Independent mysql-agent ClusterRole and RBAC

README.md

@@ -28,7 +28,7 @@ The MySQL Operator provides the following core features:
 
 ## Requirements
 
- * Kubernetes 1.7.0 +
+ * Kubernetes 1.8.0 +
 
 ## Contributing
 

cmd/mysql-operator/app/mysql_operator.go

@@ -73,11 +73,6 @@ func Run(s *options.MySQLOperatorServer) error {
 	kubeClient := kubernetes.NewForConfigOrDie(kubeconfig)
 	mysqlopClient := mysqlop.NewForConfigOrDie(kubeconfig)
 
-	serverVersion, err := kubeClient.Discovery().ServerVersion()
-	if err != nil {
-		glog.Fatalf("Failed to discover Kubernetes API server version: %v", err)
-	}
-
 	// Shared informers (non namespace specific).
 	operatorInformerFactory := informers.NewFilteredSharedInformerFactory(mysqlopClient, resyncPeriod(s)(), s.Namespace, nil)
 	kubeInformerFactory := kubeinformers.NewFilteredSharedInformerFactory(kubeClient, resyncPeriod(s)(), s.Namespace, nil)
@@ -88,12 +83,10 @@ func Run(s *options.MySQLOperatorServer) error {
 		*s,
 		mysqlopClient,
 		kubeClient,
-		serverVersion,
 		operatorInformerFactory.Mysql().V1().MySQLClusters(),
 		kubeInformerFactory.Apps().V1beta1().StatefulSets(),
 		kubeInformerFactory.Core().V1().Pods(),
 		kubeInformerFactory.Core().V1().Services(),
-		kubeInformerFactory.Core().V1().ConfigMaps(),
 		30*time.Second,
 		s.Namespace,
 	)

contrib/manifests/rbac.yaml

@@ -3,45 +3,141 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mysql-operator
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mysql-agent
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
+kind: Role
 metadata:
   name: mysql-operator
 rules:
   - apiGroups:
-    - "*"
+    - ""
     resources:
-    - "*"
+    - pods
     verbs:
-    - "*"
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - create
+
+  - apiGroups:
+    - ""
+    resources:
+    - services
+    verbs:
+    - create
+    - get
+    - list
+    - watch
+
+  - apiGroups:
+    - apps
+    resources:
+    - statefulsets
+    verbs:
+    - create
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - mysql.oracle.com
+    resources:
+    - mysqlbackups
+    - mysqlbackupschedules
+    - mysqlclusters
+    - mysqlrestores
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - mysql.oracle.com
+    resources:
+    - mysqlbackups
+    verbs:
+    - create
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
+kind: ClusterRole
+metadata:
+  name: mysql-agent
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - get
+
+  - apiGroups:
+    - mysql.oracle.com
+    resources:
+    - mysqlbackups
+    - mysqlbackupschedules
+    - mysqlclusters
+    - mysqlrestores
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
 metadata:
   name: mysql-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind:  ClusterRole
+  kind:  Role
   name: mysql-operator
 subjects:
 - kind: ServiceAccount
   name: mysql-operator
   namespace: <NAMESPACE>
+
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: mysql-agent
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: mysql-operator
+  kind: Role
+  name: mysql-agent
 subjects:
 - kind: ServiceAccount
   name: mysql-agent

docs/tutorial.md

@@ -47,10 +47,10 @@ To install the chart in a cluster without RBAC with the release name `my-release
 $ helm install --name my-release mysql-operator
 ```
 
-If your cluster has RBAC enabled then you will need to run:
+If your cluster has RBAC disabled then you will need to run:
 
