From d7d2285e1e870998bf4d736da5b8c02b2be99fda Mon Sep 17 00:00:00 2001
From: Balazs Gibizer
Date: Thu, 4 Jul 2024 16:21:29 +0200
Subject: [PATCH] Adding patch rbac perm for serviceaccounts

We also took the opportunity and added patch to all the existing rbac rules that had update already to avoid similar issues in the future

Resolves: https://issues.redhat.com/browse/OSPRH-8363
---
 config/rbac/role.yaml | 15 +++++++++++++++
 controllers/nova_controller.go | 16 ++++++++--------
 controllers/novaapi_controller.go | 6 +++---
 controllers/novacell_controller.go | 6 +++---
 controllers/novacompute_controller.go | 2 +-
 controllers/novaconductor_controller.go | 6 +++---
 controllers/novametadata_controller.go | 6 +++---
 controllers/novanovncproxy_controller.go | 6 +++---
 controllers/novascheduler_controller.go | 6 +++---
 9 files changed, 42 insertions(+), 27 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 1f5f360ae..93d461364 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -25,6 +25,7 @@ rules:
 - create
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -151,6 +152,7 @@ rules:
 resources:
 - mariadbaccounts/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - mariadb.openstack.org
@@ -169,6 +171,7 @@ rules:
 resources:
 - mariadbdatabases/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - memcached.openstack.org
@@ -177,6 +180,7 @@ rules:
 verbs:
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -184,6 +188,7 @@ rules:
 resources:
 - memcacheds/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -202,6 +207,7 @@ rules:
 resources:
 - nova/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -228,6 +234,7 @@ rules:
 resources:
 - novaapis/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -254,6 +261,7 @@ rules:
 resources:
 - novacells/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -280,6 +288,7 @@ rules:
 resources:
 - novacomputes/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -306,6 +315,7 @@ rules:
 resources:
 - novaconductors/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -332,6 +342,7 @@ rules:
 resources:
 - novametadata/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -358,6 +369,7 @@ rules:
 resources:
 - novanovncproxies/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -384,6 +396,7 @@ rules:
 resources:
 - novaschedulers/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - nova.openstack.org
@@ -413,6 +426,7 @@ rules:
 - create
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
@@ -423,6 +437,7 @@ rules:
 - create
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go
index af45c9179..44b421689 100644
--- a/controllers/nova_controller.go
+++ b/controllers/nova_controller.go
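Review bot: The two hunks at the end of this file (`@@ -413` and `@@ -423`, which by verb set and position match the roles and rolebindings markers) now grant create, update and patch on RBAC objects, and the markers they are generated from carry no resourceNames, so the operator can rewrite any Role or RoleBinding it can reach rather than only the ones it creates; whether this file is a Role or a ClusterRole is outside the hunks shown, and if it is a ClusterRole that reach is cluster-wide. The API server's escalation check is then the only thing bounding what the operator can delegate, which holds only as long as no `escalate` or `bind` verb is ever added to this file, so that is worth keeping in mind for future verb additions here. This file appears to be generated from the kubebuilder markers in the controllers; if the operator is also distributed as an OLM bundle, the ClusterServiceVersion carries its own copy of these rules, the diffstat lists no bundle file, and a stale copy would still lack `patch` on serviceaccounts at deploy time and reproduce the reported issue.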
@@ -72,22 +72,22 @@ func (r *NovaReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=nova,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=nova/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=nova.openstack.org,resources=nova/finalizers,verbs=update
+// +kubebuilder:rbac:groups=nova.openstack.org,resources=nova/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete;
-// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases/finalizers,verbs=update
+// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
+// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
// 
+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // service account, role, rolebinding
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
diff --git a/controllers/novaapi_controller.go b/controllers/novaapi_controller.go
index cfe9748b2..075d57318 100644
--- a/controllers/novaapi_controller.go
+++ b/controllers/novaapi_controller.go
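Review bot: The three added lines for serviceaccounts, roles and rolebindings widen not only what the operator can do but what it can hand out, because the API server lets a subject create or patch a Role only with permissions it already holds unless it has `escalate`, which the markers visible here do not grant; the existing comment `// service account permissions that are needed to grant permission to the above` relies on that rule without naming it. Suggest spelling the invariant out so every future verb added to this block is reviewed as a delegable permission, e.g. `// RBAC escalation prevention: the operator can only place a verb into the Roles it creates for the nova service accounts if this manager role holds that verb itself, so anything granted to workload pods must be listed here too.` Whether this manager role is namespaced or a ClusterRole is not visible in the hunk; if it is a ClusterRole, the new patch access to roles and rolebindings applies to every namespace. These markers are package-level comments after GetLogger, not inside a function.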
@@ -70,7 +70,7 @@ func (r *NovaAPIReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaapis/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
@@ -78,8 +78,8 @@ func (r *NovaAPIReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novacell_controller.go b/controllers/novacell_controller.go
index 8aeebfb71..3e869a28c 100644
--- a/controllers/novacell_controller.go
+++ b/controllers/novacell_controller.go
@@ -60,9 +60,9 @@ func (r *NovaCellReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells/finalizers,verbs=update
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacells/finalizers,verbs=update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novacompute_controller.go b/controllers/novacompute_controller.go
index 5f09650f1..f1e668b5a 100644
--- a/controllers/novacompute_controller.go
+++ b/controllers/novacompute_controller.go
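Review bot: The three added lines mix two marker spellings, `//+kubebuilder:rbac:...novacells/finalizers...` immediately followed by `// +kubebuilder:rbac:...memcacheds...`; both forms are evidently accepted since the repository already uses both, but a mixed block means a grep for either spelling silently misses rules, which matters when auditing exactly which permissions a controller claims. Suggest one spelling for the lines this change touches, e.g. `// +kubebuilder:rbac:groups=nova.openstack.org,resources=novacells/finalizers,verbs=update;patch`. The same mix appears in the other controllers touched by this commit. These markers sit at package level after GetLogger, not inside a function.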
@@ -62,7 +62,7 @@ func (r *NovaComputeReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novacomputes/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
diff --git a/controllers/novaconductor_controller.go b/controllers/novaconductor_controller.go
index 98784c842..43d06b1b8 100644
--- a/controllers/novaconductor_controller.go
+++ b/controllers/novaconductor_controller.go
@@ -65,14 +65,14 @@ func (r *NovaConductorReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novaconductors/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete;
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
diff --git a/controllers/novametadata_controller.go b/controllers/novametadata_controller.go
index a4ba7f5ed..f0a2f2305 100644
--- a/controllers/novametadata_controller.go
+++ b/controllers/novametadata_controller.go
@@ -67,14 +67,14 @@ func (r *NovaMetadataReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novametadata/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novanovncproxy_controller.go b/controllers/novanovncproxy_controller.go
index b2a22e4a2..86fc5c825 100644
--- a/controllers/novanovncproxy_controller.go
+++ b/controllers/novanovncproxy_controller.go
@@ -64,15 +64,15 @@ func (r *NovaNoVNCProxyReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nova.openstack.org,resources=novanovncproxies/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/novascheduler_controller.go b/controllers/novascheduler_controller.go
index 0de053581..39e2c46cc 100644
--- a/controllers/novascheduler_controller.go
+++ b/controllers/novascheduler_controller.go
@@ -64,14 +64,14 @@ func (r *NovaSchedulerReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers/finalizers,verbs=update
+// +kubebuilder:rbac:groups=nova.openstack.org,resources=novaschedulers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.