From f53d90feea682b8e60eccd55dfc58de9fb6fc008 Mon Sep 17 00:00:00 2001
From: Brandon Dunne
Date: Wed, 13 Sep 2023 16:38:47 -0400
Subject: [PATCH] Group dependencies together for simplicity

Also, restrict route permissions to only what we need
---
 manageiq-operator/config/rbac/role.yaml | 72 +------------------
 .../controller/manageiq_controller.go | 16 ++---
 2 files changed, 8 insertions(+), 80 deletions(-)

diff --git a/manageiq-operator/config/rbac/role.yaml b/manageiq-operator/config/rbac/role.yaml
index ac97873df..660dcdd77 100644
--- a/manageiq-operator/config/rbac/role.yaml
+++ b/manageiq-operator/config/rbac/role.yaml
@@ -28,6 +28,8 @@ rules:
   - apps
   resources:
   - deployments
+  - deployments/scale
+  - replicasets
   verbs:
   - create
   - delete
@@ -44,30 +46,6 @@ rules:
   - deployments/finalizers
   verbs:
   - update
-- apiGroups:
-  - apps
-  resources:
-  - deployments/scale
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - apps
-  resources:
-  - replicasets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -82,29 +60,7 @@ rules:
   - extensions
   resources:
   - deployments
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - extensions
-  resources:
   - deployments/scale
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - extensions
-  resources:
   - networkpolicies
   verbs:
   - create
@@ -151,17 +107,6 @@ rules:
   - networking.k8s.io
   resources:
   - ingresses
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - networking.k8s.io
-  resources:
   - networkpolicies
   verbs:
   - create
@@ -175,17 +120,6 @@ rules:
   - rbac.authorization.k8s.io
   resources:
   - rolebindings
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
   - roles
   verbs:
   - create
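Review bot: The consolidated `extensions` rule in hunk `@@ -82,29 +60,7 @@` still grants full CRUD on `deployments`, `deployments/scale` and `networkpolicies` in the `extensions` API group, which Kubernetes stopped serving in 1.16, so on any cluster this operator can run on the rule matches nothing and only makes the role look broader than it is to an RBAC audit. The same resources are already granted under `apps` and `networking.k8s.io` in the neighbouring rules, so the whole `extensions` entry can go. Since role.yaml appears to be controller-gen output, the `//+kubebuilder:rbac ... groups=extensions` marker in manageiq_controller.go is where to delete it. If some supported platform still needs the legacy group, a comment on the marker naming it, e.g. `// extensions group kept for <platform>; drop once it is no longer supported`, would stop the next reviewer from removing it.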
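Review bot: The `rbac.authorization.k8s.io` rule in hunk `@@ -175,17 +120,6 @@` keeps create/update/patch/delete on every `roles` and `rolebindings` object in the namespace, which the commit's stated aim of trimming permissions to what is needed does not touch. The API server's escalation check caps what the operator can grant to permissions it already holds, but the rule still lets it rewrite or delete bindings it did not create, including those of other workloads sharing the namespace. If the operator only manages its own Role/RoleBinding objects, scoping the write verbs with `resourceNames` the way the `deployments/finalizers` marker already does would be tighter; if it genuinely needs to create arbitrary ones, a one-line comment on the marker saying why would justify the grant.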
@@ -198,7 +132,7 @@ rules:
 - apiGroups:
   - route.openshift.io
   resources:
-  - '*'
+  - route
   verbs:
   - create
   - delete
diff --git a/manageiq-operator/internal/controller/manageiq_controller.go b/manageiq-operator/internal/controller/manageiq_controller.go
index 7948ad35b..2fab96dd7 100644
--- a/manageiq-operator/internal/controller/manageiq_controller.go
+++ b/manageiq-operator/internal/controller/manageiq_controller.go
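Review bot: The added `- route` under `route.openshift.io` does not name a served resource; RBAC rules match the plural resource name from API discovery, and the OpenShift resource is `routes`, so this rule grants nothing and the operator will get a Forbidden error the first time it creates or updates a Route — the removed `'*'` was masking the name. The line should read `  - routes`, and since this file looks like controller-gen output the fix belongs in the `//+kubebuilder:rbac` marker followed by regenerating, not a hand edit here. Before merging, `kubectl auth can-i create routes.route.openshift.io --as=system:serviceaccount:<ns>:<operator-sa> -n <ns>` against the installed Role will confirm the grant actually lands.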
@@ -47,23 +47,17 @@ type ManageIQReconciler struct {
 }
 
 //+kubebuilder:rbac:namespace=changeme,groups="",resources=configmaps;events;persistentvolumeclaims;pods;pods/finalizers;secrets;serviceaccounts;services;services/finalizers,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=changeme,groups=apps,resources=deployments;deployments/scale;replicasets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:namespace=changeme,groups=apps,resources=deployments/finalizers,resourceNames=manageiq-operator,verbs=update
-//+kubebuilder:rbac:namespace=changeme,groups=apps,resources=deployments/scale,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=apps,resources=replicasets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:namespace=changeme,groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update;delete
-//+kubebuilder:rbac:namespace=changeme,groups=extensions,resources=deployments,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=extensions,resources=deployments/scale,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=extensions,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=changeme,groups=extensions,resources=deployments;deployments/scale;networkpolicies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:namespace=changeme,groups=manageiq.org,resources=manageiqs,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:namespace=changeme,groups=manageiq.org,resources=manageiqs/finalizers,verbs=update
 //+kubebuilder:rbac:namespace=changeme,groups=manageiq.org,resources=manageiqs/status,verbs=get;update;patch
 //+kubebuilder:rbac:namespace=changeme,groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create
-//+kubebuilder:rbac:namespace=changeme,groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=changeme,groups=route.openshift.io,resources=*,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=changeme,groups=networking.k8s.io,resources=ingresses;networkpolicies,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=changeme,groups=rbac.authorization.k8s.io,resources=rolebindings;roles,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=changeme,groups=route.openshift.io,resources=route,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
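Review bot: The last added marker uses `resources=route`, which should be `routes` — RBAC matches the plural resource name from API discovery, so the generated Role grants nothing for `route.openshift.io` and the operator will be denied when it creates or updates a Route, whereas the removed `resources=*` did cover it. The fix is the single line `//+kubebuilder:rbac:namespace=changeme,groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete`, followed by regenerating config/rbac/role.yaml so the two stay in sync. The consolidated `groups=extensions` marker can most likely be dropped outright: that API group stopped serving deployments and networkpolicies in Kubernetes 1.16, and the same resources are already granted under `apps` and `networking.k8s.io` in adjacent markers. The ManageIQReconciler struct whose closing brace opens this hunk begins before it.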