 ```console
-$ helm install --name my-release mysql-operator --set rbac.enabled=true
+$ helm install --name my-release mysql-operator --set rbac.enabled=false
 ```
 
 The above command deploys the MySQL Operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
@@ -73,11 +73,38 @@ The following tables lists the configurable parameters of the MySQL-operator cha
 
 Parameter | Description | Default
 --------- | ----------- | -------
-`rbac.enabled` | If true, enables RBAC | `false`
+`rbac.enabled` | If true, enables RBAC | `true`
 `operator.namespace` | Controls the namespace in which the operator is deployed | `mysql-operator`
 
 ## Create a simple MySQL cluster
 
+The first time you create a MySQL Cluster in a namespace you need to create the
+`mysql-agent` ServiceAccount and RoleBinding in that namespace:
+
+```bash
+$ cat <<EOF | kubectl create -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mysql-agent
+  namespace: my-namespace
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: mysql-agent
+  namespace: my-namespace
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mysql-agent
+subjects:
+- kind: ServiceAccount
+  name: mysql-agent
+  namespace: my-namespace
+EOF
+```
+
 Now let's create a new MySQL cluster. Create a cluster.yaml file with the following contents
 
 ```yaml

mysql-operator/templates/02-rbac.yaml

@@ -4,12 +4,14 @@ kind: ServiceAccount
 metadata:
   name: mysql-operator
   namespace: {{ if .Values.operator.global }}mysql-operator{{ else }}{{ .Values.operator.namespace}}{{ end }}
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mysql-agent
   namespace: {{ if .Values.operator.global }}default{{ else }}{{ .Values.operator.namespace}}{{ end }}
+
 ---
 {{- if .Values.rbac.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -19,14 +21,108 @@ metadata:
   namespace: {{ .Values.operator.namespace}}{{ end }}
 rules:
   - apiGroups:
-    - "*"
+    - ""
     resources:
-    - "*"
+    - pods
     verbs:
-    - "*"
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - create
+
+  - apiGroups:
+    - ""
+    resources:
+    - services
+    verbs:
+    - create
+    - get
+    - list
+    - watch
+
+  - apiGroups:
+    - apps
+    resources:
+    - statefulsets
+    verbs:
+    - create
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - mysql.oracle.com
+    resources:
+    - mysqlbackups
+    - mysqlbackupschedules
+    - mysqlclusters
+    - mysqlrestores
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - mysql.oracle.com
+    resources:
+    - mysqlbackups
+    verbs:
+    - create
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: {{ if .Values.operator.global }}Cluster{{ end }}RoleBinding
+kind: {{ if .Values.operator.global }}Cluster{{ end }}Role
+metadata:
+  name: mysql-agent{{ if .Values.operator.global }}{{ else}}
+  namespace: {{ .Values.operator.namespace}}{{ end }}
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - get
+
+  - apiGroups:
+    - mysql.oracle.com
+    resources:
+    - mysqlbackups
+    - mysqlbackupschedules
+    - mysqlclusters
+    - mysqlrestores
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind:  {{ if .Values.operator.global }}Cluster{{ end }}RoleBinding
 metadata:
   name: mysql-operator
   namespace: {{ .Values.operator.namespace}}
@@ -38,18 +134,19 @@ subjects:
 - kind: ServiceAccount
   name: mysql-operator
   namespace: {{ .Values.operator.namespace }}
+
 ---
-kind: {{ if .Values.operator.global }}Cluster{{ end }}RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
+kind:  {{ if .Values.operator.global }}Cluster{{ end }}RoleBinding
 metadata:
   name: mysql-agent
-  namespace: {{ if .Values.operator.global }}default{{ else }}{{ .Values.operator.namespace }}{{ end }}
+  namespace: {{ .Values.operator.namespace}}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: {{ if .Values.operator.global }}Cluster{{ end }}Role
-  name: mysql-operator
+  kind:  {{ if .Values.operator.global }}Cluster{{ end }}Role
+  name: mysql-agent
 subjects:
 - kind: ServiceAccount
   name: mysql-agent
-  namespace: {{ if .Values.operator.global }}default{{ else }}{{ .Values.operator.namespace }}{{ end }}
+  namespace: {{ .Values.operator.namespace }}
 {{- end }}

mysql-operator/values.yaml

@@ -1,5 +1,5 @@
 rbac:
-  enabled: false
+  enabled: true
 operator:
   namespace: mysql-operator
   global: true