Fix roles / missing privileges

2026-06-10 23:29:11 +00:00 · 2024-09-05 09:36:44 +01:00
parent 9b1135cb7b
commit ee49c51192
15 changed files with 61 additions and 36 deletions
@@ -234,7 +234,7 @@ release-chart:
 	cd ../helm-charts/; git add -A charts/packages; git fix; git push;
 	cd ../helm-charts/charts/${CHART_NAME}; cr upload --config ../../chart-releaser.yaml --skip-existing;
 	cd ../helm-charts/charts/${CHART_NAME}; rm -fr .cr-index; mkdir .cr-index; cr index --config ../../chart-releaser.yaml; cp .cr-index/index.yaml ../../index.yaml;
-	git fix; git push
+	../helm-charts; git fix; git push
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
@@ -10,9 +10,9 @@ description: |
 type: application
-version: 0.1.7
+version: 0.1.11
-appVersion: "0.1.7"
+appVersion: "0.1.11"
 home: https://github.com/lukaszraczylo/kubernetes-images-sync-operator
@@ -5,6 +5,18 @@ metadata:
  labels:
  {{- include "chart.labels" . | nindent 4 }}
 rules:
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - apps
  resources:
@@ -37,8 +49,7 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports
+  - '*'
  - clusterimages
  verbs:
  - create
  - delete
@@ -50,13 +61,13 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/finalizers
+  - '*/finalizers'
  verbs:
  - update
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/status
+  - '*/status'
  verbs:
  - get
  - patch
@@ -22,4 +22,7 @@ rules:
  resources:
  - clusterimages/status
  verbs:
-  - get
+  - get
  - patch
  - update
  - watch
@@ -18,4 +18,5 @@ rules:
  resources:
  - clusterimages/status
  verbs:
-  - get
+  - get
  - watch
@@ -22,4 +22,7 @@ rules:
  resources:
  - clusterimageexports/status
  verbs:
-  - get
+  - get
  - patch
  - update
  - watch
@@ -9,13 +9,8 @@ rules:
  - raczylo.com
  resources:
  - clusterimageexports
  - clusterimageexports/status
  verbs:
  - get
  - list
-  - watch
+  - watch
 - apiGroups:
  - raczylo.com
  resources:
  - clusterimageexports/status
  verbs:
  - get
@@ -11,7 +11,7 @@ cmRaczyloCom:
        - ALL
    image:
      repository: ghcr.io/lukaszraczylo/kubernetes-images-sync-operator
-      tag: 0.1.7
+      tag: 0.1.11
    resources:
      limits:
        cpu: 500m
@@ -25,3 +25,6 @@ rules:
      - clusterimages/status
    verbs:
      - get
      - patch
      - update
      - watch
@@ -21,3 +21,4 @@ rules:
      - clusterimages/status
    verbs:
      - get
      - watch
@@ -25,3 +25,6 @@ rules:
      - clusterimageexports/status
    verbs:
      - get
      - patch
      - update
      - watch
@@ -11,13 +11,8 @@ rules:
      - raczylo.com
    resources:
      - clusterimageexports
      - clusterimageexports/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - raczylo.com
    resources:
      - clusterimageexports/status
    verbs:
      - get
@@ -4,6 +4,18 @@ kind: ClusterRole
 metadata:
  name: mr-raczylo-com
 rules:
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - apps
  resources:
@@ -36,8 +48,7 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports
+  - '*'
  - clusterimages
  verbs:
  - create
  - delete
@@ -49,13 +60,13 @@ rules:
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/finalizers
+  - '*/finalizers'
  verbs:
  - update
 - apiGroups:
  - raczylo.com
  resources:
-  - clusterimageexports/status
+  - '*/status'
  verbs:
  - get
  - patch
@@ -29,12 +29,11 @@ type ClusterImageReconciler struct {
 	ActiveJobs      int
 }
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=raczylo.com,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages/finalizers,verbs=update
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/finalizers,verbs=update
 // # additional RBAC rules - create and manage jobs
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports,verbs=get;list;watch;update;patch
 func (r *ClusterImageReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	l := log.FromContext(ctx)
@@ -30,15 +30,15 @@ type ClusterImageExportReconciler struct {
 	Scheme *runtime.Scheme
 }
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=raczylo.com,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=raczylo.com,resources=clusterimageexports/finalizers,verbs=update
+// +kubebuilder:rbac:groups=raczylo.com,resources=*/finalizers,verbs=update
 // additional RBAC rules
 // +kubebuilder:rbac:groups=raczylo.com,resources=clusterimages,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete
 const clusterImageExportFinalizer = "finalizer.clusterimageexport.raczylo.com"