From 805cdf7ff94bf00bfd0f2e14c33fb603b90c99ea Mon Sep 17 00:00:00 2001 From: Swarup Ghosh Date: Mon, 25 Aug 2025 17:13:53 +0530 Subject: [PATCH 1/4] Minimal possible get/list RBAC for mg-admin SA Signed-off-by: Swarup Ghosh --- deploy/05_must-gather-admin.ClusterRole.yaml | 426 +++++++++++++++++- ..._must-gather-admin.ClusterRoleBinding.yaml | 2 +- .../05_must-gather-minimal.ClusterRole.yaml | 425 +++++++++++++++++ ..._must-gather-admin.ClusterRoleBinding.yaml | 2 +- 4 files changed, 845 insertions(+), 10 deletions(-) create mode 100644 examples/other_resources/05_must-gather-minimal.ClusterRole.yaml diff --git a/deploy/05_must-gather-admin.ClusterRole.yaml b/deploy/05_must-gather-admin.ClusterRole.yaml index e85c23915..76aea728e 100644 --- a/deploy/05_must-gather-admin.ClusterRole.yaml +++ b/deploy/05_must-gather-admin.ClusterRole.yaml 
@@ -1,15 +1,425 @@ -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: must-gather-admin + name: must-gather-minimal rules: -- apiGroups: - - '*' +- apiGroups: [""] + resources: + - nodes + - nodes/log # For oc adm node-logs + - nodes/proxy # For accessing node metrics + - pods + - pods/log # For pod logs + - services + - endpoints + - persistentvolumes + - persistentvolumeclaims + - namespaces + - configmaps + - secrets # Limited to service account tokens + - events + - limitranges + - resourcequotas + - replicationcontrollers + - serviceaccounts + verbs: + - get + - list +- apiGroups: [""] + resources: + - pods/exec + verbs: + - create # Required for oc exec +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create # Required for oc cp +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: + - get + - list +- apiGroups: ["storage.k8s.io"] + resources: + - storageclasses + - volumeattachments + - csidrivers + - csinodes + - volumesnapshotclasses + - volumesnapshotcontents + - csistoragecapacities + verbs: + - get + - list +- apiGroups: ["certificates.k8s.io"] + resources: + - certificatesigningrequests + verbs: + - get + - list +- apiGroups: ["apiregistration.k8s.io"] + resources: + - apiservices + verbs: + - get + - list +- apiGroups: ["flowcontrol.apiserver.k8s.io"] + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - list +- apiGroups: [""] + resources: + - projects # OpenShift namespaces + verbs: + - get + - list +- apiGroups: ["config.openshift.io"] + resources: + - clusterversions + - clusteroperators + - networks + - apiservers + - infrastructures + - ingresses + - featuregates + verbs: + - get + - list +- apiGroups: ["operator.openshift.io"] + resources: + - networks + - imagecontentsourcepolicies + - ingresscontrollers + verbs: + - get + - list +- apiGroups: ["quota.openshift.io"] + resources: + - clusterresourcequotas + verbs: + - get + - list +- 
apiGroups: ["machineconfiguration.openshift.io"] + resources: + - machineconfigs + - machineconfigpools + - controllerconfigs + - kubeletconfigs + - machineosbuilds + - machineosconfigs + - machineconfignodes + - pinnedimagesets + verbs: + - get + - list +- apiGroups: ["tuned.openshift.io"] + resources: + - tuneds + verbs: + - get + - list +- apiGroups: ["performance.openshift.io"] + resources: + - performanceprofiles + verbs: + - get + - list +- apiGroups: ["node.k8s.io"] + resources: + - runtimeclasses + verbs: + - get + - list +- apiGroups: ["operators.coreos.com"] + resources: + - subscriptions + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + verbs: + - get + - list +- apiGroups: ["apiserver.openshift.io"] + resources: + - apirequestcounts + verbs: + - get + - list +- apiGroups: ["k8s.ovn.org"] + resources: + - egressips + - adminnetworkpolicies + - baselineadminnetworkpolicies + - routeadvertisements + verbs: + - get + - list +- apiGroups: ["network.openshift.io"] + resources: + - hostsubnets + - netnamespaces + - egressnetworkpolicies + verbs: + - get + - list +- apiGroups: ["cloud.network.openshift.io"] + resources: + - cloudprivateipconfigs + verbs: + - get + - list +- apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - get + - list +- apiGroups: ["policy.networking.k8s.io"] + resources: + - adminnetworkpolicies + - baselineadminnetworkpolicies + verbs: + - get + - list +- apiGroups: ["k8s.cni.cncf.io"] + resources: + - network-attachment-definitions + - multi-networkpolicies + verbs: + - get + - list +- apiGroups: ["whereabouts.cni.cncf.io"] + resources: + - ippools + - overlappingrangeipreservations + verbs: + - get + - list +- apiGroups: ["nmstate.io"] + resources: + - nmstates + - nodenetworkstates + - nodenetworkconfigurationenactments + - nodenetworkconfigurationpolicies + verbs: + - get + - list +- apiGroups: ["sriovnetwork.openshift.io"] resources: - - '*' + - sriovnetworknodepolicies + - 
sriovnetworknodestates + - sriovnetworkpoolconfigs + - sriovnetworks + - sriovoperatorconfigs + - sriovibnetworks verbs: - - '*' + - get + - list +- apiGroups: ["metallb.io"] + resources: + - bgppeers + - bfdprofiles + - bgpadvertisements + - ipaddresspools + - l2advertisements + - communities + - metallbs + verbs: + - get + - list +- apiGroups: ["frrk8s.metallb.io"] + resources: + - frrconfigurations + verbs: + - get + - list +- apiGroups: ["cns.vmware.com"] + resources: + - csinodetopologies + - cnsvspherevolumemigrations + - cnsvolumeoperationrequests + verbs: + - get + - list +- apiGroups: ["aro.openshift.io"] + resources: + - clusters + verbs: + - get + - list +- apiGroups: ["operator.openshift.io"] + resources: + - clustercsidrivers + verbs: + - get + - list +- apiGroups: ["updateservice.operator.openshift.io"] + resources: + - updateservices + verbs: + - get + - list +- apiGroups: ["controlplane.operator.openshift.io"] + resources: + - podnetworkconnectivitychecks + verbs: + - get + - list +- apiGroups: ["k8s.ovn.org"] + resources: + - egressfirewalls + verbs: + - get + - list +- apiGroups: ["ingressnodefirewall.openshift.io"] + resources: + - ingressnodefirewalls + verbs: + - get + - list +- apiGroups: ["apps"] + resources: + - deployments + verbs: + - get # To find insights operator deployment +- apiGroups: ["apps"] + resources: + - daemonsets + verbs: + - get + - list + - create # For temporary perf-node-gather-daemonset + - delete # For cleanup of temporary daemonset +# Raw API Access for specific endpoints +# Note: These require special handling and should be restricted in production - nonResourceURLs: - - '*' + - "/debug/api_priority_and_fairness/*" # API Priority and Fairness debugging + - "/metrics" # Metrics endpoint + verbs: + - get +- apiGroups: ["monitoring.coreos.com"] + resources: + - prometheuses + - alertmanagers + - servicemonitors + verbs: + - get + - list +- apiGroups: ["machine.openshift.io"] + resources: + - machines + - machinesets + 
verbs: + - get + - list +- apiGroups: ["user.openshift.io"] + resources: + - users + - groups + verbs: + - get + - list +- apiGroups: ["security.openshift.io"] + resources: + - securitycontextconstraints + verbs: + - get + - list +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get + - list +- apiGroups: [""] + resources: + - configmaps + - secrets + resourceNames: + - cluster-monitoring-config + - alertmanager-main + verbs: + - get + namespaces: + - openshift-monitoring + - openshift-user-workload-monitoring +- apiGroups: ["*"] + resources: + - "*/status" + - "*/scale" + verbs: + - get +- apiGroups: [""] + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: ["image.openshift.io"] + resources: + - images + - imagestreamtags + - imagestreams + verbs: + - get + - list +- apiGroups: ["build.openshift.io"] + resources: + - builds + - buildconfigs + verbs: + - get + - list +- apiGroups: ["apps"] + resources: + - deployments + - replicasets + - statefulsets + - daemonsets + verbs: + - get + - list +- apiGroups: ["batch"] + resources: + - jobs + - cronjobs + verbs: + - get + - list +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list +- apiGroups: ["policy"] + resources: + - poddisruptionbudgets + - podsecuritypolicies + verbs: + - get + - list +- apiGroups: ["rbac.authorization.k8s.io"] + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list +- apiGroups: ["authorization.openshift.io"] + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings verbs: - - '*' + - get + - list diff --git a/deploy/06_must-gather-admin.ClusterRoleBinding.yaml b/deploy/06_must-gather-admin.ClusterRoleBinding.yaml index 929a1aa24..8a914c974 100644 --- a/deploy/06_must-gather-admin.ClusterRoleBinding.yaml +++ b/deploy/06_must-gather-admin.ClusterRoleBinding.yaml 
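Review bot: The rule for `configmaps`/`secrets` with `resourceNames: cluster-monitoring-config, alertmanager-main` near the end of this hunk carries a `namespaces:` key, which is not a field of an rbac/v1 PolicyRule (only apiGroups, resources, resourceNames, nonResourceURLs and verbs exist), so depending on the client's field validation the manifest is either rejected or the key is silently dropped and the rule is cluster-wide like every other rule in a ClusterRole. The restriction is moot anyway because the first rule already grants `get`/`list` on all `secrets` in every namespace, which contradicts its inline comment `# Limited to service account tokens`; a plain resource entry cannot be limited that way. Patch 2/4 in this series removes both the secrets entry and the `namespaces:` rule, so for this hunk the remaining ask is that no future rule rely on a `namespaces:` key for scoping. The same content is in the new examples/other_resources/05_must-gather-minimal.ClusterRole.yaml hunk.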
@@ -4,7 +4,7 @@ metadata: name: must-gather-admin roleRef: kind: ClusterRole - name: must-gather-admin + name: must-gather-minimal apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount diff --git a/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml b/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml new file mode 100644 index 000000000..76aea728e --- /dev/null +++ b/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml 
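Review bot: Changing `roleRef.name` from `must-gather-admin` to `must-gather-minimal` will not apply in place on a cluster that already has this ClusterRoleBinding, because `roleRef` is immutable on (Cluster)RoleBindings; the API server rejects the update and the binding has to be deleted and recreated, which `oc apply`/`kubectl apply` does not do on its own. The old `must-gather-admin` ClusterRole (the `'*'`/`'*'`/`'*'` rules replaced in 05_must-gather-admin.ClusterRole.yaml) would also stay behind on such clusters, since nothing visible in this series deletes it. Either keep the ClusterRole name and rewrite its rules in place, or document the delete-and-recreate step and the cleanup of the stale role. The same change is made in examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml.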
@@ -0,0 +1,425 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: must-gather-minimal +rules: +- apiGroups: [""] + resources: + - nodes + - nodes/log # For oc adm node-logs + - nodes/proxy # For accessing node metrics + - pods + - pods/log # For pod logs + - services + - endpoints + - persistentvolumes + - persistentvolumeclaims + - namespaces + - configmaps + - secrets # Limited to service account tokens + - events + - limitranges + - resourcequotas + - replicationcontrollers + - serviceaccounts + verbs: + - get + - list +- apiGroups: [""] + resources: + - pods/exec + verbs: + - create # Required for oc exec +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create # Required for oc cp +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: + - get + - list +- apiGroups: ["storage.k8s.io"] + resources: + - storageclasses + - volumeattachments + - csidrivers + - csinodes + - volumesnapshotclasses + - volumesnapshotcontents + - csistoragecapacities + verbs: + - get + - list +- apiGroups: ["certificates.k8s.io"] + resources: + - certificatesigningrequests + verbs: + - get + - list +- apiGroups: ["apiregistration.k8s.io"] + resources: + - apiservices + verbs: + - get + - list +- apiGroups: ["flowcontrol.apiserver.k8s.io"] + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - list +- apiGroups: [""] + resources: + - projects # OpenShift namespaces + verbs: + - get + - list +- apiGroups: ["config.openshift.io"] + resources: + - clusterversions + - clusteroperators + - networks + - apiservers + - infrastructures + - ingresses + - featuregates + verbs: + - get + - list +- apiGroups: ["operator.openshift.io"] + resources: + - networks + - imagecontentsourcepolicies + - ingresscontrollers + verbs: + - get + - list +- apiGroups: ["quota.openshift.io"] + resources: + - clusterresourcequotas + verbs: + - get + - list +- apiGroups: ["machineconfiguration.openshift.io"] + resources: + - 
machineconfigs + - machineconfigpools + - controllerconfigs + - kubeletconfigs + - machineosbuilds + - machineosconfigs + - machineconfignodes + - pinnedimagesets + verbs: + - get + - list +- apiGroups: ["tuned.openshift.io"] + resources: + - tuneds + verbs: + - get + - list +- apiGroups: ["performance.openshift.io"] + resources: + - performanceprofiles + verbs: + - get + - list +- apiGroups: ["node.k8s.io"] + resources: + - runtimeclasses + verbs: + - get + - list +- apiGroups: ["operators.coreos.com"] + resources: + - subscriptions + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + verbs: + - get + - list +- apiGroups: ["apiserver.openshift.io"] + resources: + - apirequestcounts + verbs: + - get + - list +- apiGroups: ["k8s.ovn.org"] + resources: + - egressips + - adminnetworkpolicies + - baselineadminnetworkpolicies + - routeadvertisements + verbs: + - get + - list +- apiGroups: ["network.openshift.io"] + resources: + - hostsubnets + - netnamespaces + - egressnetworkpolicies + verbs: + - get + - list +- apiGroups: ["cloud.network.openshift.io"] + resources: + - cloudprivateipconfigs + verbs: + - get + - list +- apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - get + - list +- apiGroups: ["policy.networking.k8s.io"] + resources: + - adminnetworkpolicies + - baselineadminnetworkpolicies + verbs: + - get + - list +- apiGroups: ["k8s.cni.cncf.io"] + resources: + - network-attachment-definitions + - multi-networkpolicies + verbs: + - get + - list +- apiGroups: ["whereabouts.cni.cncf.io"] + resources: + - ippools + - overlappingrangeipreservations + verbs: + - get + - list +- apiGroups: ["nmstate.io"] + resources: + - nmstates + - nodenetworkstates + - nodenetworkconfigurationenactments + - nodenetworkconfigurationpolicies + verbs: + - get + - list +- apiGroups: ["sriovnetwork.openshift.io"] + resources: + - sriovnetworknodepolicies + - sriovnetworknodestates + - sriovnetworkpoolconfigs + - sriovnetworks + 
- sriovoperatorconfigs + - sriovibnetworks + verbs: + - get + - list +- apiGroups: ["metallb.io"] + resources: + - bgppeers + - bfdprofiles + - bgpadvertisements + - ipaddresspools + - l2advertisements + - communities + - metallbs + verbs: + - get + - list +- apiGroups: ["frrk8s.metallb.io"] + resources: + - frrconfigurations + verbs: + - get + - list +- apiGroups: ["cns.vmware.com"] + resources: + - csinodetopologies + - cnsvspherevolumemigrations + - cnsvolumeoperationrequests + verbs: + - get + - list +- apiGroups: ["aro.openshift.io"] + resources: + - clusters + verbs: + - get + - list +- apiGroups: ["operator.openshift.io"] + resources: + - clustercsidrivers + verbs: + - get + - list +- apiGroups: ["updateservice.operator.openshift.io"] + resources: + - updateservices + verbs: + - get + - list +- apiGroups: ["controlplane.operator.openshift.io"] + resources: + - podnetworkconnectivitychecks + verbs: + - get + - list +- apiGroups: ["k8s.ovn.org"] + resources: + - egressfirewalls + verbs: + - get + - list +- apiGroups: ["ingressnodefirewall.openshift.io"] + resources: + - ingressnodefirewalls + verbs: + - get + - list +- apiGroups: ["apps"] + resources: + - deployments + verbs: + - get # To find insights operator deployment +- apiGroups: ["apps"] + resources: + - daemonsets + verbs: + - get + - list + - create # For temporary perf-node-gather-daemonset + - delete # For cleanup of temporary daemonset +# Raw API Access for specific endpoints +# Note: These require special handling and should be restricted in production +- nonResourceURLs: + - "/debug/api_priority_and_fairness/*" # API Priority and Fairness debugging + - "/metrics" # Metrics endpoint + verbs: + - get +- apiGroups: ["monitoring.coreos.com"] + resources: + - prometheuses + - alertmanagers + - servicemonitors + verbs: + - get + - list +- apiGroups: ["machine.openshift.io"] + resources: + - machines + - machinesets + verbs: + - get + - list +- apiGroups: ["user.openshift.io"] + resources: + - users + - 
groups + verbs: + - get + - list +- apiGroups: ["security.openshift.io"] + resources: + - securitycontextconstraints + verbs: + - get + - list +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get + - list +- apiGroups: [""] + resources: + - configmaps + - secrets + resourceNames: + - cluster-monitoring-config + - alertmanager-main + verbs: + - get + namespaces: + - openshift-monitoring + - openshift-user-workload-monitoring +- apiGroups: ["*"] + resources: + - "*/status" + - "*/scale" + verbs: + - get +- apiGroups: [""] + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: ["image.openshift.io"] + resources: + - images + - imagestreamtags + - imagestreams + verbs: + - get + - list +- apiGroups: ["build.openshift.io"] + resources: + - builds + - buildconfigs + verbs: + - get + - list +- apiGroups: ["apps"] + resources: + - deployments + - replicasets + - statefulsets + - daemonsets + verbs: + - get + - list +- apiGroups: ["batch"] + resources: + - jobs + - cronjobs + verbs: + - get + - list +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list +- apiGroups: ["policy"] + resources: + - poddisruptionbudgets + - podsecuritypolicies + verbs: + - get + - list +- apiGroups: ["rbac.authorization.k8s.io"] + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list +- apiGroups: ["authorization.openshift.io"] + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list diff --git a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml index 929a1aa24..8a914c974 100644 --- a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml +++ b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml 
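Review bot: This new file is a byte-for-byte copy of deploy/05_must-gather-admin.ClusterRole.yaml (both file headers end at blob 76aea728e), so the two must be edited in lockstep — patch 2/4 already carries identical hunks for both. If the example is meant to track the deployed role, a top-of-file comment such as `# Keep in sync with deploy/05_must-gather-admin.ClusterRole.yaml` (or generating one from the other) would make the coupling visible; otherwise the example should state what it is meant to differ in.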
@@ -4,7 +4,7 @@ metadata: name: must-gather-admin roleRef: kind: ClusterRole - name: must-gather-admin + name: must-gather-minimal apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount From 0508ae44e1041bf2270808b1d39f46503d805973 Mon Sep 17 00:00:00 2001 From: Swarup Ghosh Date: Thu, 11 Sep 2025 22:03:49 +0530 Subject: [PATCH 2/4] update RBAC with missing resources and rm secrets access Signed-off-by: Swarup Ghosh --- deploy/05_must-gather-admin.ClusterRole.yaml | 449 ++++++++++-------- .../05_must-gather-minimal.ClusterRole.yaml | 449 ++++++++++-------- 2 files changed, 514 insertions(+), 384 deletions(-) diff --git a/deploy/05_must-gather-admin.ClusterRole.yaml b/deploy/05_must-gather-admin.ClusterRole.yaml index 76aea728e..eaf963ae8 100644 --- a/deploy/05_must-gather-admin.ClusterRole.yaml +++ b/deploy/05_must-gather-admin.ClusterRole.yaml 
@@ -1,189 +1,241 @@ -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: must-gather-minimal rules: - apiGroups: [""] resources: + - namespaces - nodes - - nodes/log # For oc adm node-logs - - nodes/proxy # For accessing node metrics + - nodes/log + - nodes/proxy # TODO(swghosh): check requirement - pods - - pods/log # For pod logs + - pods/log - services - endpoints - persistentvolumes - persistentvolumeclaims - - namespaces - configmaps - - secrets # Limited to service account tokens + # - secrets # TODO(swghosh): check remediation, deliberately access removed - events - limitranges - resourcequotas - replicationcontrollers - serviceaccounts + - projects verbs: - get - list + - watch - apiGroups: [""] resources: - pods/exec + - pods/portforward # TODO(swghosh): check requirement verbs: - - create # Required for oc exec -- apiGroups: [""] + - create +- apiGroups: + - "*" # TODO(swghosh): check if we can de-scope down resources: - - pods/portforward + - "*/status" + - "*/scale" verbs: - - create # Required for oc cp -- apiGroups: ["coordination.k8s.io"] + - get +- apiGroups: ["apps"] resources: - - leases + - deployments + - daemonsets + - replicasets + - statefulsets verbs: - get - list -- apiGroups: ["storage.k8s.io"] +- apiGroups: ["apps"] resources: - - storageclasses - - volumeattachments - - csidrivers - - csinodes - - volumesnapshotclasses - - volumesnapshotcontents - - csistoragecapacities + - daemonsets + verbs: + - create + - delete +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs verbs: - get - list -- apiGroups: ["certificates.k8s.io"] + - watch +- apiGroups: ["admissionregistration.k8s.io"] resources: - - certificatesigningrequests + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch +- apiGroups: ["apiextensions.k8s.io"] + resources: + - customresourcedefinitions verbs: - get - list + - watch - apiGroups: 
["apiregistration.k8s.io"] resources: - apiservices verbs: - get - list -- apiGroups: ["flowcontrol.apiserver.k8s.io"] +- apiGroups: ["apiserver.openshift.io"] resources: - - prioritylevelconfigurations - - flowschemas + - apirequestcounts verbs: - get - list -- apiGroups: [""] +- apiGroups: ["aro.openshift.io"] resources: - - projects # OpenShift namespaces + - clusters verbs: - get - list -- apiGroups: ["config.openshift.io"] +- apiGroups: ["authorization.openshift.io"] resources: - - clusterversions - - clusteroperators - - networks - - apiservers - - infrastructures - - ingresses - - featuregates + - roles + - rolebindings + - clusterroles + - clusterrolebindings verbs: - get - list -- apiGroups: ["operator.openshift.io"] +- apiGroups: ["autoscaling"] resources: - - networks - - imagecontentsourcepolicies - - ingresscontrollers + - horizontalpodautoscalers verbs: - get - list -- apiGroups: ["quota.openshift.io"] +- apiGroups: ["batch"] resources: - - clusterresourcequotas + - jobs + - cronjobs verbs: - get - list -- apiGroups: ["machineconfiguration.openshift.io"] +- apiGroups: ["build.openshift.io"] resources: - - machineconfigs - - machineconfigpools - - controllerconfigs - - kubeletconfigs - - machineosbuilds - - machineosconfigs - - machineconfignodes - - pinnedimagesets + - builds + - buildconfigs verbs: - get - list -- apiGroups: ["tuned.openshift.io"] +- apiGroups: ["certificates.k8s.io"] resources: - - tuneds + - certificatesigningrequests verbs: - get - list -- apiGroups: ["performance.openshift.io"] +- apiGroups: ["cloud.network.openshift.io"] resources: - - performanceprofiles + - cloudprivateipconfigs verbs: - get - list -- apiGroups: ["node.k8s.io"] +- apiGroups: ["cns.vmware.com"] # TODO(swghosh): check validity resources: - - runtimeclasses + - csinodetopologies + - cnsvspherevolumemigrations + - cnsvolumeoperationrequests verbs: - get - list -- apiGroups: ["operators.coreos.com"] +- apiGroups: ["config.openshift.io"] resources: - - subscriptions 
- - clusterserviceversions - - catalogsources - - installplans - - operatorgroups + - nodes + - operatorhubs + - images + - oauths + - dnses + - imagedigestmirrorsets + - proxies + - imagetagmirrorsets + - authentications + - schedulers + - consoles + - projects + - builds + - imagecontentpolicies + - clusterversions + - clusteroperators + - networks + - apiservers + - infrastructures + - ingresses + - featuregates verbs: - get - list -- apiGroups: ["apiserver.openshift.io"] + - watch +- apiGroups: ["controlplane.operator.openshift.io"] resources: - - apirequestcounts + - podnetworkconnectivitychecks verbs: - get - list -- apiGroups: ["k8s.ovn.org"] +- apiGroups: ["coordination.k8s.io"] resources: - - egressips - - adminnetworkpolicies - - baselineadminnetworkpolicies - - routeadvertisements + - leases verbs: - get - list -- apiGroups: ["network.openshift.io"] +- apiGroups: ["discovery.k8s.io"] resources: - - hostsubnets - - netnamespaces - - egressnetworkpolicies + - endpointslices verbs: - get - list -- apiGroups: ["cloud.network.openshift.io"] + - watch +- apiGroups: ["flowcontrol.apiserver.k8s.io"] resources: - - cloudprivateipconfigs + - prioritylevelconfigurations + - flowschemas verbs: - get - list -- apiGroups: ["networking.k8s.io"] +- apiGroups: ["frrk8s.metallb.io"] resources: - - networkpolicies + - frrconfigurations verbs: - get - list -- apiGroups: ["policy.networking.k8s.io"] +- apiGroups: ["gateway.networking.k8s.io"] resources: - - adminnetworkpolicies - - baselineadminnetworkpolicies + - gatewayclasses + verbs: + - get + - list + - watch +- apiGroups: ["image.openshift.io"] + resources: + - images + - imagestreamtags + - imagestreams + verbs: + - get + - list +- apiGroups: ["imageregistry.operator.openshift.io"] + resources: + - configs + - imagepruners + verbs: + - get + - list + - watch +- apiGroups: ["ingress.operator.openshift.io"] + resources: + - dnsrecords + verbs: + - get + - list + - watch +- apiGroups: ["ingressnodefirewall.openshift.io"] 
+ resources: + - ingressnodefirewalls verbs: - get - list @@ -194,33 +246,43 @@ rules: verbs: - get - list -- apiGroups: ["whereabouts.cni.cncf.io"] +- apiGroups: ["k8s.ovn.org"] resources: - - ippools - - overlappingrangeipreservations + - egressqoses + - egressips + - adminnetworkpolicies + - baselineadminnetworkpolicies + - routeadvertisements + - egressfirewalls verbs: - get - list -- apiGroups: ["nmstate.io"] + - watch +- apiGroups: ["machine.openshift.io"] resources: - - nmstates - - nodenetworkstates - - nodenetworkconfigurationenactments - - nodenetworkconfigurationpolicies + - controlplanemachinesets + - machinehealthchecks + - machines + - machinesets verbs: - get - list -- apiGroups: ["sriovnetwork.openshift.io"] + - watch +- apiGroups: ["machineconfiguration.openshift.io"] resources: - - sriovnetworknodepolicies - - sriovnetworknodestates - - sriovnetworkpoolconfigs - - sriovnetworks - - sriovoperatorconfigs - - sriovibnetworks + - containerruntimeconfigs + - machineconfigs + - machineconfigpools + - controllerconfigs + - kubeletconfigs + - machineosbuilds + - machineosconfigs + - machineconfignodes + - pinnedimagesets verbs: - get - list + - watch - apiGroups: ["metallb.io"] resources: - bgppeers 
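Review bot: The write permissions in this hunk lose their rationale: `create` on `pods/exec` and `pods/portforward` and the new `apps` rule granting `create`/`delete` on `daemonsets` no longer carry the `# Required for oc exec` / `# For temporary perf-node-gather-daemonset` comments patch 1/4 had, yet these are the rules that let a role described as "minimal get/list" run commands in any pod and place a workload on every node. A one-line comment on each keeps the audit trail, e.g. `- create # oc exec into target pods` and `- create # perf-node-gather DaemonSet; resourceNames cannot narrow create`. `resourceNames` does narrow `delete`, so the delete half could be pinned to the DaemonSet's name once it is fixed (the name is not visible here). The `["*"]` status/scale rule already has an inline TODO; listing the groups actually read would replace the wildcard.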
@@ -233,193 +295,196 @@ rules: verbs: - get - list -- apiGroups: ["frrk8s.metallb.io"] +- apiGroups: ["metrics.k8s.io"] resources: - - frrconfigurations + - pods verbs: - get - list -- apiGroups: ["cns.vmware.com"] + - watch +- apiGroups: ["migration.k8s.io"] resources: - - csinodetopologies - - cnsvspherevolumemigrations - - cnsvolumeoperationrequests + - storageversionmigrations verbs: - get - list -- apiGroups: ["aro.openshift.io"] + - watch +- apiGroups: ["monitoring.coreos.com"] resources: - - clusters + - prometheuses + - alertmanagers + - servicemonitors verbs: - get - list -- apiGroups: ["operator.openshift.io"] +- apiGroups: ["network.openshift.io"] resources: - - clustercsidrivers + - hostsubnets + - netnamespaces + - egressnetworkpolicies verbs: - get - list -- apiGroups: ["updateservice.operator.openshift.io"] +- apiGroups: ["networking.k8s.io"] resources: - - updateservices + - networkpolicies verbs: - get - list -- apiGroups: ["controlplane.operator.openshift.io"] +- apiGroups: ["nmstate.io"] # TODO(swghosh): check validity resources: - - podnetworkconnectivitychecks + - nmstates + - nodenetworkstates + - nodenetworkconfigurationenactments + - nodenetworkconfigurationpolicies verbs: - get - list -- apiGroups: ["k8s.ovn.org"] +- apiGroups: ["node.k8s.io"] resources: - - egressfirewalls + - runtimeclasses verbs: - get - list -- apiGroups: ["ingressnodefirewall.openshift.io"] +- apiGroups: ["oauth.openshift.io"] # TODO(swghosh): check validity resources: - - ingressnodefirewalls + - oauthclients verbs: - get - list -- apiGroups: ["apps"] - resources: - - deployments - verbs: - - get # To find insights operator deployment -- apiGroups: ["apps"] + - watch +- apiGroups: ["operator.openshift.io"] resources: - - daemonsets + - machineconfigurations + - authentications + - configs + - consoles + - dnses + - etcds + - kubeapiservers + - kubecontrollermanagers + - kubeschedulers + - kubestorageversionmigrators + - networks + - imagecontentsourcepolicies + - 
ingresscontrollers + - clustercsidrivers verbs: - get - list - - create # For temporary perf-node-gather-daemonset - - delete # For cleanup of temporary daemonset -# Raw API Access for specific endpoints -# Note: These require special handling and should be restricted in production -- nonResourceURLs: - - "/debug/api_priority_and_fairness/*" # API Priority and Fairness debugging - - "/metrics" # Metrics endpoint - verbs: - - get -- apiGroups: ["monitoring.coreos.com"] + - watch +- apiGroups: ["operators.coreos.com"] resources: - - prometheuses - - alertmanagers - - servicemonitors + - operatorconditions + - olmconfigs + - operators + - subscriptions + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups verbs: - get - list -- apiGroups: ["machine.openshift.io"] + - watch +- apiGroups: ["performance.openshift.io"] resources: - - machines - - machinesets + - performanceprofiles verbs: - get - list -- apiGroups: ["user.openshift.io"] +- apiGroups: ["policy"] resources: - - users - - groups + - poddisruptionbudgets + - podsecuritypolicies verbs: - get - list -- apiGroups: ["security.openshift.io"] +- apiGroups: ["policy.networking.k8s.io"] resources: - - securitycontextconstraints + - adminnetworkpolicies + - baselineadminnetworkpolicies verbs: - get - list -- apiGroups: ["route.openshift.io"] +- apiGroups: ["quota.openshift.io"] resources: - - routes + - clusterresourcequotas verbs: - get - list -- apiGroups: [""] - resources: - - configmaps - - secrets - resourceNames: - - cluster-monitoring-config - - alertmanager-main - verbs: - - get - namespaces: - - openshift-monitoring - - openshift-user-workload-monitoring -- apiGroups: ["*"] +- apiGroups: ["rbac.authorization.k8s.io"] resources: - - "*/status" - - "*/scale" + - roles + - rolebindings + - clusterroles + - clusterrolebindings verbs: - get -- apiGroups: [""] + - list +- apiGroups: ["route.openshift.io"] resources: - - serviceaccounts + - routes verbs: - get - list -- apiGroups: 
["image.openshift.io"] +- apiGroups: ["security.openshift.io"] resources: - - images - - imagestreamtags - - imagestreams + - securitycontextconstraints verbs: - get - list -- apiGroups: ["build.openshift.io"] +- apiGroups: ["sriovnetwork.openshift.io"] # TODO(swghosh): check validity resources: - - builds - - buildconfigs + - sriovnetworknodepolicies + - sriovnetworknodestates + - sriovnetworkpoolconfigs + - sriovnetworks + - sriovoperatorconfigs + - sriovibnetworks verbs: - get - list -- apiGroups: ["apps"] +- apiGroups: ["storage.k8s.io"] resources: - - deployments - - replicasets - - statefulsets - - daemonsets + - storageclasses + - volumeattachments + - csidrivers + - csinodes + - volumesnapshotclasses + - volumesnapshotcontents + - csistoragecapacities verbs: - get - list -- apiGroups: ["batch"] +- apiGroups: ["tuned.openshift.io"] # TODO(swghosh): check validity resources: - - jobs - - cronjobs + - tuneds verbs: - get - list -- apiGroups: ["autoscaling"] +- apiGroups: ["updateservice.operator.openshift.io"] # TODO(swghosh): check validity resources: - - horizontalpodautoscalers + - updateservices verbs: - get - list -- apiGroups: ["policy"] +- apiGroups: ["user.openshift.io"] resources: - - poddisruptionbudgets - - podsecuritypolicies + - users + - groups verbs: - get - list -- apiGroups: ["rbac.authorization.k8s.io"] +- apiGroups: ["whereabouts.cni.cncf.io"] resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings + - ippools + - overlappingrangeipreservations verbs: - get - list -- apiGroups: ["authorization.openshift.io"] - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings +- nonResourceURLs: + - "/debug/api_priority_and_fairness/*" + - "/metrics" verbs: - get - - list diff --git a/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml b/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml index 76aea728e..eaf963ae8 100644 
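Review bot: The new `oauth.openshift.io` rule grants get/list/watch on `oauthclients`, whose objects carry the OAuth client secret in their `secret` field, so it reintroduces plaintext credential read access in the same patch that deliberately removes `secrets`; the rule already has `# TODO(swghosh): check validity`, and if the gather needs it the field should be redacted at collection time, otherwise the rule dropped. The two comment lines that flagged the `nonResourceURLs` rule (`/debug/api_priority_and_fairness/*`, `/metrics`) as needing restriction in production are also dropped here; a short comment such as `# raw API endpoints: API-server internals, keep restricted` would keep that caveat with the rule. `podsecuritypolicies` under `policy` no longer exists on Kubernetes 1.25+ and can go unless older clusters are still targeted.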
--- a/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml +++ b/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml 
@@ -1,189 +1,241 @@
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: must-gather-minimal
 rules:
 - apiGroups: [""]
 resources:
+ - namespaces
 - nodes
- - nodes/log # For oc adm node-logs
- - nodes/proxy # For accessing node metrics
+ - nodes/log
+ - nodes/proxy # TODO(swghosh): check requirement
 - pods
- - pods/log # For pod logs
+ - pods/log
 - services
 - endpoints
 - persistentvolumes
 - persistentvolumeclaims
- - namespaces
 - configmaps
- - secrets # Limited to service account tokens
+ # - secrets # TODO(swghosh): check remediation, deliberately access removed
 - events
 - limitranges
 - resourcequotas
 - replicationcontrollers
 - serviceaccounts
+ - projects
 verbs:
 - get
 - list
+ - watch
 - apiGroups: [""]
 resources:
 - pods/exec
+ - pods/portforward # TODO(swghosh): check requirement
 verbs:
- - create # Required for oc exec
-- apiGroups: [""]
+ - create
+- apiGroups:
+ - "*" # TODO(swghosh): check if we can de-scope down
 resources:
- - pods/portforward
+ - "*/status"
+ - "*/scale"
 verbs:
- - create # Required for oc cp
-- apiGroups: ["coordination.k8s.io"]
+ - get
+- apiGroups: ["apps"]
 resources:
- - leases
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
 verbs:
 - get
 - list
-- apiGroups: ["storage.k8s.io"]
+- apiGroups: ["apps"]
 resources:
- - storageclasses
- - volumeattachments
- - csidrivers
- - csinodes
- - volumesnapshotclasses
- - volumesnapshotcontents
- - csistoragecapacities
+ - daemonsets
+ verbs:
+ - create
+ - delete
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
 verbs:
 - get
 - list
-- apiGroups: ["certificates.k8s.io"]
+ - watch
+- apiGroups: ["admissionregistration.k8s.io"]
 resources:
- - certificatesigningrequests
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["apiextensions.k8s.io"]
+ resources:
+ - customresourcedefinitions
 verbs:
 - get
 - list
+ - watch
 - apiGroups: ["apiregistration.k8s.io"]
 resources:
 - apiservices
 verbs:
 - get
 - list
-- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+- apiGroups: ["apiserver.openshift.io"]
 resources:
- - prioritylevelconfigurations
- - flowschemas
+ - apirequestcounts
 verbs:
 - get
 - list
-- apiGroups: [""]
+- apiGroups: ["aro.openshift.io"]
 resources:
- - projects # OpenShift namespaces
+ - clusters
 verbs:
 - get
 - list
-- apiGroups: ["config.openshift.io"]
+- apiGroups: ["authorization.openshift.io"]
 resources:
- - clusterversions
- - clusteroperators
- - networks
- - apiservers
- - infrastructures
- - ingresses
- - featuregates
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
 verbs:
 - get
 - list
-- apiGroups: ["operator.openshift.io"]
+- apiGroups: ["autoscaling"]
 resources:
- - networks
- - imagecontentsourcepolicies
- - ingresscontrollers
+ - horizontalpodautoscalers
 verbs:
 - get
 - list
-- apiGroups: ["quota.openshift.io"]
+- apiGroups: ["batch"]
 resources:
- - clusterresourcequotas
+ - jobs
+ - cronjobs
 verbs:
 - get
 - list
-- apiGroups: ["machineconfiguration.openshift.io"]
+- apiGroups: ["build.openshift.io"]
 resources:
- - machineconfigs
- - machineconfigpools
- - controllerconfigs
- - kubeletconfigs
- - machineosbuilds
- - machineosconfigs
- - machineconfignodes
- - pinnedimagesets
+ - builds
+ - buildconfigs
 verbs:
 - get
 - list
-- apiGroups: ["tuned.openshift.io"]
+- apiGroups: ["certificates.k8s.io"]
 resources:
- - tuneds
+ - certificatesigningrequests
 verbs:
 - get
 - list
-- apiGroups: ["performance.openshift.io"]
+- apiGroups: ["cloud.network.openshift.io"]
 resources:
- - performanceprofiles
+ - cloudprivateipconfigs
 verbs:
 - get
 - list
-- apiGroups: ["node.k8s.io"]
+- apiGroups: ["cns.vmware.com"] # TODO(swghosh): check validity
 resources:
- - runtimeclasses
+ - csinodetopologies
+ - cnsvspherevolumemigrations
+ - cnsvolumeoperationrequests
 verbs:
 - get
 - list
-- apiGroups: ["operators.coreos.com"]
+- apiGroups: ["config.openshift.io"]
 resources:
- - subscriptions
- - clusterserviceversions
- - catalogsources
- - installplans
- - operatorgroups
+ - nodes
+ - operatorhubs
+ - images
+ - oauths
+ - dnses
+ - imagedigestmirrorsets
+ - proxies
+ - imagetagmirrorsets
+ - authentications
+ - schedulers
+ - consoles
+ - projects
+ - builds
+ - imagecontentpolicies
+ - clusterversions
+ - clusteroperators
+ - networks
+ - apiservers
+ - infrastructures
+ - ingresses
+ - featuregates
 verbs:
 - get
 - list
-- apiGroups: ["apiserver.openshift.io"]
+ - watch
+- apiGroups: ["controlplane.operator.openshift.io"]
 resources:
- - apirequestcounts
+ - podnetworkconnectivitychecks
 verbs:
 - get
 - list
-- apiGroups: ["k8s.ovn.org"]
+- apiGroups: ["coordination.k8s.io"]
 resources:
- - egressips
- - adminnetworkpolicies
- - baselineadminnetworkpolicies
- - routeadvertisements
+ - leases
 verbs:
 - get
 - list
-- apiGroups: ["network.openshift.io"]
+- apiGroups: ["discovery.k8s.io"]
 resources:
- - hostsubnets
- - netnamespaces
- - egressnetworkpolicies
+ - endpointslices
 verbs:
 - get
 - list
-- apiGroups: ["cloud.network.openshift.io"]
+ - watch
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
 resources:
- - cloudprivateipconfigs
+ - prioritylevelconfigurations
+ - flowschemas
 verbs:
 - get
 - list
-- apiGroups: ["networking.k8s.io"]
+- apiGroups: ["frrk8s.metallb.io"]
 resources:
- - networkpolicies
+ - frrconfigurations
 verbs:
 - get
 - list
-- apiGroups: ["policy.networking.k8s.io"]
+- apiGroups: ["gateway.networking.k8s.io"]
 resources:
- - adminnetworkpolicies
- - baselineadminnetworkpolicies
+ - gatewayclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["image.openshift.io"]
+ resources:
+ - images
+ - imagestreamtags
+ - imagestreams
+ verbs:
+ - get
+ - list
+- apiGroups: ["imageregistry.operator.openshift.io"]
+ resources:
+ - configs
+ - imagepruners
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["ingress.operator.openshift.io"]
+ resources:
+ - dnsrecords
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["ingressnodefirewall.openshift.io"]
+ resources:
+ - ingressnodefirewalls
 verbs:
 - get
 - list
@@ -194,33 +246,43 @@ rules:
 verbs:
 - get
 - list
-- apiGroups: ["whereabouts.cni.cncf.io"]
+- apiGroups: ["k8s.ovn.org"]
 resources:
- - ippools
- - overlappingrangeipreservations
+ - egressqoses
+ - egressips
+ - adminnetworkpolicies
+ - baselineadminnetworkpolicies
+ - routeadvertisements
+ - egressfirewalls
 verbs:
 - get
 - list
-- apiGroups: ["nmstate.io"]
+ - watch
+- apiGroups: ["machine.openshift.io"]
 resources:
- - nmstates
- - nodenetworkstates
- - nodenetworkconfigurationenactments
- - nodenetworkconfigurationpolicies
+ - controlplanemachinesets
+ - machinehealthchecks
+ - machines
+ - machinesets
 verbs:
 - get
 - list
-- apiGroups: ["sriovnetwork.openshift.io"]
+ - watch
+- apiGroups: ["machineconfiguration.openshift.io"]
 resources:
- - sriovnetworknodepolicies
- - sriovnetworknodestates
- - sriovnetworkpoolconfigs
- - sriovnetworks
- - sriovoperatorconfigs
- - sriovibnetworks
+ - containerruntimeconfigs
+ - machineconfigs
+ - machineconfigpools
+ - controllerconfigs
+ - kubeletconfigs
+ - machineosbuilds
+ - machineosconfigs
+ - machineconfignodes
+ - pinnedimagesets
 verbs:
 - get
 - list
+ - watch
 - apiGroups: ["metallb.io"]
 resources:
 - bgppeers
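Review bot: The `create` verbs on `pods/exec` and `pods/portforward` near the top of this hunk, together with the new `apps` rule granting `create` and `delete` on `daemonsets`, leave a ClusterRole named `must-gather-minimal` able to run commands in any pod and to place a workload on every node, which is well beyond the get/list scope the PR title describes. The `daemonsets` write verbs would be better carried by a namespaced `Role` bound only in the namespace where the temporary gather daemonset is created, so the cluster-wide role stays read-only; at minimum the old side's reason for the rule should come back as a comment, e.g. `- delete # temporary perf-node-gather daemonset only; consider a namespaced Role`. The `nodes/proxy` entry still carries `# TODO(swghosh): check requirement`; since it proxies requests to the kubelet API, that TODO is worth resolving before merge rather than after.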
@@ -233,193 +295,196 @@ rules:
 verbs:
 - get
 - list
-- apiGroups: ["frrk8s.metallb.io"]
+- apiGroups: ["metrics.k8s.io"]
 resources:
- - frrconfigurations
+ - pods
 verbs:
 - get
 - list
-- apiGroups: ["cns.vmware.com"]
+ - watch
+- apiGroups: ["migration.k8s.io"]
 resources:
- - csinodetopologies
- - cnsvspherevolumemigrations
- - cnsvolumeoperationrequests
+ - storageversionmigrations
 verbs:
 - get
 - list
-- apiGroups: ["aro.openshift.io"]
+ - watch
+- apiGroups: ["monitoring.coreos.com"]
 resources:
- - clusters
+ - prometheuses
+ - alertmanagers
+ - servicemonitors
 verbs:
 - get
 - list
-- apiGroups: ["operator.openshift.io"]
+- apiGroups: ["network.openshift.io"]
 resources:
- - clustercsidrivers
+ - hostsubnets
+ - netnamespaces
+ - egressnetworkpolicies
 verbs:
 - get
 - list
-- apiGroups: ["updateservice.operator.openshift.io"]
+- apiGroups: ["networking.k8s.io"]
 resources:
- - updateservices
+ - networkpolicies
 verbs:
 - get
 - list
-- apiGroups: ["controlplane.operator.openshift.io"]
+- apiGroups: ["nmstate.io"] # TODO(swghosh): check validity
 resources:
- - podnetworkconnectivitychecks
+ - nmstates
+ - nodenetworkstates
+ - nodenetworkconfigurationenactments
+ - nodenetworkconfigurationpolicies
 verbs:
 - get
 - list
-- apiGroups: ["k8s.ovn.org"]
+- apiGroups: ["node.k8s.io"]
 resources:
- - egressfirewalls
+ - runtimeclasses
 verbs:
 - get
 - list
-- apiGroups: ["ingressnodefirewall.openshift.io"]
+- apiGroups: ["oauth.openshift.io"] # TODO(swghosh): check validity
 resources:
- - ingressnodefirewalls
+ - oauthclients
 verbs:
 - get
 - list
-- apiGroups: ["apps"]
- resources:
- - deployments
- verbs:
- - get # To find insights operator deployment
-- apiGroups: ["apps"]
+ - watch
+- apiGroups: ["operator.openshift.io"]
 resources:
- - daemonsets
+ - machineconfigurations
+ - authentications
+ - configs
+ - consoles
+ - dnses
+ - etcds
+ - kubeapiservers
+ - kubecontrollermanagers
+ - kubeschedulers
+ - kubestorageversionmigrators
+ - networks
+ - imagecontentsourcepolicies
+ - ingresscontrollers
+ - clustercsidrivers
 verbs:
 - get
 - list
- - create # For temporary perf-node-gather-daemonset
- - delete # For cleanup of temporary daemonset
-# Raw API Access for specific endpoints
-# Note: These require special handling and should be restricted in production
-- nonResourceURLs:
- - "/debug/api_priority_and_fairness/*" # API Priority and Fairness debugging
- - "/metrics" # Metrics endpoint
- verbs:
- - get
-- apiGroups: ["monitoring.coreos.com"]
+ - watch
+- apiGroups: ["operators.coreos.com"]
 resources:
- - prometheuses
- - alertmanagers
- - servicemonitors
+ - operatorconditions
+ - olmconfigs
+ - operators
+ - subscriptions
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
 verbs:
 - get
 - list
-- apiGroups: ["machine.openshift.io"]
+ - watch
+- apiGroups: ["performance.openshift.io"]
 resources:
- - machines
- - machinesets
+ - performanceprofiles
 verbs:
 - get
 - list
-- apiGroups: ["user.openshift.io"]
+- apiGroups: ["policy"]
 resources:
- - users
- - groups
+ - poddisruptionbudgets
+ - podsecuritypolicies
 verbs:
 - get
 - list
-- apiGroups: ["security.openshift.io"]
+- apiGroups: ["policy.networking.k8s.io"]
 resources:
- - securitycontextconstraints
+ - adminnetworkpolicies
+ - baselineadminnetworkpolicies
 verbs:
 - get
 - list
-- apiGroups: ["route.openshift.io"]
+- apiGroups: ["quota.openshift.io"]
 resources:
- - routes
+ - clusterresourcequotas
 verbs:
 - get
 - list
-- apiGroups: [""]
- resources:
- - configmaps
- - secrets
- resourceNames:
- - cluster-monitoring-config
- - alertmanager-main
- verbs:
- - get
- namespaces:
- - openshift-monitoring
- - openshift-user-workload-monitoring
-- apiGroups: ["*"]
+- apiGroups: ["rbac.authorization.k8s.io"]
 resources:
- - "*/status"
- - "*/scale"
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
 verbs:
 - get
-- apiGroups: [""]
+ - list
+- apiGroups: ["route.openshift.io"]
 resources:
- - serviceaccounts
+ - routes
 verbs:
 - get
 - list
-- apiGroups: ["image.openshift.io"]
+- apiGroups: ["security.openshift.io"]
 resources:
- - images
- - imagestreamtags
- - imagestreams
+ - securitycontextconstraints
 verbs:
 - get
 - list
-- apiGroups: ["build.openshift.io"]
+- apiGroups: ["sriovnetwork.openshift.io"] # TODO(swghosh): check validity
 resources:
- - builds
- - buildconfigs
+ - sriovnetworknodepolicies
+ - sriovnetworknodestates
+ - sriovnetworkpoolconfigs
+ - sriovnetworks
+ - sriovoperatorconfigs
+ - sriovibnetworks
 verbs:
 - get
 - list
-- apiGroups: ["apps"]
+- apiGroups: ["storage.k8s.io"]
 resources:
- - deployments
- - replicasets
- - statefulsets
- - daemonsets
+ - storageclasses
+ - volumeattachments
+ - csidrivers
+ - csinodes
+ - volumesnapshotclasses
+ - volumesnapshotcontents
+ - csistoragecapacities
 verbs:
 - get
 - list
-- apiGroups: ["batch"]
+- apiGroups: ["tuned.openshift.io"] # TODO(swghosh): check validity
 resources:
- - jobs
- - cronjobs
+ - tuneds
 verbs:
 - get
 - list
-- apiGroups: ["autoscaling"]
+- apiGroups: ["updateservice.operator.openshift.io"] # TODO(swghosh): check validity
 resources:
- - horizontalpodautoscalers
+ - updateservices
 verbs:
 - get
 - list
-- apiGroups: ["policy"]
+- apiGroups: ["user.openshift.io"]
 resources:
- - poddisruptionbudgets
- - podsecuritypolicies
+ - users
+ - groups
 verbs:
 - get
 - list
-- apiGroups: ["rbac.authorization.k8s.io"]
+- apiGroups: ["whereabouts.cni.cncf.io"]
 resources:
- - roles
- - rolebindings
- - clusterroles
- - clusterrolebindings
+ - ippools
+ - overlappingrangeipreservations
 verbs:
 - get
 - list
-- apiGroups: ["authorization.openshift.io"]
- resources:
- - roles
- - rolebindings
- - clusterroles
- - clusterrolebindings
+- nonResourceURLs:
+ - "/debug/api_priority_and_fairness/*"
+ - "/metrics"
 verbs:
 - get
- - list
From 2fd99b75559d6dc780994948a581658a2f0bfe2f Mon Sep 17 00:00:00 2001
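Review bot: The new `policy` rule in this hunk keeps `podsecuritypolicies`, a resource that was removed from Kubernetes in 1.25, so on any current cluster that entry is inert and suggests the resource list was not checked against a live API server; dropping it, and resolving the rules still tagged `# TODO(swghosh): check validity` here (`nmstate.io`, `oauth.openshift.io`, `sriovnetwork.openshift.io`, `tuned.openshift.io`, `updateservice.operator.openshift.io`) before merge, would keep the role honest about what it actually grants. Rules naming API groups that do not exist on a cluster grant nothing, so this is an audit and maintenance concern rather than a privilege one. The rewritten `nonResourceURLs` rule also lost the explanatory comments the old side carried; I'd restore them as `- "/debug/api_priority_and_fairness/*" # APF debug endpoints` and `- "/metrics" # apiserver metrics`.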
From: Swarup Ghosh
Date: Thu, 11 Sep 2025 22:10:49 +0530
Subject: [PATCH 3/4] use soft link in examples/other_resources from deploy/examples for must-gather-minimal CR, CRB
Signed-off-by: Swarup Ghosh
---
 .../05_must-gather-admin.ClusterRole.yaml | 1 +
 .../05_must-gather-minimal.ClusterRole.yaml | 490 ------------------
 ..._must-gather-admin.ClusterRoleBinding.yaml | 13 +-
 3 files changed, 2 insertions(+), 502 deletions(-)
 create mode 120000 examples/other_resources/05_must-gather-admin.ClusterRole.yaml
 delete mode 100644 examples/other_resources/05_must-gather-minimal.ClusterRole.yaml
 mode change 100644 => 120000 examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
diff --git a/examples/other_resources/05_must-gather-admin.ClusterRole.yaml b/examples/other_resources/05_must-gather-admin.ClusterRole.yaml
new file mode 120000
index 000000000..97dba7974
--- /dev/null
+++ b/examples/other_resources/05_must-gather-admin.ClusterRole.yaml
@@ -0,0 +1 @@
+deploy/05_must-gather-admin.ClusterRole.yaml
\ No newline at end of file
diff --git a/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml b/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml
deleted file mode 100644
index eaf963ae8..000000000
--- a/examples/other_resources/05_must-gather-minimal.ClusterRole.yaml
+++ /dev/null
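Review bot: The symlink content `deploy/05_must-gather-admin.ClusterRole.yaml` is a relative target, and a relative symlink is resolved against the link's own directory, so from `examples/other_resources/` it points at `examples/other_resources/deploy/05_must-gather-admin.ClusterRole.yaml`, which does not appear to exist in this tree; the link most likely needs to be `../../deploy/05_must-gather-admin.ClusterRole.yaml`. The same applies to the `06_must-gather-admin.ClusterRoleBinding.yaml` symlink added later in this patch, whose target `deploy/06_must-gather-admin.ClusterRoleBinding.yaml` has the same form. A dangling link here would make `oc apply -f examples/other_resources/` fail on the ClusterRole and ClusterRoleBinding, so this is worth checking on a fresh checkout before merge.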
@@ -1,490 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: must-gather-minimal
-rules:
-- apiGroups: [""]
- resources:
- - namespaces
- - nodes
- - nodes/log
- - nodes/proxy # TODO(swghosh): check requirement
- - pods
- - pods/log
- - services
- - endpoints
- - persistentvolumes
- - persistentvolumeclaims
- - configmaps
- # - secrets # TODO(swghosh): check remediation, deliberately access removed
- - events
- - limitranges
- - resourcequotas
- - replicationcontrollers
- - serviceaccounts
- - projects
- verbs:
- - get
- - list
- - watch
-- apiGroups: [""]
- resources:
- - pods/exec
- - pods/portforward # TODO(swghosh): check requirement
- verbs:
- - create
-- apiGroups:
- - "*" # TODO(swghosh): check if we can de-scope down
- resources:
- - "*/status"
- - "*/scale"
- verbs:
- - get
-- apiGroups: ["apps"]
- resources:
- - deployments
- - daemonsets
- - replicasets
- - statefulsets
- verbs:
- - get
- - list
-- apiGroups: ["apps"]
- resources:
- - daemonsets
- verbs:
- - create
- - delete
-- apiGroups: ["apps.openshift.io"]
- resources:
- - deploymentconfigs
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["admissionregistration.k8s.io"]
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["apiextensions.k8s.io"]
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["apiregistration.k8s.io"]
- resources:
- - apiservices
- verbs:
- - get
- - list
-- apiGroups: ["apiserver.openshift.io"]
- resources:
- - apirequestcounts
- verbs:
- - get
- - list
-- apiGroups: ["aro.openshift.io"]
- resources:
- - clusters
- verbs:
- - get
- - list
-- apiGroups: ["authorization.openshift.io"]
- resources:
- - roles
- - rolebindings
- - clusterroles
- - clusterrolebindings
- verbs:
- - get
- - list
-- apiGroups: ["autoscaling"]
- resources:
- - horizontalpodautoscalers
- verbs:
- - get
- - list
-- apiGroups: ["batch"]
- resources:
- - jobs
- - cronjobs
- verbs:
- - get
- - list
-- apiGroups: ["build.openshift.io"]
- resources:
- - builds
- - buildconfigs
- verbs:
- - get
- - list
-- apiGroups: ["certificates.k8s.io"]
- resources:
- - certificatesigningrequests
- verbs:
- - get
- - list
-- apiGroups: ["cloud.network.openshift.io"]
- resources:
- - cloudprivateipconfigs
- verbs:
- - get
- - list
-- apiGroups: ["cns.vmware.com"] # TODO(swghosh): check validity
- resources:
- - csinodetopologies
- - cnsvspherevolumemigrations
- - cnsvolumeoperationrequests
- verbs:
- - get
- - list
-- apiGroups: ["config.openshift.io"]
- resources:
- - nodes
- - operatorhubs
- - images
- - oauths
- - dnses
- - imagedigestmirrorsets
- - proxies
- - imagetagmirrorsets
- - authentications
- - schedulers
- - consoles
- - projects
- - builds
- - imagecontentpolicies
- - clusterversions
- - clusteroperators
- - networks
- - apiservers
- - infrastructures
- - ingresses
- - featuregates
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["controlplane.operator.openshift.io"]
- resources:
- - podnetworkconnectivitychecks
- verbs:
- - get
- - list
-- apiGroups: ["coordination.k8s.io"]
- resources:
- - leases
- verbs:
- - get
- - list
-- apiGroups: ["discovery.k8s.io"]
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["flowcontrol.apiserver.k8s.io"]
- resources:
- - prioritylevelconfigurations
- - flowschemas
- verbs:
- - get
- - list
-- apiGroups: ["frrk8s.metallb.io"]
- resources:
- - frrconfigurations
- verbs:
- - get
- - list
-- apiGroups: ["gateway.networking.k8s.io"]
- resources:
- - gatewayclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["image.openshift.io"]
- resources:
- - images
- - imagestreamtags
- - imagestreams
- verbs:
- - get
- - list
-- apiGroups: ["imageregistry.operator.openshift.io"]
- resources:
- - configs
- - imagepruners
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["ingress.operator.openshift.io"]
- resources:
- - dnsrecords
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["ingressnodefirewall.openshift.io"]
- resources:
- - ingressnodefirewalls
- verbs:
- - get
- - list
-- apiGroups: ["k8s.cni.cncf.io"]
- resources:
- - network-attachment-definitions
- - multi-networkpolicies
- verbs:
- - get
- - list
-- apiGroups: ["k8s.ovn.org"]
- resources:
- - egressqoses
- - egressips
- - adminnetworkpolicies
- - baselineadminnetworkpolicies
- - routeadvertisements
- - egressfirewalls
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["machine.openshift.io"]
- resources:
- - controlplanemachinesets
- - machinehealthchecks
- - machines
- - machinesets
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["machineconfiguration.openshift.io"]
- resources:
- - containerruntimeconfigs
- - machineconfigs
- - machineconfigpools
- - controllerconfigs
- - kubeletconfigs
- - machineosbuilds
- - machineosconfigs
- - machineconfignodes
- - pinnedimagesets
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["metallb.io"]
- resources:
- - bgppeers
- - bfdprofiles
- - bgpadvertisements
- - ipaddresspools
- - l2advertisements
- - communities
- - metallbs
- verbs:
- - get
- - list
-- apiGroups: ["metrics.k8s.io"]
- resources:
- - pods
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["migration.k8s.io"]
- resources:
- - storageversionmigrations
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["monitoring.coreos.com"]
- resources:
- - prometheuses
- - alertmanagers
- - servicemonitors
- verbs:
- - get
- - list
-- apiGroups: ["network.openshift.io"]
- resources:
- - hostsubnets
- - netnamespaces
- - egressnetworkpolicies
- verbs:
- - get
- - list
-- apiGroups: ["networking.k8s.io"]
- resources:
- - networkpolicies
- verbs:
- - get
- - list
-- apiGroups: ["nmstate.io"] # TODO(swghosh): check validity
- resources:
- - nmstates
- - nodenetworkstates
- - nodenetworkconfigurationenactments
- - nodenetworkconfigurationpolicies
- verbs:
- - get
- - list
-- apiGroups: ["node.k8s.io"]
- resources:
- - runtimeclasses
- verbs:
- - get
- - list
-- apiGroups: ["oauth.openshift.io"] # TODO(swghosh): check validity
- resources:
- - oauthclients
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["operator.openshift.io"]
- resources:
- - machineconfigurations
- - authentications
- - configs
- - consoles
- - dnses
- - etcds
- - kubeapiservers
- - kubecontrollermanagers
- - kubeschedulers
- - kubestorageversionmigrators
- - networks
- - imagecontentsourcepolicies
- - ingresscontrollers
- - clustercsidrivers
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["operators.coreos.com"]
- resources:
- - operatorconditions
- - olmconfigs
- - operators
- - subscriptions
- - clusterserviceversions
- - catalogsources
- - installplans
- - operatorgroups
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["performance.openshift.io"]
- resources:
- - performanceprofiles
- verbs:
- - get
- - list
-- apiGroups: ["policy"]
- resources:
- - poddisruptionbudgets
- - podsecuritypolicies
- verbs:
- - get
- - list
-- apiGroups: ["policy.networking.k8s.io"]
- resources:
- - adminnetworkpolicies
- - baselineadminnetworkpolicies
- verbs:
- - get
- - list
-- apiGroups: ["quota.openshift.io"]
- resources:
- - clusterresourcequotas
- verbs:
- - get
- - list
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources:
- - roles
- - rolebindings
- - clusterroles
- - clusterrolebindings
- verbs:
- - get
- - list
-- apiGroups: ["route.openshift.io"]
- resources:
- - routes
- verbs:
- - get
- - list
-- apiGroups: ["security.openshift.io"]
- resources:
- - securitycontextconstraints
- verbs:
- - get
- - list
-- apiGroups: ["sriovnetwork.openshift.io"] # TODO(swghosh): check validity
- resources:
- - sriovnetworknodepolicies
- - sriovnetworknodestates
- - sriovnetworkpoolconfigs
- - sriovnetworks
- - sriovoperatorconfigs
- - sriovibnetworks
- verbs:
- - get
- - list
-- apiGroups: ["storage.k8s.io"]
- resources:
- - storageclasses
- - volumeattachments
- - csidrivers
- - csinodes
- - volumesnapshotclasses
- - volumesnapshotcontents
- - csistoragecapacities
- verbs:
- - get
- - list
-- apiGroups: ["tuned.openshift.io"] # TODO(swghosh): check validity
- resources:
- - tuneds
- verbs:
- - get
- - list
-- apiGroups: ["updateservice.operator.openshift.io"] # TODO(swghosh): check validity
- resources:
- - updateservices
- verbs:
- - get
- - list
-- apiGroups: ["user.openshift.io"]
- resources:
- - users
- - groups
- verbs:
- - get
- - list
-- apiGroups: ["whereabouts.cni.cncf.io"]
- resources:
- - ippools
- - overlappingrangeipreservations
- verbs:
- - get
- - list
-- nonResourceURLs:
- - "/debug/api_priority_and_fairness/*"
- - "/metrics"
- verbs:
- - get
diff --git a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
deleted file mode 100644
index 8a914c974..000000000
--- a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: must-gather-admin
-roleRef:
- kind: ClusterRole
- name: must-gather-minimal
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: must-gather-admin
- namespace: must-gather-operator
diff --git a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
new file mode 120000
index 000000000..ba9dd4330
--- /dev/null
+++ b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
@@ -0,0 +1 @@
+deploy/06_must-gather-admin.ClusterRoleBinding.yaml
\ No newline at end of file
From ae6d67944b3b2e2c3c6e2a23038d50833018fec0 Mon Sep 17 00:00:00 2001
From: Swarup Ghosh
Date: Thu, 11 Sep 2025 22:17:58 +0530
Subject: [PATCH 4/4] experiment: without */status, */scale resources
Signed-off-by: Swarup Ghosh
---
 deploy/05_must-gather-admin.ClusterRole.yaml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/deploy/05_must-gather-admin.ClusterRole.yaml b/deploy/05_must-gather-admin.ClusterRole.yaml
index eaf963ae8..48e58d4f5 100644
--- a/deploy/05_must-gather-admin.ClusterRole.yaml
+++ b/deploy/05_must-gather-admin.ClusterRole.yaml
@@ -33,13 +33,6 @@ rules:
 - pods/portforward # TODO(swghosh): check requirement
 verbs:
 - create
-- apiGroups:
- - "*" # TODO(swghosh): check if we can de-scope down
- resources:
- - "*/status"
- - "*/scale"
- verbs:
- - get
 - apiGroups: ["apps"]
 resources:
 - deployments