fix(kgo): fix RBAC policy rules #1148

Merged
merged 1 commit into from
Oct 17, 2024

@pmalek pmalek commented Oct 16, 2024

What this PR does / why we need it:

Fix KGO's RBAC policy rules:

E1016 08:37:12.380734       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1alpha1.DataPlaneMetricsExtension: dataplanemetricsextensions.gateway-operator.konghq.com is forbidden: User "system:serviceaccount:kong-system:controller-manager" cannot list resource "dataplanemetricsextensions" in API group "gateway-operator.konghq.com" at the cluster scope

This PR changes the generation script by using both KGO and KGO EE. The reason for this? KGO EE's manager role contains a superset of required policy rules so we can't just use KGO's manager role. Hence this change uses the base manifests + KGO EE's manager role.

There's probably a better way of doing this but this works™️.

NOTE: at some point we could consider using kubebuilder code markers instead of using already produced manifests if that would be easier/better.

Special notes for your reviewer:

The resulting RBAC manifests were generated with

charts/gateway-operator/scripts/update-rbac-resources.sh $KGO_REPO $KGOEE_REPO $CHARTS_REPO

This change used

This is related to #1060 as those tests would greatly catch errors that produce unwanted changes in manager's role policy rules (re #1138) especially now that newer versions of controller tools generate aggregated policy rules so it's harder to notice the change in permissions for a particular type.

Checklist

  • PR is based off the current tip of the main branch.
  • Changes are documented under the "Unreleased" header in CHANGELOG.md
  • New or modified sections of values.yaml are documented in the README.md
  • Commits follow the Kong commit message guidelines

@pmalek pmalek self-assigned this Oct 16, 2024
@pmalek pmalek marked this pull request as ready for review October 16, 2024 18:38
@pmalek pmalek requested a review from a team as a code owner October 16, 2024 18:38
@pmalek pmalek added this to the KGO v1.4.x milestone Oct 16, 2024
@pmalek pmalek merged commit 571b6b4 into main Oct 17, 2024
33 checks passed
@pmalek pmalek deleted the fix-kgo-rbac-policy-rules branch October 17, 2024 08:49
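
The point above about aggregated policy rules hiding a lost permission, as an added example that is not part of the PR or the project's scripts: it expands each rule into (apiGroup, resource, verb) tuples and reports what a regenerated role no longer grants. The rule data is constructed, and `expand`, `grants` and `lost_permissions` are hypothetical helper names.

```python
# Added example (not from the PR): per-permission diff of two ClusterRole rule lists.
# Rule dicts mirror the `rules:` entries of a ClusterRole manifest; all sample data is constructed.
from itertools import product

GROUP = "gateway-operator.konghq.com"


def expand(rules):
    """Flatten rules into a set of (apiGroup, resource, verb) tuples.

    Rules limited by resourceNames or nonResourceURLs are skipped (out of scope here).
    """
    perms = set()
    for rule in rules:
        if rule.get("resourceNames") or rule.get("nonResourceURLs"):
            continue
        perms.update(product(rule.get("apiGroups", []),
                             rule.get("resources", []),
                             rule.get("verbs", [])))
    return perms


def grants(perms, wanted):
    """True if `wanted` is covered by `perms`, honouring "*" wildcards."""
    group, resource, verb = wanted
    return any(g in (group, "*") and r in (resource, "*") and v in (verb, "*")
               for g, r, v in perms)


def lost_permissions(before, after):
    """Permissions granted by `before` that `after` no longer grants."""
    after_perms = expand(after)
    return sorted(p for p in expand(before) if not grants(after_perms, p))


# Constructed "before" role: one rule per resource (non-aggregated form).
BEFORE = [
    {"apiGroups": [GROUP], "resources": ["dataplanes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [GROUP], "resources": ["dataplanemetricsextensions"],
     "verbs": ["get", "list", "watch"]},
]
# Constructed "after" role: an aggregated rule from which one resource has dropped out.
AFTER = [
    {"apiGroups": [GROUP], "resources": ["dataplanes", "controlplanes"],
     "verbs": ["get", "list", "watch"]},
]

if __name__ == "__main__":
    for group, resource, verb in lost_permissions(BEFORE, AFTER):
        print(f"lost: {verb} {resource}.{group}")
```

Run against the old and regenerated manager role in CI, a non-empty result flags a dropped permission before it surfaces as a `forbidden` error from the controller's service account.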