github.com/argoproj-labs/argocd-operator@v0.10.0/controllers/argocd/policyrule.go (about) 1 package argocd 2 3 import ( 4 "fmt" 5 6 "golang.org/x/mod/semver" 7 8 "github.com/argoproj-labs/argocd-operator/common" 9 10 v1 "k8s.io/api/rbac/v1" 11 "sigs.k8s.io/controller-runtime/pkg/client" 12 ) 13 14 func policyRuleForApplicationController() []v1.PolicyRule { 15 16 return []v1.PolicyRule{ 17 { 18 APIGroups: []string{ 19 "*", 20 }, 21 Resources: []string{ 22 "*", 23 }, 24 Verbs: []string{ 25 "*", 26 }, 27 }, 28 } 29 } 30 31 func policyRuleForRedis(client client.Client) []v1.PolicyRule { 32 rules := []v1.PolicyRule{} 33 34 // Need additional policy rules if we are running on openshift, else the stateful set won't have the right 35 // permissions to start 36 rules = appendOpenShiftNonRootSCC(rules, client) 37 38 return rules 39 } 40 41 func policyRuleForRedisHa(client client.Client) []v1.PolicyRule { 42 43 rules := []v1.PolicyRule{ 44 { 45 APIGroups: []string{ 46 "", 47 }, 48 Resources: []string{ 49 "endpoints", 50 }, 51 Verbs: []string{ 52 "get", 53 }, 54 }, 55 } 56 57 // Need additional policy rules if we are running on openshift, else the stateful set won't have the right 58 // permissions to start 59 rules = appendOpenShiftNonRootSCC(rules, client) 60 61 return rules 62 } 63 64 func policyRuleForDexServer() []v1.PolicyRule { 65 66 return []v1.PolicyRule{ 67 { 68 APIGroups: []string{ 69 "", 70 }, 71 Resources: []string{ 72 "secrets", 73 "configmaps", 74 }, 75 Verbs: []string{ 76 "get", 77 "list", 78 "watch", 79 }, 80 }, 81 } 82 } 83 84 func policyRuleForServer() []v1.PolicyRule { 85 return []v1.PolicyRule{ 86 { 87 APIGroups: []string{ 88 "*", 89 }, 90 Resources: []string{ 91 "*", 92 }, 93 Verbs: []string{ 94 "get", 95 "patch", 96 "delete", 97 }, 98 }, 99 { 100 APIGroups: []string{ 101 "", 102 }, 103 Resources: []string{ 104 "secrets", 105 "configmaps", 106 }, 107 Verbs: []string{ 108 "create", 109 "get", 110 "list", 111 "watch", 112 "update", 113 "patch", 114 "delete", 115 }, 116 }, { 117 APIGroups: []string{ 118 "argoproj.io", 119 }, 120 Resources: []string{ 121 "applications", 122 "applicationsets", 123 "appprojects", 124 }, 125 Verbs: []string{ 126 "create", 127 "get", 128 "list", 129 "watch", 130 "update", 131 "delete", 132 "patch", 133 }, 134 }, 135 { 136 APIGroups: []string{ 137 "", 138 }, 139 Resources: []string{ 140 "events", 141 }, 142 Verbs: []string{ 143 "create", 144 "list", 145 }, 146 }, 147 { 148 APIGroups: []string{ 149 "batch", 150 }, 151 Resources: []string{ 152 "jobs", 153 }, 154 Verbs: []string{ 155 "create", 156 }, 157 }, 158 } 159 } 160 161 func policyRuleForNotificationsController() []v1.PolicyRule { 162 return []v1.PolicyRule{ 163 164 { 165 APIGroups: []string{ 166 "argoproj.io", 167 }, 168 Resources: []string{ 169 "applications", 170 "appprojects", 171 }, 172 Verbs: []string{ 173 "get", 174 "list", 175 "patch", 176 "update", 177 "watch", 178 }, 179 }, 180 { 181 APIGroups: []string{ 182 "", 183 }, 