Auto-generate RBAC manifests by the controller-gen #1815
Conversation
Pull Request Test Coverage Report for Build 5139444961
💛 - Coveralls |
| @@ -37,7 +37,7 @@ help: ## Display this help. | |||
| ##@ Development | |||
|
|
|||
| manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. | |||
| $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/apis/..." output:crd:artifacts:config=manifests/base/crds | |||
| $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=training-operator webhook paths="./pkg/..." output:crd:artifacts:config=manifests/base/crds output:rbac:artifacts:config=manifests/base/rbac | |||
There was a problem hiding this comment.
| $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=training-operator webhook paths="./pkg/..." output:crd:artifacts:config=manifests/base/crds output:rbac:artifacts:config=manifests/base/rbac | |
| $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/..." output:crd:artifacts:config=manifests/base/crds output:rbac:artifacts:config=manifests/base/rbac |
Can we keep using manager-role for backward compatibility?
There was a problem hiding this comment.
Actually, RBAC manifests were not generated by controller-gen previously(Because the path=./pkg/apis/... does not include the kubebuilder RBAC flag, which is in ./pkg/controller.v1/...), and the role name was training-operator. Therefore, to maintain backward compatibility, using training-operator.
training-operator/manifests/base/cluster-role.yaml
Lines 2 to 7 in fc8a644
There was a problem hiding this comment.
Oh, I see. Thank you for the clarification!
| //+kubebuilder:rbac:groups=scheduling.volcano.sh,resources=podgroups,verbs=get;list;watch;create;update;patch;delete | ||
| //+kubebuilder:rbac:groups=scheduling.sigs.k8s.io,resources=podgroups,verbs=get;list;watch;create;update;patch;delete | ||
| //+kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch;delete |
There was a problem hiding this comment.
Can we add these markers to all controllers to clarify the needed roles in each controller?
manifests/base/rbac/role.yaml
Outdated
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| creationTimestamp: null |
There was a problem hiding this comment.
Why it generates creationTimestamp ?
There was a problem hiding this comment.
That is a bug of the controller-gen.
We should upgrade controller-tools to v0.11 or later.
There was a problem hiding this comment.
Currently, we use v0.10.0.
Line 111 in 93c758c
There was a problem hiding this comment.
Although, we should upgrade k8s libraries version before we upgrade controller-gen version.
There was a problem hiding this comment.
Oh, I missed putting a link: kubernetes-sigs/controller-tools#800
There was a problem hiding this comment.
Thank you for adding this @Syulin7!
Can we move ServiceAccount to RBAC folder also ?
Since it is needed for ClusterRole.
|
@andreyvelich @tenzen-y Thanks for the review! please take a look again. |
Looks good. Once #1817 is merged into the master branch, let's merge this PR. /lgtm |
|
@Syulin7 Can you do a rebase? |
Signed-off-by: Syulin7 <735122171@qq.com>
|
Thanks for this feature /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: johnugeorge, Syulin7 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Which issue(s) this PR fixes (optional, in
Fixes #<issue number>, #<issue number>, ...format, will close the issue(s) when PR gets merged):Fixes #1814
Auto-generate RBAC manifests by the controller-gen and remove unused permissions: