Merge pull request #401 from uditgaurav/update_rbac

Chore(rbac): Update litmus rbac to version v1 from v1beta1

.github/workflows/build.yml

@@ -105,7 +105,7 @@ jobs:
         env: 
           KUBECONFIG: /etc/rancher/k3s/k3s.yaml
         run: |
-          curl -sfL https://get.k3s.io | sh -s - --docker --write-kubeconfig-mode 664
+          curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.20.14-rc1+k3s1 sh -s - --docker --write-kubeconfig-mode 664
           kubectl wait node --all --for condition=ready --timeout=90s
           mkdir -p $HOME/.kube
           cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config

.github/workflows/push.yml

@@ -80,7 +80,7 @@ jobs:
         env: 
           KUBECONFIG: /etc/rancher/k3s/k3s.yaml
         run: |
-          curl -sfL https://get.k3s.io | sh -s - --docker --write-kubeconfig-mode 664
+          curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.20.14-rc1+k3s1 sh -s - --docker --write-kubeconfig-mode 664
           kubectl wait node --all --for condition=ready --timeout=90s
           mkdir -p $HOME/.kube
           cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config

.github/workflows/release.yml

@@ -93,7 +93,7 @@ jobs:
         env: 
           KUBECONFIG: /etc/rancher/k3s/k3s.yaml
         run: |
-          curl -sfL https://get.k3s.io | sh -s - --docker --write-kubeconfig-mode 664
+          curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.20.14-rc1+k3s1 sh -s - --docker --write-kubeconfig-mode 664
           kubectl wait node --all --for condition=ready --timeout=90s
           mkdir -p $HOME/.kube
           cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config

deploy/rbac.yaml

@@ -18,7 +18,7 @@ metadata:
     app.kubernetes.io/managed-by: kubectl
     name: litmus
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: litmus
@@ -32,17 +32,32 @@ metadata:
     app.kubernetes.io/managed-by: kubectl
     name: litmus
 rules:
-- apiGroups: ["","apps","batch","apps.openshift.io","argoproj.io"]
-  resources: ["jobs","deployments","replicationcontrollers","daemonsets","replicasets","statefulsets","deploymentconfigs","rollouts","secrets"]
-  verbs: ["get","list","watch","deletecollection"]
-- apiGroups: ["","litmuschaos.io"]
-  resources: ["pods","configmaps","events","services","chaosengines","chaosexperiments","chaosresults"]
+- apiGroups: [""]
+  resources: ["replicationcontrollers","secrets"]
+  verbs: ["get","list"]
+- apiGroups: ["apps.openshift.io"]
+  resources: ["deploymentconfigs"]
+  verbs: ["get","list"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
+  verbs: ["get","list"]
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["get","list","deletecollection"]
+- apiGroups: ["argoproj.io"]
+  resources: ["rollouts"]
+  verbs: ["get","list"]
+- apiGroups: [""]
+  resources: ["pods","configmaps","events","services"]
+  verbs: ["get","create","update","patch","delete","list","watch","deletecollection"]
+- apiGroups: ["litmuschaos.io"]
+  resources: ["chaosengines","chaosexperiments","chaosresults"]
   verbs: ["get","create","update","patch","delete","list","watch","deletecollection"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
   verbs: ["list","get"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: litmus
@@ -62,4 +77,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: litmus
-  namespace: litmus
+  namespace: litmus

tests/bdd/bdd_test.go

@@ -388,7 +388,7 @@ var _ = Describe("BDD on chaos-operator", func() {
 			By("Creating ChaosEngine")
 			chaosEngine := &v1alpha1.ChaosEngine{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "engine-nginx",
+					Name:      "engine-nginx-1",
 					Namespace: "litmus",
 				},
 				Spec: v1alpha1.ChaosEngineSpec{
@@ -427,7 +427,7 @@ var _ = Describe("BDD on chaos-operator", func() {
 				Wait(time.Duration(2) * time.Second).
 				Try(func(attempt uint) error {
 					//Fetching engine-nginx-runner pod
-					_, err := client.CoreV1().Pods("litmus").Get("engine-nginx-runner", metav1.GetOptions{})
+					_, err := client.CoreV1().Pods("litmus").Get("engine-nginx-1-runner", metav1.GetOptions{})
 					isNotFound := errors.IsNotFound(err)
 					if isNotFound {
 						return nil
@@ -444,7 +444,7 @@ var _ = Describe("BDD on chaos-operator", func() {
 				Wait(time.Duration(2) * time.Second).
 				Try(func(attempt uint) error {
 					//Fetching engineStatus
-					engine, err := clientSet.ChaosEngines("litmus").Get("engine-nginx", metav1.GetOptions{})
+					engine, err := clientSet.ChaosEngines("litmus").Get("engine-nginx-1", metav1.GetOptions{})
 					if err != nil {
 						return err
 					}

tests/manifest/pod_delete_rbac.yaml

@@ -6,26 +6,70 @@ metadata:
   namespace: litmus
   labels:
     name: pod-delete-sa
+    app.kubernetes.io/part-of: litmus
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: pod-delete-sa
   namespace: litmus
   labels:
     name: pod-delete-sa
+    app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: ["","litmuschaos.io","batch","apps"]
-  resources: ["pods","deployments","pods/log","events","jobs","chaosengines","chaosexperiments","chaosresults"]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+  # Create and monitor the experiment & helper pods
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create","get","list","patch","update"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: pod-delete-sa
   namespace: litmus
   labels:
     name: pod-delete-sa
+    app.kubernetes.io/part-of: litmus
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -34,3 +78,4 @@ subjects:
 - kind: ServiceAccount
   name: pod-delete-sa
   namespace: litmus
+