184 Resources: []string{ 185 "configmaps", 186 "secrets", 187 }, 188 Verbs: []string{ 189 "list", 190 "watch", 191 }, 192 }, 193 { 194 APIGroups: []string{ 195 "", 196 }, 197 ResourceNames: []string{ 198 "argocd-notifications-cm", 199 }, 200 Resources: []string{ 201 "configmaps", 202 }, 203 Verbs: []string{ 204 "get", 205 }, 206 }, 207 { 208 APIGroups: []string{ 209 "", 210 }, 211 ResourceNames: []string{ 212 "argocd-notifications-secret", 213 }, 214 Resources: []string{ 215 "secrets", 216 }, 217 Verbs: []string{ 218 "get", 219 }, 220 }, 221 } 222 } 223 224 func policyRuleForServerApplicationSourceNamespaces() []v1.PolicyRule { 225 return []v1.PolicyRule{ 226 { 227 APIGroups: []string{ 228 "argoproj.io", 229 }, 230 Resources: []string{ 231 "applications", 232 }, 233 Verbs: []string{ 234 "create", 235 "get", 236 "list", 237 "patch", 238 "update", 239 "watch", 240 "delete", 241 }, 242 }, 243 { 244 APIGroups: []string{ 245 "batch", 246 }, 247 Resources: []string{ 248 "jobs", 249 }, 250 Verbs: []string{ 251 "create", 252 }, 253 }, 254 } 255 } 256 257 func policyRuleForServerClusterRole() []v1.PolicyRule { 258 return []v1.PolicyRule{ 259 { 260 APIGroups: []string{ 261 "*", 262 }, 263 Resources: []string{ 264 "*", 265 }, 266 Verbs: []string{ 267 "get", 268 "delete", 269 "patch", 270 }, 271 }, 272 { 273 APIGroups: []string{ 274 "argoproj.io", 275 }, 276 Resources: []string{ 277 "applications", 278 "applicationsets", 279 }, 280 Verbs: []string{ 281 "list", 282 "watch", 283 }, 284 }, 285 { 286 APIGroups: []string{ 287 "", 288 }, 289 Resources: []string{ 290 "events", 291 }, 292 Verbs: []string{ 293 "list", 294 }, 295 }, 296 { 297 APIGroups: []string{ 298 "batch", 299 }, 300 Resources: []string{ 301 "jobs", 302 }, 303 Verbs: []string{ 304 "create", 305 }, 306 }, 307 } 308 } 309 310 func getPolicyRuleList(client client.Client) []struct { 311 name string 312 policyRule []v1.PolicyRule 313 } { 314 return []struct { 315 name string 316 policyRule []v1.PolicyRule 317 }{ 318 { 319 name: common.ArgoCDApplicationControllerComponent, 320 policyRule: policyRuleForApplicationController(), 321 }, { 322 name: common.ArgoCDDexServerComponent, 323 policyRule: policyRuleForDexServer(), 324 }, { 325 name: common.ArgoCDServerComponent, 326 policyRule: policyRuleForServer(), 327 }, { 328 name: common.ArgoCDRedisHAComponent, 329 policyRule: policyRuleForRedisHa(client), 330 }, { 331 name: common.ArgoCDRedisComponent, 332 policyRule: policyRuleForRedis(client), 333 }, 334 } 335 } 336 337 func getPolicyRuleClusterRoleList() []struct { 338 name string 339 policyRule []v1.PolicyRule 340 } { 341 return []struct { 342 name string 343 policyRule []v1.PolicyRule 344 }{ 345 { 346 name: common.ArgoCDApplicationControllerComponent, 347 policyRule: policyRuleForApplicationController(), 348 }, { 349 name: common.ArgoCDServerComponent, 350 policyRule: policyRuleForServerClusterRole(), 351 }, 352 } 353 } 354 355 func appendOpenShiftNonRootSCC(rules []v1.PolicyRule, client client.Client) []v1.PolicyRule { 356 if IsVersionAPIAvailable() { 357 // Starting with OpenShift 4.11, we need to use the resource name "nonroot-v2" instead of "nonroot" 358 resourceName := "nonroot" 359 version, err := getClusterVersion(client) 360 if err != nil { 361 log.Error(err, "couldn't get OpenShift version") 362 } 363 if version == "" || semver.Compare(fmt.Sprintf("v%s", version), "v4.10.999") > 0 { 364 resourceName = "nonroot-v2" 365 } 366 orules := v1.PolicyRule{ 367 APIGroups: []string{ 368 "security.openshift.io", 369 }, 370 ResourceNames: []string{ 371 resourceName, 372 }, 373 Resources: []string{ 374 "securitycontextconstraints", 375 }, 376 Verbs: []string{ 377 "use", 378 }, 379 } 380 rules = append(rules, orules) 381 } 382 return rules 383 } 384 385 func policyRuleForApplicationSetController() []v1.PolicyRule { 386 return []v1.PolicyRule{ 387 // ApplicationSet 388 { 389 APIGroups: []string{"argoproj.io"}, 390 Resources: []string{ 391 "applications", 392 "applicationsets", 393 "applicationsets/finalizers", 394 }, 395 Verbs: []string{ 396 "create", 397 "delete", 398 "get", 399 "list", 400 "patch", 401 "update", 402 "watch", 403 }, 404 }, 405 // ApplicationSet Status 406 { 407 APIGroups: []string{"argoproj.io"}, 408 Resources: []string{ 409 "applicationsets/status", 410 }, 411 Verbs: []string{ 412 "get", 413 "patch", 414 "update", 415 }, 416 }, 417 // AppProjects 418 { 419 APIGroups: []string{"argoproj.io"}, 420 Resources: []string{ 421 "appprojects", 422 }, 423 Verbs: []string{ 424 "get", 425 }, 426 }, 427 428 // Events 429 { 430 APIGroups: []string{""}, 431 Resources: []string{ 432 "events", 433 }, 434 Verbs: []string{ 435 "create", 436 "get", 437 "list", 438 "patch", 439 "watch", 440 }, 441 }, 442 443 // ConfigMaps 444 { 445 APIGroups: []string{""}, 446 Resources: []string{ 447 "configmaps", 448 }, 449 Verbs: []string{ 450 "create", 451 "update", 452 "delete", 453 "get", 454 "list", 455 "patch", 456 "watch", 457 }, 458 }, 459 460 // Secrets 461 { 462 APIGroups: []string{""}, 463 Resources: []string{ 464 "secrets", 465 }, 466 Verbs: []string{ 467 "get", 468 "list", 469 "watch", 470 }, 471 }, 472 473 // Deployments 474 { 475 APIGroups: []string{"apps", "extensions"}, 476 Resources: []string{ 477 "deployments", 478 }, 479 Verbs: []string{ 480 "get", 481 "list", 482 "watch", 483 }, 484 }, 485 486 // leases 487 { 488 APIGroups: []string{"coordination.k8s.io"}, 489 Resources: []string{ 490 "leases", 491 }, 492 Verbs: []string{ 493 "create", 494 "delete", 495 "get", 496 "list", 497 "patch", 498 "update", 499 "watch", 500 }, 501 }, 502 } 503 } 504 505 func policyRuleForServerApplicationSetSourceNamespaces() []v1.PolicyRule { 506 return []v1.PolicyRule{ 507 { 508 APIGroups: []string{ 509 "argoproj.io", 510 }, 511 Resources: []string{ 512 "applicationsets", 513 }, 514 Verbs: []string{ 515 "create", 516 "get", 517 "list", 518 "patch", 519 "update", 520 "watch", 521 "delete", 522 }, 523 }, 524 } 525 }