From ee49c511925d63cd54cb52fa1d2196f3b4e2bb38 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Thu, 5 Sep 2024 09:36:44 +0100
Subject: [PATCH] Fix roles / missing privileges
---
Makefile | 2 +-
chart/Chart.yaml | 4 ++--
chart/templates/mr-raczylo-com-rbac.yaml | 19 +++++++++++++++----
.../raczylo.com-clusterimage-editor-rbac.yaml | 5 ++++-
.../raczylo.com-clusterimage-viewer-rbac.yaml | 3 ++-
...lo.com-clusterimageexport-editor-rbac.yaml | 5 ++++-
...lo.com-clusterimageexport-viewer-rbac.yaml | 9 ++-------
chart/values.yaml | 2 +-
.../raczylo.com_clusterimage_editor_role.yaml | 3 +++
.../raczylo.com_clusterimage_viewer_role.yaml | 1 +
...lo.com_clusterimageexport_editor_role.yaml | 3 +++
...lo.com_clusterimageexport_viewer_role.yaml | 7 +------
config/rbac/role.yaml | 19 +++++++++++++++----
.../raczylo.com/clusterimage_controller.go | 7 +++----
.../clusterimageexport_controller.go | 8 ++++----
15 files changed, 61 insertions(+), 36 deletions(-)
diff --git a/Makefile b/Makefile
index b300152..99793a2 100644
--- a/Makefile
+++ b/Makefile
@@ -234,7 +234,7 @@ release-chart: cd ../helm-charts/; git add -A charts/packages; git fix; git push; cd ../helm-charts/charts/${CHART_NAME}; cr upload --config ../../chart-releaser.yaml --skip-existing; cd ../helm-charts/charts/${CHART_NAME}; rm -fr .cr-index; mkdir .cr-index; cr index --config ../../chart-releaser.yaml; cp .cr-index/index.yaml ../../index.yaml;
- git fix; git push
+ ../helm-charts; git fix; git push
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 92162f7..7e25d46 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -10,9 +10,9 @@ description: |
 type: application
-version: 0.1.7
+version: 0.1.11
-appVersion: "0.1.7"
+appVersion: "0.1.11"
 home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
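Review bot: The new recipe line `../helm-charts; git fix; git push` executes `../helm-charts` as a command instead of changing into it, so the shell fails on a directory and, because each recipe line runs in its own shell and this one is not prefixed with `-`, make aborts `release-chart` before `git fix; git push` ever run. This looks like a dropped `cd`; the line should read `cd ../helm-charts; git fix; git push`, one `cd` per recipe line as the preceding lines of the target already do. The three preceding command lines of this hunk were collapsed onto the `@@` line, so their exact boundaries are inferred.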
diff --git a/chart/templates/mr-raczylo-com-rbac.yaml b/chart/templates/mr-raczylo-com-rbac.yaml
index ec1388a..fd0b2e9 100644
--- a/chart/templates/mr-raczylo-com-rbac.yaml
+++ b/chart/templates/mr-raczylo-com-rbac.yaml
@@ -5,6 +5,18 @@ metadata:
 labels:
 {{- include "chart.labels" . | nindent 4 }}
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apps
 resources:
@@ -37,8 +49,7 @@ rules:
 - apiGroups:
 - raczylo.com
 resources:
- - clusterimageexports
- - clusterimages
+ - '*'
 verbs:
 - create
 - delete
@@ -50,13 +61,13 @@ rules:
 - apiGroups:
 - raczylo.com
 resources:
- - clusterimageexports/finalizers
+ - '*/finalizers'
 verbs:
 - update
 - apiGroups:
 - raczylo.com
 resources:
- - clusterimageexports/status
+ - '*/status'
 verbs:
 - get
 - patch
diff --git a/chart/templates/raczylo.com-clusterimage-editor-rbac.yaml b/chart/templates/raczylo.com-clusterimage-editor-rbac.yaml
index 9261080..146eccf 100644
--- a/chart/templates/raczylo.com-clusterimage-editor-rbac.yaml
+++ b/chart/templates/raczylo.com-clusterimage-editor-rbac.yaml
@@ -22,4 +22,7 @@ rules:
 resources:
 - clusterimages/status
 verbs:
- - get
\ No newline at end of file
+ - get
+ - patch
+ - update
+ - watch
\ No newline at end of file
diff --git a/chart/templates/raczylo.com-clusterimage-viewer-rbac.yaml b/chart/templates/raczylo.com-clusterimage-viewer-rbac.yaml
index 0fddff6..737e554 100644
--- a/chart/templates/raczylo.com-clusterimage-viewer-rbac.yaml
+++ b/chart/templates/raczylo.com-clusterimage-viewer-rbac.yaml
@@ -18,4 +18,5 @@ rules:
 resources:
 - clusterimages/status
 verbs:
- - get
\ No newline at end of file
+ - get
+ - watch
\ No newline at end of file
diff --git a/chart/templates/raczylo.com-clusterimageexport-editor-rbac.yaml b/chart/templates/raczylo.com-clusterimageexport-editor-rbac.yaml
index 5bd4b77..3768c33 100644
--- a/chart/templates/raczylo.com-clusterimageexport-editor-rbac.yaml
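Review bot: The new core-group rule in the first hunk (@@ -5,6 +5,18) grants create/delete/patch/update on `pods` in every namespace through a ClusterRole; if the reconciler only observes the pods that its Jobs spawn, `get`, `list` and `watch` are sufficient and the write verbs widen what the operator's service account can do for no functional gain. The same rule is added to config/rbac/role.yaml (hunk @@ -4,6 +4,18) and originates from the `+kubebuilder:rbac:groups="",resources=pods` marker in clusterimageexport_controller.go, which is the place to trim it: `// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch`. Whether the controller itself creates or deletes pods is not visible in this diff, so confirm against the reconciler code before narrowing.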
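Review bot: In hunk @@ -37,8 +49,7 the explicit `clusterimageexports`/`clusterimages` list is replaced by `'*'`, and hunk @@ -50,13 +61,13 does the same with `'*/status'` and `'*/finalizers'`; this grants every current and future resource in the raczylo.com group rather than the two kinds the operator owns, so any CRD later added to that group silently inherits full CRUD from this role. The operator's kinds are known, so list them explicitly: `- clusterimages` and `- clusterimageexports`, with `clusterimages/status`, `clusterimageexports/status` and the two `/finalizers` entries in the subresource rules. config/rbac/role.yaml carries the same wildcard (hunks @@ -36,8 +48,7 and @@ -49,13 +60,13) and appears to be generated from the markers in clusterimage_controller.go and clusterimageexport_controller.go, so the durable fix is in those markers, e.g. `// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages;clusterimageexports,verbs=get;list;watch;create;update;patch;delete` and the matching `/status` and `/finalizers` lines.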
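Review bot: The clusterimage editor hunk (@@ -22,4 +22,7) adds `watch` to the `clusterimages/status` rule; a CRD's `/status` subresource only serves get, update and patch, so this verb never matches a request and only adds noise to the role. The same dead verb is added in the clusterimage viewer hunk that follows, in the clusterimageexport editor/viewer templates in the next file, and in the four config/rbac editor/viewer roles (where the viewer change also folds `clusterimageexports/status` into a rule carrying list/watch). Drop `- watch` from the status rules; list and watch belong on the main `clusterimages`/`clusterimageexports` rule, where the viewer roles already have them.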
+++ b/chart/templates/raczylo.com-clusterimageexport-editor-rbac.yaml
@@ -22,4 +22,7 @@ rules:
 resources:
 - clusterimageexports/status
 verbs:
- - get
\ No newline at end of file
+ - get
+ - patch
+ - update
+ - watch
\ No newline at end of file
diff --git a/chart/templates/raczylo.com-clusterimageexport-viewer-rbac.yaml b/chart/templates/raczylo.com-clusterimageexport-viewer-rbac.yaml
index 99d203d..bf6a5bb 100644
--- a/chart/templates/raczylo.com-clusterimageexport-viewer-rbac.yaml
+++ b/chart/templates/raczylo.com-clusterimageexport-viewer-rbac.yaml
@@ -9,13 +9,8 @@ rules:
 - raczylo.com
 resources:
 - clusterimageexports
+ - clusterimageexports/status
 verbs:
 - get
 - list
- - watch
-- apiGroups:
- - raczylo.com
- resources:
- - clusterimageexports/status
- verbs:
- - get
\ No newline at end of file
+ - watch
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index 7d77cad..211f702 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -11,7 +11,7 @@ cmRaczyloCom:
 - ALL
 image:
 repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
- tag: 0.1.7
+ tag: 0.1.11
 resources:
 limits:
 cpu: 500m
diff --git a/config/rbac/raczylo.com_clusterimage_editor_role.yaml b/config/rbac/raczylo.com_clusterimage_editor_role.yaml
index ec3aa7b..d99b2ff 100644
--- a/config/rbac/raczylo.com_clusterimage_editor_role.yaml
+++ b/config/rbac/raczylo.com_clusterimage_editor_role.yaml
@@ -25,3 +25,6 @@ rules:
 - clusterimages/status
 verbs:
 - get
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/raczylo.com_clusterimage_viewer_role.yaml b/config/rbac/raczylo.com_clusterimage_viewer_role.yaml
index 2e9ef11..9847dda 100644
--- a/config/rbac/raczylo.com_clusterimage_viewer_role.yaml
+++ b/config/rbac/raczylo.com_clusterimage_viewer_role.yaml
@@ -21,3 +21,4 @@ rules:
 - clusterimages/status
 verbs:
 - get
+ - watch
diff --git a/config/rbac/raczylo.com_clusterimageexport_editor_role.yaml b/config/rbac/raczylo.com_clusterimageexport_editor_role.yaml
index 4c0214e..6710b15 100644
--- a/config/rbac/raczylo.com_clusterimageexport_editor_role.yaml
+++ b/config/rbac/raczylo.com_clusterimageexport_editor_role.yaml
@@ -25,3 +25,6 @@ rules:
 - clusterimageexports/status
 verbs:
 - get
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/raczylo.com_clusterimageexport_viewer_role.yaml b/config/rbac/raczylo.com_clusterimageexport_viewer_role.yaml
index 9f0585a..3190a6e 100644
--- a/config/rbac/raczylo.com_clusterimageexport_viewer_role.yaml
+++ b/config/rbac/raczylo.com_clusterimageexport_viewer_role.yaml
@@ -11,13 +11,8 @@ rules:
 - raczylo.com
 resources:
 - clusterimageexports
+ - clusterimageexports/status
 verbs:
 - get
 - list
 - watch
- - apiGroups:
- - raczylo.com
- resources:
- - clusterimageexports/status
- verbs:
- - get
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 41781d8..da99789 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,6 +4,18 @@ kind: ClusterRole
 metadata:
 name: mr-raczylo-com
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apps
 resources:
@@ -36,8 +48,7 @@ rules:
 - apiGroups:
 - raczylo.com
 resources:
- - clusterimageexports
- - clusterimages
+ - '*'
 verbs:
 - create
 - delete
@@ -49,13 +60,13 @@ rules:
 - apiGroups:
 - raczylo.com
 resources:
- - clusterimageexports/finalizers
+ - '*/finalizers'
 verbs:
 - update
 - apiGroups:
 - raczylo.com
 resources:
- - clusterimageexports/status
+ - '*/status'
 verbs:
 - get
 - patch
diff --git a/internal/controller/raczylo.com/clusterimage_controller.go b/internal/controller/raczylo.com/clusterimage_controller.go
index 5ccfc8a..40904e0 100644
--- a/internal/controller/raczylo.com/clusterimage_controller.go
+++ b/internal/controller/raczylo.com/clusterimage_controller.go
@@ -29,12 +29,11 @@ type ClusterImageReconciler struct {
 ActiveJobs int
 }
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages/finalizers,verbs=update
+// +kubebuilder:rbac:groups=raczylo.com,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/finalizers,verbs=update
 // # additional RBAC rules - create and manage jobs
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports,verbs=get;list;watch;update;patch
 func (r *ClusterImageReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 l := log.FromContext(ctx)
diff --git a/internal/controller/raczylo.com/clusterimageexport_controller.go b/internal/controller/raczylo.com/clusterimageexport_controller.go
index bdaa16f..a247484 100644
--- a/internal/controller/raczylo.com/clusterimageexport_controller.go
+++ b/internal/controller/raczylo.com/clusterimageexport_controller.go
@@ -30,15 +30,15 @@ type ClusterImageExportReconciler struct {
 Scheme *runtime.Scheme
 }
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports/finalizers,verbs=update
+// +kubebuilder:rbac:groups=raczylo.com,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/finalizers,verbs=update
 // additional RBAC rules
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete
 const clusterImageExportFinalizer = "finalizer.clusterimageexport.raczylo.com"
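Review bot: The new `pods` marker is the only write-capable rule among the "additional RBAC rules" and carries no comment saying what the ClusterImageExport reconciler does with pods, so a reader cannot tell whether create/update/patch/delete are required or whether the read-only set used for deployments, daemonsets and cronjobs would do. Suggest a why-comment directly above it, e.g. `// pods: <what the reconciler creates/deletes, or only reads> — keep the verb list in step with that code`, with the placeholder replaced by the actual use. It would also help to note next to the three `resources=*` markers that clusterimage_controller.go declares the same set, since controller-gen merges every marker in the package into the one role and a future reader will otherwise wonder which file is authoritative.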