Skip to content

Commit

Permalink
Adding patch rbac perm for serviceaccounts
Browse files Browse the repository at this point in the history 
We also took the opportunity and added patch to all the existing rbac
rules that had update already to avoid similar issues in the future

Resolves: https://issues.redhat.com/browse/OSPRH-8363

Signed-off-by: Martin Schuppert <mschuppert@redhat.com>
  • Loading branch information
@stuggi
stuggi committed Jul 4, 2024
1 parent a2bf140 commit 606ca9a
Show file tree
Hide file tree
Showing 4 changed files with 21 additions and 12 deletions.
9 changes: 9 additions & 0 deletions config/rbac/role.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down Expand Up @@ -124,6 +125,7 @@ rules:
resources:
- keystoneapis/finalizers
verbs:
- patch
- update
- apiGroups:
- keystone.openstack.org
Expand All @@ -150,6 +152,7 @@ rules:
resources:
- keystoneendpoints/finalizers
verbs:
- patch
- update
- apiGroups:
- keystone.openstack.org
Expand All @@ -176,6 +179,7 @@ rules:
resources:
- keystoneservices/finalizers
verbs:
- patch
- update
- apiGroups:
- keystone.openstack.org
Expand All @@ -202,6 +206,7 @@ rules:
resources:
- mariadbaccounts/finalizers
verbs:
- patch
- update
- apiGroups:
- mariadb.openstack.org
Expand All @@ -222,13 +227,15 @@ rules:
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- memcached.openstack.org
resources:
- memcacheds/finalizers
verbs:
- patch
- update
- apiGroups:
- rabbitmq.openstack.org
Expand All @@ -250,6 +257,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -260,6 +268,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down
14 changes: 7 additions & 7 deletions controllers/keystoneapi_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ type KeystoneAPIReconciler struct {

// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
Expand All @@ -105,16 +105,16 @@ type KeystoneAPIReconciler struct {
// +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
// +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete

// service account, role, rolebinding
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
// keystone service account permissions that are needed to grant permission to the above
// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
Expand Down
6 changes: 3 additions & 3 deletions controllers/keystoneendpoint_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,11 +51,11 @@ func (r *KeystoneEndpointReconciler) GetLogger(ctx context.Context) logr.Logger

//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/finalizers,verbs=update
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/finalizers,verbs=update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update;patch

// Reconcile keystone endpoint requests
func (r *KeystoneEndpointReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
Expand Down
4 changes: 2 additions & 2 deletions controllers/keystoneservice_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,9 +68,9 @@ func (r *KeystoneServiceReconciler) GetLogger(ctx context.Context) logr.Logger {

// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch

// Reconcile keystone service requests
func (r *KeystoneServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
Expand Down

0 comments on commit 606ca9a

Please sign in to comment.