@ -1186,7 +1182,7 @@ use the following YAML file:
     kind: Vineyardd
     metadata:
       name: vineyardd-sample
-      # don't use default namespace
+      # use the same namespace as the vineyard operator
       namespace: vineyard-system
     spec:
       vineyardConfig:
@@ -1734,7 +1730,9 @@ Failover mechanism of vineyard cluster
 --------------------------------------
 
 If you want to back up data for the current vineyard cluster, you can create a Backup CR to
-perform a backup operation. The main fields are described as follows.
+perform a backup operation. As the Backup CR will use the default service account of the 
+namespace the vineyard operator is deployed, you need to set up the same namespace as
+the vineyard operator. The main fields are described as follows.
 
 .. admonition:: Backup Configurations
    :class: admonition-details
@@ -1819,7 +1817,7 @@ up the data. The following is the yaml file of the backup:
   kind: Backup
   metadata:
     name: backup-sample
-    namespace: backup
+    namespace: vineyard-system
   spec:
     vineyarddName: vineyardd-sample
     vineyarddNamespace: vineyard-system
@@ -1852,10 +1850,10 @@ restore the data in the vineyard cluster, and the recover yaml file is as follow
   kind: Recover
   metadata:
     name: recover-sample
-    namespace: backup
+    namespace: vineyard-system
   spec:
     backupName: backup-sample
-    backupNamespace: backup
+    backupNamespace: vineyard-system
   EOF
 
 Then you could get the Recover's status to get the mapping relationship between the
@@ -1864,8 +1862,8 @@ object ID during backup and the object ID during recovery as follows:
 .. code:: bash
 
   $ kubectl get recover -A
-  NAMESPACE   NAME             MAPPING                                                                                                                     STATE
-  backup      recover-sample   {"o000ef92379fd8850":"o000ef9ea5189718d","o000ef9237a3a5432":"o000ef9eb5d26ad5e","o000ef97a8289973f":"o000ef9ed586ef1d3"}   Succeed
+  NAMESPACE            NAME             MAPPING                                                                                                                     STATE
+  vineyard-system      recover-sample   {"o000ef92379fd8850":"o000ef9ea5189718d","o000ef9237a3a5432":"o000ef9eb5d26ad5e","o000ef97a8289973f":"o000ef9ed586ef1d3"}   Succeed
 
 If you want to get more details about failover of vineyard cluster, please refer
 the `failover e2e test`_.

diff --git a/k8s/apis/k8s/v1alpha1/vineyardd_types.go b/k8s/apis/k8s/v1alpha1/vineyardd_types.go
@@ -203,16 +203,6 @@ type VineyarddSpec struct {
 	// +kubebuilder:default:=3
 	Replicas int `json:"replicas,omitempty"`
 
-	// whether to create the vineyardd's service account
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:default:=false
-	CreateServiceAccount bool `json:"createServiceAccount,omitempty"`
-
-	// vineyardd's service account
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:default:=""
-	ServiceAccountName string `json:"serviceAccountName,omitempty"`
-
 	// vineyardd's service
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default:={type: "ClusterIP", port: 9600, selector: "rpc.vineyardd.v6d.io/rpc=vineyard-rpc"}

