Fix roles / missing privileges

2026-06-05 22:53:39 +00:00 · 2024-09-05 09:36:44 +01:00
parent 9b1135cb7b
commit ee49c51192
15 changed files with 61 additions and 36 deletions
@@ -234,7 +234,7 @@ release-chart:
 	cd ../helm-charts/; git add -A charts/packages; git fix; git push;
 	cd ../helm-charts/charts/${CHART_NAME}; cr upload --config ../../chart-releaser.yaml --skip-existing;
 	cd ../helm-charts/charts/${CHART_NAME}; rm -fr .cr-index; mkdir .cr-index; cr index --config ../../chart-releaser.yaml; cp .cr-index/index.yaml ../../index.yaml;
-	git fix; git push
+	../helm-charts; git fix; git push

 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
@@ -10,9 +10,9 @@ description: |

 type: application

-version: 0.1.7
+version: 0.1.11

-appVersion: "0.1.7"
+appVersion: "0.1.11"

 home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator

@@ -5,6 +5,18 @@ metadata:
  labels:
  {{- include "chart.labels" . | nindent 4 }}
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
  - apps
  resources:
@@ -37,8 +49,7 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports
-  - clusterimages
+  - '*'
  verbs:
  - create
  - delete
@@ -50,13 +61,13 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/finalizers
+  - '*/finalizers'
  verbs:
  - update
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/status
+  - '*/status'
  verbs:
  - get
  - patch
@@ -22,4 +22,7 @@ rules:
  resources:
  - clusterimages/status
  verbs:
-  - get
+  - get
+  - patch
+  - update
+  - watch
@@ -18,4 +18,5 @@ rules:
  resources:
  - clusterimages/status
  verbs:
-  - get
+  - get
+  - watch
@@ -22,4 +22,7 @@ rules:
  resources:
  - clusterimageexports/status
  verbs:
-  - get
+  - get
+  - patch
+  - update
+  - watch
@@ -9,13 +9,8 @@ rules:
  - raczylo.com
  resources:
  - clusterimageexports
+  - clusterimageexports/status
  verbs:
  - get
  - list
-  - watch
- apiGroups:
-  - raczylo.com
-  resources:
-  - clusterimageexports/status
-  verbs:
-  - get
+  - watch
@@ -11,7 +11,7 @@ cmRaczyloCom:
        - ALL
    image:
      repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
-      tag: 0.1.7
+      tag: 0.1.11
    resources:
      limits:
        cpu: 500m
@@ -25,3 +25,6 @@ rules:
      - clusterimages/status
    verbs:
      - get
+      - patch
+      - update
+      - watch
@@ -21,3 +21,4 @@ rules:
      - clusterimages/status
    verbs:
      - get
+      - watch
@@ -25,3 +25,6 @@ rules:
      - clusterimageexports/status
    verbs:
      - get
+      - patch
+      - update
+      - watch
@@ -11,13 +11,8 @@ rules:
      - raczylo.com
    resources:
      - clusterimageexports
+      - clusterimageexports/status
    verbs:
      - get
      - list
      - watch
-  - apiGroups:
-      - raczylo.com
-    resources:
-      - clusterimageexports/status
-    verbs:
-      - get
@@ -4,6 +4,18 @@ kind: ClusterRole
 metadata:
  name: mr-raczylo-com
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
  - apps
  resources:
@@ -36,8 +48,7 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports
-  - clusterimages
+  - '*'
  verbs:
  - create
  - delete
@@ -49,13 +60,13 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/finalizers
+  - '*/finalizers'
  verbs:
  - update
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/status
+  - '*/status'
  verbs:
  - get
  - patch
@@ -29,12 +29,11 @@ type ClusterImageReconciler struct {
 	ActiveJobs      int
 }

-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages/finalizers,verbs=update
+// +kubebuilder:rbac:groups=raczylo.com,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/finalizers,verbs=update
 // # additional RBAC rules - create and manage jobs
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports,verbs=get;list;watch;update;patch
 func (r *ClusterImageReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	l := log.FromContext(ctx)

@@ -30,15 +30,15 @@ type ClusterImageExportReconciler struct {
 	Scheme *runtime.Scheme
 }

-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports/finalizers,verbs=update
+// +kubebuilder:rbac:groups=raczylo.com,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/finalizers,verbs=update
 // additional RBAC rules
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete

 const clusterImageExportFinalizer = "finalizer.clusterimageexport.raczylo.com"