fix: add service rbac & disable auth proxy (#71)

* fix:add service rbac * disable auth proxy
KusionStack · Aug 29, 2023 · 6dbef98 · 6dbef98
1 parent 571abdc
commit 6dbef98
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 5 deletions.
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -29,7 +29,7 @@ patchesStrategicMerge:
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-- manager_auth_proxy_patch.yaml
+#- manager_auth_proxy_patch.yaml
 
 
 

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -14,7 +14,7 @@ resources:
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+#- auth_proxy_service.yaml
+#- auth_proxy_role.yaml
+#- auth_proxy_role_binding.yaml
+#- auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -123,3 +123,15 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/pkg/controllers/resourceconsist/resourceconsist_controller.go b/pkg/controllers/resourceconsist/resourceconsist_controller.go
@@ -123,6 +123,8 @@ type Consist struct {
 	recorder record.EventRecorder
 }
 
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+
 func (r *Consist) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	var employer client.Object
 	if watchOptions, ok := r.adapter.(ReconcileWatchOptions); ok {