diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 1f5f360ae..93d461364 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -25,6 +25,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -151,6 +152,7 @@ rules: resources: - mariadbaccounts/finalizers verbs: + - patch - update - apiGroups: - mariadb.openstack.org @@ -169,6 +171,7 @@ rules: resources: - mariadbdatabases/finalizers verbs: + - patch - update - apiGroups: - memcached.openstack.org @@ -177,6 +180,7 @@ rules: verbs: - get - list + - patch - update - watch - apiGroups: @@ -184,6 +188,7 @@ rules: resources: - memcacheds/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -202,6 +207,7 @@ rules: resources: - nova/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -228,6 +234,7 @@ rules: resources: - novaapis/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -254,6 +261,7 @@ rules: resources: - novacells/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -280,6 +288,7 @@ rules: resources: - novacomputes/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -306,6 +315,7 @@ rules: resources: - novaconductors/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -332,6 +342,7 @@ rules: resources: - novametadata/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -358,6 +369,7 @@ rules: resources: - novanovncproxies/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -384,6 +396,7 @@ rules: resources: - novaschedulers/finalizers verbs: + - patch - update - apiGroups: - nova.openstack.org @@ -413,6 +426,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -423,6 +437,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go index af45c9179..44b421689 100644 
--- a/controllers/nova_controller.go
+++ b/controllers/nova_controller.go
@@ -72,22 +72,22 @@ func (r *NovaReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=nova,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=nova/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=nova.openstack.org,resources=nova/finalizers,verbs=update
+// +kubebuilder:rbac:groups=nova.openstack.org,resources=nova/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete;
-// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases/finalizers,verbs=update
+// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
+// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // service account, role, rolebinding
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
diff --git a/controllers/novaapi_controller.go b/controllers/novaapi_controller.go
index cfe9748b2..075d57318 100644
--- a/controllers/novaapi_controller.go
+++ b/controllers/novaapi_controller.go
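Review bot: In nova_controller.go the `serviceaccounts`, `roles` and `rolebindings` markers gain `patch` with no word on which call needs it. `update` was already granted, so the controller's reach over these objects barely changes, but write verbs on RBAC objects are what a permissions audit looks at first and they deserve a stated reason. I would turn the existing comment into something like `// service account, role, rolebinding: patch is required by <caller that issues the Patch>`, and check whether these three rules can carry the marker's `namespace=` field so they are not granted cluster-wide (the kind of the generated role is not visible in this diff). The markers annotate a declaration that lies outside the hunk.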
@@ -70,7 +70,7 @@ func (r *NovaAPIReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
@@ -78,8 +78,8 @@ func (r *NovaAPIReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novacell_controller.go b/controllers/novacell_controller.go
index 8aeebfb71..3e869a28c 100644
--- a/controllers/novacell_controller.go
+++ b/controllers/novacell_controller.go
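Review bot: The `patch` added to `novaapis/finalizers` in novaapi_controller.go is probably never evaluated: as far as I know the `finalizers` subresource is only consulted by the owner-reference admission check, which authorizes `update`, while adding or removing a finalizer is authorized against the parent resource. The same addition is made on every `/finalizers` marker in nova_controller.go and in the novacell, novacompute, novaconductor, novametadata, novanovncproxy and novascheduler controllers. Unless a caller is known to need it, I would leave those markers at `verbs=update` so the generated role carries no unexplained verbs; if one does, name it in a comment above the marker.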
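Review bot: The second hunk of novaapi_controller.go widens write access to `memcacheds`, a resource in the `memcached.openstack.org` group that this operator presumably does not own, and the reason is not recorded. If the only writes are adding and removing this operator's finalizer on the Memcached object, say so next to the marker, e.g. `// memcacheds: update;patch only to manage our finalizer on the referenced instance (confirm)`, so a later reader does not take it as licence to edit the spec. The same pair of markers is changed in nova_controller.go and in the novacell, novaconductor, novametadata, novanovncproxy and novascheduler controllers. The trailing `;` was dropped from these lines while neighbouring markers such as `statefulsets` still end in `delete;`, which is worth making uniform in the same pass.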
@@ -60,9 +60,9 @@ func (r *NovaCellReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells/finalizers,verbs=update
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells/finalizers,verbs=update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novacompute_controller.go b/controllers/novacompute_controller.go
index 5f09650f1..f1e668b5a 100644
--- a/controllers/novacompute_controller.go
+++ b/controllers/novacompute_controller.go
@@ -62,7 +62,7 @@ func (r *NovaComputeReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
diff --git a/controllers/novaconductor_controller.go b/controllers/novaconductor_controller.go
index 98784c842..43d06b1b8 100644
--- a/controllers/novaconductor_controller.go
+++ b/controllers/novaconductor_controller.go
@@ -65,14 +65,14 @@ func (r *NovaConductorReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete;
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
diff --git a/controllers/novametadata_controller.go b/controllers/novametadata_controller.go
index a4ba7f5ed..f0a2f2305 100644
--- a/controllers/novametadata_controller.go
+++ b/controllers/novametadata_controller.go
@@ -67,14 +67,14 @@ func (r *NovaMetadataReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novanovncproxy_controller.go b/controllers/novanovncproxy_controller.go
index b2a22e4a2..86fc5c825 100644
--- a/controllers/novanovncproxy_controller.go
+++ b/controllers/novanovncproxy_controller.go
@@ -64,15 +64,15 @@ func (r *NovaNoVNCProxyReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novascheduler_controller.go b/controllers/novascheduler_controller.go
index 0de053581..39e2c46cc 100644
--- a/controllers/novascheduler_controller.go
+++ b/controllers/novascheduler_controller.go
@@ -64,14 +64,14 @@ func (r *NovaSchedulerReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers/finalizers,verbs=update
+// +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.