handle required RBAC permissions

operator-framework · Oct 1, 2018 · 2c80629 · 2c80629
1 parent f16b153
commit 2c80629
Showing 1 changed file with 109 additions and 1 deletion.
diff --git a/pkg/controller/operators/olm/operator.go b/pkg/controller/operators/olm/operator.go
@@ -322,7 +322,6 @@ func (a *Operator) updateDeploymentAnnotation(op *v1alpha2.OperatorGroup) error
 	}
 	nsList.WriteString(namespaceList.Items[nsCount-1].Name)
 
-	// write namespaces to watch in every deployment
 	currentNamespace := op.GetNamespace()
 	csvsInNamespace := a.csvsInNamespace(currentNamespace)
 	for csvName, csv := range csvsInNamespace {
@@ -336,6 +335,115 @@ func (a *Operator) updateDeploymentAnnotation(op *v1alpha2.OperatorGroup) error
 			return fmt.Errorf("could not assert strategy implementation as deployment for CSV %s", csvName)
 		}
 
+		managerPolicyRules := []rbacv1.PolicyRule{}
+		apiEditPolicyRules := []rbacv1.PolicyRule{}
+		apiViewPolicyRules := []rbacv1.PolicyRule{}
+		for _, owned := range csv.Spec.CustomResourceDefinitions.Owned {
+			resourceNames := []string{}
+			for _, resource := range owned.Resources {
+				resourceNames = append(resourceNames, resource.Name)
+			}
+			managerPolicyRules = append(managerPolicyRules, rbacv1.PolicyRule{Verbs: []string{"*"}, APIGroups: []string{owned.Name}, Resources: resourceNames})
+			apiEditPolicyRules = append(apiEditPolicyRules, rbacv1.PolicyRule{Verbs: []string{"create", "update", "patch", "delete"}, APIGroups: []string{owned.Name}, Resources: []string{owned.Kind}})
+			apiViewPolicyRules = append(apiViewPolicyRules, rbacv1.PolicyRule{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{owned.Name}, Resources: []string{owned.Kind}})
+		}
+		clusterRole := &rbacv1.ClusterRole{
+			Rules: managerPolicyRules,
+		}
+		ownerutil.AddNonBlockingOwner(clusterRole, csv)
+		clusterRole.SetGenerateName(fmt.Sprintf("owned-crd-manager-%s-", csv.Spec.DisplayName))
+		createdClusterRole, err := a.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(clusterRole)
+		if err != nil {
+			return err
+		}
+		for _, sa := range strategyDetailsDeployment.Permissions {
+			roleBinding := &rbacv1.ClusterRoleBinding{
+				RoleRef: rbacv1.RoleRef{
+					Kind:     "ClusterRole",
+					Name:     createdClusterRole.GetName(),
+					APIGroup: rbacv1.GroupName,
+				},
+				Subjects: []rbacv1.Subject{{
+					Kind:      "ServiceAccount",
+					Name:      sa.ServiceAccountName,
+					Namespace: currentNamespace,
+				}},
+			}
+			ownerutil.AddNonBlockingOwner(roleBinding, csv)
+			roleBinding.SetName(fmt.Sprintf("%s-%s", createdClusterRole.GetName(), sa.ServiceAccountName))
+			_, err := a.OpClient.KubernetesInterface().RbacV1().ClusterRoleBindings().Create(roleBinding)
+			if err != nil {
+				return err
+			}
+		}
+
+		// api-specific roles
+		apiEditClusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("%s-edit", csvName),
+			},
+			Rules: apiEditPolicyRules,
+		}
+		_, err = a.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(apiEditClusterRole)
+		if err != nil {
+			return err
+		}
+		apiViewClusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("%s-view", csvName),
+			},
+			Rules: apiViewPolicyRules,
+		}
+		_, err = a.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(apiViewClusterRole)
+		if err != nil {
+			return err
+		}
+
+		// operator specific roles
+		operatorEditClusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("%s-operator-edit", csvName),
+			},
+			Rules: apiEditPolicyRules,
+		}
+		_, err = a.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(operatorEditClusterRole)
+		if err != nil {
+			return err
+		}
+		operatorViewClusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("%s-operator-view", csvName),
+			},
+			Rules: apiViewPolicyRules,
+		}
+		_, err = a.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(operatorViewClusterRole)
+		if err != nil {
+			return err
+		}
+
+		// operator group specific roles
+		operatorGroupEditClusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("%s-edit", op.Name),
+			},
+			Rules: apiEditPolicyRules,
+		}
+		_, err = a.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(operatorGroupEditClusterRole)
+		if err != nil {
+			return err
+		}
+		operatorGroupViewClusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("%s-view", op.Name),
+			},
+			Rules: apiViewPolicyRules,
+		}
+		_, err = a.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(operatorGroupViewClusterRole)
+		if err != nil {
+			return err
+		}
+
+		// write namespaces to watch in every deployment
 		for _, deploy := range strategyDetailsDeployment.DeploymentSpecs {
 			originalData, err := json.Marshal(csv)
 			if err != nil {