From 606ca9a31c57683d528531f622de53bb31ce9505 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Thu, 4 Jul 2024 17:57:12 +0200 Subject: [PATCH] Adding patch rbac perm for serviceaccounts We also took the opportunity and added patch to all the existing rbac rules that had update already to avoid similar issues in the future Resolves: https://issues.redhat.com/browse/OSPRH-8363 Signed-off-by: Martin Schuppert --- config/rbac/role.yaml | 9 +++++++++ controllers/keystoneapi_controller.go | 14 +++++++------- controllers/keystoneendpoint_controller.go | 6 +++--- controllers/keystoneservice_controller.go | 4 ++-- 4 files changed, 21 insertions(+), 12 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 8892929b..a2aab6c7 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -25,6 +25,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -124,6 +125,7 @@ rules: resources: - keystoneapis/finalizers verbs: + - patch - update - apiGroups: - keystone.openstack.org @@ -150,6 +152,7 @@ rules: resources: - keystoneendpoints/finalizers verbs: + - patch - update - apiGroups: - keystone.openstack.org @@ -176,6 +179,7 @@ rules: resources: - keystoneservices/finalizers verbs: + - patch - update - apiGroups: - keystone.openstack.org @@ -202,6 +206,7 @@ rules: resources: - mariadbaccounts/finalizers verbs: + - patch - update - apiGroups: - mariadb.openstack.org @@ -222,6 +227,7 @@ rules: verbs: - get - list + - patch - update - watch - apiGroups: @@ -229,6 +235,7 @@ rules: resources: - memcacheds/finalizers verbs: + - patch - update - apiGroups: - rabbitmq.openstack.org @@ -250,6 +257,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -260,6 +268,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: diff --git a/controllers/keystoneapi_controller.go b/controllers/keystoneapi_controller.go index 49b8e58b..713a260c 100644 --- a/controllers/keystoneapi_controller.go +++ b/controllers/keystoneapi_controller.go @@ -95,7 +95,7 @@ type KeystoneAPIReconciler struct { // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update +// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete; // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete; // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete; @@ -105,16 +105,16 @@ type KeystoneAPIReconciler struct { // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete; // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete; // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update -// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update -// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update +// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch +// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch // +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete // service account, role, rolebinding -// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch // keystone service account permissions that are needed to grant permission to the above // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch diff --git a/controllers/keystoneendpoint_controller.go b/controllers/keystoneendpoint_controller.go index 39a699a4..8b00b655 100644 --- a/controllers/keystoneendpoint_controller.go +++ b/controllers/keystoneendpoint_controller.go @@ -51,11 +51,11 @@ func (r *KeystoneEndpointReconciler) GetLogger(ctx context.Context) logr.Logger //+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/finalizers,verbs=update +//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/finalizers,verbs=update;patch //+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;update;patch -//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update +//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch //+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;update;patch -//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update +//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update;patch // Reconcile keystone endpoint requests func (r *KeystoneEndpointReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) { diff --git a/controllers/keystoneservice_controller.go b/controllers/keystoneservice_controller.go index 0a5fdb54..4fcc1c7e 100644 --- a/controllers/keystoneservice_controller.go +++ b/controllers/keystoneservice_controller.go @@ -68,9 +68,9 @@ func (r *KeystoneServiceReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update +// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;update;patch -// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update +// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch // Reconcile keystone service requests func (r *KeystoneServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {