From 2d6bc05798b5cf620df5b7a61675179bae1a8e2c Mon Sep 17 00:00:00 2001
From: Sunil Arora
Date: Wed, 28 Nov 2018 15:01:38 -0800
Subject: [PATCH] add RBAC annotation for status subresource
---
 pkg/scaffold/controller/controller.go | 2 +
 test/project/config/rbac/rbac_role.yaml | 48 +++++++++++++++++++
 .../firstmate/firstmate_controller.go | 2 +
 .../controller/frigate/frigate_controller.go | 1 +
 .../healthcheckpolicy_controller.go | 1 +
 .../controller/kraken/kraken_controller.go | 1 +
 .../namespace/namespace_controller.go | 1 +
 7 files changed, 56 insertions(+)
diff --git a/pkg/scaffold/controller/controller.go b/pkg/scaffold/controller/controller.go
index 129e47c810..ad1c0279cc 100644
--- a/pkg/scaffold/controller/controller.go
+++ b/pkg/scaffold/controller/controller.go
@@ -194,8 +194,10 @@ type Reconcile{{ .Resource.Kind }} struct {
 {{ if .Resource.CreateExampleReconcileBody -}}
 // Automatically generate RBAC rules to allow the Controller to read and write Deployments
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch
 {{ end -}}
 // +kubebuilder:rbac:groups={{.GroupDomain}},resources={{ .Plural }},verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups={{.GroupDomain}},resources={{ .Plural }}/status,verbs=get;update;patch
 func (r *Reconcile{{ .Resource.Kind }}) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 // Fetch the {{ .Resource.Kind }} instance
 instance := &{{ .Resource.Group}}{{ .Resource.Version }}.{{ .Resource.Kind }}{}
diff --git a/test/project/config/rbac/rbac_role.yaml b/test/project/config/rbac/rbac_role.yaml
index 240d290083..b56f2f6bd1 100644
--- a/test/project/config/rbac/rbac_role.yaml
+++ b/test/project/config/rbac/rbac_role.yaml
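Review bot: The added `deployments/status` marker inside the `CreateExampleReconcileBody` block of pkg/scaffold/controller/controller.go grants `update` and `patch` on Deployment status, which the built-in deployment controller maintains, and nothing visible in this hunk shows the example reconciler writing it. Reconcile's body continues outside the hunk, so this needs confirming, but if the example only creates and updates the Deployment object the line can be dropped or narrowed to `// +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get`. The same marker is copied into test/project/pkg/controller/firstmate/firstmate_controller.go and rendered as a rule in test/project/config/rbac/rbac_role.yaml. Every scaffolded project inherits these defaults, so the narrower grant is the safer starting point.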
@@ -16,6 +16,14 @@ rules: - update - patch - delete +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get + - update + - patch - apiGroups: - crew.testproject.org resources: @@ -28,6 +36,14 @@ rules: - update - patch - delete +- apiGroups: + - crew.testproject.org + resources: + - firstmates/status + verbs: + - get + - update + - patch - apiGroups: - ship.testproject.org resources: @@ -40,6 +56,14 @@ rules: - update - patch - delete +- apiGroups: + - ship.testproject.org + resources: + - frigates/status + verbs: + - get + - update + - patch - apiGroups: - policy.testproject.org resources: @@ -52,6 +76,14 @@ rules: - update - patch - delete +- apiGroups: + - policy.testproject.org + resources: + - healthcheckpolicies/status + verbs: + - get + - update + - patch - apiGroups: - creatures.testproject.org resources: @@ -64,6 +96,14 @@ rules: - update - patch - delete +- apiGroups: + - creatures.testproject.org + resources: + - krakens/status + verbs: + - get + - update + - patch - apiGroups: - "" resources: @@ -76,6 +116,14 @@ rules: - update - patch - delete +- apiGroups: + - "" + resources: + - namespaces/status + verbs: + - get + - update + - patch - apiGroups: - admissionregistration.k8s.io resources: diff --git a/test/project/pkg/controller/firstmate/firstmate_controller.go b/test/project/pkg/controller/firstmate/firstmate_controller.go index ddc909193e..4c89d0aa0e 100644 --- a/test/project/pkg/controller/firstmate/firstmate_controller.go +++ b/test/project/pkg/controller/firstmate/firstmate_controller.go 
@@ -94,7 +94,9 @@ type ReconcileFirstMate struct {
 // a Deployment as an example
 // Automatically generate RBAC rules to allow the Controller to read and write Deployments
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=crew.testproject.org,resources=firstmates,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=crew.testproject.org,resources=firstmates/status,verbs=get;update;patch
 func (r *ReconcileFirstMate) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 // Fetch the FirstMate instance
 instance := &crewv1.FirstMate{}
diff --git a/test/project/pkg/controller/frigate/frigate_controller.go b/test/project/pkg/controller/frigate/frigate_controller.go
index 7eccd4a99e..a73b61ab19 100644
--- a/test/project/pkg/controller/frigate/frigate_controller.go
+++ b/test/project/pkg/controller/frigate/frigate_controller.go
@@ -87,6 +87,7 @@ type ReconcileFrigate struct {
 // TODO(user): Modify this Reconcile function to implement your Controller logic. The scaffolding writes
 // a Deployment as an example
 // +kubebuilder:rbac:groups=ship.testproject.org,resources=frigates,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=ship.testproject.org,resources=frigates/status,verbs=get;update;patch
 func (r *ReconcileFrigate) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 // Fetch the Frigate instance
 instance := &shipv1beta1.Frigate{}
diff --git a/test/project/pkg/controller/healthcheckpolicy/healthcheckpolicy_controller.go b/test/project/pkg/controller/healthcheckpolicy/healthcheckpolicy_controller.go
index 8c9b5e5013..2787a606e2 100644
--- a/test/project/pkg/controller/healthcheckpolicy/healthcheckpolicy_controller.go
+++ b/test/project/pkg/controller/healthcheckpolicy/healthcheckpolicy_controller.go
@@ -87,6 +87,7 @@ type ReconcileHealthCheckPolicy struct {
 // TODO(user): Modify this Reconcile function to implement your Controller logic. The scaffolding writes
 // a Deployment as an example
 // +kubebuilder:rbac:groups=policy.testproject.org,resources=healthcheckpolicies,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=policy.testproject.org,resources=healthcheckpolicies/status,verbs=get;update;patch
 func (r *ReconcileHealthCheckPolicy) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 // Fetch the HealthCheckPolicy instance
 instance := &policyv1beta1.HealthCheckPolicy{}
diff --git a/test/project/pkg/controller/kraken/kraken_controller.go b/test/project/pkg/controller/kraken/kraken_controller.go
index 0d14263a4c..0eaab5c8c1 100644
--- a/test/project/pkg/controller/kraken/kraken_controller.go
+++ b/test/project/pkg/controller/kraken/kraken_controller.go
@@ -87,6 +87,7 @@ type ReconcileKraken struct {
 // TODO(user): Modify this Reconcile function to implement your Controller logic. The scaffolding writes
 // a Deployment as an example
 // +kubebuilder:rbac:groups=creatures.testproject.org,resources=krakens,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=creatures.testproject.org,resources=krakens/status,verbs=get;update;patch
 func (r *ReconcileKraken) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 // Fetch the Kraken instance
 instance := &creaturesv2alpha1.Kraken{}
diff --git a/test/project/pkg/controller/namespace/namespace_controller.go b/test/project/pkg/controller/namespace/namespace_controller.go
index f3e7e1f010..b929f19a16 100644
--- a/test/project/pkg/controller/namespace/namespace_controller.go
+++ b/test/project/pkg/controller/namespace/namespace_controller.go
@@ -87,6 +87,7 @@ type ReconcileNamespace struct {
 // TODO(user): Modify this Reconcile function to implement your Controller logic. The scaffolding writes
 // a Deployment as an example
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=namespaces/status,verbs=get;update;patch
 func (r *ReconcileNamespace) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 // Fetch the Namespace instance
 instance := &corev1.Namespace{}
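Review bot: The added `namespaces/status` marker gives this controller `update` and `patch` on the status of a built-in kind; Namespace status (phase, conditions) is maintained by the control plane rather than by a project controller. It follows from the unconditional `{{ .Plural }}/status` line added to pkg/scaffold/controller/controller.go, and the rendered rule in test/project/config/rbac/rbac_role.yaml uses apiGroups `""`, so the grant likely applies wherever that role is bound. Consider having the scaffold emit the status marker only for kinds the project itself defines, or narrowing this line to `// +kubebuilder:rbac:groups=core,resources=namespaces/status,verbs=get`. Reconcile's body continues outside the hunk, so whether it writes status cannot be confirmed from here.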