improve rbac settings of yurt-manager component (#2097)
Signed-off-by: rambohe-ch <linbo.hlb@alibaba-inc.com>
rambohe-ch committed Jul 16, 2024
1 parent 38171bc commit b3ff015
Showing 4 changed files with 3 additions and 11 deletions.
Expand Up @@ -147,13 +147,6 @@ kind: ClusterRole
metadata:
name: yurt-manager-basecontroller
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- apps
resources:
Expand Down Expand Up @@ -404,7 +397,6 @@ rules:
resources:
- pods
verbs:
- create
- delete
- get
- patch
Expand Down Expand Up @@ -657,6 +649,7 @@ rules:
- nodes
verbs:
- get
- patch
- apiGroups:
- ""
resources:
1 change: 0 additions & 1 deletion pkg/yurtmanager/controller/base/controller.go
Expand Up @@ -132,7 +132,6 @@ func NewControllerInitializers() map[string]InitFunc {
// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappoverriders,verbs=list;watch
// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=list;watch
// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=list;watch
// +kubebuilder:rbac:groups="",resources=secrets,verbs=list;watch
// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtstaticsets,verbs=list;watch
// +kubebuilder:rbac:groups=crd.projectcalico.org,resources=blockaffinities,verbs=list;watch

Expand Up @@ -197,7 +197,7 @@ func daemonsetUpdate(evt event.UpdateEvent) bool {
}

// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;update
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;update;patch

// Reconcile reads that state of the cluster for a DaemonSet object and makes changes based on the state read
Expand Up @@ -288,7 +288,7 @@ type ReconcileNodeLifeCycle struct {
}

// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=update
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get
// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;patch
// +kubebuilder:rbac:groups=core,resources=pods/status,verbs=update
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;delete
// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get
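Review bot: The added `patch` verb on `nodes` in the markers after `ReconcileNodeLifeCycle` is the one place this commit widens access, and nothing in the hunk says which call needs it. Kubernetes RBAC cannot scope `patch` to particular fields, so the grant covers labels, taints and annotations on every node in the cluster, and those feed scheduling decisions. I would record the reason next to the marker, for example `// nodes: patch is needed by <call site> to update <fields>`, so a later least-privilege pass can check it as easily as the verbs this commit removes. The Reconcile code that uses the permission is outside the hunk, so whether the existing `nodes/status` update and `nodes` get would already suffice cannot be judged from here.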
