apecloud / kubeblocks

KubeBlocks is an open-source control plane software that runs and manages databases, message queues and other stateful applications on K8s.
https://kubeblocks.io
GNU Affero General Public License v3.0

[Improvement] use kubeconfig with only a certain namespace permission to test the function of kbcli #2295

Closed ldming closed 1 year ago

ldming commented 1 year ago

Is your improvement request related to a problem? Please describe.

Currently, we always use the superuser kubeconfig with kbcli, but in most cases users may only have permissions for a certain namespace (for example, on sealos). We should test kbcli using this kind of kubeconfig.

The role should have authorization to access KubeBlocks cluster-level resources, such as CRD:

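# ClusterRole rather than Role: CRDs are cluster-scoped, and a namespaced
# Role cannot grant access to them. Bind it with a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: read-crd-role
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch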

Get all cluster-level resources:

kubectl api-resources --namespaced=false 

NAME                              SHORTNAMES          APIVERSION                              NAMESPACED   KIND
componentstatuses                 cs                  v1                                      false        ComponentStatus
namespaces                        ns                  v1                                      false        Namespace
nodes                             no                  v1                                      false        Node
persistentvolumes                 pv                  v1                                      false        PersistentVolume
mutatingwebhookconfigurations                         admissionregistration.k8s.io/v1         false        MutatingWebhookConfiguration
validatingwebhookconfigurations                       admissionregistration.k8s.io/v1         false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds            apiextensions.k8s.io/v1                 false        CustomResourceDefinition
apiservices                                           apiregistration.k8s.io/v1               false        APIService
clusterdefinitions                cd                  apps.kubeblocks.io/v1alpha1             false        ClusterDefinition
clusterversions                   cv                  apps.kubeblocks.io/v1alpha1             false        ClusterVersion
configconstraints                 cc                  apps.kubeblocks.io/v1alpha1             false        ConfigConstraint
tokenreviews                                          authentication.k8s.io/v1                false        TokenReview
selfsubjectaccessreviews                              authorization.k8s.io/v1                 false        SelfSubjectAccessReview
selfsubjectrulesreviews                               authorization.k8s.io/v1                 false        SelfSubjectRulesReview
subjectaccessreviews                                  authorization.k8s.io/v1                 false        SubjectAccessReview
certificatesigningrequests        csr                 certificates.k8s.io/v1                  false        CertificateSigningRequest
backuppolicytemplates                                 dataprotection.kubeblocks.io/v1alpha1   false        BackupPolicyTemplate
backuptools                                           dataprotection.kubeblocks.io/v1alpha1   false        BackupTool
addons                                                extensions.kubeblocks.io/v1alpha1       false        Addon
flowschemas                                           flowcontrol.apiserver.k8s.io/v1beta2    false        FlowSchema
prioritylevelconfigurations                           flowcontrol.apiserver.k8s.io/v1beta2    false        PriorityLevelConfiguration
ingressclasses                                        networking.k8s.io/v1                    false        IngressClass
runtimeclasses                                        node.k8s.io/v1                          false        RuntimeClass
clusterrolebindings                                   rbac.authorization.k8s.io/v1            false        ClusterRoleBinding
clusterroles                                          rbac.authorization.k8s.io/v1            false        ClusterRole
priorityclasses                   pc                  scheduling.k8s.io/v1                    false        PriorityClass
volumesnapshotclasses             vsclass,vsclasses   snapshot.storage.k8s.io/v1              false        VolumeSnapshotClass
volumesnapshotcontents            vsc,vscs            snapshot.storage.k8s.io/v1              false        VolumeSnapshotContent
csidrivers                                            storage.k8s.io/v1                       false        CSIDriver
csinodes                                              storage.k8s.io/v1                       false        CSINode
storageclasses                    sc                  storage.k8s.io/v1                       false        StorageClass
volumeattachments                                     storage.k8s.io/v1                       false        VolumeAttachment

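A namespace-restricted identity of the kind this issue asks to test with, as an added example that is not part of the original issue or of KubeBlocks' own manifests. Cluster-scoped resources such as CRDs can only be granted through a ClusterRole bound with a ClusterRoleBinding, so the manifest pairs a namespaced Role with a read-only ClusterRole built from the KubeBlocks entries in the `kubectl api-resources --namespaced=false` listing. The namespace `tenant-a`, the ServiceAccount `kbcli-tester` and the `kb-tenant-*` names are hypothetical, the namespace is assumed to exist already, and only KubeBlocks API groups are covered (core resources such as pods or secrets would need their own namespaced rules).

```yaml
# Added example (not KubeBlocks' own manifests); tenant-a, kbcli-tester and
# the kb-tenant-* names are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata: {name: kbcli-tester, namespace: tenant-a}
---
# Namespaced rights: a RoleBinding only takes effect inside tenant-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: kb-tenant-namespaced, namespace: tenant-a}
rules:
# Assumption: the tenant manages every namespaced KubeBlocks object; narrow as needed.
- apiGroups: ["apps.kubeblocks.io", "dataprotection.kubeblocks.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: kb-tenant-namespaced, namespace: tenant-a}
subjects:
- {kind: ServiceAccount, name: kbcli-tester, namespace: tenant-a}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: kb-tenant-namespaced}
---
# Read-only access to the KubeBlocks cluster-scoped resources and CRDs
# (resource names taken from the api-resources listing). No write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: kb-tenant-cluster-read}
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps.kubeblocks.io"]
  resources: ["clusterdefinitions", "clusterversions", "configconstraints"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["dataprotection.kubeblocks.io"]
  resources: ["backuppolicytemplates", "backuptools"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions.kubeblocks.io"]
  resources: ["addons"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: kb-tenant-cluster-read}
subjects:
- {kind: ServiceAccount, name: kbcli-tester, namespace: tenant-a}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: kb-tenant-cluster-read}
```

To confirm the boundary before running kbcli with this identity, `kubectl auth can-i list customresourcedefinitions --as=system:serviceaccount:tenant-a:kbcli-tester` should answer yes, while the same check with `delete clusterdefinitions` or with `-n default` on a namespaced resource should answer no.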

ahjing99 commented 1 year ago

I have tested all the kbcli cluster -h commands, and opened issues above

ahjing99 commented 1 year ago

Closing as test is done