diff --git a/k8s/cmd/README.md b/k8s/cmd/README.md
@@ -727,10 +727,8 @@ vineyardctl deploy vineyard-deployment [flags]
       --plugin.distributedAssemblyImage string    the distributed image of vineyard workflow (default "ghcr.io/v6d-io/v6d/distributed-assembly")
       --plugin.localAssemblyImage string          the local assembly image of vineyardd workflow (default "ghcr.io/v6d-io/v6d/local-assembly")
       --plugin.recoverImage string                the recover image of vineyardd (default "ghcr.io/v6d-io/v6d/recover-job")
-      --vineyard.create.serviceAccount            create service account for vineyardd
       --vineyard.etcd.replicas int                the number of etcd replicas in a vineyard cluster (default 3)
       --vineyard.replicas int                     the number of vineyardd replicas (default 3)
-      --vineyard.serviceAccount.name string       the service account name of vineyardd
       --vineyardd.envs strings                    The environment variables of vineyardd
       --vineyardd.etcdEndpoint string             The etcd endpoint of vineyardd (default "http://etcd-for-vineyard:2379")
       --vineyardd.etcdPrefix string               The etcd prefix of vineyardd (default "/vineyard")
@@ -862,10 +860,8 @@ vineyardctl deploy vineyardd [flags]
       --plugin.distributedAssemblyImage string    the distributed image of vineyard workflow (default "ghcr.io/v6d-io/v6d/distributed-assembly")
       --plugin.localAssemblyImage string          the local assembly image of vineyardd workflow (default "ghcr.io/v6d-io/v6d/local-assembly")
       --plugin.recoverImage string                the recover image of vineyardd (default "ghcr.io/v6d-io/v6d/recover-job")
-      --vineyard.create.serviceAccount            create service account for vineyardd
       --vineyard.etcd.replicas int                the number of etcd replicas in a vineyard cluster (default 3)
       --vineyard.replicas int                     the number of vineyardd replicas (default 3)
-      --vineyard.serviceAccount.name string       the service account name of vineyardd
       --vineyardd.envs strings                    The environment variables of vineyardd
       --vineyardd.etcdEndpoint string             The etcd endpoint of vineyardd (default "http://etcd-for-vineyard:2379")
       --vineyardd.etcdPrefix string               The etcd prefix of vineyardd (default "/vineyard")
@@ -1147,3 +1143,13 @@ vineyardctl schedule workload [flags]
       --vineyardd-namespace string   the namespace of vineyard cluster (default "vineyard-system")
 ```
 
+
+ Options
+
+```
+  -h, --help                         help for workload
+      --resource string              the json string of kubernetes workload
+      --vineyardd-name string        the namespace of vineyard cluster (default "vineyardd-sample")
+      --vineyardd-namespace string   the namespace of vineyard cluster (default "vineyard-system")
+```
+
diff --git a/k8s/cmd/commands/flags/vineyardd_flags.go b/k8s/cmd/commands/flags/vineyardd_flags.go
@@ -145,12 +145,6 @@ func ApplyVineyarddOpts(cmd *cobra.Command) {
 	// setup the vineyardd configuration
 	cmd.Flags().IntVarP(&VineyarddOpts.Replicas, "vineyard.replicas", "", 3,
 		"the number of vineyardd replicas")
-	cmd.Flags().BoolVarP(&VineyarddOpts.CreateServiceAccount,
-		"vineyard.create.serviceAccount", "", false,
-		"create service account for vineyardd")
-	cmd.Flags().StringVarP(&VineyarddOpts.ServiceAccountName,
-		"vineyard.serviceAccount.name",
-		"", "", "the service account name of vineyardd")
 	cmd.Flags().IntVarP(&VineyarddOpts.Etcd.Replicas, "vineyard.etcd.replicas",
 		"", 3, "the number of etcd replicas in a vineyard cluster")
 	cmd.Flags().StringVarP(&VineyarddFile, "file", "f", "", "the path of vineyardd")

diff --git a/k8s/config/crd/bases/k8s.v6d.io_vineyardds.yaml b/k8s/config/crd/bases/k8s.v6d.io_vineyardds.yaml
@@ -34,9 +34,6 @@ spec:
             type: object
           spec:
             properties:
-              createServiceAccount:
-                default: false
-                type: boolean
               etcd:
                 default:
                   replicas: 3
@@ -104,9 +101,6 @@ spec:
                     default: ClusterIP
                     type: string
                 type: object
-              serviceAccountName:
-                default: ""
-                type: string
               vineyardConfig:
                 default:
                   etcdEndpoint: http://etcd-for-vineyard:2379