From dcf7da88fce3597f02b3ad2e6912dad2fe16bf25 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Thu, 4 Jul 2024 18:10:28 +0200 Subject: [PATCH] Adding patch rbac perm for serviceaccounts We also took the opportunity and added patch to all the existing rbac rules that had update already to avoid similar issues in the future Resolves: https://issues.redhat.com/browse/OSPRH-8363 Signed-off-by: Martin Schuppert --- config/rbac/role.yaml | 6 ++++++ controllers/ovncontroller_controller.go | 8 ++++---- controllers/ovndbcluster_controller.go | 8 ++++---- controllers/ovnnorthd_controller.go | 8 ++++---- 4 files changed, 18 insertions(+), 12 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index e1d3c44a..c2b3e8ed 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -25,6 +25,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -159,6 +160,7 @@ rules: resources: - ovncontrollers/finalizers verbs: + - patch - update - apiGroups: - ovn.openstack.org @@ -185,6 +187,7 @@ rules: resources: - ovndbclusters/finalizers verbs: + - patch - update - apiGroups: - ovn.openstack.org @@ -213,6 +216,7 @@ rules: resources: - ovnnorthds/finalizers verbs: + - patch - update - apiGroups: - ovn.openstack.org @@ -230,6 +234,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -240,6 +245,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: diff --git a/controllers/ovncontroller_controller.go b/controllers/ovncontroller_controller.go index cee764e0..3c0c4b93 100644 --- a/controllers/ovncontroller_controller.go +++ b/controllers/ovncontroller_controller.go 
@@ -78,7 +78,7 @@ func (r *OVNControllerReconciler) GetClient() client.Client {
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovncontrollers,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovncontrollers/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovncontrollers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovncontrollers/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
@@ -88,9 +88,9 @@ func (r *OVNControllerReconciler) GetClient() client.Client {
 //+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=create;delete;get;list;patch;update;watch
 
 // service account, role, rolebinding
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
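Review bot: The `;patch` added to the three serviceaccounts/roles/rolebindings markers is granted without a `resourceNames` qualifier, so it covers every object of those kinds within the scope of the generated role, not only the ones this reconciler manages; since `update` was already unqualified this does not widen the existing write surface, but nothing in the hunk records why `patch` is required, which is how it came to be missing. The commit message says the reconciler failed for lack of `patch` on serviceaccounts and the call site is not in this hunk, so I would make the requirement self-documenting in the existing comment, e.g. `// service account, role, rolebinding — reconciled via a patch call, so patch is required next to update (OSPRH-8363)`. If these object names were fixed, `resourceNames=` would be the least-privilege form; they appear to be derived per CR, in which case the comment is the best available. `GetClient`, named in the hunk header, begins before the hunk; only the marker block is visible here.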
diff --git a/controllers/ovndbcluster_controller.go b/controllers/ovndbcluster_controller.go
index 29aeb30c..390a4b44 100644
--- a/controllers/ovndbcluster_controller.go
+++ b/controllers/ovndbcluster_controller.go
@@ -87,7 +87,7 @@ func (r *OVNDBClusterReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovndbclusters,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovndbclusters/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovndbclusters/finalizers,verbs=update
+//+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovndbclusters/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;patch;update;delete;
@@ -97,9 +97,9 @@ func (r *OVNDBClusterReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata,verbs=get;list;watch;create;update;patch;delete
 
 // service account, role, rolebinding
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=restricted-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
diff --git a/controllers/ovnnorthd_controller.go b/controllers/ovnnorthd_controller.go
index 780595b9..e3b43afd 100644
--- a/controllers/ovnnorthd_controller.go
+++ b/controllers/ovnnorthd_controller.go
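Review bot: The three changed marker lines are duplicated verbatim in ovncontroller_controller.go and ovnnorthd_controller.go, and controller-gen collects the markers from every file into the single `config/rbac/role.yaml` changed at the top of this patch, so a verb present in any one file is granted to the whole manager while a verb missing from one file is masked by the others — the same drift this commit is repairing. I would keep the shared serviceaccounts/roles/rolebindings markers (and the SCC `use` grant they depend on) in one place, e.g. a single `rbac.go`, and leave a one-line pointer here: `// shared SA/Role/RoleBinding RBAC markers live in rbac.go`. As a style point, the file mixes `//+kubebuilder` and `// +kubebuilder`; controller-gen accepts both, but a single form is easier to grep and to review. `GetLogger`, named in the hunk header, begins before the hunk.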
@@ -74,7 +74,7 @@ func (r *OVNNorthdReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovnnorthds,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovnnorthds/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovnnorthds/finalizers,verbs=update
+//+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovnnorthds/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovndbclusters,verbs=get;list;watch;
 //+kubebuilder:rbac:groups=ovn.openstack.org,resources=ovndbclusters/status,verbs=get;list;watch;
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
@@ -83,9 +83,9 @@ func (r *OVNNorthdReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;
 
 // service account, role, rolebinding
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=restricted-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
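Review bot: Granting `patch` on roles and rolebindings is subject to the same API-server RBAC escalation prevention as `update` — the manager can only write a Role carrying verbs it itself holds, or bind one it may bind — so the new verb does not loosen anything, but the comment `// service account permissions that are needed to grant permission to the above` is load-bearing and does not say what happens when it drifts: a verb later added to the per-CR Role without a matching marker here makes the patch fail at runtime with a 403 Forbidden instead of being caught at generation time. I would extend that comment to `// service account permissions that are needed to grant permission to the above; keep in sync with the Role built for the CR, otherwise role/rolebinding update/patch is denied by the RBAC escalation check`. Minor style: the other markers in this file list verbs alphabetically (`create;delete;get;list;patch;update;watch`) while the changed lines append `;patch` after `update`; `verbs=create;get;list;patch;update;watch` would match both the file and the order in the generated role.yaml. `GetLogger`, named in the hunk header, begins before the hunk.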