From ac3ea44d0d6175254f3cc0ba99a4997198c2a281 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakob=20M=C3=B6ller?=
Date: Thu, 18 Jan 2024 11:56:20 +0100
Subject: [PATCH] fix: add missing permissions to cluster scoped resources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jakob Möller
---
 bundle/manifests/lvms-operator.clusterserviceversion.yaml | 4 ++++
 config/rbac/role.yaml | 4 ++++
 internal/controllers/lvmcluster/controller.go | 7 +++----
 internal/controllers/lvmcluster/resource/scc.go | 2 ++
 .../controllers/lvmcluster/resource/topolvm_csi_driver.go | 2 +-
 .../lvmcluster/resource/topolvm_snapshotclass.go | 2 +-
 .../lvmcluster/resource/topolvm_storageclass.go | 2 +-
 7 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/bundle/manifests/lvms-operator.clusterserviceversion.yaml b/bundle/manifests/lvms-operator.clusterserviceversion.yaml
index b90ecf1c2..dbae982fb 100644
--- a/bundle/manifests/lvms-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/lvms-operator.clusterserviceversion.yaml
@@ -320,6 +320,7 @@ spec:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -331,6 +332,7 @@ spec:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -366,6 +368,7 @@ spec:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -397,6 +400,7 @@ spec:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 15169dd0a..557f95668 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -212,6 +212,7 @@ rules:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -223,6 +224,7 @@ rules:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -258,6 +260,7 @@ rules:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -289,6 +292,7 @@ rules:
 - delete
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
diff --git a/internal/controllers/lvmcluster/controller.go b/internal/controllers/lvmcluster/controller.go
index 3587ecabb..6e75783e7 100644
--- a/internal/controllers/lvmcluster/controller.go
+++ b/internal/controllers/lvmcluster/controller.go
@@ -117,7 +117,6 @@ func (r *Reconciler) GetLogPassthroughOptions() *logpassthrough.Options {
 //+kubebuilder:rbac:groups=lvm.topolvm.io,resources=lvmvolumegroupnodestatuses,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=lvm.topolvm.io,resources=lvmvolumegroupnodestatuses/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=lvm.topolvm.io,resources=lvmvolumegroupnodestatuses/finalizers,verbs=update
-//+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures,verbs=get
 //+kubebuilder:rbac:groups=topolvm.io,resources=logicalvolumes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=topolvm.io,resources=logicalvolumes/status,verbs=get;list;watch;create;update;patch;delete
@@ -128,12 +127,12 @@ func (r *Reconciler) GetLogPassthroughOptions() *logpassthrough.Options {
 //+kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;update;delete
 //+kubebuilder:rbac:groups=core,resources=persistentvolumeclaims/status,verbs=patch
 //+kubebuilder:rbac:groups=core,resources=events,verbs=list;watch;create;update;patch
-//+kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch;update
-//+kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,verbs=get;list;watch;update
+//+kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch;update;patch;create;delete
+//+kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,verbs=get;list;watch;update;patch;create;delete
 //+kubebuilder:rbac:groups=storage.k8s.io,resources=csinodes,verbs=get;list;watch
 //+kubebuilder:rbac:groups=storage.k8s.io,resources=volumeattachments,verbs=get;list;watch
 //+kubebuilder:rbac:groups=storage.k8s.io,resources=csistoragecapacities,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshotclasses,verbs=get;list;watch;update
+//+kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshotclasses,verbs=get;list;watch;update;create;patch;delete
 //+kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshots,verbs=get;list
 //+kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshotcontents,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshotcontents/status,verbs=update;patch
diff --git a/internal/controllers/lvmcluster/resource/scc.go b/internal/controllers/lvmcluster/resource/scc.go
index cabc52282..4eacc370d 100644
--- a/internal/controllers/lvmcluster/resource/scc.go
+++ b/internal/controllers/lvmcluster/resource/scc.go
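Review bot: In controller.go the widened storageclasses, csidrivers and volumesnapshotclasses markers now duplicate the markers kept next to EnsureCreated in resource/topolvm_storageclass.go, topolvm_csi_driver.go and topolvm_snapshotclass.go, with the verbs listed in a different order in each copy. controller-gen appears to merge every marker it finds for a group/resource (the role.yaml part of this patch only gains `patch`), so dropping a verb from one copy later would silently have no effect while the other copy still lists it. This commit already moves the securitycontextconstraints marker out of controller.go into scc.go; deleting these three lines from controller.go in the same way would leave a single authoritative declaration per cluster-scoped resource.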
@@ -49,6 +49,8 @@ func (c openshiftSccs) GetName() string {
 return sccName
 }
 
+//+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;list;watch;create;update;delete;patch
+
 func (c openshiftSccs) EnsureCreated(r Reconciler, ctx context.Context, cluster *lvmv1alpha1.LVMCluster) error {
 logger := log.FromContext(ctx).WithValues("resourceManager", c.GetName())
 sccs := getAllSCCs(r.GetNamespace())
diff --git a/internal/controllers/lvmcluster/resource/topolvm_csi_driver.go b/internal/controllers/lvmcluster/resource/topolvm_csi_driver.go
index e137a16ee..c705da74a 100644
--- a/internal/controllers/lvmcluster/resource/topolvm_csi_driver.go
+++ b/internal/controllers/lvmcluster/resource/topolvm_csi_driver.go
@@ -48,7 +48,7 @@ func (c csiDriver) GetName() string {
 return driverName
 }
 
-//+kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,verbs=get;create;delete;watch;list
+//+kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,verbs=get;create;delete;watch;list;update;patch
 
 func (c csiDriver) EnsureCreated(r Reconciler, ctx context.Context, cluster *lvmv1alpha1.LVMCluster) error {
 logger := log.FromContext(ctx).WithValues("resourceManager", c.GetName())
diff --git a/internal/controllers/lvmcluster/resource/topolvm_snapshotclass.go b/internal/controllers/lvmcluster/resource/topolvm_snapshotclass.go
index ab9e2f054..e5fc20d53 100644
--- a/internal/controllers/lvmcluster/resource/topolvm_snapshotclass.go
+++ b/internal/controllers/lvmcluster/resource/topolvm_snapshotclass.go
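Review bot: The securitycontextconstraints marker added above EnsureCreated in scc.go carries no `resourceNames`, so the generated ClusterRole can update, patch and delete every SCC in the cluster rather than only the ones this operator manages. If getAllSCCs returns a fixed set of names, the write verbs could move to a name-scoped marker such as `//+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,resourceNames=<operator-scc-name>,verbs=update;patch;delete` (placeholder name), with `get;list;watch;create` left on an unscoped marker because create cannot be limited by name. The csidrivers, volumesnapshotclasses and storageclasses markers in topolvm_csi_driver.go, topolvm_snapshotclass.go and topolvm_storageclass.go have the same shape and could be scoped the same way wherever the object names are static. EnsureCreated's body continues outside the hunk, so the call that needs `patch` is not visible here; a short comment above the marker naming it would document why the verb was added.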
@@ -49,7 +49,7 @@ func (s topolvmVolumeSnapshotClass) GetName() string {
 return vscName
 }
 
-//+kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshotclasses,verbs=get;create;delete;watch;list
+//+kubebuilder:rbac:groups=snapshot.storage.k8s.io,resources=volumesnapshotclasses,verbs=get;create;delete;watch;list;update;patch
 
 func (s topolvmVolumeSnapshotClass) EnsureCreated(r Reconciler, ctx context.Context, cluster *lvmv1alpha1.LVMCluster) error {
 logger := log.FromContext(ctx).WithValues("resourceManager", s.GetName())
diff --git a/internal/controllers/lvmcluster/resource/topolvm_storageclass.go b/internal/controllers/lvmcluster/resource/topolvm_storageclass.go
index 2b6bbe58a..a409b5531 100644
--- a/internal/controllers/lvmcluster/resource/topolvm_storageclass.go
+++ b/internal/controllers/lvmcluster/resource/topolvm_storageclass.go
@@ -48,7 +48,7 @@ func (s topolvmStorageClass) GetName() string {
 return scName
 }
 
-//+kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;create;delete;watch;list
+//+kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;create;delete;watch;list;update;patch
 
 func (s topolvmStorageClass) EnsureCreated(r Reconciler, ctx context.Context, cluster *lvmv1alpha1.LVMCluster) error {
 logger := log.FromContext(ctx).WithValues("resourceManager", s.GetName())