From b7c11d2829e64162e0bb483841855a39fae14836 Mon Sep 17 00:00:00 2001
From: zhenyus
Date: Mon, 12 May 2025 09:56:54 +0800
Subject: [PATCH] feat: update RBAC configurations and add Jenkinsfile for aml-services
Signed-off-by: zhenyus
---
 aml-services/alpha/ailab/Jenkinsfile | 35 +++++++++++++++++
 cluster/bin/freeleaps-cluster-authenticator | 2 +
 .../freeleaps-controls-system/rbac/rbac.yaml | 19 ++++++++-
 .../freeleaps-data-platform/rbac/rbac.yaml | 38 +++++++++++++++++-
 .../rbac/rbac.yaml | 38 ++++++++++++++++--
 5 files changed, 120 insertions(+), 12 deletions(-)
 create mode 100644 aml-services/alpha/ailab/Jenkinsfile
diff --git a/aml-services/alpha/ailab/Jenkinsfile b/aml-services/alpha/ailab/Jenkinsfile
new file mode 100644
index 00000000..2d827f0d
--- /dev/null
+++ b/aml-services/alpha/ailab/Jenkinsfile
@@ -0,0 +1,35 @@
+library 'first-class-pipeline'
+
+executeFreeleapsPipeline {
+ serviceName = 'aml-services'
+ environmentSlug = 'alpha'
+ serviceGitBranch = 'dev'
+ serviceGitRepo = "https://gitea.freeleaps.mathmast.com/freeleaps/aml-services.git"
+ serviceGitRepoType = 'monorepo'
+ serviceGitCredentialsId = 'freeleaps-repos-gitea-credentails'
+ executeMode = 'on-demand'
+ commitMessageLintEnabled = false
+ components = [
+ [
+ name: 'ailab',
+ root: 'apps/ailab',
+ language: 'python',
+ dependenciesManager: 'pip',
+ requirementsFile: 'requirements.txt',
+ buildCacheEnabled: true,
+ buildAgentImage: 'python:3.10-slim-buster',
+ buildArtifacts: ['.'],
+ lintEnabled: false,
+ sastEnabled: false,
+ imageRegistry: 'docker.io',
+ imageRepository: 'freeleaps',
+ imageName: 'ailab',
+ imageBuilder: 'dind',
+ dockerfilePath: 'Dockerfile',
+ imageBuildRoot: '.',
+ imageReleaseArchitectures: ['linux/amd64', 'linux/arm64/v8'],
+ registryCredentialsId: 'freeleaps-devops-docker-hub-credentials',
+ semanticReleaseEnabled: true
+ ]
+ ]
+}
\ No newline at end of file
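Review bot: `buildAgentImage: 'python:3.10-slim-buster'` pins the build agent to a Debian buster base, which reached end of life in 2024, so that tag no longer receives OS security updates; prefer a supported base such as `python:3.10-slim-bookworm`, and pin by digest if the pipeline library supports it. `sastEnabled: false` together with `lintEnabled: false` switches off static analysis for an image that is pushed to docker.io with `semanticReleaseEnabled: true`; if this is temporary, a comment above the component saying why and when it is re-enabled would help the next reader. `serviceGitCredentialsId = 'freeleaps-repos-gitea-credentails'` looks misspelled; confirm it matches the credential id configured in Jenkins, since a wrong id fails only at checkout time.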
diff --git a/cluster/bin/freeleaps-cluster-authenticator b/cluster/bin/freeleaps-cluster-authenticator
index d5542b71..d3e7ac3a 100755
--- a/cluster/bin/freeleaps-cluster-authenticator
+++ b/cluster/bin/freeleaps-cluster-authenticator
@@ -304,6 +304,8 @@ clear_auth() {
 exit 1
 fi
+ rm -rf "${HOME}/.kube/cache/oidc-login"
+
 echo "[CLEAR] kubectl authentication cleared successfully."
 }
diff --git a/cluster/manifests/freeleaps-controls-system/rbac/rbac.yaml b/cluster/manifests/freeleaps-controls-system/rbac/rbac.yaml
index 90e42dd1..d8e0a03a 100644
--- a/cluster/manifests/freeleaps-controls-system/rbac/rbac.yaml
+++ b/cluster/manifests/freeleaps-controls-system/rbac/rbac.yaml
@@ -1,9 +1,22 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
 name: certificate-contributor
- namespace: freeleaps-controls-system
 rules:
 - apiGroups: ["cert-manager.io"]
 resources: ["certificates"]
- verbs: ["*"]
\ No newline at end of file
+ verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: certificate-contributor-binding
+ namespace: freeleaps-controls-system
+subjects:
+ - kind: Group
+ name: mathmast:certificate-contributor
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: certificate-contributor
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/cluster/manifests/freeleaps-data-platform/rbac/rbac.yaml b/cluster/manifests/freeleaps-data-platform/rbac/rbac.yaml
index eb98fe38..22e789ce 100644
--- a/cluster/manifests/freeleaps-data-platform/rbac/rbac.yaml
+++ b/cluster/manifests/freeleaps-data-platform/rbac/rbac.yaml
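Review bot: The added `rm -rf "${HOME}/.kube/cache/oidc-login"` expands an unguarded `${HOME}`; with HOME unset or empty the path collapses to `/.kube/cache/oidc-login`, so it should fail closed with `rm -rf "${HOME:?HOME is not set}/.kube/cache/oidc-login"`. The start of clear_auth and the script's `set` options are outside the hunk, so it is not visible here whether `set -u` already covers this. A one-line comment above the rm naming what the directory holds (presumably the kubelogin token cache; confirm) would document why removing it belongs in the clear step, e.g. `# remove the cached OIDC login so stale tokens are not reused after clearing`.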
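Review bot: Changing `kind: Role` to `kind: ClusterRole` under the same name does not remove the existing namespaced Role `certificate-contributor` from freeleaps-controls-system: `kubectl apply` of this file creates the ClusterRole and leaves the old Role, and any binding that still references it, in place with its former `verbs: ["*"]`. Delete the old Role explicitly (or apply with pruning) so the broader grant does not linger; the same applies to both roles converted in cluster/manifests/freeleaps-monitoring-system/rbac/rbac.yaml. A comment above the ClusterRole stating the intent, such as `# ClusterRole so the rule set is reusable; access is granted per namespace by the RoleBinding below`, would explain why a cluster-scoped role is paired with a namespaced binding.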
@@ -4,6 +4,38 @@ metadata:
 name: data-platform-contributor
 namespace: freeleaps-data-platform
 rules:
- - apiGroups: ["*"]
- resources: ["*"]
- verbs: ["*"]
\ No newline at end of file
+ - apiGroups: [""]
+ resources: ["secrets", "pods", "configmaps", "endpoints", "services", "persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["networkpolicies"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: data-platform-contributor-binding
+ namespace: freeleaps-data-platform
+subjects:
+ - kind: Group
+ name: mathmast:data-platform-contributor
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: data-platform-contributor
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/cluster/manifests/freeleaps-monitoring-system/rbac/rbac.yaml b/cluster/manifests/freeleaps-monitoring-system/rbac/rbac.yaml
index 24039d4d..8eb3809d 100644
--- a/cluster/manifests/freeleaps-monitoring-system/rbac/rbac.yaml
+++ b/cluster/manifests/freeleaps-monitoring-system/rbac/rbac.yaml
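Review bot: The new RoleBinding's `roleRef` points at `kind: ClusterRole`, but the object it is meant to bind keeps `namespace: freeleaps-data-platform` in its metadata and its `kind` line above the hunk is untouched by this commit, so it is presumably still a namespaced Role; a roleRef naming a ClusterRole that does not exist is accepted by the API server and grants nothing, silently. Either set `kind: Role` in roleRef or convert the object to a ClusterRole as the other two files do, and note that `roleRef` is immutable, so a binding created with the wrong kind must be deleted and recreated. The `nodes` rule has no effect here: nodes are cluster-scoped and cannot be granted through a RoleBinding, so drop it or, if read access to nodes is really intended, grant it through a separate ClusterRoleBinding. `apiGroups: ["extensions"]` for ingresses was removed from the API in Kubernetes 1.22; use `networking.k8s.io` for that rule.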
@@ -1,19 +1,45 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
 name: prometheus-rules-contributor
- namespace: freeleaps-monitoring-system
 rules:
 - apiGroups: ["monitoring.coreos.com"]
 resources: ["prometheusrules"]
- verbs: ["*"]
+ verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: RoleBinding
+metadata:
+ name: prometheus-rules-contributor-binding
+ namespace: freeleaps-monitoring-system
+subjects:
+ - kind: Group
+ name: mathmast:prometheus-rules-contributor
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: prometheus-rules-contributor
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 name: service-monitor-contributor
- namespace: freeleaps-monitoring-system
 rules:
 - apiGroups: ["monitoring.coreos.com"]
 resources: ["servicemonitors"]
- verbs: ["*"]
\ No newline at end of file
+ verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: service-monitor-contributor-binding
+ namespace: freeleaps-monitoring-system
+subjects:
+ - kind: Group
+ name: mathmast:service-monitor-contributor
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: service-monitor-contributor
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file